Monday, April 1, 2019
Security Incident Handling Service
EXECUTIVE SUMMARY

1 INTRODUCTION

Expect the unexpected. As soon as a crisis erupts, it should be immediately handled to reduce its potential impact on critical business operations. Such undesirable incidents occur unanticipated and when they do take place, damage or harm is the result. In most aspects of life, it is better to stop something disastrous happening than it is to deal with it after it has happened, and IT security is no exception. If possible, security incidents should be prevented from occurring in the first place. Yet, it is not achievable to prevent every security incident. When an incident does happen, its impact needs to be brought down to an adequate recommended level. Security incident handling outlines the actions to follow in the event that an electronic information system is compromised. An event is declared an incident when the confidentiality, integrity or availability (CIA) elements of a system are compromised. Significant commodities such as information and knowledge must be safeguarded at all costs. Communications within an organization and its interactions with its customer base are regarded as the life blood in this IT intensive, fast paced world. If an organization is inoperative for any period of time, it may cost millions in lost business or loss of reputation. The size of an organization does not matter. Unexpected downtime influences organizations of all sizes, impacting revenue, customer satisfaction and overall production. It is vital that they quickly recover from such downtime, restore operation and re-establish their presence to ensure survival.
Consequently, many firms have realized the importance of setting up incident handling procedures. One of the drawbacks is that many organizations learn how to respond to security incidents only after suffering from them. In the course of time, incidents often become much more costly. Proper incident response should be an integral part of the overall security policy and risk mitigation strategy. Incident handling procedures that are in place in an organization help to maintain the business continuity of critical operations. In today's competitive economy, a company can't afford to cease critical business operations and remain idle for a long period of time because of a lack of incident handling procedures. Thus, an organization needs to be well prepared for continuity or recovery of systems. This typically requires a considerable investment of time and money with the aim of ensuring minimal losses in the event of a disruptive event. The goal of setting up incident handling procedures is to know exactly what to do when an incident breaks out. This means anticipating scenarios before they occur and making appropriate decisions about them in advance. Those assessments typically demand consultation and senior management support, hence these people are needed immediately after an incident has been confirmed. For example, just deciding who to tell when an incident occurs can be hard to determine. Management needs to provide input to respond quickly, and this leads into issues like after hours support and mixed project/support roles. External support may also be sought, resulting in additional cost, time and effort to select partners.

1.1 PURPOSE OF THE DOCUMENT

This document provides guidance to identify and record the nature and scope of a computer security incident handling service.
This paper discusses the functions that support the service, how those functions interrelate and the tools, procedures and roles necessary to implement the service. It also concentrates on incident analysis. For example, we can make a comparison between a fire that broke out in an apartment and a computer security incident that happened in an organization. Just as a fire department will investigate a fire to know where it originated from, a Computer Security Incident Response Team (CSIRT) tries to figure out how the security incident occurred. Both the fire department and the CSIRT operate in the same way. A fire department needs to get along with other fire departments that it can depend on for additional support in peak times or to tackle a serious catastrophe. It must cooperate with other emergency units to react promptly and provide law enforcement. This document will discuss how CSIRTs interact with other organizations, such as the department that reported the security incident to it, other CSIRTs, law enforcement and the media. Both the fire department and the CSIRT need to properly handle information, some of which is sensitive and relevant to the individual held responsible for the crime. Information handling is considered to be an indispensable discussion subject in this paper. CSIRTs maintain client confidentiality in the same manner that many emergency units do, safeguarding reporters and victims from public disclosure. CSIRT survival depends on handling confidential information appropriately, because if it can't be trusted, nobody will report to it, thus making it almost useless. CSIRTs have committed permanent staff as well as part-time, volunteer staff and reliable security experts to handle an unexpected security emergency.
Its staff is at the frontline in the event of a crisis; CSIRT achievement depends on their positive interaction with the outside world and the image that they project by the way they perform their duties and the service quality that they provide. To attain such a high level of success, recruiting suitably competent staff seems to be a complicated process. People in charge of appointing CSIRT staff mistakenly look for an unsuitable set of talent and ability in prospective employees. For that reason, this paper discusses staffing and hiring concerns and actions to guarantee that CSIRT staff offer reliable, pleasant and specialized service. Other services besides the incident handling service, such as the supply of intrusion detection assistance and vulnerability handling, are also provided by the CSIRT. The information in this paper is presented in such a manner that it is basic for the reader to put it into operation in any type of CSIRT setting, from an in-house team for a company to an international coordination center. This document is intended to present a valuable foundation both to recently created teams and to existing teams where there is a lack of clearly defined or documented services, policies and procedures. This paper is more appropriate to use during the early stages when a company has acquired management support and funding to set up a CSIRT, before the team becomes operational. Moreover, this paper can still be a valuable reference document for already operational teams.

