10.2. Creating an Incident Response Plan

It is important that an incident response plan is formulated, supported throughout the organization, and regularly tested. A good incident response plan minimizes not only the effects of the actual security breach but also the negative publicity that follows it.
From a security team's perspective, the question is not whether a breach occurs (such occurrences are an eventual part of doing business over an untrusted carrier network, such as the Internet), but when. This is not to say that a system is weak or poorly secured; rather, it is important to realize that, given enough time and resources, someone can break into even the most security-hardened system or network. You do not need to look any further than the Security Focus website, http://www.securityfocus.com/, for updated and detailed information concerning recent security breaches and vulnerabilities, such as the frequent defacement of corporate webpages or the 2002 attacks on the root DNS nameservers[7].
The positive aspect of accepting the inevitability of a system breach is that it allows the security team to develop, in advance, a course of action that minimizes the potential damage. Combining that course of action with expertise allows the team to respond to adverse conditions in a formal and timely manner.
The incident response plan itself can be separated into four phases:
  • Immediate action to stop or minimize the incident
  • Investigation of the incident
  • Restoration of affected resources
  • Reporting the incident to the proper channels
An incident response must be decisive and executed quickly. Because there is little room for error, it is critical that practice emergencies are staged and response times measured. This way it is possible to develop a methodology that fosters speed and accuracy, minimizing the impact of resource unavailability and potential damage in the event of an actual system compromise.
An incident response plan has a number of requirements, including:
  • A team of in-house experts (a Computer Emergency Response Team)
  • A legally reviewed and approved strategy
  • Financial support from the company
  • Executive/upper management support
  • A feasible and tested action plan
  • Physical resources, such as redundant storage, standby systems, and backup services

10.2.1. The Computer Emergency Response Team (CERT)

The Computer Emergency Response Team (CERT) is a group of in-house experts who are prepared to act quickly in the event of a catastrophic computer event. Finding the core competencies for a CERT can be a challenge. The concept of appropriate personnel goes beyond technical expertise and includes logistics such as location, availability, and the willingness to put the organization ahead of one's personal life when an emergency occurs. An emergency is never a planned event; it can happen at any moment, and all CERT members must accept the responsibility of responding to an emergency at any hour.
A CERT typically includes system and network administrators as well as information security experts. System administrators provide knowledge and expertise of system resources, including data backups, backup hardware available for use, and more. Network administrators provide their knowledge of network protocols and the ability to re-route network traffic dynamically. Information security personnel are useful for thoroughly tracking and tracing security issues as well as performing a post-mortem (after the attack) analysis of compromised systems.
Although it may not always be feasible, there should be personnel redundancy within a CERT. If depth in every core area is not possible for an organization, then cross-training should be implemented wherever possible. Note that if only one person holds the key to data safety and integrity, the entire enterprise becomes helpless in that one person's absence.
© 2024 Red Hat, Inc.