
Incident Response

What is an Incident?

Incidents can be hard to recognize.  They may best be described as unusual or unauthorized system or network activity: activity that adversely affects normal operations and thereby causes either monetary damage or a loss of system integrity and confidence.   The following is a short list of typical Incidents:

How often do incidents occur?

CERT/CC Incidents 1998-2002

Incidents occur every second of every day.  Automated port scanners, worms, slammers and viruses are constantly probing systems throughout the Internet.  But these automated scripts are not the real threat; they are normally just the precursor to a directed attack.  One anecdotal example of how hostile the Internet is today comes from an experiment performed at the San Diego Supercomputer Center in 1999.  An off-the-shelf, unpatched Red Hat Linux 5.2 installation was placed on the Internet.  After 8 hours it received its first scripted probe, after 21 days it had received over 20 hack attempts, and after 40 days the system was completely compromised.

A stronger indicator of the current fight facing companies on the Internet is the set of statistics reported by the CERT/CC at Carnegie Mellon University.  The number of reported incidents has increased each year by between 55 and 140 percent, and the latest data from CERT indicates that 2006 will be no different.

Internal incidents can be even more damaging than external attacks.  The insider knows your systems and has more time to plan and execute the attack.  He knows your administrative and logical safeguards.  Recent internal incidents which have resulted in significant financial loss or loss of customer confidence include:  

What Should I do?

Prevention and Planning

An excellent start is the development of a Computer Incident Response plan.  The plan should supplement your Business Continuity Plan (BCP).  It should include a general response plan with a designated incident leader.  Team members, with all of their contact information, should be available to the leader.  The company's BCP will be relied upon for other issues such as media response, facilities management, disaster recovery, etc.  If your company does not have an Incident Response plan, Information Risk Group has experienced professionals who can aid your company with its development.

Another preventative measure your company should consider is a security assessment. An annual security assessment should be performed against your company's administrative, technical and physical safeguards.  The assessment will enable your company to concentrate its limited budget on its information security weaknesses.

Response

It is important that you do not panic when your systems are under attack.   Active incidents are among the most technically stressful and challenging events your IT employees will ever face.  They require experience and advanced knowledge to solve and prosecute.  At a minimum, consider performing the following actions:
If your company is not ready to react to this type of incident it is important that you contact an external vendor now.  Information Risk Group LLC is prepared to provide you with the latest tools and techniques to verify, suspend and trace an incident against your systems.  Let us help you mitigate your losses by providing the necessary expert services to resolve your crisis.   When possible we will provide you with the necessary information to go to the authorities.  Our emergency response team has worked with the FBI, the US Customs Service,  and state authorities on various cases throughout the years and is available to offer our expertise in this area 24 hours a day.


Please contact us with any questions you may have on this subject or any other services Information Risk Group offers.

Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609


Information Risk Group offers information security and risk management services to companies throughout the Americas.