One of the major advantages of a virtual team is that members stay current on technology through their normal operations jobs. A full-time team, if there aren't sufficient incidents (or the incidents do not impact certain systems or applications), can become out of touch as new technology is deployed within the company. No incident response team member can possibly know a system as well as the people responsible for maintaining it on a daily basis.

If the focus of the team members is on daily operations, however, they might not consider that many things change during an incident. For example, a systems administrator will think nothing of logging in as root to investigate a malfunctioning server. If the server has been compromised, however, logging on directly can destroy evidence (file access times, volatile memory, the contents of shell history) or trigger logic bombs installed by the attacker.

The team will, as a minimum, require periodic training in evidence-handling procedures. This is perhaps the most dramatic difference between normal operations and incident response. Team members must be aware of the proper steps to take when securing digital evidence. If a team member is also the administrator for those systems, the problem is even greater. He or she must be reminded that his or her responsibilities change after an incident is formally declared. It might even be preferable to have another team member collect the evidence, both as an independent check and to prevent the appearance of impropriety or a conflict of interest.

If the team consists of full-time members, they must constantly strive to remain current and technically competent. Some teams do this by having team members conduct training or by issuing technical advisories. Although this might be a good method for maintaining proficiency, it is even more vital that the members be accurate. Issuing a technical advisory to operational units that contains errors will quickly undermine the credibility of the team and its members. Technical inaccuracy during training and awareness sessions will do the same.

Unfortunately, there are no easy answers to these issues. However, some practices have proven valuable in other organizations. As covered in Chapter 4, "Forming and Managing an Incident Response Team," training in the form of attendance at technical conferences, bringing in outside speakers and resources, making technical journals and books available, and having staff engage in operations with other incident response teams are well-established types of training. However, as you organize for incident response, you might find that these types of training are insufficient for the variety of training needs that exist. Thus, the following types of training might also be appropriate: