he middle of the night because a system is acting “weird.” The
reasons could be that a deployed patch broke something, someone misconfigured a
device, or the administrator just learned a new scripting language and rolled out some
code that caused mayhem and confusion.
When a company endures a computer crime, it should leave the environment and
evidence unaltered and contact whoever has been delegated to investigate these types
of situations. Someone who is unfamiliar with the proper process of collecting data and
evidence from a crime scene could instead destroy that evidence, and thus all hope of
prosecuting individuals and achieving a conviction would be lost. Companies should
have procedures for many issues in computer security such as enforcement procedures,
disaster recovery and continuity procedures, and backup procedures. It is also necessary
to have a procedure for dealing with computer incidents, because they have become an
increasingly important issue for today’s information security departments. This is a direct result of attacks against networks and information systems increasing annually.
Even though we don’t have specific numbers, because reporting is neither universal nor
consistent, it is clear that the volume of attacks is increasing. Just think about
all the spam, phishing scams, malware, distributed denial-of-service and other attacks
you see on your own network and hear about in the news.
Unfortunately, many companies do not have a clue as to who to call or what to do
right after they have been the victim of a cybercrime. Therefore, all companies should
have an incident response policy that indicates who has the authority to initiate an incident response, with supporting procedures set up before an incident takes place. This
policy should be managed by the legal department.
The incident response policy should be clear and concise. For example, it should
indicate if systems can be taken offline to try to save evidence or if systems have to continue functioning at the risk of destroying evidence. Each system and functionality
should have a priority assign...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.