1.2 INTENDED AUDIENCE

The general CSIRT community who may require a better knowledge of the composition and objectives of their existing teams will benefit from this document. It also targets individuals and organizations who are likely to join the CSIRT community in the near future.
It is aimed at managers and other personnel who take part in the process of setting up and leading a CSIRT or managing an incident crisis. The list may include:
Chief Information Officers, Chief Security Officers and Information Systems Security Officers
Project leaders and members in charge of creating the team
CSIRT managers
CSIRT staff
IT managers [1]
Higher management levels and all CSIRT staff can use this paper as a useful reference. This document can likewise be used by other individuals who work together with CSIRTs. This may include members of the:
CSIRT constituency
law enforcement community
systems and network administrator community
CSIRT parent organization or other departments within the parent organization such as legal, media or public relations, human resources, audits and risk management, investigations and crisis management [2]

2 MAIN CONTENT

Definition of Security Incident

The Information Security Management Handbook defines an incident as "any unexpected action that has an immediate or potential effect on the organization" [3]. Whenever the safety and stability of an information system is compromised, such an instance can be referred to as a security incident. There are several different definitions of security incidents. One is "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices" [4]; another definition describes the security incident as "any event that may threaten or compromise the security, operation or integrity of computing resources" [5]. In other words, a security incident is a state of violation of the security policy of an organization and of the security of its information system. Security incident is a general term that encompasses any type of security breach regardless of location, the level of the threat or its magnitude.
The commonly known factors of security incidents are events and actions that violate one or more basic elements of information security: confidentiality, integrity and availability (CIA) of information systems. An incident can be caused by authorized or unauthorized personnel, process, hardware or software. It can be an accident as well as a planned malicious action.

Handling security incidents

In the course of a crisis, time runs short in terms of deciding what to do, who will do it or how it will get done; therefore it is vital to arrange for a response in advance. The better prepared you are for an incident, the more likely you are to respond correctly. Proper set-up of an incident handling procedure can help to lessen the impact of undesirable incidents. The objective of having such a procedure in place is to provide a framework for an orderly, coordinated response by appropriate resources within the organization. It is in a company's own interest to establish a Computer Security Response Capability, a process that provides centralized response and reporting functions for security incidents.
According to the Computer Security Incident Handling Guide (National Institute of Standards and Technology, March 2008), establishing an incident response capability should include the following actions:
Creating an incident response policy and plan
Developing procedures for performing incident handling and reporting, based on the incident response policy
Setting guidelines for communicating with outside parties regarding incidents
Selecting a team structure and staffing model
Establishing relationships between the incident response team and other groups
Determining what services the incident response team should provide
Staffing and specifying the incident response team
The Cyberthreat Response and Reporting Guidelines report, jointly authorized by the FBI and US Secret Service, recommends that the better equipped a company is in the event of a security event, the better chance it has to reduce the impact of the crisis. This recommendation is actually one of the chief responsibilities of a CSIRT: to be well organized to successfully cope with incidents when they happen and to help prevent incidents from occurring in the first place. As a starting point, the team should draw up a strategy plan for incident handling. This plan should be supported with documented policies and procedures. According to State of the Practice of Computer Security Incident Response Teams (October 2003), the incident response plan identifies the mission and goals of the team, the team roles and responsibilities, the services provided and the policies, procedures, processes and guidelines related to incident handling. The incident response plan is not only intended for CSIRT employees, but also for the community that they serve. From that viewpoint, both parties should be knowledgeable about what to report, how to report it and to whom it should be reported. The plan should also describe the expected level of service that is reasonable.
Staff who are involved with computer security incidents recognize the fact that these incidents vary in form and size. Some are quite uncomplicated, easy to cope with and mitigate, while others are extremely severe and very complicated, or can have a harsh impact on IT systems and necessitate appropriate authority to respond effectively. In the event of a crisis, adhering to the plan in place will help the organization to promptly isolate breaches cropping up on IT systems or networks, as well as to respond to such events. It may alleviate potential risks such as loss of company reputation, trust or financial status. Existing CSIRTs who don't have a robust plan can still manage with some basic guidelines. They can make use of their current incident handling procedures as a guideline while they revise their existing documentation. They can rely on those basic guidelines, namely the plan to handle incidents, areas of responsibility, and general and specific procedures. Other typical guidelines can include an incident response checklist as well as procedures for what type of activity to report and how that information should be reported. A company needs to take into consideration several factors prior to planning an incident response capability.
They include:
introducing a point of contact for reporting incidents
pinpointing the aims and objectives of the team
identifying and selecting the staff and the necessary expertise
offering direction for reporting and handling incident reports
providing proper security awareness and incident response preparedness for CSIRT staff
launching and promoting specific incident handling and security policies and procedures for the CSIRT
sharing lessons learned with other colleagues
designing a benchmark to measure the effectiveness of the CSIRT
devising a strategy to allow coordination between the CSIRT and internal and external parties
Organizations or the team typically approve policies and record them. It is crucial to know what these policies consist of and to ensure that they are properly implementable and enforceable in the workplace. Like the mission statement, senior management approves and enforces policies. The policies need to be openly expressed and well understood by each team member, whether technical, management or administrative. It will be a difficult business for the staff to appropriately execute and carry out their duties without a clear understanding of the policy. In order to write a clear policy, it is best to avoid unnecessary jargon. Whenever possible, consult someone who is not in security or IT to review the policies. Rephrase the policies if they are not understood. Use very short sentences. A good policy is a short one. A security policy should be concise, well segregated between the management aspect (the policy) and the operational aspect (the procedures). Moreover, a policy must be both implementable and enforceable, or else it doesn't have any purpose. It is easier to implement a policy if it is well designed and relevant to the needs and goals of the CSIRT.
Truly effective policies address real needs within a business, making the staff willing and even eager to implement them because they make operations smoother and give the business added reliability. Top management should execute appropriate actions or steps to enforce a policy. Policies must be enforceable, otherwise they are of little or no value. Usually when a policy is implementable, it is also enforceable unless it contradicts itself. Concrete measures are needed to assess the usage of the policy. Example: a contradictory policy is a security policy that ranks internal information security as priority number 1 but at the same time ensures absolute privacy for its staff; the latter makes it hard or even impossible to enforce security in case of an insider threat. To successfully set up and implement security policies, top management needs to be involved in and strongly support the project (Lam, 2005). A proposal with a report of external and internal requirements and a draft estimated budget can easily persuade managers to support the development and implementation of a security project. Having management support and authorization can resolve money and time issues. These managers can allocate the necessary budget and allow adequate time for development and implementation. In addition, top management has the power to drive processes by requiring employees to participate (Kearns & Sabherwal, 2006).

