Incident Response & Contingency PlanningCase JournalDocument Transcript
Incident Response and Contingency Planning Journal Incident Response and Contingency Planning Journal By Brittany M Gilstrap ITEC 4341-01 Fall 2011 Macon State College
Incident Response and Contingency Planning Journal 1Journal Entries for Week One 08/22/11 to 08/28/11Journal Entry One: There is an incident in which someone on the inside of HAL is trying to get inside e-mailserver by using several different accounts, but is failing to do so (Whitman & Mattord, 2007).There are multiple attacks, and even though they are using a proxy, and recently moved theirservers into the DMZ, the question is who is creating such a disturbance, why are they trying toget into the e-mail server, and how are the attempting this incident (Whitman & Mattord, 2007).This would qualify as a deliberate act of trespass because it is an attempt by an unauthorizedemployee for informational access in the e-mail server (Whitman & Mattord, 2007). Riskidentification would be to plan out this process, the system components being threatened is the e-mail server which could contain confidential information, depending on how critical thisinformation is, it is an important asset to the company, and should be protected (Whitman &Mattord, 2007). Identifying the treat is in internal personnel trying to break into the e-mail serverusing other people’s log in information, but failing to get through (Whitman & Mattord, 2007).Lastly, in risk identification, the vulnerable assets are the e-mails on this server that couldpotentially be read by prying eyes that are not allowed to see, and possibly threatening criticalinformation about business operations (Whitman & Mattord, 2007). Next is to do a riskassessment, and to determine how to value the assets on this e-mail server, it would depend onhow highly critical the information is that is being stored there (Whitman & Mattord, 2007).There is a high likelihood of attack on the vulnerabilities because it is already in place thatsomeone is trying to get into this e-mail server, and apparently is using others e-mail accounts totry to hack in, but is unable to (Whitman & Mattord, 2007). In the end, there will need to be a
Incident Response and Contingency Planning Journal 2decision on risk control to decide what the best route is to protect the server, and to protect theseaccounts (Whitman & Mattord, 2007).Journal Entry Two: The first question asks who Paul should invite to this meeting to discuss this incident(Whitman & Mattord, 2007). Obviously Paul will be bringing himself, Amanda whose accountwas being used to try to access the e-mail server, and because she is Paul’s boss (Whitman &Mattord, 2007). Jonathon is the senior systems administrator who recognized these many failedattempts at being able to get through the proxy, and Paul also asked him to grab Tina who is thesenior network administrator (Whitman & Mattord, 2007). I believe that Richard Xavier, chiefoperations officer, William Freund, manager of systems, and Roberta Briscoe, manager ofcorporation security, should be present because it did ask for senior personnel to be at thismeeting, and their fields each give them some insight on what to do, and how to approach thisincident (Whitman & Mattord, 2007). Richard would be able to provide potential directions tofollow in this incident, and help to plan for a recovery afterwards to better train employs, and putpolicies in place to protect against this kind of incident. William would be able to provideinformation on the systems within the organization, and how such an attempt could havemanifested. Roberta would be able to provide information on security needs within theorganization, and would be able to point them in the right direction for protecting the e-mailserver from this attack.Journal Entry Three: The second question asks what other information Paul and his team can use to track downthis incident (Whitman & Mattord, 2007). For Paul and his team to track down this incident, it
Incident Response and Contingency Planning Journal 3would be most beneficial to see all the accounts in which the personnel was using to hack intothe e-mail server, also it would help to get all the IP addresses of the computers being used inthis attack, so that they can identify possibly which personnel is making this attack. Also, theycould install software on any IP addresses that show up, so that the computer can track all useractivity, and they would be able to review the personnel in the process of attacking. They couldalso possibly find potential giveaways from what the personnel uses the computer for, such as:social networking, personal interests, etc. They may be able to find out who is causing theincident.Journal Entries for Week Two 08/29/11 to 09/04/11Journal Entry One: There are twelve categories of threats facing information security, and the most recent topthreats listed in the Computer Security Institute’s Computer Crime and Security Survey fall intothe most of the twelve categories, but not all (Richardson, 2011). First, act of human error orfailure is an accident of the user by deleting files on the desktop, deleting files on the server,releasing important information, modification of files, and unauthorized software installations,but there were no threats found in the survey for this category (Whitman & Mattord, 2007).Second, compromise of intellectual property consists of piracy, information leaks outside ofpolicy, and violation of copyright material (Whitman & Mattord, 2007), from the survey “insiderabuse of internet access or email (pornography, pirated software, etc.) falls within this category(Richardson, 2011). Third, deliberate acts of trespass consists of unauthorized access of logicaland physical counterparts of an organization (Whitman & Mattord, 2007), from the survey “theftor unauthorized to intellectual property/PII/PHI due to mobile device theft/loss and all other
Incident Response and Contingency Planning Journal 4causes, password sniffing, system penetration by an outsider, unauthorized access or privilegeescalation by insider, exploit of wireless network/DNS server/user’s social network profile/clientweb browser/public facing website”, fall within this category (Richardson, 2011). Fourth,deliberate acts of information extortion consist of blackmailing for assets (Whitman & Mattord,2007), from the survey “extortion or blackmail associated with threat of attack or release ofstolen data”, falls within this category (Richardson, 2011). Fifth, deliberate acts of sabotage orvandalism consist of modification or destruction of information or physical assets (Whitman &Mattord, 2007), from the survey “website defacement and instant messenger abuse”, fall withinthis category (Richardson, 2011). Sixth, deliberate acts of theft consist of stealing assets from anorganization (Whitman & Mattord, 2007), from the survey “financial fraud and laptop or mobiledevice theft or loss”, fall within this category (Richardson, 2011). Seventh, deliberate softwareattacks