Worse than having an incident is having an incident and not knowing it.
IDS intrusion detection system: monitor activity & notify
need to distinguish normal from mailicious activities
Intruder motives: needs: financial, social/political, personal: fun or revenge
insiders (know systems, value of info, already have access & authorization) vs. outsiders
Intrusion methods: technical, social, physical
path of least resistance / maximum payoff taken
Detection methods: profiles of normal activity vs attacks
offline: configuration errors & vulnerabilities
online: detect intruder during attack by effects of intrusion, or after the incident: lock out intruder or keep him busy while being tracked down
Difference between an incident and a disaster is detection.