Scene of the Cybercrime: Computer Forensics Handbook

Forming an Incident Response Team

An intrusion or attack can be scary, frustrating, and maddening. As with a physical attack on one's person, the emotional reactions can make it difficult to exercise good judgment and make the correct decisions about how to respond. This situation is made easier if you have properly prepared for it. Many companies, taking the proactive approach, form incident response teams (called computer incident response teams, or CIRTs) made up of individuals who train together (much like a military unit or police SWAT team) in how to handle anticipated incidents. The goal is to be able to swing into action when an actual incident occurs, with each team member covering a preassigned area of responsibility and thus decreasing the amount of damage and increasing the likelihood of apprehending the perpetrator of the incident.

In their book Incident Response: Investigating Computer Crime, Chris Prosise and Kevin Mandia define an incident as an event that interrupts normal operating procedure and precipitates some level of crisis. The CERT guidelines define specific incidents, including violation of security policy, attempts to gain unauthorized access, unwanted denial of service/resources, unauthorized use, and changes made to system or data without the owner's knowledge, instruction, or consent. An incident can be anything from an attack that crashes all the servers and cuts off all network communications to an intrusion that causes no actual damage but demonstrates the vulnerability of the organization's systems. The various types of attacks described in Chapter 6 (for example, the many varieties...
