What is an incident?
Incident handling is a general term for the response of a person or organization to an attack. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster. Incidents involving viruses, worms, spyware and other forms of malicious code have disrupted or damaged millions of systems and networks around the world. Heightened concerns about national security and about exposure of personally identifiable information are also raising awareness of the possible effects of computer-based attacks. These events call for a quick and efficient response when computer security defences are breached, and so the concept of computer security incident handling has become widely accepted in most enterprises.
In general, an information security incident is a violation of computer security policies, acceptable use policies, or standard computer security practices.
Examples of information security incidents are:
A distributed denial of service attack against a public Web server
A worm that infects hundreds of workstations on a network and effectively shuts down the network
An attacker who gains remote administrator-level access to an email server
A user who downloads password cracking tools
A user who defaces another organization's public Web site
What is incident handling?
Incident handling is the process of detecting and analyzing incidents and limiting their effects. For example, if an attacker breaks into a system through the Internet, the incident handling process should detect the security breach. Incident handlers then analyze the data and determine how serious the attack is. The incident is prioritized, and the handlers take action to ensure that the progress of the incident is halted and that the affected systems return to normal operation as soon as possible.
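The following added example (not part of the original text) shows the process just described as working code: detection of one of the incident types listed above, an attacker gaining remote administrator-level access to an email server, followed by analysis, prioritization, containment and recovery tracked as ordered phases. The SSH log lines, the host name mail01, the asset criticality table and the "10.0.0.0/8 is internal" rule are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample log lines (not from any real system): a short brute-force
# sequence followed by a successful privileged login from the same source.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 mail01 sshd[2001]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jan 12 03:14:03 mail01 sshd[2001]: Failed password for root from 203.0.113.45 port 51130 ssh2
Jan 12 03:14:05 mail01 sshd[2001]: Failed password for root from 203.0.113.45 port 51131 ssh2
Jan 12 03:14:09 mail01 sshd[2003]: Accepted password for root from 203.0.113.45 port 51140 ssh2
Jan 12 03:20:44 mail01 sshd[2010]: Accepted publickey for alice from 10.0.0.7 port 40212 ssh2
"""

LOG_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")

# Assumed asset inventory: mail01 is the email server and rated most critical (3).
ASSET_CRITICALITY = {"mail01": 3}


class Phase(Enum):
    DETECTED = 1
    ANALYZED = 2
    PRIORITIZED = 3
    CONTAINED = 4
    RECOVERED = 5


@dataclass
class Incident:
    host: str
    source: str
    account: str
    failures_before_success: int
    phase: Phase = Phase.DETECTED
    priority: str = "unassigned"
    history: list = field(default_factory=list)

    def advance(self, next_phase: Phase) -> None:
        # The handling process is ordered: a phase can never be skipped.
        if next_phase.value != self.phase.value + 1:
            raise ValueError(f"cannot move from {self.phase.name} to {next_phase.name}")
        self.history.append((self.phase, next_phase))
        self.phase = next_phase


def is_internal(ip: str) -> bool:
    # Assumption for this example: 10.0.0.0/8 is the only internal range.
    return ip.startswith("10.")


def detect(log_text: str, failure_threshold: int = 3) -> list:
    """Detection: a successful root login from an external source that was
    preceded by repeated failures from that same source raises an incident."""
    failures = {}
    incidents = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        outcome, account, ip = m.groups()
        host = line.split()[3]
        key = (host, ip)
        if outcome == "Failed":
            failures[key] = failures.get(key, 0) + 1
        elif account == "root" and not is_internal(ip) and failures.get(key, 0) >= failure_threshold:
            incidents.append(Incident(host, ip, account, failures[key]))
    return incidents


def prioritize(inc: Incident) -> str:
    """Analysis and prioritization: privileged access on a critical asset is high."""
    score = ASSET_CRITICALITY.get(inc.host, 1)
    if inc.account == "root":
        score += 2
    inc.advance(Phase.ANALYZED)
    inc.priority = "high" if score >= 4 else "medium" if score >= 2 else "low"
    inc.advance(Phase.PRIORITIZED)
    return inc.priority


def handle(log_text: str) -> list:
    """The whole process: detect, analyze and prioritize, contain, recover."""
    incidents = detect(log_text)
    for inc in incidents:
        prioritize(inc)
        inc.advance(Phase.CONTAINED)   # e.g. block the source, disable the credential
        inc.advance(Phase.RECOVERED)   # e.g. restore the server to normal operation
    return incidents
```

The phase ordering enforced by `advance` is the point to notice: an incident cannot be marked contained before it has been analyzed and prioritized, which mirrors the sequence in the text (detect, analyze, prioritize, halt progress, return to normal). Running `handle(SAMPLE_AUTH_LOG)` yields a single high-priority incident for mail01 from 203.0.113.45; the internal key-based login by alice is not flagged.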