and business processes face many types of threats, each requiring a specialized type of recovery. However, an incident response team should draft
and enforce a basic outline of how all incidents are to be handled. This is a much better
approach than the way many companies deal with these threats, which is usually in an
ad hoc, reactive, and confusing manner. A clearly defined incident-handling process is
more cost-effective, enables recovery to happen more quickly, and provides a uniform
approach with predictable, expected results.
[Source: CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8, ch10, pp. 881-882]
Incident handling should be closely related to disaster recovery planning and
should be part of the company’s disaster recovery plan, usually as an appendix. Both
are intended to react to some type of incident that requires a quick response so the
company can return to normal operations. Incident handling is a recovery plan that
responds to malicious technical threats. The primary goal of incident handling is to
contain and mitigate any damage caused by an incident and to prevent any further
damage. This is commonly done by detecting a problem, determining its cause, resolving the problem, and documenting the entire process.
Without an effective incident-handling program, individuals who have the best intentions can sometimes make the situation worse by damaging evidence, damaging
systems, or spreading malicious code. Many times, the attacker booby-traps the compromised system to erase specific critical files if a user does something as simple as list
the files in a directory. A compromised system can no longer be trusted because the
internal commands listed in the path could be altered to perform unexpected activities.
The system could now have a backdoor for the attacker to enter when he wants, or
could have a logic bomb silently waiting for a user to start snooping around only to
destroy any and all evidence.
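The paragraph above makes a practical point for responders: once a host may be compromised, the commands found on its PATH cannot be trusted, so a responder should verify tools against known-good digests (or bring tools on trusted media) before relying on them. The following is an added example, not from the book or its author, showing the integrity check in Python: `build_manifest` records SHA-256 digests of known-good binaries, `verify_manifest` reports which files still match, and `demo` constructs a throwaway directory with two stand-in "binaries" and tampers with one of them. The file names, directory and contents are constructed for the demonstration; in real use the manifest would come from trusted media or vendor package metadata, never from the suspect host itself.

```python
"""Added example (hypothetical helper): verify that command binaries a responder
is about to use still match a known-good manifest before trusting them."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Record known-good digests for a list of files.

    In practice this manifest is produced from trusted media or vendor
    packages and stored off-host, so a compromised system cannot alter it.
    """
    return {p: sha256_of(p) for p in paths}


def verify_manifest(manifest):
    """Return {path: 'ok' | 'MODIFIED' | 'MISSING'} for every manifest entry."""
    results = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "MISSING"
        elif sha256_of(path) != expected:
            results[path] = "MODIFIED"
        else:
            results[path] = "ok"
    return results


def untrusted_tools(results):
    """List the tools a responder must not run from this host."""
    return sorted(p for p, status in results.items() if status != "ok")


def demo():
    """Constructed scenario: two stand-in tools; 'ls' is later replaced.

    Returns the verification result keyed by tool name.
    """
    workdir = tempfile.mkdtemp(prefix="ir-manifest-demo-")
    ls_path = os.path.join(workdir, "ls")
    ps_path = os.path.join(workdir, "ps")
    with open(ls_path, "wb") as f:
        f.write(b"#!/bin/sh\n# constructed stand-in for ls\n")
    with open(ps_path, "wb") as f:
        f.write(b"#!/bin/sh\n# constructed stand-in for ps\n")

    # Known-good manifest taken while the files are still trustworthy.
    manifest = build_manifest([ls_path, ps_path])

    # Simulate the file being replaced after the manifest was recorded.
    with open(ls_path, "wb") as f:
        f.write(b"#!/bin/sh\n# contents changed after manifest was taken\n")

    results = verify_manifest(manifest)
    return {os.path.basename(p): status for p, status in results.items()}


if __name__ == "__main__":
    outcome = demo()
    print(outcome)
    print("do not run from this host:", untrusted_tools(outcome))
```

The check is only as good as where the manifest lives: keep it off the suspect host, and run the verifier itself from trusted media, since a tampered hashing tool would report whatever the attacker wants.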
Incident handling s...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.