CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8, Chapter 10: Legal, Regulations, Compliance, and Investigations, pages 884-885 (ch10.indd, 12/4/2009 11:39:10 AM)

...s at the analysis stage where computer forensics comes into play. Management must decide if law enforcement should be brought in to carry out the investigation, if evidence should be collected for the purposes of prosecution, or if the hole should just be patched. Most companies do not have a forensics team on staff to carry out these tasks. In such situations, if a suspected crime has occurred and management does not want law enforcement involved but does want a forensics investigation carried out, external forensics experts need to be called in. We'll go over computer forensics in detail in the next section. For now, it's important to know that an investigation must adhere to company policy as well as applicable laws and regulations.

NOTE Be careful not to confuse incident response with computer forensics. Although they are both investigative in nature, the terms are not synonymous. Computer forensics has a higher standard of proof than incident response because the assumption is that the evidence must be admissible in a court of law and is handled accordingly.

The next stage is containment. In the medical world, if you were found to have tuberculosis, you would be put in an isolation room because no one wants to catch your cooties. In the containment phase, the damage must be mitigated. In the computer world, this could mean that an infected server is taken off the network, firewall configurations are changed to stop an attacker, or the system that is under attack is disconnected from the Internet. A proper containment strategy buys the incident response team time for a proper investigation and determination of the incident's root cause.
The containment strategy should be based on the category of the attack (that is, whether it was internal or external), the assets affected by the incident, and the...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.