
Summary: NIST SP 800-61 Rev 2

On another note, with respect to incident response management, the purpose is to provide a plan that gives a clear path for resolving a security breach. According to Special Publication NIST 800-61 Rev. 2, the first thing an organization should do is establish a clear organizational meaning of the word “incident”. The publication provides a guide to incident handling and recommends establishing response capabilities, incident response policies, an IR plan, procedures, information sharing mechanisms, team structure and even collaboration with external groups. The team’s structure and the services it provides, along with the policies and procedures, are established. This team consists of: internet service providers, incident reporters, law enforcement agencies, software and support vendors, customers and media, as well as other teams.

The recommended incident handling procedure consists of: preparation, detection and analysis, containment, eradication and recovery. During the preparation phase, team members are selected and the necessary training, tools and resources are acquired. There are various attack vectors that attackers can use to exploit a vulnerability, hence systems should be in place to detect and alert when there is a potential attack. Once an event is considered an attack, the team should immediately start documenting the facts concerning the incident. At the same time, notifications should be sent out to alert the relevant parts of the team. The first action should then be an attempt to contain the incident and stop it spreading to other systems, after which eradication and recovery of compromised systems should occur. A critical step is post-incident activity, where the team can learn from the incident and report to other organizations. Moreover, evidence should be retained for a period of time. NIST SP 800-61 Rev. 2 also provides an incident handling checklist which can be very useful to organizations adopting a similar approach. As can be seen, incident response provides a clear, consistent, systematic approach to dealing with events that attempt to wreak havoc on the daily operations of a business.

Comments

  1. Wow... NIST really did a great job on incident response. I really find this blog post very informative on NIST incident response. Thanks for sharing.

