In cyber security, incident management is the process of monitoring and detecting security-related events on a computer network and initiating appropriate responses. Essentially, the primary purpose of incident management is to develop clear responses to events that could result in disasters such as remote intrusions. The incident response process detects and evaluates threats and determines their severity before following the predetermined incident response plan. In the case of incidents that cannot be contained or resolved, other aspects of the contingency plan are implemented, as stipulated in the plan. According to Whitman, Mattord, and Green (2013), the incident response process comprises several stages, which include preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. This process is crucial in ensuring that the integrity of a network is maintained.
One of the crucial portions of the incident response process is determining the steps that are taken before, during, and after the occurrence of an incident. The incident response planning team typically considers every attack scenario and determines the steps. After all feasible attack scenarios are assessed by the incident response team, the team focuses on the steps that should be taken to react to an incident. In all attacks, there is always a trigger, which can be caused by a wide range of issues. Some common triggers include loss of connectivity in the network, device malfunctions, complaints from users, notification of an unrecognized device on the network, or unusual traffic in the network (Whitman, Mattord & Green, 2013). Essentially, such triggers let the systems administrator know there is an anomaly in the network that could be an incident.
Notably, upon the occurrence of an incident, it is imperative to react swiftly with a clear plan of action. It is typically up to the incident response duty officer to determine which aspect of the incident response plan to implement. It is also important to note that different attacks require employees with different skill sets. For instance, the skills required to tackle a DDoS attack may not be the same as those needed to handle a network virus (Whitman, Mattord & Green, 2013). When an incident occurs, the reaction processes should be preceded by a clear determination of a plan of action. For instance, in the event of a virus on the network, the first step would be to check the logs, virus scanners, and other systems designed to monitor unusual activity (Thompson, 2018). The next step would be to ascertain the scope of the infestation by checking all devices on the network and placing the infected ones under quarantine.
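The triggers listed above (an unrecognized device on the network, unusual traffic) and the virus scenario just described (check logs and scanner output, then determine the scope and quarantine the infected hosts) can be turned into a small triage routine. The following Python script is an added example, not taken from Whitman, Mattord and Green or from Thompson; the log line formats, the device allowlist, the traffic baseline, and the severity and next-step labels are all constructed assumptions for illustration.

```python
"""Added example: map log-line triggers to incident records and a quarantine list.

Stages follow the post's terminology: detection and analysis -> containment.
All log formats, device names, and thresholds below are constructed, not real.
"""
import re
from dataclasses import dataclass

# Constructed allowlist of known devices (assumption: an asset inventory exists).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "ws-hr-02",
}

# Constructed baseline: bytes per host per interval considered normal.
BASELINE_BYTES = 5_000_000

# Constructed sample log lines, as a log collector might emit them.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 dhcpd: DHCPACK on 10.0.0.12 to aa:bb:cc:00:00:01 via eth0",
    "2024-01-01T10:00:05 dhcpd: DHCPACK on 10.0.0.55 to aa:bb:cc:00:00:99 via eth0",
    "2024-01-01T10:01:00 netflow: flow src=10.0.0.12 dst=203.0.113.9 bytes=400000",
    "2024-01-01T10:01:30 netflow: flow src=10.0.0.23 dst=203.0.113.9 bytes=120000000",
    "2024-01-01T10:02:00 av-scanner: host=ws-hr-02 verdict=infected signature=constructed-sample",
    "2024-01-01T10:02:10 av-scanner: host=ws-finance-01 verdict=clean",
]


@dataclass
class Incident:
    trigger: str    # which trigger from the plan fired
    host: str       # affected host (IP or hostname as seen in the log)
    severity: str   # constructed severity label
    next_step: str  # stage of the response plan to move to


def classify(line):
    """Return an Incident if the line matches a known trigger, else None."""
    # Trigger: notification of an unrecognized device joining the network.
    m = re.search(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", line)
    if m:
        ip, mac = m.groups()
        if mac not in KNOWN_DEVICES:
            return Incident("unrecognized device", ip, "medium",
                            "analysis: identify owner; containment: isolate switch port")
        return None
    # Trigger: unusual traffic volume compared with the baseline.
    m = re.search(r"flow src=(\S+) dst=(\S+) bytes=(\d+)", line)
    if m:
        src, nbytes = m.group(1), int(m.group(3))
        if nbytes > 10 * BASELINE_BYTES:
            return Incident("unusual traffic", src, "high",
                            "analysis: inspect flow; containment: quarantine host")
        return None
    # Trigger: the virus scanner reports an infected host.
    m = re.search(r"host=(\S+) verdict=infected", line)
    if m:
        return Incident("virus detection", m.group(1), "high",
                        "containment: quarantine host; eradication: clean and rescan")
    return None


def triage(lines):
    """Detection and analysis over all lines; return incidents and the quarantine scope."""
    incidents = [inc for inc in (classify(line) for line in lines) if inc]
    quarantine = sorted({inc.host for inc in incidents if "quarantine" in inc.next_step})
    return incidents, quarantine


if __name__ == "__main__":
    found, scope = triage(SAMPLE_LOGS)
    for inc in found:
        print(f"[{inc.severity}] {inc.trigger} on {inc.host} -> {inc.next_step}")
    print("quarantine scope:", scope)
```

Running the script against the constructed lines yields three incidents (an unknown MAC address, a host sending far more than the baseline, and a scanner-reported infection) and a quarantine scope of two hosts; in practice the thresholds and allowlist would come from the organization's own inventory and traffic baseline, and the quarantine list would feed the containment step rather than being applied automatically.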
Part of planning for incidents involves knowing one's enemy by identifying an organization's assets, weaknesses, and vulnerabilities. This means that one must examine and understand the threats that pose a risk to the organization (Thompson, 2018). In doing so, the organization can identify possible controls, safeguards, and, most importantly, countermeasures that would reduce the risk posed by various threats. Some of the measures that a company can implement include providing additional security training to employees, awareness programs, and investing in security technologies such as advanced virus scanners and firewalls (Whitman, Mattord & Green, 2013). In some cases, an organization may terminate an asset by removing it from a risky environment. This is often the case if the cost of protecting the asset exceeds the value of the asset.
What are some of the scenarios where the cost of protecting an asset may not be justified by its value to an organization?
Thompson, E. C. (2018). Cybersecurity incident response: How to contain, eradicate, and recover from incidents. New York, NY: Springer.
Whitman, M. E., Mattord, H. J., & Green, A. (2013). Principles of Incident Response and Disaster Recovery. Boston, MA: Cengage Learning.