When an incident has really happened.

["Curt Shaffer" <cshaffer () gmail com>]

I just wanted to post this as a question to those on this list. I had a
discussion with a security admin the other day. They wanted me to take a
look at their incident handling document. This document outlined the steps
that they would take in the case of an incident. Now don't get me wrong, the
document was spot on I believe. It was well written and you can tell a
proper balance of technical and informational data was put together. What
this did bring up in my mind is; When has an incident, specifically a
compromise, happened that a process like this needs to be put into action?

I realize there is a balance that needs to happen because if we did this
same routine for every system infected with a virus, management would
probably start to not trust things are going well (little boy crying wolf).
What about a bot though? Long story short, as we all know, bots are used to
control systems. The problem that I see is that a lot of companies downplay
the significance of a bot, even some IPS systems I have put in place call
them low threats! Just because at this time that bot is only popping up ads
on your PC doesn't mean the attacker has any less than full control of your
system. In my mind, a party outside of your network, often unknown to you,
has full control of one of your systems. That sounds like a compromise or
incident to me. It only takes one update from the bot's command and control
center to turn it into something much more horrifying.

Now there are controls in place like IDS and IPS systems which can often
block and alert of the existence of such a software. This is a good thing.
The question is though, should this be treated like an incident of
compromise or should it be quietly removed and cleaned up because it was
caught so early? I guess a third option would be to have a non management
alerted incident handling process in place as well. Not that we want to
cover these tracks, but for the security admin to keep track of but possibly
release at some quarterly meeting saying "we had x many major incidents and
y many minor incidents". It's an interesting thought to find that balance. I
would love to hear some opinions.

Curt



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff! 

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------