The question is incomplete, Below is the complete question.
Brody had been enjoying a nice, calm shift in HAL's network operations center. The calmness of the evening was interrupted, however, when a pop-up notification appeared on his monitor. The NIDS had detected malicious traffic on a brance network in Tuscaloosa, Alabama, specifically targeting the branch Web server. As Brody picked up the telephone to contact the on-call network tech for that office, the NIDS displayed another pop-up notification, this time reporting malicious traffic on a branch network in Mobile. In short order, it also displayed notifications for branches in Athens, Columbia, Auburn, and Starkville. Even more alarming, the NIDS indicated that the traffic was all coming from other branches within the company.
Brody immediately recognized that this was different from the typical attacks he'd seen in his time with the company and decided to call his boss, Nick Shula. It was 3:30 AM when he made the call.
"Hello?" said Shula, groggy with sleep.
"Boss, it's Brody," Brody said. "Sorry to be calling like this, but i think we've got a problemm. The NIDS is showing that Web servers in multiple branch offices are under attack, and the traffic is coming from inside our network. What do you want me to do?"
Shula, suddenly awake, thought back to the proposal that was sitting on his desk, concerning the creation of an incident response team for the company. Shula had een so busy with other things that he hadn't been able to consider the proposal at all. Mentally kicking himself, he muttered into the phone, "Why didn't I look at that proposal?"
"What was that, boss?" Brody said.
"Never mind," Shula said. He had to think quickly in order to guide Brody through the situation. "Call the firewall guy on duty," he said, "and have him put in a temporary rule on the DMZ firewall to block all inbound traffic to the Web servers from internal IP addresses." After all, it was the middle of the night, and very few, if any, employees would be doing any work that involved the Web servers. Shula figured he would jsut get up a little early and have the rule removed before normal working hours; hopefully, by then the attack would have stopped.
"OK boss, will do. Get back to sleep, now," Brody said.
Shula headed back to bed, thinking everything was OK. But as soon as his eyes closed, the phone rang again. He took a look at the caller ID and blanched. It was Mal Bryant,, the company CEO.
"Nick, it's Mal," Mal said. "Listen, I'm in Belgium and attached to the corporate network via the VPN. For some reason, I can't get to our internal Web server. You have ny idea what's going on?"
Shula sighed as he realized it was going to be a long night...
Two weeks later, Brody got an e-mail from Nick Shula inviting him to attend a meeting during the day shift later in the week. The meeting was being called to discuss the formation fo the company's new CSIRT.
Brody would be one of the employees identified to perform specific actions when events became incidents and the response plans were activated. As a front-line watch stander in the network operations center, Brody would play a critical role. In addition to his role as a key memeber of the response team, Brody was going to be invited to help develop the plans and procedures and would then be trained in how to be a first responder.
Discussion Questions:
A) From what you know of the company so far, what will be among the various constituencies that the CSIRT will serve?
B) Will the company need to hire more employees to meet the needs of the CSIRT, or would you suggest it outsource some of that effort?
ANSWER;
A) When we talk of CSIRT, it typically mean computer security incident response team.
It will actually help employees report,discuss and disseminate information as it regards computer security related information across the entire organization and it's various verticals.
CSIRT will actually help in timely response that is 24/7 and a coordinated effort in the handling of incident.
The department of information technology and other departments to that are partly or heavily making use of it's systems would actually be the ones typically affected by the formation of this body.
B) For CSIRT to be efficiently constructed,the organization should also outsource the work initially in majority.
However,in the later stages, once the employees are well trained,the company can then build upon it as in house department much more effectively and efficiently.
Also,the company should have at least a part of the work outsourced to have access continuously to the respective systems at all times. This will be required mainly because information security is a fast moving technology and the company as well as it's employees need to be updated regularly and also informed of external threats.
