RFC 2196 Site Security Handbook September 1997
The sections in this chapter provide an outline and starting point
for creating your site's policy for handling security incidents. The
sections are:
(1) Preparing and planning (what are the goals and objectives in
    handling an incident).
(2) Notification (who should be contacted in the case of an
    incident).
    - Local managers and personnel
    - Law enforcement and investigative agencies
    - Computer security incidents handling teams
    - Affected and involved sites
    - Internal communications
    - Public relations and press releases
(3) Identifying an incident (is it an incident and how serious is
    it).
(4) Handling (what should be done when an incident occurs).
    - Notification (who should be notified about the incident)
    - Protecting evidence and activity logs (what records should be
      kept from before, during, and after the incident)
    - Containment (how can the damage be limited)
    - Eradication (how to eliminate the reasons for the incident)
    - Recovery (how to reestablish service and systems)
    - Follow Up (what actions should be taken after the incident)
(5) Aftermath (what are the implications of past incidents).
(6) Administrative response to incidents.
The remainder of this chapter will detail the issues involved in each
of the important topics listed above, and provide some guidance as to
what should be included in a site policy for handling incidents.
5.1 Preparing and Planning for Incident Handling
Part of handling an incident is being prepared to respond to an
incident before the incident occurs in the first place. This
includes establishing a suitable level of protections as explained in
the preceding chapters. Doing this should help your site prevent
incidents as well as limit potential damage resulting from them when
they do occur. Protection also includes preparing incident handling
guidelines as part of a contingency plan for your organization or
site. Having written plans eliminates much of the ambiguity which
occurs during an incident, and will lead to a more appropriate and
thorough set of responses. It is vitally important to test the
proposed plan before an incident occurs through "dry runs". A team
might even consider hiring a tiger team to act in parallel with the
dry run. (Note: a tiger team is a team of specialists that try to
penetrate the security of a system.)
Fraser, Ed. Informational [Page 39]