Handbook for Computer Security Incident Response Teams (CSIRTs) - CERT/CC
(233 pages)
This document provides guidance on forming and operating a computer
security incident response team (CSIRT). It details the functions
that make up a CSIRT, how to handle sensitive information, and
the tools, procedures, and roles needed to implement the program.
It also covers operational and technical issues such as equipment,
security, and staffing.
Phases of Incident Handling - Texas A&M University
Computer security incident handling can be divided into six phases:
preparation, identification, containment, eradication, recovery,
and follow-up. Understanding these phases, and what can go wrong
in each, helps responders work more methodically and avoid
duplicated effort.
Recovering from an Incident - CERT/CC
If you believe that your site may have suffered a break-in or
other type of incident, the CERT/CC has some documents that can
help you.
Checking Windows for Signs of Compromise - University College London
One of the main aims of this document is to address the lack of
documentation on the concrete actions to take when dealing with
a compromised Microsoft Windows system. A secondary goal is to
explain how to examine that information with tools.
Checking UNIX/Linux Systems for Signs of Compromise - University College London
One of the main aims of this document is to address the lack of
documentation on the concrete actions to take when dealing with
a compromised *nix system. The document tries to stay as generic
as possible, so platform-specific tools may serve you better in
some cases. A secondary goal is to explain how to examine that
information with tools.
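As an added illustration of the kind of concrete check such a document describes (this is example code written for this page, not material from the UCL document), the script below runs two classic account-level compromise checks over a passwd-style file: an account other than root that has UID 0, and an account whose password field is empty. The sample file is constructed inline, and the account names in it are invented, so the script runs offline against the same kind of input it would see on a real host.

```shell
#!/bin/sh
# Added example, not from the UCL document: triage checks over a
# passwd-style file for two common signs of a compromised *nix host:
#   1. an account other than root with UID 0 (a planted superuser)
#   2. an account with an empty password field (passwordless login)
#
# The input below is constructed for this example; "toor" and "alice"
# are invented names. On a real case point the functions at a copy of
# /etc/passwd taken from the suspect disk image, not at the live system.

SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor::0:0:backdoor:/tmp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Print every account name whose UID (field 3) is 0 but is not "root".
rogue_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account name whose password field (field 2) is empty.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Count distinct accounts flagged by either check, so the result can be
# folded into a larger triage script (0 means nothing was found).
suspicious_account_count() {
    { rogue_uid0_accounts "$1"; passwordless_accounts "$1"; } \
        | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: report what was found in the constructed sample.
echo "UID 0 accounts other than root:"; rogue_uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts with an empty password field:"; passwordless_accounts "$SAMPLE_PASSWD"
echo "Distinct suspicious accounts: $(suspicious_account_count "$SAMPLE_PASSWD")"
```

On a shadow-password system the password field of /etc/passwd is normally "x" for every account, so an empty field there is itself unusual; the same empty-field check applied to /etc/shadow (field 2) finds accounts that can log in with no password at all. Run the checks against files copied from a forensic image so the suspect system's own tools and libraries, which may have been replaced, are not trusted to produce the listing.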
CSIRT Case Classification (Example for enterprise CSIRT) - FIRST
This document provides the guidelines needed for CSIRT Incident
Managers (IM) to classify the case category, criticality level,
and sensitivity level for each CSIRT case. This information will
be entered into the Incident Tracking System (ITS) when a case
is created. Consistent case classification is required for the
CSIRT to provide accurate reporting to management on a regular
basis. In addition, the classifications will provide CSIRT IMs
with proper case handling procedures and will form the basis of
SLAs between the CSIRT and other Company departments.