Page 1191 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
with root cause analysis.
The quicker an organization can respond to an incident, the better
its chance of limiting the damage. Conversely, if an incident
continues for hours or days, the damage is likely to be far greater.
For example, an attacker may be trying to access a customer database.
A quick response can prevent the attacker from obtaining any
meaningful data. However, if given continued unobstructed access to
the database for several hours or days, the attacker may be able to get
a copy of the entire database.
After an investigation is over, management may decide to prosecute
responsible individuals. Because of this, it’s important to protect all
data as evidence during the investigation. Chapter 19, “Investigations
and Ethics,” covers incident handling and response in the context of
supporting investigations. If there is any possibility of prosecution,
team members take extra steps to protect the evidence. This ensures
the evidence can be used in legal procedures.
Computers should not be turned off when containing an
incident. Temporary files and data in volatile random access
memory (RAM) will be lost if the computer is powered down.
Forensics experts have tools they can use to retrieve data in
temporary files and volatile RAM as long as the system is kept
powered on. However, this evidence is lost if someone turns the
computer off or unplugs it.
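The note above is the "order of volatility" point: timestamps, open sockets, and running processes live only in RAM and vanish at power-off. The script below is an added example, not from the study guide, showing how a responder can capture that volatile state from a still-running host and hash it into a manifest before any containment step that might cut power. It assumes a POSIX shell and standard tools (`date`, `uname`, `ps`, `who`); `ss`, `ip` and a SHA-256 tool are optional and skipped when absent. The `isolate_nic` helper is the "disable the NIC" containment step from the text, kept separate so it is only run deliberately and as root.

```shell
#!/bin/sh
# Added example (not from the study guide): preserve volatile evidence on a
# live host BEFORE containment that could power it down.
# Assumptions: POSIX sh; date/uname always present; ss, ip, ps, who and a
# sha256 tool are optional and are logged as skipped if missing.

# Run one collector into its own file, recording the exit status. A missing
# tool must not abort the whole collection.
capture() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        rc=0
        "$@" > "$outdir/$name.txt" 2>&1 || rc=$?
        echo "$name: '$*' exit $rc" >> "$outdir/collection.log"
    else
        echo "$name: '$1' not available, skipped" >> "$outdir/collection.log"
    fi
}

# Hash every captured file so later handling can be checked against the
# manifest (supports chain of custody). Prefers sha256sum, falls back to shasum.
hash_manifest() {
    outdir=$1
    if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"
    elif command -v shasum >/dev/null 2>&1; then hasher="shasum -a 256"
    else
        echo "no sha256 tool; manifest not written" >> "$outdir/collection.log"
        return 1
    fi
    (cd "$outdir" && $hasher *.txt > MANIFEST.sha256)
}

# Re-check the manifest later (e.g. when evidence changes hands).
# Returns 0 if every file still matches, non-zero otherwise.
verify_manifest() {
    outdir=$1
    [ -s "$outdir/MANIFEST.sha256" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum -c --status MANIFEST.sha256)
    else
        (cd "$outdir" && shasum -a 256 -c --status MANIFEST.sha256)
    fi
}

# Collect in rough order of volatility: time, sockets, ARP cache, processes,
# logins, then the less volatile host identity. Finishes with the manifest.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/collection.log"
    capture "$outdir" 01_timestamp date -u
    capture "$outdir" 02_sockets   ss -tunap
    capture "$outdir" 03_arp       ip neigh
    capture "$outdir" 04_processes ps aux
    capture "$outdir" 05_logins    who
    capture "$outdir" 06_uname     uname -a
    hash_manifest "$outdir"
}

# Containment step from the text: take the NIC down so the host stops
# talking to the network, but leave it powered on so RAM and temp files
# survive for the forensics team. Requires root and iproute2's "ip".
isolate_nic() {
    ifname=$1
    [ "$(id -u)" -eq 0 ] || { echo "isolate_nic: must be root" >&2; return 1; }
    ip link set dev "$ifname" down
}

# Typical sequence (evidence first, then containment):
#   collect_volatile /mnt/evidence/host01 && isolate_nic eth0
```

Run `collect_volatile` to a directory on removable or network storage rather than the suspect host's own disk where possible, and keep `MANIFEST.sha256` with the evidence; `verify_manifest` then detects any later modification of the captured files.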
Mitigation
Mitigation steps attempt to contain an incident. One of the primary
goals of an effective incident response is to limit the effect or scope of
an incident. For example, if an infected computer is sending data out
its network interface card (NIC), a technician can disable the NIC or
disconnect the cable to the NIC. Sometimes containment involves
disconnecting a network from other networks to contain the problem
within a single network. When the problem is isolated, security
personnel can address it without worrying about it spreading to the