How to Implement Security Policies Successfully

The implementation phase is probably the hardest phase in the life cycle of developing and maintaining security policies. Many organizations fail in this phase. To implement security policies effectively and efficiently, teams first need to resolve many issues.
Lack of strong management support (Fedor et al., 2003; Lam, 2005), lack of budget (Kearns & Sabherwal, 2006; Martin, Pearson & Furumo, 2007), lack of implementation time (Walker & Cavanaugh, 1998), lack of strong leadership (Fedor et al., 2003), lack of awareness of the benefits of implementing security policies (Hansche, Berti & Hare, 2004), or ineffective communication with users (Jackson, Chow & Leitch, 1997; Walker & Cavanaugh, 1998) may cause problems. Resolving all of the above issues can help in successfully implementing security policies.

Computer Security Incident Response Team (CSIRT)

A team is a focal component of incident response plan, policy and procedure creation, so that incident response is handled effectively, efficiently and consistently. The team should cooperate with other teams within the organization towards a central goal which encompasses the plan, policies and procedures. External parties such as law enforcement, the media and other incident response organizations can also be contacted. The Computer Security Incident Response Team is regarded as the nerve center of an incident response plan. It is normally composed of a team manager, a management advisory board and other permanent and temporary team members. The temporary staff provide advice on technical, business, legal or administrative issues, depending on the nature and scope of the incident. The team assists the organization to identify and document the nature and scope of a computer security incident handling service. The team manager supervises the work of the team members, presents ongoing status information to the Chief Information Officer (CIO) and other senior management, and requests assistance and expert advice from outside the IT department when needed. This role leader should be familiar with computer security issues, the function of IT areas and staff, general company operations as well as the duties of other employees in the institution who may serve as resources for the CSIRT.
Under challenging situations, the team manager must be able to coordinate teamwork with other staff and to deal properly with circumstances that necessitate discretion or confidentiality. The technical leader's role is to assess the characteristics and severity of an incident, propose recommendations on security control and recovery issues to the team manager and request additional technical resources if needed. This role should possess a great understanding of operational and systems security. Other employees can join the team on a voluntary basis and remain team members until closure of the incident. Additional resources may be needed to cover areas such as law enforcement, legal, audit, human resources, public relations, facilities management or IT technical specialties. The table below shows a list of members who should be included in the CSIRT and their roles in the team.

Table 1: Team members in IRT. Source: table from page 4-2 of Incident Response Procedure for Account Compromise, Version 1.2, 2004, by Visa International. [table body not available]

Besides their technical expertise, the distinctive quality of CSIRT staff is their motivation and ability to adhere to procedures and to present a professional image to customers and other parties working together with them. In other words, it is more convenient to appoint staff with less technical expertise and excellent interpersonal and communication skills, and subsequently train them in a CSIRT-specific environment, than vice versa. Communication by a team member who is a technical expert but has poor communication skills may severely damage the team's reputation, while interactions that are handled ably will help to improve the team's standing as a valued service provider. Possessing a broad range of interpersonal skills is significant since team members are frequently in contact with each other and with other parties such as law enforcement, legal and human resources.
Thus, the professional interactions that CSIRT employees engage in will influence the reputation of the team, and special attention to an individual's interpersonal skills matters. Some interpersonal skills required for incident handling staff are listed below:
sound judgment to make effective and suitable decisions in time of crisis or under pressure or strict time constraints
effective oral and written communication skills for interaction with other parties
discretion when dealing with the media
ability to follow policies and procedures
willingness to learn new things
ability to work under pressure
teamwork
reliability to maintain the team's reputation and status
readiness to accept one's own mistakes
problem solving skills to efficiently handle incidents
time management skills for high priority tasks
Apart from interpersonal skills, CSIRT staff should possess a fundamental understanding of the technology and issues on which they base their expertise. The following technical know-how is critical for CSIRT staff:
public data networks (telephone, ISDN, X.25, PBX, ATM, frame relay)
the Internet (aspects ranging from architecture and history to future and philosophy)
network protocols (IP, ICMP, TCP, UDP)
network infrastructure elements (router, DNS, mail server)
network applications, services and related protocols (SMTP, HTTP, HTTPS, FTP, TELNET, SSH, IMAP, POP3)
basic security principles
risks and threats to computers and networks
security vulnerabilities/weaknesses and related attacks (IP spoofing, Internet sniffers, denial of service attacks and computer viruses)
network security issues (firewalls and virtual private networks)
encryption technologies (TripleDES, AES, IDEA), digital signatures (RSA, DSA, DH), cryptographic hash algorithms (MD5, SHA-1)
host system security issues, from both a user and system administration perspective (backups, patches) [6]
It is crucial that one member of the team possesses a thorough understanding of the full range of technologies and issues used by the team. This helps to expand and strengthen the technical resources and capability of the team and to train other team members through education and documentation. It also makes sure that the team can provide a full range of services. Besides an in-depth understanding of the technical skills listed above, the following specialist skills are required:
technical skills such as programming, administration of networking components (e.g. routers, switches) and computer systems (UNIX, Linux, Windows, etc.)
interpersonal skills such as human communication, experience in presenting at conferences or managing a group
work organization skills
Obviously, a team will be unable to employ individuals who possess all the necessary interpersonal and technical skills. But there are opportunities to address such deficiencies in those skills, such as training staff to develop and retain such skills and supporting continuous progress.

