...ted by automated security controls, the first stage carried out by the incident response team should be triage. Triage in this sense is very similar to triage conducted by medics when treating people who are injured. The crux of it is, “Is this person really hurt?” “How bad is this person hurt?” “What type of treatment does this person need (surgery, stitches, or just a swift kick in...
So that’s what we do in the computer world too. We take in the information available, investigate its severity, and set priorities on how to deal with the incident. This begins with an initial screening of the reported event to determine whether it is indeed an incident and whether the incident-handling process should be initiated. A member of the incident response team should be responsible for reviewing an alert to determine if it is a false positive. If the event is a false positive, then it is logged and the incident response process for this particular event is complete. However, if the event is determined to be a real incident, it is identified and classified. Incidents should be categorized according to their level of potential risk, which is influenced by the type of incident, the source (whether it’s internal or external), its rate of growth, and the ability to contain the damage. This, in turn, determines what notifications are required during the escalation process, and sets the scope and procedures for the investigation.

Once we understand the severity of the incident taking place, we move on to the next stage, which is investigation. Investigation involves the proper collection of relevant data, which will be used in the analysis and following stages. The goals of these stages are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring. It i...

Source: CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8, pp. 883-884.
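The screening-and-classification step described above, as an added example that is not from the exam guide: a small Python triage model in which the alert fields, the risk weights for the four factors the text names (type, source, rate of growth, containability), the severity tiers and the notification roster are all assumed for illustration.

```python
from dataclasses import dataclass, field

# Assumed notification roster per severity tier (constructed for this example).
ESCALATION = {
    "low": ["soc-oncall"],
    "medium": ["soc-oncall", "ir-lead"],
    "high": ["soc-oncall", "ir-lead", "ciso"],
    "critical": ["soc-oncall", "ir-lead", "ciso", "legal"],
}
# Assumed base risk per incident type; unknown types get a middle value.
TYPE_RISK = {"policy_violation": 1, "malware": 2, "unauthorized_access": 3, "data_exfiltration": 4}


@dataclass
class Alert:
    alert_id: str
    kind: str
    source: str            # "internal" or "external"
    growth_per_hour: int   # newly affected hosts per hour (rate of growth)
    containable: bool      # can the damage be contained with current controls?
    known_benign: bool = False  # matches a previously confirmed false-positive pattern


@dataclass
class TriageResult:
    alert_id: str
    is_incident: bool
    severity: str = ""
    notify: list = field(default_factory=list)


def score_risk(alert: Alert) -> int:
    """Combine the four factors the text names: type, source, growth rate, containment."""
    score = TYPE_RISK.get(alert.kind, 2)
    score += 1 if alert.source == "external" else 0
    score += 0 if alert.growth_per_hour == 0 else 1 if alert.growth_per_hour < 10 else 2
    score += 0 if alert.containable else 2
    return score


def severity_for(score: int) -> str:
    """Map the risk score onto the assumed escalation tiers."""
    return "low" if score <= 2 else "medium" if score <= 4 else "high" if score <= 6 else "critical"


def triage(alert: Alert, log: list) -> TriageResult:
    """Screen the alert: a false positive is logged and closed; a real incident is classified."""
    if alert.known_benign:
        log.append(f"{alert.alert_id}: false positive, logged and closed")
        return TriageResult(alert.alert_id, is_incident=False)
    sev = severity_for(score_risk(alert))
    log.append(f"{alert.alert_id}: incident classified as {sev}")
    return TriageResult(alert.alert_id, True, sev, list(ESCALATION[sev]))
```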
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.