Security Basics mailing list archives

R: incident response - management approach


From: H C <keydet89 () yahoo com>
Date: Wed, 23 Oct 2002 05:46:48 -0700 (PDT)

> Therefore I would like to welcome any suggestions, links
> or articles on what an organisation should do after a minor,
> medium or major incident has happened in a company (not only
> cyber-crime)?


Why are you focusing on what happens afterwards? Why
not start preparing before an incident occurs?  Harden
systems so that it's difficult to break in or cause
damage.  At the very least, you want attempts to make
"noise" and fill log files. 

Also, have you even bothered to do a search?  There
are several good books on IR...the ones by Gene
Schultz and Rick Forno provide a lot of really good
management-level info, and the one by Mandia and
Prosise provides excellent investigator-level
information.  There are also articles on SF itself.

> When to contact the law enforcement agencies:

It really depends on your business, and what
senior-level management says...once they are educated.
Do the cops need to be called for everything?  No.
One company I worked at had a memo from Legal Counsel
stating that only three things would be reported
outside of the company (gambling, CP/KP, potential
copyright infringement)...and these three were
required by federal law.

> What consequences should they bear in mind when
> doing that?

Loss of control.  Potential media involvement (look at
what was leaked early on in the spree sniper
investigation going on in the Metro DC area...Chief
Moose has expressed anger on more than one occasion
regarding information leaked to the media), which will
lead to embarrassment and possibly loss of customer
confidence.

On the flip side, though, LEO involvement can be a
good thing, particularly if the culprit is caught.  It
can boost customer confidence and act as a deterrent
if the person is caught and punished. 

> ... Even incident response perhaps is partially a
> top management activity?

Wrong!  IR is TOTALLY a top-level management activity.
Or perhaps a better word is responsibility.  IR
activities need to have the endorsement and oversight
of senior-level management b/c you need things like:

1.  Funding to support incident preparation, training,
etc.
2.  Interaction w/ legal counsel, and in the case of
anything involving an employee of the company, HR.
3.  Team members come from so many different sections
of the company that you need someone senior to act as
an overall point of responsibility and decision
making.
4.  You DO NOT want the techies who actually do the
investigations to interface w/ the customer/public.
All information needs to go through someone who
understands the business and how such information can
affect it.  Too many techies aren't even capable of
sticking to just the facts (let alone finding the
facts)...in more than one case, the admin
investigating an incident has made wholly incorrect
assumptions about the incident w/o any facts to back
it up (don't believe me?  Read this list and the
Incidents list for a couple of weeks...you'll see).

Questions?  Comments?