Hiring CSIRT Staff

For any staff vacancy, the hiring process to recognize the most talented applicant is a complicated task. Even a candidate who appears on the surface to possess the right skill set might not be able to work within a CSIRT setting. It is especially when a crisis has been declared that the candidate may not be able to cope with the situation and may carry out their duties inefficiently. Therefore, it is recommended to put the applicant through a hiring process specifically designed to reveal the applicant's strengths and weaknesses. Based upon the findings of the hiring process, the team will make up their mind to train the applicant in the specific skills that the candidate may require or decide not to employ the candidate.
Compared to a regular hiring process, additional steps should be included in any CSIRT hiring process, and they are:
pre-interview document check
pre-interview telephone screening
interviews that cover topics from technical abilities to interpersonal skills
candidate technical demo
reference checks, including criminal records
The complete hiring process should be devised to detect potential employees who possess appropriate interpersonal skills and technical skills. Such candidates can undergo further training to acquire more competence. Before calling the applicant for a personal interview, the pre-interview document check and telephone screening determine in the first instance whether the candidate is an ideal match for the selection process. At this stage, more information is gathered about the applicant's broad level of interest in computer security and other more specific details on items covered in his or her resume. The telephone screening will give a good impression of the candidate's verbal communication skills. Before CSIRT staff begin to interview potential candidates, it is better to decide in advance what particular issues, ranging from technical issues and ethical issues to social skills, are most likely to be discussed during the interview process and to select which existing staff are most suitable to talk about those issues with the candidate. Thus separate topic areas are covered by each of the various interviewers, avoiding any duplication of effort. Each interviewer will be in a position to review and consolidate feedback on the issues covered. Another strategy may be carried out where similar topics are discussed by other team members involved in the interview process to agree on the candidate's ability in a particular topic and identify any weaknesses. To ensure proper recruitment, the applicant should have the opportunity to meet up with CSIRT team members through a lunch meeting or at the candidate's technical presentation.
A candidate required to give a technical presentation offers the CSIRT an opportunity to measure other technical and interpersonal skills of the candidate. It also gives an idea of how much common sense the candidate has and whether the applicant will be able to cope under stressful situations. Other qualities such as overall presentation skills, an eye for detail, technical accuracy and ability to answer questions on the fly are also taken into account. After an individual has been appointed, there is also an enormous task to make them adjust to the CSIRT. The new staff will need to undergo training for some period of time to get used to the CSIRT working environment as well as the specific policies and procedures for the team. Some new recruits may be given access only to limited information until relevant certificates or clearances, such as organization or military clearances, are obtained. Staff training is compulsory in order to make the new recruits acquire the necessary skill level to take on their new responsibilities. Secondly, training is necessary to expand existing staff skills for personal career growth and overall team progress. Staff training also helps keep the overall CSIRT skill set updated with emerging technologies and intruder trends. When considering the overall training needs of the team, it is necessary to figure out the overall skills needed for each individual, as well as the common skill set required for the whole team. Obviously, a new staff member should acquire immediate training in any deficient skills to perform effectively quickly. From a general viewpoint, the whole team should be assessed to determine any training that needs more attention to expand skill set coverage in the team. At the same time, this assessment focuses on an individual's skill set.
Policies and procedures are a necessity and should be enforceable to support initial training of new team member and to guarantee ongoing training as policies and procedures get amended. Besides the interpersonal and technical skills discussed earlier, each team member should be trained in areas specific to the incident handling functions in a normal CSIRT work environment. nurture should cover up the following issue snew technical developmentsCSIRT team policies and proceduresincident analysis keep of incident recordsunderstanding and identifying intruder techniqueswork make full distribution and organizational techniquesInitial training is conducted through on-the-job training. Since incident handling profession is different in work nature from other professions, there is no formal educational path for CSIRT staff and limited documentation in the literature. Most printed materiSecurity Incident Handling ServiceSecurity Incident Handling ServiceEXECUTIVE SUMMARY1 INTRODUCTIONExpect the unexpected. As soon as a crisis erupts, it should be immediately handled to reduce its potential impact on critical business operations. Such undesirable incidents occur unanticipated and when they do take place, damage or harm is the result. In most aspects of life, it is better to stop something disastrous happening than it is to deal with it after it has happened and IT security is no exception. If possible, security incidents should be dealt accordingly from occurring in the first place. Yet, it is unachievable to prevent security incidents. When an incident does happen, its impact needs to be brought down to adequate recommended level. Security incident handling outlines the actions to follow in an event that an electronic information system is compromised. An event is declared an incident when the confidentiality, integrity or availability (CIA) elements of a system is compromised. Significant commodities such as information and knowledge must be safeguarded at all costs. 
Communications within an organization and its interactions to its customer base are regarded as the life blood in this IT intensive fast paced world. If an organization is inoperative for any period of time, it may cost millions in lost business or loss of reputation. Size of an organization does not matter. Unexpected downtime influences organizations of all sizes impacting revenue, customer satisfaction and overa ll production. It is vital that they quickly recover from such downtime and restore operation and re-establish their presence to ensure survival. Consequently, many firms have realized the importance of setting up incident handling procedures. One of the drawbacks is that many organizations learn how to respond to security incidents only after suffering from them. In the course of time, incidents often become much more costly. Proper incident response should be an integral part of the overall security policy and risk mitigation strategy. Incident handling procedures that are in place in an organization improves to maintain the business continuity of critical operations. In todays competitive economy, a company cant afford to cease critical business operations and remain idle for long period of time because of lack of incident handing procedures. Thus, an organization needs to be well prepared for continuity or recovery of systems. This typically requires a considerable investment of time and money with the aim of ensuring minimal losses in the event of a disruptive event. The goal of setting up incident handling procedures is to know exactly what to do when an incident breaks out. This means anticipating scenarios before they occur and making appropriate decisions about them in advance. Those assessments typically demand consultation and senior management support, hence these people are needed early immediately after an incident has been confirmed. For example, just deciding who to tell when an incident occurs can be hard to determine. 
Management needs to provide input in order to respond quickly, and this leads into issues like after-hours support and mixed project/support roles. External support may also be sought, resulting in additional cost, time and effort to select partners.

