ABSTRACT

As technology grows more complex, the gap between those who understand technology and those who view it as magic is getting wider. The few who understand the magic of technology can be separated into two sides — those who work to protect technology and those who try to exploit it. The first are information security professionals, the latter hackers. To many, a hacker’s ability to invade systems does seem like magic. For security professionals — who understand the magic — it is a frustrating battle where the numbers are in the hackers’ favor: security professionals must simultaneously protect every possible access point, while a hacker needs only a single weakness to successfully attack a system. The life cycle in this struggle is:

• Protection
• Detection
• Response
• Investigation
• Prosecution

First, organizations work on protecting their technology. Because 100 percent protection is not possible, organizations realized that if they could not completely protect their systems, they needed to be able to detect when an attack occurred. This led to the development of intrusion detection systems (IDSs). As organizations developed and deployed IDSs, the inevitable occurred: “According to our IDS, we’ve been hacked! Now what?” This quickly led to the formalization of incident response. In the beginning, most organizations’ response plans centered on getting operational again as quickly as possible; finding out the identity of the attacker was often a low priority. But as computers became a primary storage and transfer medium for money and proprietary information, even minor hacks quickly became expensive. In attempts to recoup their losses, organizations are increasingly moving into the investigation and prosecution stages of the life cycle. Today, while protection and detection are invaluable, organizations must be prepared to effectively handle the response, investigation, and prosecution of computer incidents.