Dealing with External Computer Security Incidents

Dealing with computer security incidents is extremely difficult. There are many ways that incidents can occur and many types of impact they can have on an organization. There are no complete solutions, and the partial solutions that exist are expensive and resource intensive. However, the alternative–not dealing with security incidents–is yet more expensive, and using weak methods for dealing with incidents may only compound the damage that incidents cause. What is required is a long-term commitment to develop the capability to deal with security incidents, not just make short-term fixes of selected problems.

A security incident is the act of violating an explicit or implied security policy at a single site or across multiple organizations. An external security incident is one caused by an individual or group not part of the organizations that are violated. This paper discusses some of the effort required to deal with external security incidents on an organization’s hosts (computers) and network. We look at both responsive actions to incidents and proactive actions to mitigate the risk of such incidents. Because of inherent weaknesses in many of the current network protocols and vulnerabilities in widely used software, external security incidents are inevitable to any organization with a connection to a wide-area public network, even a narrow and limited connection.

Download the paper in PDF format here.