Chapter 23 Incident Notification

7860 of 8932 DOD systems attacked were broken into; only 390 of the intrusions were detected, and only 19 of those were reported.

Users notice something wrong: information missing, altered or unavailable, or the system "running funny".
These get reported as system problems by the user to the help desk or operations staff, who should be trained to recognize security incidents.

Incident notification procedures should be prearranged:
who to notify, when, and how (out-of-band communications, since the normal channels may be compromised or watched)
response team
incident manager
log of events (who did what, when)
inform management

Internal security incident management group.

CERT coordinates communication among experts during a security emergency and works to prevent future incidents.

Most attacks come over a network and, once into a system, a hacker will use the network to broaden his control.

Partners affected: inform them and work with them:
upstream site: involved in the intrusion before yours; the attack is coming from there.
downstream site: involved in the intrusion after yours; the attack is going there.
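Working out which partner sites are upstream and which are downstream is usually done from connection records. The following is an added example (not part of these notes): given a constructed, simplified connection log (timestamp, source, destination, port), a first known victim and its estimated compromise time, it reports the external hosts that connected into the victim at or before that time (upstream) and the external hosts contacted by any victim after compromise (downstream). It also follows lateral moves inside the local network, so a host the intruder hopped to is treated as a further victim whose later outbound connections also count as downstream. The log format, addresses and the 192.0.2.0/24 internal prefix are assumptions for the example.

```python
"""Classify partner sites as upstream or downstream of a compromised host.

Added example; the log format below is a constructed assumption, not a
format from the notes.
"""
from collections import namedtuple
from datetime import datetime

Conn = namedtuple("Conn", "ts src dst dport")

# Constructed sample records: "ISO-time src dst dport".
# 192.0.2.x is the local network; everything else is a partner/external site.
SAMPLE_LOG = """
2024-03-01T00:50:00 192.0.2.10 198.51.100.11 443
2024-03-01T01:10:00 203.0.113.7 192.0.2.10 22
2024-03-01T01:12:30 192.0.2.10 192.0.2.20 445
2024-03-01T01:15:00 192.0.2.20 198.51.100.5 22
2024-03-01T01:30:00 192.0.2.10 198.51.100.9 443
"""

INTERNAL_PREFIX = "192.0.2."  # assumed local address range


def parse_log(text):
    """Parse the constructed log format into time-ordered Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(conns, key=lambda c: c.ts)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def trace(conns, first_victim, compromise_time):
    """Return (upstream, downstream, compromised).

    upstream:    external hosts that connected INTO first_victim at or
                 before compromise_time (where the attack came from).
    downstream:  external hosts contacted BY any compromised host after
                 that host's compromise time (where the attack went to).
    compromised: {internal host: time it was first reached from another
                 compromised host}; lateral moves extend this set.
    """
    compromised = {first_victim: compromise_time}
    upstream, downstream = set(), set()
    for c in conns:  # conns is time-ordered, so hops are followed in sequence
        if (c.dst == first_victim and c.ts <= compromise_time
                and not is_internal(c.src)):
            upstream.add(c.src)
        if c.src in compromised and c.ts >= compromised[c.src]:
            if is_internal(c.dst):
                compromised.setdefault(c.dst, c.ts)  # lateral move
            else:
                downstream.add(c.dst)
    return upstream, downstream, compromised


if __name__ == "__main__":
    up, down, victims = trace(parse_log(SAMPLE_LOG), "192.0.2.10",
                              datetime(2024, 3, 1, 1, 10))
    print("upstream (inform, attack came from):", sorted(up))
    print("downstream (inform, attack went to):", sorted(down))
    print("internal hosts to contain:", sorted(victims))
```

Note that 198.51.100.11 is not listed even though the victim talked to it, because that connection predates the compromise; the time window is what separates normal partner traffic from attack traffic. An upstream address is where the attack came from, not necessarily the hacker: that site is very often a victim too, which is why the notes say to inform and work with it rather than treat it as the adversary.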

Law enforcement involvement is a business decision (unless legally required). It is needed if other companies are involved, or if legal steps are required to identify the hacker (e.g. wiretaps) or to collect evidence for prosecution. Know the laws and the agencies.

News media need skilled handling by a trained public affairs office. Security incidents are often handled quietly to avoid a negative image and loss of business or reputation.