Build a Computer Incident Response Team
With money and reputation on the line, a computer incident response team must be speedy and organized.
Computerworld - A computer incident response team, or CIRT, is a lot like a firefighting crew - both are composed of individuals trained to respond quickly to specific incidents with the goal of limiting damage and reducing recovery time and costs.
"Like a fire department, you can use [CIRTs] for actual incident response and for cleanup, for education and for drills," says Richard Mogull, an analyst at GartnerG2 in Stamford, Conn.
A CIRT may be activated by virus or hacker attacks, internal sabotage or even suspicious activity, such as successive attempts to gain access to a system or transactions that fall outside preset boundaries - such as a money transfer exceeding $1 million.
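Two of the triggers listed above, repeated failed access attempts and a transaction outside preset boundaries, expressed as detection rules over sample log lines. This is an added example, not code from the article or from any organization it names; the log format, the field names, the five-failures-in-five-minutes threshold and the use of the article's $1 million figure as the transfer limit are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Added example (not from the Computerworld article): the activation
triggers described in the text as simple detection rules."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format for this example:
# "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2002-06-10T09:00:01 auth user=alice src=10.0.0.5 result=fail
2002-06-10T09:00:05 auth user=alice src=10.0.0.5 result=fail
2002-06-10T09:00:09 auth user=alice src=10.0.0.5 result=fail
2002-06-10T09:00:12 auth user=alice src=10.0.0.5 result=fail
2002-06-10T09:00:14 auth user=alice src=10.0.0.5 result=fail
2002-06-10T09:00:20 auth user=alice src=10.0.0.5 result=success
2002-06-10T09:30:00 auth user=bob src=10.0.0.7 result=fail
2002-06-10T10:30:00 auth user=bob src=10.0.0.7 result=fail
2002-06-10T11:00:00 wire account=4471 amount=250000.00 dest=ACME
2002-06-10T11:05:00 wire account=4471 amount=1500000.00 dest=OFFSHORE
"""

# Assumed thresholds; tune to the constituency the CIRT actually monitors.
FAILED_LOGIN_THRESHOLD = 5                    # failures from one (user, src) ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)    # ... within this sliding window
TRANSFER_LIMIT = 1_000_000.00                 # the article's $1 million example


def parse_line(line):
    """Split one log line into a dict: timestamp, event, then key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return a list of alert tuples found in log_text.

    brute_force:    FAILED_LOGIN_THRESHOLD failures from the same (user, src)
                    inside FAILED_LOGIN_WINDOW; a success resets the count.
    transfer_limit: a wire whose amount strictly exceeds TRANSFER_LIMIT.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # (user, src) -> failure timestamps in window

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)

        if rec["event"] == "auth":
            window = recent_failures[(rec["user"], rec["src"])]
            if rec["result"] == "fail":
                window.append(rec["ts"])
                # Drop failures that have aged out of the sliding window.
                while window and rec["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                    window.popleft()
                if len(window) >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(("brute_force", rec["user"], rec["src"], rec["ts"]))
                    window.clear()   # one alert per burst, not one per extra failure
            else:
                window.clear()       # successful login ends the failure streak

        elif rec["event"] == "wire":
            amount = float(rec["amount"])
            if amount > TRANSFER_LIMIT:   # "exceeding", so a transfer of exactly the limit passes
                alerts.append(("transfer_limit", rec["account"], amount, rec["ts"]))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Against the constructed log this raises exactly two alerts: alice's five failures within 13 seconds, and the $1.5 million wire. Bob's two failures an hour apart never accumulate inside the window, which is the point of keying on a sliding window rather than a lifetime count.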
Incident response at companies that don't have a CIRT tends to be expensive and ad hoc, says Steve Romig, manager of the network security group at Ohio State University in Columbus.
And there's more than money on the line. Companies that fail to react quickly to security incidents stand to suffer damage to their reputations and lose customers.
A CIRT's key mission, therefore, is to orchestrate a speedy and organized companywide response to computer threats. The following are some tips for building that capability:
Know Your Constituency
Decide which computers, address ranges and domains will be monitored for incidents, says Romig. Know what services the CIRT will provide and to whom. Develop policies for when to disclose security breaches and when to report an incident to law enforcement agencies, Romig says. And be sure to advertise contact information for the CIRT throughout the company, he adds.
Assemble the Team
Figure out which department the CIRT should be in and who should head it. Many companies put the team within the IT group, although others add the CIRT to the security or audit group, or make it a stand-alone function, says Georgia Kilcrece, a member of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
"Wherever it sits, [a CIRT] will not succeed without management support," she says, because the team may require cooperation among multiple departments, such as legal and human resources.
The incident response team at the University of Wisconsin-Madison has a process for calling in its legal department and local law enforcement when incidents involve activities such as computer-related harassment, says Kim Milford, information security manager at the university.
Companies that can afford it sometimes maintain a formal team of specialists whose sole task is to respond to external and internal security breaches.
For example, one financial services firm has a core incident response team of 12 full-time specialists. Additional members are pulled in from the company's human resources and legal departments to assist this core team if necessary, says the company's IT director, who requested anonymity.
The University of Wisconsin-Madison has entrusted the task of coordinating incident response to one full-time worker. That person acts as a central point of contact for reporting and responding to incidents. Along with the university's IT security group, the employee is responsible for assessing the scope, priority and threat level of an incident, as well as for suggesting a response, Milford says.
Create a SWAT Team
Maintaining a full-time incident response team can be expensive, so many companies choose to have an ad hoc incident response team that can come together quickly when needed, says Mogull.
Providence Health System creates SWAT teams to respond to specific incidents, such as virus infections, says David Rymal, director of technology at the Seattle-based health care provider.
"We use pager alerts and call an incident response meeting of the functional groups designated to respond to such incidents. In that meeting, we'll set a plan of action and a communication plan" for dealing with the threat, Rymal explains.
But, he adds, Providence Health System doesn't have formal methods of maintaining a CIRT beyond knowing the key players and who responds to which types of incidents.
Get Organized
Have written policies and procedures and assign responsibilities upfront, says the financial services firm's IT director. "We maintain a formal list with names, cell phone numbers and beeper [numbers] of people who can be called in to assist the core team," he says.
Figure out what equipment you'll need, where you'll house it and how you'll protect the CIRT function. You don't want unauthorized people accessing information that a CIRT may uncover during a response, Kilcrece says.
None of this does any good if the plan merely sits on a shelf. Conduct frequent drills and mock exercises, especially for ad hoc teams, the financial services IT director says, adding, "Remember, it is a process that you have to do right but hope you never have to use."