Responding to Intrusions.

Abstract

Most organizations are not adequately prepared to deal with intrusions. They are likely to address the need to prepare and respond only after a breach occurs. The result is that when an intrusion is detected, many decisions are made in haste and can reduce an organization's ability to

  • understand the extent and source of an intrusion
  • protect sensitive data contained on systems
  • protect the systems, the networks, and their ability to continue operating as intended
  • recover systems
  • collect information to better understand what happened. Without such information, you may inadvertently take actions that can further damage your systems.
  • support legal investigations

Even if you have sophisticated prevention measures in place, intrusions can happen. In this module, we describe practices to be implemented independent of the size, type, or severity of an intrusion or of the methods used to gain access. The key event is that an intruder has gained access to your systems or data. You need a strategy for handling intrusions effectively that includes preparation, detection, and response. The practices in this module identify steps you must take to respond to and recover from a detected intrusion.

This module is a companion module to CMU/SEI-SIM-005 Preparing to Detect Signs of Intrusion and CMU/SEI-SIM-001 Detecting Signs of Intrusion.

Document Details

Document Type
Technical Report
Publication Date
Feb 01, 1999
Accession Number
ADA360500

Entities

People

  • Christopher J. Alberts
  • Cory Cohen
  • Gary A. Ford
  • Julia H. Allen
  • Klaus-Peter Kossakowski

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Application Protocols
  • Commerce
  • Computer Network Security
  • Computer Networks
  • Computers
  • Cybersecurity
  • Denial Of Service Attack
  • Detection
  • Electronic Mail
  • Information Exchange
  • Information Systems
  • Internet
  • Intrusion Detection
  • Network Protocols
  • Operating Systems
  • Software Development
  • Web Browsers

Readers

  • Cybersecurity
  • Educational Psychology
  • Software Engineering