Incident response: What, why and how

Incidents are an unfortunate fact of life in any systems environment; they can be extremely visible and disruptive, or entirely unnoticed but extremely damaging. Incident response is defined as the actions taken to protect and restore the normal operating condition of computers. In Part I of this article, the author looks at what an incident response plan is and why organizations need one.

Computers and computer networks have been part of the corporate landscape for quite some time now. But in the last five years or so, companies have started to connect their systems and networks to other organizations – suppliers, partners and customers. With the ever-increasing reliance on interconnected networks and especially the Internet, the risks that organizations face have grown tremendously.

The 2001 CSI/FBI Computer Crime and Security Survey reveals that computer security incidents are widespread. 85 per cent of the survey's respondents detected computer security breaches in the previous 12 months, and 64 per cent acknowledged financial losses due to breaches. Also, 40 per cent of respondents detected system penetration from the outside, while 94 per cent detected computer viruses. The survey also shows that attacks occur frequently, with 24 per cent reporting 6 to 10 incidents and 33 per cent reporting 1 to 5 incidents.

An interesting statistic is that 95 per cent of the respondents had firewalls, 98 per cent had anti-virus software and 61 per cent had intrusion detection systems. This implies that even organizations that had deployed sophisticated, state-of-the-art security systems were attacked. Regardless of what security technologies an organization has deployed, an incident response capability is of utmost importance.

What is incident response?
An incident is defined as ‘an event violating an explicit or implied security policy’. In simpler terms, an incident is an adverse event in a computer system or network caused by a failure of a security mechanism, or an attempted or threatened breach of those mechanisms. Incidents are essentially events that interrupt normal operating procedure and precipitate some level of crisis. They can include, but are not limited to:

  • attempts (either failed or successful) to gain unauthorized access to a system
  • unwanted disruption or denial of service
  • unauthorized use of a system for the transmission, processing or storage of data
  • insider theft of information
  • changes to system hardware, firmware or software characteristics without the owner’s knowledge and consent

Incident response is defined as the actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs.

Why is an incident response plan needed?
Incidents are an unfortunate fact of life in any systems environment. They can be extremely visible and disruptive (e.g. widespread virus outbreaks) or entirely unnoticed but extremely damaging (e.g. loss of confidential growth plans). Incidents are also likely to occur at the least convenient time, when the right people are not available.

The intention of having incident response procedures is to know what to do when an incident occurs. This means anticipating scenarios before they happen, and making many decisions about them in advance.

Preparation is the key to successful incident response. While technology plays an important role in information security, more than half of security depends on sound policies and procedures, and these are most effective when put in place before an attack occurs. For example, consider an organization that has deployed an Intrusion Detection System (IDS), a tool configured to send alerts and notifications when an intrusion is detected. When an alert arrives, or during a security incident, the lack of an incident response procedure would mean that users and administrators would not know what to do, whom to contact, and who is authorized to take certain actions (such as pulling the plug on a critical server).

Irrespective of the approach, the goals of incident response will remain:

  • Helping the organization recover quickly from security incidents
  • Minimizing impact due to loss or theft of information or disruption of critical services
  • Responding systematically, following proven procedures
  • Collecting data and evidence for prosecution, if required
  • Taking actions to decrease the likelihood of re-occurrence of similar incidents in the future
  • Dealing with legal issues

(In Part II of this article, the author will discuss the steps that an organization can follow to formulate an incident response plan.)


Copyright 2003-2004 Net ProActive Services. All Rights Reserved.