1.1 PURPOSE OF THE DOCUMENT

This document provides guidance to identify and record the nature and scope of a computer security incident handling service. This paper discusses the functions that support the service, how those functions interrelate, and the tools, procedures and roles necessary to implement the service. It also concentrates on incident analysis. For example, we can make a comparison between a fire that broke out in an apartment and a computer security incident that happened in an organization. Just as a fire department will investigate a fire to learn where it originated, a Computer Security Incident Response Team (CSIRT) tries to figure out how the security incident occurred. Both the fire department and the CSIRT operate in the same way. A fire department needs to get along with other fire departments on which it can depend for additional support in peak times or to tackle a serious catastrophe. It must cooperate with other emergency units and with law enforcement to react promptly. This document will discuss how CSIRTs interact with other organizations, such as the department that reported the security incident, other CSIRTs, law enforcement and the media. Both the fire department and the CSIRT need to handle information properly, some of which is sensitive and relevant to the individual held responsible for the crime. Information handling is considered an indispensable subject of discussion in this paper. CSIRTs offer client confidentiality in the same manner that many emergency units do, safeguarding reporters and victims from public disclosure.
A CSIRT's survival depends on handling confidential information appropriately, because if it can't be trusted, nobody will report to it, making it almost useless. CSIRTs have committed permanent staff as well as part-time and volunteer staff and reliable security experts to handle an unexpected security emergency. Its staff are at the front line in the event of a crisis; a CSIRT's success depends on their interaction with the outside world and the image they project by the way they perform their duties and the quality of service they provide. To attain such a high level of success, recruiting suitably competent staff turns out to be a complicated process. People in charge of appointing CSIRT staff mistakenly look for an unsuitable set of talents and abilities in prospective employees. For that reason, this paper discusses staffing and hiring concerns and actions to guarantee that CSIRT staff offer reliable, pleasant and specialized service. Other services besides the incident handling service, such as the provision of intrusion detection assistance and vulnerability handling, are also provided by CSIRTs. The information in this paper is presented in such a manner that the reader can put it into operation in any type of CSIRT setting, from an in-house team for a company to an international coordination center. This document is intended to present a valuable foundation to both recently created teams and existing teams where there is a lack of clearly defined or documented services, policies and procedures. This paper is most appropriate for use during the early stages, when a company has acquired management support and funding to set up a CSIRT but before the team becomes operational. Moreover, this paper can still be a valuable reference document for already operational teams.

