Incident versus Disaster

From Security for Everyone, edition e1.0.0. Updated October 9, 2023.

Confusion Two of the most commonly misused words in security are incident and disaster. They are often used interchangeably, with every “incident” described as a “disaster” for the business. While we all love a good bit of hyperbole, in this chapter and the resulting plans and processes it yields, we need to make sure we have these two events defined clearly.

Definition Incidents are any form of event or occurrence in our organization, systems, or processes. While they are typically perceived as negative events, an incident without context or investigation is simply a marker that something has happened. The cause and overall impact of an incident are unknown until a full investigation is carried out.

Incidents are not unique to security. They are categorized in many different ways, in many different fields.

Incident types that growing companies will typically encounter include:

  • systems or tool outage

  • performance issue on an application or system

  • bug identified in production code

  • unauthorized access to a system or account

  • loss or theft of a computing device

  • office alarm triggered outside of working hours.

Some of these are clearly security-related issues, such as alarm system issues and authorization alerts. Others are quite general; while they may have a security impact or association, this may not be immediately obvious without investigation.

Definition Disasters are a category of event that has a confirmed large-scale impact on the organization, its systems, people, processes, and property. Like incidents, not all disasters are security-related, but there are definitely categories of disaster that are security-aligned.

Disaster types that growing companies may encounter include:

  • earthquakes and natural disasters

  • fires

  • pandemics

  • loss of production databases or equipment.

In the case of these disasters, the scope and impact of the event are clear from the start. It is safe to assume that the situation is bad and that systems, people, processes, or property have been harmed, destroyed, or otherwise rendered useless.

Incident response focuses its early activity on investigation and evidence gathering, later deciding on appropriate recovery actions. Disaster recovery focuses on the removal of immediate danger, protection of remaining assets, and restoration of that which has been damaged.

If someone steals the last cookies from the cupboard, this is an incident. First you’re going to investigate, then you will respond. You do not respond until you are sure of the facts.

If the kitchen, its cupboards, and the cookie jar are on fire, this is a disaster. First you will clear the area and trigger your fire safety plans, then you (or a trained professional) will extinguish the fire and check everyone is safe. Only later will you investigate the cause of the fire and plan for repairing and replacing the kitchen.

Whether we have an incident or a disaster on our hands, it’s crucial that we have a plan in place for how to respond. Let’s start with incidents, and in the next chapter we’ll dive deeper into disasters.

Introduction to the Incident Response Process

Incident response is a well-established practice in the technology space and there has been a lot written about it. This introduction gives you a high-level overview of how incident response processes work and the typical actions and considerations that are associated with every stage.

The first thing to note is that, for the most part, incident response is not linear. An incident response is a triggered process that will loop between a number of stages until all evidence has been handled and the impact of the incident is resolved.