Summary


This chapter sets the stage for the rest of this book. "Incident response" means responding to "incidents," events that happen in computing systems and networks that threaten security. "Security" has traditionally translated to the need for confidentiality, integrity and availability (CIA), so in the most fundamental sense, incidents involve some kind of compromise of CIA.

Security-related incidents have become substantially more diverse in nature, however; incidents such as reconnaissance attempts, repudiation of transactions, organized crime activity, subversion, extortion attempts, and hoaxes are becoming more common. Incident response has become increasingly important because of the growing difficulty of securing systems and networks, the proliferation of security-related vulnerabilities, the need to minimize loss and disruption when incidents occur, legal considerations, and other important reasons. Although traditional methods such as risk analysis can be used to find some kinds of risk, and although security countermeasures can be deployed to protect against these risks, traditional strategies are in and of themselves insufficient to counter the many current threats and risks.

Incident response is now a necessary component of a successful computer and network security life cycle that includes countermeasures, detection, and response. A successful incident response effort requires considerable organization and planning, starting with the appropriate provisions in an organization's information security policy and then building from there. Developing a suitable incident response architecture, planning resource needs, planning use of technology, creating incident response procedures, forming cooperative relationships with other teams and organizations, and creating appropriate metrics are also essential elements in planning and organizing for incident response.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
