Build a response team

A computer incident response team, or CIRT, is a lot like a firefighting crew – both are composed of individuals trained to respond quickly to specific incidents with the goal of limiting damage and reducing recovery time and costs.

“Like a fire department, you can use [CIRTs] for actual incident response and for cleanup, for education and for drills,” said Richard Mogull, an analyst at GartnerG2 in Stamford, Conn.

A CIRT may be activated by virus or hacker attacks, internal sabotage or even suspicious activity, such as successive attempts to gain access to a system or transactions that fall outside preset boundaries – for instance, a money transfer exceeding US$1 million.

Incident response at companies that don’t have a CIRT tends to be expensive and ad hoc, said Steve Romig, manager of the network security group at Ohio State University in Columbus.

And there’s more than money on the line. Companies that fail to react quickly to security incidents stand to suffer damage to their reputations and lose customers.

A CIRT’s key mission, therefore, is to orchestrate a speedy and organized company-wide response to computer threats. The following are some tips for building that capability:

Know your constituency. Decide which computers, address ranges and domains will be monitored for incidents, Romig said. Know what services the CIRT will provide and to whom. Develop policies for when to disclose security breaches and when to report an incident to law enforcement agencies, Romig said. And be sure to advertise contact information for the CIRT throughout the company.
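The two pieces of advice above that can be expressed in code are the activation triggers (successive attempts to gain access, transactions outside a preset boundary) and the constituency definition (which address ranges and domains the team monitors). The following is an added example, not code from the article or from any of the organizations quoted in it: a small Python triage check that drops events outside the monitored ranges and domains, then raises an activation alert for a streak of failed logins on one account within a time window, or for a transfer over the article's US$1 million figure. The ranges, domains, thresholds, account names and log records are constructed samples; a successful login resets the failure streak so that only successive failures count.

```python
"""Added example (not from the article): a minimal CIRT activation check.

Constituency scoping (which hosts the team is responsible for) and the two
activation triggers the article mentions. Every range, domain, threshold and
event below is a constructed sample, not data from the article.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed constituency: the address ranges and domains the CIRT monitors.
MONITORED_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]
MONITORED_DOMAINS = ("corp.example", "lab.example")

# Constructed activation thresholds; only the US$1M figure comes from the article.
FAILED_ATTEMPT_LIMIT = 5      # successive failed logins on one account ...
FAILED_ATTEMPT_WINDOW = 300   # ... within this many seconds
TRANSFER_LIMIT_USD = 1_000_000


@dataclass
class Event:
    ts: int            # unix seconds
    host: str          # IP address or hostname the event concerns
    kind: str          # "login_failed", "login_ok" or "transfer"
    account: str
    amount: float = 0.0  # only meaningful for "transfer"


def in_scope(host: str) -> bool:
    """True if the host falls inside the CIRT's constituency."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat it as a hostname and match on domain suffix.
        return host in MONITORED_DOMAINS or host.endswith(
            tuple("." + d for d in MONITORED_DOMAINS)
        )
    return any(ip in net for net in MONITORED_RANGES)


def evaluate(events):
    """Return (trigger, account, host) alerts for in-scope events, in time order."""
    alerts = []
    streak = defaultdict(list)  # account -> timestamps of successive failures
    for ev in sorted(events, key=lambda e: e.ts):
        if not in_scope(ev.host):
            continue  # outside the constituency: not this team's incident
        if ev.kind == "login_ok":
            streak[ev.account].clear()  # a success breaks the streak
        elif ev.kind == "login_failed":
            times = streak[ev.account]
            times.append(ev.ts)
            # Keep only failures that fall inside the window ending now.
            times[:] = [t for t in times if ev.ts - t <= FAILED_ATTEMPT_WINDOW]
            if len(times) >= FAILED_ATTEMPT_LIMIT:
                alerts.append(("successive_failed_access", ev.account, ev.host))
                times.clear()  # one alert per streak
        elif ev.kind == "transfer" and ev.amount > TRANSFER_LIMIT_USD:
            alerts.append(("transfer_over_limit", ev.account, ev.host))
    return alerts


# Constructed sample events covering each branch.
SAMPLE_EVENTS = [
    # five successive failures inside the window -> alert
    *[Event(t, "10.20.5.7", "login_failed", "jdoe") for t in (100, 130, 160, 190, 220)],
    # three failures, a success, three failures -> streak reset, no alert
    *[Event(t, "10.20.5.8", "login_failed", "mlee") for t in (300, 320, 340)],
    Event(360, "10.20.5.8", "login_ok", "mlee"),
    *[Event(t, "10.20.5.8", "login_failed", "mlee") for t in (380, 400, 420)],
    # six failures from a host outside the constituency -> ignored
    *[Event(t, "198.51.100.9", "login_failed", "asmith") for t in range(500, 620, 20)],
    # transfers: one over the preset boundary, one under it
    Event(700, "pay01.corp.example", "transfer", "treasury", 1_250_000),
    Event(710, "pay01.corp.example", "transfer", "treasury", 900_000),
    # five failures spread over 400 seconds: the oldest ages out -> no alert
    *[Event(t, "192.0.2.44", "login_failed", "rkhan") for t in (1000, 1100, 1200, 1300, 1400)],
]


if __name__ == "__main__":
    for trigger, account, host in evaluate(SAMPLE_EVENTS):
        print(f"activate CIRT: {trigger} account={account} host={host}")
```

Running the block prints one activation line for the `jdoe` login streak and one for the US$1.25 million transfer; the out-of-scope host, the streak broken by a successful login, and the failures spread beyond the window produce nothing, which is the point of fixing the constituency and the boundaries before the team is ever paged.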

Assemble the team. Figure out which department the CIRT should be in and who should head it. Many companies put the team within the IT group, although others add the CIRT to the security or audit group, or make it a stand-alone function, said Georgia Killcrece, a member of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

“Wherever it sits, [a CIRT] will not succeed without management support,” she said, because the team may require cooperation among multiple departments, such as legal and human resources.

The incident response team at the University of Wisconsin-Madison has a process for calling in its legal department and local law enforcement when incidents involve activities such as computer-related harassment, said Kim Milford, information security manager at the university.

Companies that can afford it sometimes maintain a formal team of specialists whose sole task is to respond to external and internal security breaches.

For example, one financial services firm has a core incident response team of 12 full-time specialists. Additional members are pulled in from the company’s human resources and legal departments to assist this core team if necessary, said the company’s IT director, who requested anonymity.

The University of Wisconsin-Madison has entrusted the task of coordinating incident response to one full-time worker. That person acts as a central point of contact for reporting and responding to incidents. Along with the university’s IT security group, the employee is responsible for assessing the scope, priority and threat level of an incident, as well as for suggesting a response, Milford said.

Create a SWAT team. Maintaining a full-time incident response team can be expensive, so many companies choose to have an ad hoc incident response team that can come together quickly when needed, said Mogull.

Providence Health System creates SWAT teams to respond to specific incidents, such as virus infections, said David Rymal, director of technology at the Seattle-based health care provider.

“We use pager alerts and call an incident response meeting of the functional groups designated to respond to such incidents. In that meeting, we’ll set a plan of action and a communication plan” for dealing with the threat, Rymal said.

But, he said, Providence Health System doesn’t have formal methods of maintaining a CIRT beyond knowing the key players and who responds to which types of incidents.

Get organized. Have written policies and procedures and assign responsibilities upfront, said the financial services firm’s IT director. “We maintain a formal list with names, cell phone numbers and beeper [numbers] of people who can be called in to assist the core team,” he said.

Figure out what equipment you’ll need, where you’ll house it and how you’ll protect the CIRT function. You don’t want unauthorized people accessing information that a CIRT may uncover during a response, Killcrece said.

None of this does any good if the plan merely sits on a shelf. Conduct frequent drills and mock exercises, especially for ad hoc teams, the financial services IT director said, adding, “Remember, it is a process that you have to do right but hope you never have to use.”