Length: 1 Day
OVERVIEW
Incident response is becoming an increasingly important area within the field of information security because systems, applications, and networks have become more complex and diverse, and are thus increasingly difficult to defend. Fifty percent of all respondents to the 1998 FBI/Computer Security Institute Survey reported experiencing at least one significant security-related incident.
This two-day course teaches attendees what an incident is, the rationale for having an effective incident response capability, the types of incidents that occur and complications in dealing with them, how to detect incidents, how to use a structured methodology for dealing with evidence, how to trace network intrusions, and considerations involved in forming and managing an incident response capability. Case studies from the instructor’s experience as founder and manager of the U.S. Department of Energy’s Computer Incident Advisory Capability (CIAC) are included throughout the course.
The course covers a variety of technical, procedural, and managerial information, and is thus appropriate for attendees with both technical and non-technical backgrounds.
OUTLINE
- An introduction to incident response
- Risk analysis
- A methodology for incident response
- Tracing network intrusions
- How to form and manage an incident response team
- Legal issues
The last half day is dedicated to a stimulating and highly popular simulation on responding to incidents. Participants, working in small teams, play the role of network administrators who have a limited number of resources to invest in security controls. Probes and intrusion attempts (produced by a random event generator) occur constantly. When an incident occurs, each team must determine an appropriate course of action, giving participants the opportunity to apply what they have learned in the course.
