Exercise 65: Maryland Programming


The first order of business is to preserve any and all data that points to the intrusion (logs, modified files, memory, network captures) before it is overwritten or lost. Proper procedures must be followed and everything documented from the outset in order to

  • Have any chance of prosecution

  • Be able to prevent a similar incident in the future

  • Identify everything that has been affected

An Incident Response Plan (IRP) should exist and be referenced immediately to see what steps should be followed after an incident has occurred. A chain of custody should be established and documented for all evidence gathered: who collected each item, when, how, and who has held it since, with a cryptographic hash recorded at collection time so any later alteration can be detected. The escalation policies, hopefully spelled out in the IRP, should be followed in order to notify the appropriate managers, IT personnel, and law enforcement, if necessary.
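The following is an added example, not part of the lab manual's own answer: a minimal chain-of-custody manifest written as POSIX shell functions. Each collected file gets one manifest line recording the UTC timestamp, the collector, the absolute path, the size and a SHA-256 hash, and the file is made read-only; a second function recomputes every hash so the investigator (or a court) can show the evidence is unchanged. The tool names (sha256sum, with shasum as a fallback), the manifest format and the sample log file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the lab manual): chain-of-custody manifest for
# files collected during an incident. Manifest format and tool choice are
# this example's own assumptions.

# Portable SHA-256: GNU coreutils on Linux, shasum on BSD/macOS.
evidence_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_evidence FILE COLLECTOR MANIFEST
# Appends one line "timestamp|collector|absolute path|size|sha256" to the
# manifest and removes write permission so the file is not altered by
# accident. (Paths containing '|' would break this simple format.)
record_evidence() {
    file=$1; collector=$2; manifest=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    abs=$(cd "$(dirname "$file")" && pwd)/$(basename "$file")
    size=$(wc -c < "$file" | tr -d ' ')
    hash=$(evidence_hash "$file")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s|%s|%s|%s|%s\n' "$stamp" "$collector" "$abs" "$size" "$hash" >> "$manifest"
    chmod a-w "$file"
}

# verify_evidence MANIFEST
# Recomputes the hash of every listed file. Returns 0 only if every entry
# still exists and matches; prints one status line per entry.
verify_evidence() {
    manifest=$1; status=0
    while IFS='|' read -r stamp collector path size hash; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        now=$(evidence_hash "$path")
        if [ "$now" = "$hash" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path (recorded $hash, now $now)"; status=1
        fi
    done < "$manifest"
    return $status
}
```

Usage: `record_evidence /var/log/auth.log jdoe /mnt/evidence/manifest.txt` once per collected file, then `verify_evidence /mnt/evidence/manifest.txt` whenever the evidence changes hands. In practice the manifest itself should be copied to write-once media and its own hash noted in the handwritten custody log, since a manifest stored beside the evidence can be edited along with it.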

After investigating the incident, and documenting as much as possible, the next order of business should be to restore the data and repair the damage. Depending on the level of the security breach, this could simply be a matter of copying a couple of files from backup media, or it could involve reformatting and reinstalling the entire operating system. Restoration should begin only once the evidence has been preserved and the point of entry closed, and from backups known to predate the compromise; otherwise the attacker's foothold is restored along with the data.

To be fully prepared for such incidents, simulated incidents (tabletop exercises or live drills) should be conducted from time to time to make certain that all who should be involved know how to respond accordingly. Sites such as cert.org should be closely monitored for recommendations on how to respond and to be kept abreast of new threats.



NovellR Linux Certification Practium Lab Manual
Year: 2004
Pages: 192
