Career Opportunities in Incident Response

What it Takes to Make it in One of Security's Emerging Fields
August 26, 2009 - Upasana Gupta, Contributing Editor

1) Preparation & Training: This covers methods to prevent an attack as well as how to respond to a successful one. Some level of preparation is needed to minimize the potential damage from an attack. These practices include taking regular backups of all key data, monitoring systems and applying software updates on a regular basis, keeping anti-virus software current, and creating and implementing a documented incident response policy.

Training is another step that is crucial to executing the incident response plan. "The training, in my opinion, should be provided in two forms at a minimum -- what I call a walk-through drill and a tabletop exercise," says Sims.

In a walk-through drill, everyone who would be involved in an incident response is brought into a room, a breach scenario is created, and the facilitator walks through it, telling each participant what they are supposed to do and what is expected of them.

In a tabletop exercise, the incident response players are gathered around a table and a breach scenario is walked through, with each person who is required to take a given action asked to chime in and play the role they would have in an actual incident response.

2) Identification: While preparation is vital for minimizing the effects of an attack, the first step once an attack has begun is identifying the incident. Identification includes recognizing that an attack is occurring, determining its effects on local and remote networks and systems, and establishing where it originates.

3) Containment: Once an attack has been identified, steps must be taken to minimize its effects. Containment lets the incident responder protect other systems and networks from the attack and limit the damage; the response actions taken in this phase are the methods used to stop the attack. Once the attack has been contained, the remaining phases are recovery and analysis.

4) Recovery and Analysis: The recovery phase allows users to assess what damage has been incurred, what information has been lost, and so on. Once the user can be assured that the attack has been contained, it is helpful to analyze the attack: Why did it happen? Was it handled promptly and properly? Could it have been handled better? The analysis phase allows users and responders to determine why the attack succeeded and the best course of action to protect against future attacks.

An incident handling and response team should be trained to handle "these normal emergencies" that happen day-to-day on the job, as well as to escalate into a learning and protective mode and secure the business and its systems at any organization, says Allor. "We need help now, not tomorrow," he states. "That is why incident response as a profession is very high among people's wish list."

Necessary Skills