1.2 INTENDED AUDIENCE

The general CSIRT community, who may require a better knowledge of the composition and objectives of their existing teams, will benefit from this document.
It also targets individuals and organizations who are likely to join the CSIRT community in the near future. It is specifically aimed at managers and other personnel who take part in the process of setting up and leading a CSIRT or managing an incident crisis. The list may include:

- Chief Information Officers, Chief Security Officers and Information Systems Security Officers
- project leaders and members in charge of creating the team
- CSIRT managers
- CSIRT staff
- IT managers [1]

Higher management levels and all CSIRT staff can use this paper as a useful reference. This document can also be utilized by other individuals who work together with CSIRTs. This may include members of the:

- CSIRT constituency
- law enforcement community
- systems and network administrator community
- CSIRT parent organization or other departments within the parent organization such as legal, media or public relations, human resources, audit and risk management, investigations and crisis management [2]

2 MAIN CONTENT

Definition of Security Incident

The Information Security Management Handbook defines an incident as any unexpected action that has an immediate or potential effect on the organization [3]. Whenever the safety and stability of an information system is compromised, such an instance can be referred to as a security incident. There are several different definitions of security incidents. One is "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices" [4]; another describes a security incident as "any event that may threaten or compromise the security, operation or integrity of computing resources" [5]. In other words, a security incident is a violation of an organization's security policy and of the security of its information systems. Security incident is a common term that encompasses any type of security breach regardless of its location, the level of the threat or its magnitude.
The commonly known factors of security incidents are events and actions that expose one or more of the basic elements of information security, the confidentiality, integrity and availability (CIA) of information systems. An incident can be caused by authorized or unauthorized personnel, processes, hardware or software. It can be an accident as well as a planned malicious action.

Handling security incidents

In the course of a crisis, time runs short for deciding what to do, who will do it or how it will get done; therefore it is vital to arrange for a response in advance. The better prepared you are for an incident, the more likely you are to respond correctly. Proper set-up of an incident handling procedure can help to lessen the impact of undesirable incidents. The objective of having such a procedure in place is to provide a framework for an orderly, coordinated response by appropriate resources within the organization. It is in a company's own interest to establish a Computer Security Response Capability, a process that provides centralized response and reporting functions for security incidents.
According to the Computer Security Incident Handling Guide (National Institute of Standards and Technology, March 2008), establishing an incident response capability should include the following actions:

- creating an incident response policy and plan
- developing procedures for performing incident handling and reporting, based on the incident response policy
- setting guidelines for communicating with outside parties regarding incidents
- selecting a team structure and staffing model
- establishing relationships between the incident response team and other groups
- determining what services the incident response team should provide
- staffing and training the incident response team

The Cyberthreat Response and Reporting Guidelines report, jointly approved by the FBI and the US Secret Service, points out that the better equipped a company is for a security event, the better its chances of reducing the impact of the crisis. This recommendation reflects one of the chief responsibilities of a CSIRT: to be well organized so as to cope successfully with incidents when they happen and to help prevent incidents from occurring in the first place. As a starting point, the team should have a strategic plan for incident handling. This plan should be supported with documented policies and procedures. According to State of the Practice of Computer Security Incident Response Teams (October 2003), the incident response plan identifies the mission and goals of the team, the team's roles and responsibilities, the services provided, and the policies, procedures, processes and guidelines related to incident handling. The incident response plan is not only intended for CSIRT employees but also for the community they serve. From that viewpoint, both parties should be proficient in what to report, how to report it and to whom it should be reported. The plan should also describe the level of service that can reasonably be expected.
Staff who are accustomed to computer security incidents recognize that these incidents vary in shape and size. Some are quite uncomplicated, easy to cope with and mitigate, while others are extremely severe and very complicated, or can have a harsh impact on IT systems and require proper authority to respond to effectively. In the event of a crisis, adhering to the plan in place will help the organization to promptly isolate disruption cropping up on IT systems or networks as well as to counteract such events. It may alleviate potential risks such as loss of company reputation, trust or financial standing. Existing CSIRTs that don't have a robust plan can still manage with some basic guidelines. They can make use of their current incident handling procedures as a guideline while they revise their existing documentation. They can rely on those basic guidelines, namely the plan to handle incidents, areas of responsibility, and general and specific procedures. Other typical guidelines can include an incident response checklist as well as procedures for what type of activity to report and how that information should be reported. A company needs to take several factors into consideration prior to planning an incident response capability. They include:

- introducing a point of contact for reporting incidents
- pinpointing the aims and objectives of the team
- distinguishing and selecting the staff and necessary expertise
- offering direction for reporting and handling incident reports
- allocating proper security awareness and incident response training for CSIRT staff
- launching and promoting specific incident handling and security policies and procedures for the CSIRT
- sharing lessons learned with other colleagues
- designing a benchmark to monitor the effectiveness of the CSIRT
- devising a strategy to allow coordination between the CSIRT and internal and external parties

Organizations or the team typically approve policies and record them.
It is crucial to know what these policies consist of and to ensure that they are properly implementable and enforceable in the workplace. Like the mission statement, senior management approves and enforces policies. The policies need to be openly expressed and well understood by each team member, whether technical, management or administrative. It will be a difficult task for the staff to appropriately execute and carry out their duties without a clear understanding of the policy. In order to write a clear policy, it is best to avoid excessive jargon. Whenever possible, consult someone who is not in security or IT to examine the policies. Rephrase the policies if they are not understood. Use very short sentences. A good policy is a short one. A security policy should be concise and well segregated between the management aspect (the policy) and the operational aspect (the procedures). Moreover, a policy must be both implementable and enforceable, or else it serves no purpose. It is easier to implement a policy if it is well designed and relevant to the needs and goals of the CSIRT. Truly effective policies address genuine needs within a business, making the staff willing and even eager to implement them because they make operations smoother and give the business added reliability. Top management should take appropriate actions or steps to enforce a policy. Policies must be enforceable, otherwise they are of little or no value. Usually when a policy is implementable, it is normally also enforceable, unless it contradicts itself. Concrete measures are needed to assess the usage of the policy.

