Many organizations think they don’t need to worry about incident management. They think their data is not interesting enough, or they are too small – no one will find them, or they have a firewall – so they feel secure. Unfortunately, none of these things are true. In 2008, the FBI reported that 43% of the companies they surveyed had sustained a breach in the prior 12 months. This is scary, particularly given the fact that if 43% actually had a breach, it is likely that nearly 100% of the companies had an attempted breach.
Now is the time to prepare for an incident. Industry best practice incident management begins with being well prepared. Some things to keep in mind:
- Know who will handle the incident – either have someone internally selected, or have a relationship with an outside person or organization who has expertise and can be available when you need them.
- Develop incident handling instructions – if you will be handling the incident yourself, you should document procedures. In the midst of an intrusion or virus outbreak is not the right time to be deciding how the organization wants to handle critical things like whether or not we can unplug servers during business hours.
- Be sure you are gathering information all the time – keep event logs for at least one year. Windows boxes will often not dedicate enough space to the event logs, and they will get overwritten quickly. Be sure to configure your systems to have enough space to keep them longer. Consider installing an intrusion detection system (IDS) like Snort (www.snort.org). These systems will analyze packets and not only notify you of potential problems, but also give you data once a problem has occurred. Consider installing a host-based intrusion detection system (HIDS) as well. Something like Samhain is easy to use and lets you know if important system files have been changed.
- Use time synchronization – it’s a good idea to have all your hosts synchronize to the same clock. This way, when you do have a problem, there is no question of when it occurred: no matter which host or device records an event, you know its timestamp is accurate.
Incident management certainly requires a lot of work after an incident has occurred, but being prepared ahead of time will improve your chances of handling it in the best possible way, with the best possible outcome.