A senior security engineer at Ohio State University has joined with a director of security operations for a Fortune 500 company to explain how businesses can create such teams. The book is The Effective Incident Response Team (Addison-Wesley 2004, ISBN 0-201-76175-0).
Brian Moeller of Ohio State said he and coauthor Julie Lucas wrote the book primarily for office managers -- the people who often bear the responsibility of creating and supervising a computer incident response team (CIRT), even though they may have no technical background in the area.
As a result, the book offers step-by-step details ranging from how to protect a computer network from attack, to how to write an effective computer use policy for employees.
For readers who want to persuade upper management to invest in computer security, the book makes a convincing case. One chapter outlines the costs of computer crime, including a 2002 survey by the Computer Security Institute and the FBI that found that such crime has cost American businesses nearly $1.5 billion since 1997.
Computer security threats can come from inside or outside a company, and vary from unauthorized access to information to denial-of-service attacks that shut down a network, Moeller explained. And theft of business intelligence or lost hours of operation can end up costing a business more than just money.
"The big lessons here are that preventing computer attacks is really worthwhile, and having clear policies that employees can follow is worthwhile, too. Those things sound very easy, but it's sometimes a challenge to actually implement them," Moeller said.
Other chapters cover a wide variety of CIRT issues, such as how to form a CIRT team, define its mission, and work with law enforcement. The book offers lessons in security terminology, walks readers through a typical security incident, and includes copies of relevant federal codes for cyber crime.
Still, the book isn't meant only for managers who don't know a packet sniffer from a port scan. (The former is a program that eavesdrops on the activity in a computer network; the latter is similarly malicious software that probes the outskirts of a network for points of weakness and, ultimately, illegal entry.) Even businesses with established CIRT teams can still have something to learn, Moeller said.
For instance, one question managers face when budgeting for a CIRT is which security tasks to perform in house, and which ones to outsource.
One job that companies may want to outsource is computer forensics, Moeller said. Just as the police rely on forensic scientists for crime scene investigation, so should businesses when an employee has used a computer to commit an illegal act. In that case, evidence must be carefully gathered from the computer and the area around it -- and that takes expertise.
"When you don't have incidents that require forensics very often, it's hard to keep up with forensics technology," Moeller said. "So if you can't justify the expense of maintaining a full-time forensics capability, it may be more cost effective to outsource."
Years as a computer security consultant have helped Moeller formulate some general advice.
"What people really need to do is look at their information technology infrastructure and think about what's important to them," he said. "They should make sure they're backing up their data, patching their networks, and managing users."
Moeller says many common mistakes are easily solved. For instance, many companies don't automatically cancel an employee's access to the network after the employee has left the company.
"I've worked with companies that have never removed a user, even after they've been gone for years," he said.
Contact: Brian Moeller, (614) 247-7136, moe@net.ohio-state.edu
Written by Pam Frost Gorder, (614) 292-9475; Gorder.1@osu.edu