Example: an example of a contradictory policy is a security policy that ranks internal information security as priority number one but at the same time ensures absolute privacy for its staff; the latter makes it hard or even impossible to enforce security in the case of an insider threat.
To successfully develop and implement security policies, top management needs to be involved in and strongly support the project (Lam, 2005). A proposal with a report of external and internal requirements and a draft budget assessment can easily persuade managers to support the development and implementation of a security project. Having management support and authorization can resolve money and time issues. These managers can allocate the required budget and allow sufficient time for development and implementation. In addition, top management has the power to affect processes by requiring employees to participate (Kearns & Sabherwal, 2006).

How to Implement Security Policies Successfully

The implementation phase is probably the hardest phase in the life cycle of developing and maintaining security policies. Many organizations fail in this phase. To implement security policies effectively and efficiently, teams first need to resolve many issues. Lack of strong management support (Fedor et al., 2003; Lam, 2005), lack of budget (Kearns & Sabherwal, 2006; Martin, Pearson & Furumo, 2007), lack of implementation time (Walker & Cavanaugh, 1998), lack of strong leadership (Fedor et al., 2003), lack of awareness of the benefits of implementing security policies, i.e. the reasons why (Hansche, Berti & Hare, 2004), or ineffective communication with users (Jackson, Chow & Leitch, 1997; Walker & Cavanaugh, 1998) may cause problems. Resolving all of the above issues can help in successfully implementing security policies.

Computer Security Incident Response Team (CSIRT)

A team is a focal component of incident response plan, policy and procedure creation, so that incident response is dealt with effectively, efficiently and consistently. The team should cooperate with other teams within the organization towards a central goal which encompasses the plan, policies and procedures. Outside parties such as law enforcement, the media and other incident response organizations can also be contacted.
The Computer Security Incident Response Team is regarded as the nerve center of an incident response plan. It is normally composed of a team manager, a management advisory board and other permanent and temporary team members. The temporary staff provide advice on technical, business, legal or administrative issues, depending on the nature and scope of the incident. The team assists the organization to identify and document the nature and scope of a computer security incident handling service. The team manager supervises the work of the team members, presents ongoing status information to the Chief Information Officer (CIO) and other senior management, and requests expert advice from outside the IT department when needed. This role leader should be familiar with computer security issues, the function of IT areas and staff, general company operations, and the duties of other employees in the institution who may serve as resources for the CSIRT. Under challenging situations, the team manager must be able to coordinate teamwork with other staff and to deal properly with circumstances that require discretion or confidentiality. The technical leader's role is to assess the characteristics and severity of an incident, propose recommendations on security control and recovery issues to the team manager, and request additional technical resources if needed. This role should possess a broad understanding of operational and systems security. Other employees can join the team on an ad hoc basis and remain team members until closure of the incident. Additional resources may be required to serve areas such as law enforcement, legal, audit, human resources, public relations, facilities management or IT technical specialties.
The table below shows a list of members who should be included in the CSIRT and their roles in the team.

Table 1: Team members in the IRT (source: table from page 4-2 of Incident Response Procedure for Account Compromise, Version 1.2, 2004, Visa International)

Besides their technical expertise, the distinctive quality of CSIRT staff is their motivation and ability to stick to procedures and to present a professional image to customers and other parties working with them. In other words, it is more convenient to appoint staff with less technical expertise and excellent interpersonal and communication skills and subsequently train them in a CSIRT-specific environment than vice versa. Communication by a team member who is a technical expert but has poor communication skills may severely damage the team's reputation, while interactions that are handled competently will help improve the team's standing as a valued service provider. Possessing a broad range of interpersonal skills is significant since team members are frequently in contact with each other and with other parties such as law enforcement, legal and human resources. Thus, the professional interactions that CSIRT employees adopt will influence the reputation of the team, and special attention to an individual's interpersonal skills matters.
Some interpersonal skills required for incident handling staff are listed below:

- logical judgment to formulate effective and suitable decisions in times of crisis, under pressure or under strict time constraints
- effective oral and written communication skills for interaction with other parties
- discretion when dealing with the media
- aptitude to follow policies and procedures
- enthusiasm to learn new things
- ability to work under pressure
- teamwork
- reliability to maintain the team's reputation and status
- readiness to accept one's own mistakes
- problem solving skills to efficiently handle incidents
- time management skills for high priority tasks

Apart from interpersonal skills, CSIRT staff should possess a fundamental understanding of the technology and issues on which they base their expertise. The following technical know-how is crucial for CSIRT staff:

