ABSTRACT

As technology grows more complex, the gap between those who understand technology and those who view it as magic is getting wider. The few who understand the magic of technology can be separated into two sides: those who work to protect technology and those who try to exploit it. The former are information security professionals, the latter hackers. To many, a hacker's ability to invade systems does seem like magic. For security professionals, who understand the magic, it is a frustrating battle where the numbers are in the hackers' favor. Security professionals must simultaneously protect every single possible access point, but a hacker only needs a single weakness to successfully attack a system. The lifecycle in this struggle is:

• Protection
• Detection
• Response
• Investigation
• Prosecution

First, organizations work on protecting their technology. Because 100 percent protection is not possible, organizations realized that if they could not completely protect their systems, they needed to be able to detect when an attack occurred. This led to the development of intrusion detection systems (IDSs). As organizations developed and deployed IDSs, the inevitable occurred: "According to our IDS, we've been hacked! Now what?" This quickly led to the formalization of incident response. In the beginning, most organizations' response plans centered on getting operational again as quickly as possible. Finding out the identity of the attacker was often a low priority. But as computers became a primary storage and transfer medium for money and proprietary information, even minor hacks quickly became expensive. In attempts to recoup their losses, organizations are increasingly moving into the investigation and prosecution stages of the lifecycle. Today, although protection and detection are invaluable, organizations must be prepared to effectively handle the response, investigation, and prosecution of computer incidents.