The Policy Must Include an Incident Response Plan for Security Breaches

Any network has the potential of being compromised. Complex networks are more difficult to protect and can be more difficult to monitor. It is important to identify when your network is under attack and when an attack has resulted in a system or network breach. It is also important to develop an incident-response plan so that security personnel know how to react to a compromise. Although the ultimate goal is to discover all breaches, some might go unnoticed. The policy must state the actions to take upon discovery of a breach. Most policies differentiate between breaches originating from within the organization and those originating externally, such as from the Internet. The distinction matters because the offending host is normally easier to identify when the attack genuinely originates inside the network than when an internal resource has been exploited by an external source and used as the apparent origin. Most organizations implement a stronger exterior-facing security perimeter, which greatly restricts the activity of a potential intruder. This design presents an additional risk: because of a lack of internal controls, an attacker who has already reached the internal network has an easier time.

A sample policy section follows:

Response to Internal Denial-of-Service (DoS) Attacks: Upon discovery of a DoS attack originating within the local-area network (LAN), the administrator will record and document the discovery for future forensics use. A secure machine should be utilized to track all packets originating from the source computer.

The administrator will attempt to isolate the offending machine from the LAN. Next, the network segment where the attack is originating will be isolated.
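As an added illustration, not part of the book's sample policy, the following POSIX shell helper carries out the documented steps of that policy section in the order it prescribes: record the discovery with a timestamp, start a capture limited to packets sourced from the suspect host (on the separate secure machine the policy calls for), hash any captured evidence so later tampering is detectable, and log each isolation step. The names INCIDENT_LOG, CAPTURE, valid_ipv4, capture_filter, record, evidence_hash and respond_internal_dos are assumptions of this example; tcpdump is only invoked when CAPTURE=1 because it needs root and a real interface.

```shell
#!/bin/sh
# Added example, not from the book: evidence handling for the
# "Response to Internal DoS Attacks" policy step. All names are assumed.
INCIDENT_LOG="${INCIDENT_LOG:-./incident.log}"

# Validate a dotted-quad IPv4 address; returns 1 on malformed input so a
# typo in the suspect address cannot produce a bogus capture or log entry.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# tcpdump filter for "all packets originating from the source computer".
capture_filter() { printf 'src host %s' "$1"; }

# Append a UTC-timestamped entry to the incident log and echo it, so the
# discovery, capture start and each isolation step are documented in order.
record() {
  line="$(date -u +%Y-%m-%dT%H:%M:%SZ) $1"
  printf '%s\n' "$line" >> "$INCIDENT_LOG"
  printf '%s\n' "$line"
}

# SHA-256 of an evidence file, recorded so later tampering is detectable.
evidence_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Full response for one suspect host on the secure capture machine.
# The capture command is always logged; it is only run when CAPTURE=1.
respond_internal_dos() {
  host="$1"; iface="${2:-eth0}"; pcap="evidence-$host.pcap"
  valid_ipv4 "$host" || { echo "invalid host address: $host" >&2; return 1; }
  record "DISCOVERY internal DoS suspected from $host"
  record "CAPTURE started: tcpdump -i $iface -w $pcap '$(capture_filter "$host")'"
  if [ "${CAPTURE:-0}" = 1 ]; then
    tcpdump -i "$iface" -w "$pcap" "$(capture_filter "$host")" &
  fi
  if [ -f "$pcap" ]; then
    record "EVIDENCE $pcap sha256=$(evidence_hash "$pcap")"
  fi
  # Isolation itself is done by the network team (switch port shutdown or
  # ACL); the log entries document that the policy's steps were taken.
  record "ISOLATE host $host from LAN"
  record "ISOLATE network segment containing $host"
}

# Usage: respond_internal_dos 10.1.2.3 eth0
```

The log produced by record is the forensic record the policy asks the administrator to keep; keeping it on the secure capture machine rather than on the suspect host prevents the attacker from altering it.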

