Chapter 4: Incident Management


What happens if your defenses are breached? What should you do? How do you respond to an attack? These are all valid questions, and they all have answers that have been learned the hard way by those in the trenches who have fought the battle and passed on their experiences to others. In this chapter, we discuss the evolutionary development process for site security, starting with the granddaddy of all security manuals, the Site Security Handbook, or RFC 2196 [1]. Much has been learned since the RFC was published initially, and those lessons should be heeded by those of us responsible for protecting corporate assets. This chapter shows you how to respond to an incident and manage each stage of the incident professionally. You will learn what is necessary for the composition and management of an incident response team and what expectations you should have of their work. We also discuss how to counter cyberattacks and show you some real-world examples of how failing to do so can affect enterprises.

4.1 Overview of RFC 2196 (Site Security Handbook)

Request for Comment (RFC) 2196 is the most recent update of RFC 1244 (developed in July 1991). RFC 2196 was issued in September 1997 and was intended to guide systems administrators and network security personnel in setting computer security policies and procedures for sites connected to the Internet. RFC 2196 lists specific issues and discusses certain factors that a site must consider when setting security policies. It is a framework for setting security policies and procedures within an organization. Historically, it is important to remember that this document preceded the Information Assurance Technical Framework (IATF) and was among the first definitive sets of recommendations for dealing with security issues in a hybrid network/Internet environment. In the mid-1980s, before the days of browser-based Internet access, RFC 1244 was the reference du jour for network security.

At that time, the Internet was used mainly by government and academic institutions. It was viewed as a privileged access tool for passing information from one location to another and for allowing geographically dispersed teams to share and collaborate on documents and projects using text-based interfaces and the File Transfer Protocol (FTP). Eventually, RFC 1244 was made obsolete by RFC 2196. This change was made partly to reflect the ever-growing use of the Internet outside of the academic and government user communities and partly because of the increasing number of security issues that followed from broadened individual and commercial usage. As more people gained access to the Internet, even more security vulnerabilities began to crop up. These new security problems were posing serious risks to organizations. This situation was new to many systems and network administrators, who sought guidance from many sources in resolving those matters. It quickly became apparent that standards were needed.

RFC 2196 provided guidance to system and network administrators on how to deal with issues such as risk management, establishment of policies for security, basic architectures for protecting the boundary region of a networked environment, firewalls, and security services. It also provided some recommended procedures to follow for incident handling and follow-up. It presented recommendations on the most basic aspects of good security procedures in use today. Although the RFC stated in the first paragraph that it was not a standard, RFC 2196 became the de facto standard employed for site security. It is used as such even unto this day. It is worthwhile for the reader to consult RFC 2196 to gain a detailed perspective on basic site security issues. The RFC is a bit dated, however, so this book attempts to take the reader from the beginnings of security to models in use today.




Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153