In this article, Anna Johnson suggests a model for contingency planning and handling breaches of security.

Emergency Response Guidelines
Following is an outline of an appropriate response procedure:
Overview
Establish the goals and objectives in handling the incident. Select which approach - Protect and Proceed or Pursue and Prosecute - will be undertaken.
Evaluation
Evaluate the seriousness and extent of the incident.
Notification
Notify everyone who should be involved in handling the incident and everyone who is likely to be affected by the incident.
Legal/Investigative Implications
Establish what needs to be done in order to meet all legal and investigative obligations - possible legal liability, evidence requirements.
Response
Work out, and undertake, the appropriate response.
Documentation
Document all actions undertaken in dealing with the incident - for the organisation's benefit in conducting a post-event evaluation and for evidentiary purposes.
Managing a Security Incident
How you manage a particular security incident depends on both the nature of the incident and your organisation's goals in dealing with that, and all other, incidents.

Goals and Incentives
Your goals, in a certain order of priority, might be any or all of the following:
Ensure the continued operation of (life) critical systems.
Maintain and restore data.
Find out why and how the incident happened.
Identify who perpetrated the security breach.
Contain the damage.
Avoid negative publicity.
Collect evidence for a prosecution.

Type of Incident
You need to determine the type, source, seriousness and scope of the problem. If it is a breach of your computer network, you may be able to use detection software, audit trail information, or other detection tools to identify and evaluate the problem. Note that a security breach may be caused accidentally or intentionally. Intentional attacks pose the greater danger. Indications that a breach is intentional are as follows (although they might also result from normal or accidental conditions):
System crashes
New user accounts
High activity on an account which was previously inactive
New files (with strange file names)
Accounting discrepancies
Changes in file lengths or dates
Attempts to write to system
Data modification or deletion
Denial of service
Unexplained, poor system performance
Anomalies
Suspicious probes
Suspicious browsing

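As an added example (not part of the original article), the following Python compares a trusted baseline inventory against a current snapshot to surface four of the indicators listed above: new user accounts, new files, changes in file lengths or dates, and high activity on an account which was previously inactive. All file paths, account names and login counts are constructed sample data; the threshold of five logins is an assumed tuning value.

```python
# Added example, not from the original article: baseline comparison for the indicators
# "new user accounts", "new files", "changes in file lengths or dates" and "high activity
# on an account which was previously inactive". All snapshots below are constructed data.
BASELINE_FILES = {  # constructed: path -> (length_bytes, mtime_epoch) from a trusted inventory
    "/etc/passwd": (1820, 1700000000),
    "/usr/bin/login": (55280, 1690000000),
    "/var/www/index.html": (4096, 1700100000),
}
CURRENT_FILES = {  # constructed snapshot taken during the Evaluation step
    "/etc/passwd": (1867, 1700500000),      # longer and newer: a line was appended
    "/usr/bin/login": (55280, 1700400000),  # same length, newer date: possible replacement
    "/var/www/index.html": (4096, 1700100000),
    "/tmp/.x1Zq": (120, 1700500100),        # new file with a strange name
}
BASELINE_ACCOUNTS = {"root", "www-data", "anna"}          # constructed account lists
CURRENT_ACCOUNTS = {"root", "www-data", "anna", "svc_tmp"}
LOGINS_PRIOR_MONTH = {"root": 2, "anna": 40, "www-data": 0, "backup": 0}  # constructed, 30 days
LOGINS_LAST_DAY = {"anna": 3, "backup": 12, "svc_tmp": 1}                  # constructed, 24 hours

def compare_files(baseline, current):
    """Return (indicator, path) pairs; one path may yield both a length and a date finding."""
    findings = []
    for path, (length, mtime) in current.items():
        if path not in baseline:
            findings.append(("new file", path))
            continue
        base_length, base_mtime = baseline[path]
        if length != base_length:
            findings.append(("length changed", path))
        if mtime != base_mtime:
            findings.append(("date changed", path))
    for path in sorted(baseline.keys() - current.keys()):
        findings.append(("file deleted", path))
    return findings

def new_accounts(baseline, current):
    return sorted(current - baseline)

def reactivated_accounts(prior, recent, threshold=5):
    """Accounts with no logins in the prior period but at least `threshold` recent logins."""
    return sorted(a for a, n in recent.items() if prior.get(a, 0) == 0 and n >= threshold)

def triage():
    return {
        "files": compare_files(BASELINE_FILES, CURRENT_FILES),
        "new_accounts": new_accounts(BASELINE_ACCOUNTS, CURRENT_ACCOUNTS),
        "reactivated": reactivated_accounts(LOGINS_PRIOR_MONTH, LOGINS_LAST_DAY),
    }
```

Each finding is only an indicator, as the article notes: a same-length binary with a newer date may be a legitimate patch, so the output feeds the Evaluation step rather than replacing it.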
Identifying the scope and impact of the incident will also help you determine its overall priority in the context of the organisation. That is, how many resources should be allocated to the task of dealing with the incident. Some of the points to consider in evaluating the scope of the incident are:
Is it confined to one organisational site or multiple sites?
Are all computers on the network affected?
Are mission critical computers affected?
Is sensitive information or data vulnerable?
Where did the incident start?
What was the last area affected by the incident?
What is the potential damage of the incident?
How long will it take to stop the breach or the effects of the breach?
What resources are needed to handle the incident?

Response
There are four crucial steps in responding to an incident:
1) Containment
a) Limit the extent of the attack.
b) Notify appropriate authorities and users.
2) Eradication
a) Eradicate the cause of the problem.
3) Recovery
a) Return the system to normal.
b) Install patches and fixes for any vulnerabilities identified.
4) Post-Event Evaluation
a) Analyse what, where, when, who, how and why in relation to the security incident.
b) Apply the "lessons learned" to modify your security system (including the Security Policy).

Documentation
Record all the details of the incident procedure. Document all system events (audit records), all actions taken (including the time it took) and all communications (between members of the response team, with the media, etc.).

Such documentation will help you revise your emergency response procedure for future incidents. It will also help you estimate the cost of the damage and prepare evidence for any legal actions that might arise (brought by or against the organisation).

The Aftermath
After an incident has been dealt with, it is essential to re-evaluate your security system. Just because it has happened once does not mean it will not happen again, so take the opportunity to improve your security to prevent similar attacks from occurring in the future.
Take an inventory of your assets and ascertain the total damage incurred.
Use the "lessons learned" to revise your Security Policy. Perform a new risk analysis and re-evaluate your choice of security controls.
Remove the vulnerabilities and implement more effective controls, including those controls designed to detect breaches.
If you desire, investigate and prosecute the perpetrators of the breach.