The National Institute of Standards and Technology (NIST) has published for public comment a draft update to a guide for organizations managing their responses to computer security incidents such as hacking attacks. The authors cast a wide net to gather best practices from industry, government agencies and academia for the Computer Security Incident Handling Guide (NIST Special Publication 800-61, Revision 2).
However hard government agencies work to keep their computer systems operating smoothly and safely, those systems are regularly threatened, and the trend is growing. Events such as botnets that cause a "denial of service" to a government web server, or employees being tricked into opening emails that harbor malware, are regularly in the news.
Having a well-designed computer security incident response plan to follow during an attack provides structure to a possibly chaotic situation and allows the appropriate actions, such as informing law enforcement officers or other agencies or departments that need to know, to be performed in the correct order and in a timely way. Incident response plans can help minimize loss or theft of information and service disruptions after a problem is identified.
Government agencies are required by the Federal Information Security Management Act (FISMA) to establish incident response capabilities and designate points of contact with the U.S. Computer Emergency Readiness Team (US-CERT) office within the U.S. Department of Homeland Security.
The revised guide is designed to help both established and newly formed incident response teams to create an incident response policy and plan. The plan should have a mission, strategies and goals, an organizational approach to incident response, metrics for measuring the response capability, and a built-in process for updating the plan as needed.
The revised publication reflects changes in threats and incidents. Unlike many threats of several years ago, which tended to be short-lived, fast-paced, and comparatively easy to detect, many of today's threats are stealthier: they are specifically designed to spread quietly and slowly to other hosts, gather information over extended periods of time, and eventually cause the loss of sensitive data.
The NIST guidance recommends that each incident be reviewed afterward. Reviewing the incident response after an attack allows an agency to prepare for future incidents and to provide stronger protection for systems and data. "This revised version encourages incident teams to think of the attack in two ways," explains Paul Cichonski, lead author. "One is by method—what's happening and what needs to be fixed. The other is to consider an attack's impact by measuring how long the system was down, what type of information was stolen, and what resources are required to recover from the incident."
Copies of SP 800-61, Revision 2, Computer Security Incident Handling Guide, are available at http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf. NIST requests comments on the draft by March 16, 2012. Please submit comments to 800-61rev2-comments [at] nist.gov with "Comments SP 800-61" in the subject line.