ABSTRACT

Organizations typically devote substantial information security resources to preventing attacks on computer systems: strong authentication with regularly changed passphrases, hardware tokens, digital certificates, and biometrics. Prevention is never complete, however. All computer systems are vulnerable to attack, whether by internal users, by outsiders, through low-level probes, through direct attacks on high-privilege accounts, or through viruses, and sooner or later nearly every organization must respond to a serious computer security incident. A well-written computer incident response plan is therefore an essential part of the information security management toolbox. Management might believe that recovering from a security incident is a straightforward exercise that is simply part of an experienced system administrator's job, but the range and severity of possible attacks argue otherwise. No matter how good an incident response plan is, periodic simulations or walkthroughs will identify flaws in it and reveal where it has not kept pace with changes in the automation infrastructure.