Business continuity plan: covers natural disasters, which are less likely to occur than a security incident.
3 response philosophies:
1. Watch & warn: passive; no action taken except notification. Simple.
2. Repair & report: attempt to close the incident quickly and
automatically. Block the attack, repair the vulnerability, disconnect
& clean the affected systems.
3. Pursue & prosecute: collect evidence; law enforcement & legal
involvement. Determine the origin of the attack. Involves other
organizations (ISPs, telephone companies).
Incident response plan: defines management procedures & responsibilities
to ensure a quick, effective, orderly response to security
incidents. Its elements:
Documentation of intruder & responder activities.
Determination that an incident is underway.
Notification of appropriate personnel.
Containment: minimizing the impact of the incident is the primary goal
of the response plan.
Assessment of the scope of damage, to isolate compromised systems &
data.
Eradication of the cause.
Recovery: return to the normal state. Patch the vulnerability, restore
from backup.