- public data networks (telephone, ISDN, X.25, PBX, ATM, frame relay)
- the Internet (aspects ranging from architecture and history to future and philosophy)
- network protocols (IP, ICMP, TCP, UDP)
- network infrastructure elements (router, DNS, mail server)
- network applications, services and related protocols (SMTP, HTTP, HTTPS, FTP, TELNET, SSH, IMAP, POP3)
- basic security principles
- risks and threats to computers and networks
- security vulnerabilities/weaknesses and related attacks (IP spoofing, Internet sniffers, denial of service attacks and computer viruses)
- network security issues (firewalls and virtual private networks)
- encryption technologies (TripleDES, AES, IDEA), digital signatures (RSA, DSA, DH), cryptographic hash algorithms (MD5, SHA-1)
- host system security issues, from both a user and a system administration perspective (backups, patches) [6]

It is crucial that at least one division of the team possesses a thorough understanding of the full range of technologies and issues used by the team. This contributes to expanding and intensifying the technical resources and capability of the team and to training other team members through education and documentation.
It also makes sure that the team can provide a full range of services. Besides an in-depth understanding of the technical skills listed above, the following specialist skills are required:

- technical skills such as programming, administration of networking components (e.g. routers, switches) and computer systems (UNIX, Linux, Windows, etc.)
- interpersonal skills such as human communication, experience in presenting at conferences or managing a group
- work organization skills

Obviously, a team will be unable to employ individuals who possess all the necessary interpersonal and technical skills. But there are opportunities to address such deficiencies, such as training staff to develop and retain those skills and supporting continuous progress.

Hiring CSIRT Staff

For any staff vacancy, the hiring process to select the most talented applicant is a complicated task. Even a candidate who appears on the surface to possess the right skill set might not be able to work within a CSIRT setting. This is especially true once a crisis has been declared, where the candidate may not be able to cope with the situation and may carry out their duties inefficiently. Therefore, it is recommended to put the applicant through a hiring process specifically designed to reveal the applicant's strengths and weaknesses. Based upon the findings of the hiring process, the team will decide either to train the applicant in the specific skills that the candidate may require or not to employ the candidate. Compared to a regular hiring process, additional steps should be included in any CSIRT hiring process. They are:

- pre-interview document check
- pre-interview telephone screening
- interviews that cover topics from technical abilities to interpersonal skills
- candidate technical presentation
- reference checks, including criminal records

The complete hiring process should be devised to detect potential employees who possess appropriate interpersonal and technical skills.
Such candidates can undergo further training to acquire more competence. Before calling the applicant for a personal interview, the pre-interview document check and telephone screening determine in the first instance whether the candidate is an ideal match for the selection process. At this stage, more information is gathered about the applicant's broad level of interest in computer security and other more specific details on items covered in his or her resume. The telephone screening will give a good impression of the candidate's oral communication skills. Before CSIRT staff begin to interview potential candidates, it is better to decide in advance which particular issues, ranging from technical issues and ethical issues to social skills, are most likely to be discussed during the interview process, and to select which existing staff are most suitable to talk about those issues with the candidate. Thus separate topic areas are covered by each of the various interviewers, saving any duplication of effort. Each interviewer will be in a position to review and consolidate feedback on the issues covered. Another strategy may be carried out where similar topics are discussed by other team members involved in the interview process, to agree on the candidate's faculty in a particular topic and identify any weaknesses. To ensure proper recruitment, the applicant should have the opportunity to meet CSIRT team members through a lunch meeting or at the candidate's technical presentation. Requiring a candidate to give a technical presentation offers the CSIRT an opportunity to measure other technical and interpersonal skills of the candidate. It also gives an idea of how much common sense the candidate has and whether the applicant will be able to cope under stressful situations. Other qualities such as overall presentation skills, an eye for detail, technical accuracy and the ability to answer questions on the fly are also taken into account.
After an individual has been appointed, there is also an enormous task to make them adapt to the CSIRT. New staff will need to undergo training for some period of time to get used to the CSIRT working environment as well as the specific policies and procedures of the team. Some new recruits may be given access to limited information until relevant certificates or clearances, such as government or military clearances, are obtained. Staff training is compulsory in order for new recruits to acquire the skill level necessary to take on their new responsibilities. Secondly, training is necessary to expand existing staff skills for personal career growth and overall team progress. Staff training also helps keep the overall CSIRT skill set updated with emerging technologies and intruder trends. When considering the overall training needs of the team, it is necessary to identify the skills needed by each individual, as well as the common skill set required by the whole team. Obviously, a new staff member should acquire immediate training in any deficient skills in order to perform effectively quickly. From a general viewpoint, the whole team should be assessed to determine any training that needs more attention to enlarge skill set exposure in the team. At the same time, this assessment focuses on an individual's skill set. Policies and procedures are a necessity and should be enforceable to support the initial training of new team members and to guarantee ongoing training as policies and procedures get amended. Besides the interpersonal and technical skills discussed earlier, each team member should be trained in areas specific to the incident handling functions in a normal CSIRT work environment.
Training should cover the following issues:

- new technical developments
- CSIRT team policies and procedures
- incident analysis
- maintenance of incident records
- understanding and identifying intruder techniques
- work load distribution and organizational techniques

Initial training is conducted through on-the-job training. Since the incident handling profession is different in work nature from other professions, there is no formal educational path for CSIRT staff and limited documentation in the literature. Most printed materi