Preparing for an Incident – CompTIA Security+ SY0-401: 2.5


What happens when there’s an incident? In this video, you’ll learn about the industry best practices and some strategies for preparing for (and perhaps preventing) an incident.

<< Previous Video: Big Data AnalysisNext: Incident Identification >>


When a security incident occurs it’s very important to have a set of processes and procedures in place. This way you’ll be able to know exactly what to do to get your systems back up and running again. And you’ll also know what you can do to help avoid this problem in the future.

One of the first significant steps after a security incident has occurred is to get your systems back up and running again. This may be something as simple as restoring access to the device. But of course this also may resolve cleaning out any issues that still may be on those systems due to this security incident. So it may require bringing in some specialization or people that have gone through the resolution of these problems before.

Why you’re restoring your systems you want to be very careful not to remove any evidence. If this is a malicious incident and you want to prosecute this person you’re going to need to have as much evidence as possible. You also want to understand exactly how this incident occurred. By analyzing this you’ll have a better idea of how to prevent these incidents in the future. This may be something relatively simple, like updating an operating system or patching an application, or it may require a large change to processes and procedures in your organization. If you’d like to read more on how to handle computer security incidents you can go to the National Institute of Standards and Technology website and search for NIST Special Publication 800-61. This is the computer security incident handling guide and it gives you a process and procedures of how to handle these particular incidents. It starts with the preparation before an incident occurs, goes through the detection and analysis phase, eradicate and recover your systems, and ultimately what you can do after the incident has occurred.

The preparation process is critical to handling these incidents. You want to be sure that you have every communication method available to you, and the ways that people need to be contacted. So you should already have a contact list for everybody who will be handling this incident. And you want to be sure that you have the proper methods in place, so that you can contact everybody on your list.

During the incident analysis you may need specialized hardware and software to be able to understand what occurred during that incident. So you may need a specialized laptop, you may need your own cameras to be able to photograph and capture information that occurred during the incident, or you may need specialized software that will allow you to do forensics or perform disk images of hard drives. These incidents might occur anywhere in your organization so you need to have as much documentation, as possible, so that you understand where hardware may be located or what the network diagram might look like. Might be useful, as well, to understand some baselines or have some critical file hashes, so that you can compare a before and after and understand it any changes occurred during that security incident.

If you’re cleaning up after the incident you may need to completely wipe the slate and begin fresh. So it’s also nice to have installation media for your operating systems, or to have images of applications, or pre-built systems. That way you can get up and running as quickly as possible. And ultimately, there should be a set of policies and procedures. Everyone should have a set of jobs to do, and everyone should understand, exactly, what needs to be accomplished to resolve this particular security incident. Of course, the best possible scenario is to avoid the incident entirely. So it might be useful to go through some preventive steps that you can use to help prevent these incidents from occurring in the first place. One of these might be performing a risk assessment. This is something you can do periodically to understand if all of your systems are properly patched, and understand if there are any security issues associated with the devices, the hardware, and the software in your organization.

Operating systems can be especially vulnerable. So you may want to have some documentation and procedures on how to harden the operating system you use in your environment. You also want to be sure that you’re updating this operating system with security patches. And of course, monitor the operating system to see if you can notice any anomalies with the operation of that system.

From a network security perspective, you should have hardware and software in place to be able to protect the flows of traffic going through your network, and to analyze those flows to see if there might be anything malicious inside of that. It’s very common to have a firewall, to check for traffic, that may be traversing two different networks. Virtual private networks can be used if people are connecting from outside of the network. And intrusion prevention systems can stop the malicious software directly on the network, so that it never reaches the end users. It’s also very common to run anti-malware software on our end point devices. That way if any malware does find its way to the desktop, we can stop it from executing in the operating system itself. It’s also common to do this in our operating systems, running on our file servers and our email servers, so that we can stop the malware in these central infrastructure devices. And of course, we want to train our users and make sure they know exactly what the latest security techniques might be. By using all of these methods we cannot only protect when a security incident has occurred, but we may be able to prevent one from ever occurring in the first place.