Create a response team now

As most people realize, emergencies are not conducive to clear-headed analysis and planning. When seconds count, it’s hard to weigh options rationally, discuss alternatives coolly, run simulations and make the best judgment. Far better is to plan for emergencies with plenty of time and practice so that response during the emergencies themselves can be fast, effective and efficient.

Your computer-emergency response team (CERT) needs to analyze the types of attacks and targets most likely to be significant to the organization. The goals of planning are to minimize damage and to maximize the options for flexible response. For example, it should be possible to decide quickly whether to:

* Shut off access to the services (or the systems) under attack.

* Observe the attack for purposes of learning and future security improvements.

* Gather evidence for possible prosecution.

Creating a CERT is a complex process that must involve people from throughout the organization. In particular, in addition to the technical staff one would naturally see in such a team, the CERT should include experts from the human resources department, the public relations group, and from the corporate counsel’s office. Here’s why:

* Computer emergencies can require instant access to personnel records if an insider attack is discovered.

* There may be repercussions if information is leaked to the media or if rumors start spreading about an attack.

* It may be necessary to gather evidence and keep a careful chain of custody over it for civil lawsuits or for liaison with law enforcement authorities if criminal prosecutions are anticipated.

Chain of custody requirements demand that there be credible reason to trust the evidence presented in court. Therefore, all evidence – especially digital evidence, which is potentially changeable – must be safeguarded with visible and verifiable measures to prevent loss and tampering. For example, CERT investigators should ensure that data gathering is performed by at least two people at all times. These investigators should keep meticulous records of all their actions showing who did what when and should sign such records (physically if on paper – and use a bound log book with numbered pages while you’re at it – and digitally if in electronic notes).

All records should be safeguarded using bit-for-bit images copied onto CD-ROM (not CD-RW media) and stored securely under lock and key with two signatures required for release of the evidence.

For further reading:

Cowens, B. & M. Miora (2002). Computer emergency quick-response teams. Chapter 40 in _Computer Security Handbook, 4th Edition_.

Bosworth, S. & M. E. Kabay (2002), eds. _Computer Security Handbook, 4th Edition_. Wiley (New York). ISBN 0-471-41258-9. 1184 pp. Index.