consist of phishing, email viruses, viruses, worms, malicious coding, DoS, and DDoS,from the survey “malware infection, bots/zombies within the organization, DoS, and fraudulentlyrepresented as sender of phishing messages”, fall within this category (Richardson, 2011).Eighth, forces of nature consists of threats from hurricanes, tornadoes, fire, floods, ESD,humidity, dust, mudslide, solar flare, and earthquake, there were no threats from the survey thatwould have been listed in this category (Whitman & Mattord, 2007). Ninth, quality of servicedeviations from service providers consist of power blackouts, surges, spikes, sags, and networkoutages, there were no threats from the survey that would have been listed in this category(Whitman & Mattord, 2007). Tenth, technical hardware failures or errors consist of devicefailures or defects; there were no threats from the survey that would have been listed in thiscategory (Whitman & Mattord, 2007). Eleventh, technical software failures or errors consist ofbugs or coding problems and trapdoors, there were no threats from the survey that would have
Incident Response and Contingency Planning Journal 5been listed in this category (Whitman & Mattord, 2007). Twelfth, technological obsolescenceconsist of outdated technology, there were no threats from the survey that would have been listedin this category (Whitman & Mattord, 2007).Journal Entry Two: Reviewing the 2010-2011 Computer Crime and Security Survey, there is a lot of greatinformation that supports the importance of security against these threats. After the previousthreats were established, there are ways that were implemented to prevent or fix these threats,which is the most important thing to do, fix any security problems. The top most implementedaction taken after a threat was to patch any software vulnerabilities, this is very importantbecause security flaws in software can cause major problems, and can potentially leave abackdoor open for anyone to get into your system (Richardson, 2011). Next few actions that aretaken after threats: patched hardware, additional security installed, forensics investigation,awareness training, and policy changes (Richardson, 2011). Two reasons why people did notreport these incidents to enforcement is because they did not believe that enforcement could helpor that the incident was not major enough to need to report (Richardson, 2011). The top elevensecurity technologies used for protection that is over a 50% rating, starting from the highestpercentage is: anti-virus, firewall, anti-spyware, VPN, patch management, encryption of databeing transferred, IDS, encryption of data being stored, URL filtering, application firewall, andintrusion prevent system (Richardson, 2011). The top five ways to evaluate security include frommost to least: internal audits, automated tools, web monitoring, external audits, and internalpenetration testing (Richardson, 2011). These are all important statistics that could help anorganization see what areas they may need to focus in to fix their security problems or how theycan measure the protection they’re really getting out of their security tools.
Incident Response and Contingency Planning Journal 6Journal Entry Three: An important matter that organizations should use to better protect themselves from thepotential threat of an attack is to do a business impact analysis which would determine how badof an impact an attack would be for an organization (Whitman & Mattord, 2007). This helps withplanning for threats allowing you to prioritize what would be most important to deal with firstover others that may just be an annoyance than a real threat (Whitman & Mattord, 2007). Thefirst step is to identify threats to the organization and prioritize them, and then a business unitanalysis determines how different parts of the organization would be affected by treats (Whitman& Mattord, 2007). Next, scenarios should be developed to establish how a threat would behandled in a real situation listing information such as: possible vulnerabilities, threat agent,activities related to the attack, assets in trouble, and follow ups (Whitman & Mattord, 2007).Next, a potential damage assessment should be done, and this helps identify a worse, best, andmost likely scenario for an attack including what would happen, the risk with it, the cost to theorganization, and probability of it spreading (Whitman & Mattord, 2007). Lastly, a subordinateplan classification will use the different plans drawn together to establish the aftermath of ascenario (Whitman & Mattord, 2007).Journal Entries for Week Three 09/05/11 to 09/11/11Journal Entry One: Scripted attacks are not as bad as live attacks because they are set up to do whatever thescript says, so it will continuously be doing the same thing over and over. This would be more ofan annoyance than anything, but it makes it a lot worse when a live person is doing the attacksbecause it would be for a more rewarding gain like stealing information than just being
Incident Response and Contingency Planning Journal 7annoying. A live person attempting these attacks would be able to adapt to whatever defenses theorganization throws up in its path which is what was happening in the scenario. They wereblocking out the ports it was using, which if this was a scripted attack then it would have stoppedthis incident, but it didn’t (Whitman & Mattord, 2007). Paul decided to view the logs of thenetwork, and found out that it was using a certain range of addresses, so they blocked this rangeto prevent this attacker from getting into the system (Whitman & Mattord, 2007). It is veryimportant to take incidents like this as serious even when it may not pose a serious threat in theend because you never know how dangerous it is until something catastrophic happens that couldjeopardize important business assets, and possibly put the company in some trouble. Neverunderestimate an attack no matter how simple it may seem because it could cost you more thanyou reckon.Journal Entry Two: This live attack was more of an annoyance than it was a real incident because attackerwas performing the same attack over and over which eventually led him to being found out, andblocked from getting through (Whitman & Mattord, 2007). It would have been more of anincident if he was hiding his ports so that they wouldn’t be found out, if he used moresophisticated strategies to get through, and if he used a different range of ports that were not soeasily blocked out by the range Paul had used (Whitman & Mattord, 2007). Had he used a portscanner to find a weakness in the defenses, and used that to exploit the system, I think hewould’ve had better chances of getting through (Whitman & Mattord, 2007). Regardless anannoyance or real incident, they should both be treated seriously because you never really knowwhat could possibly happen, and it is better to be overprotective of your assets than risk them.
Incident Response and Contingency Planning Journal 8Journal Entry Three: The importance of the chapter that correlates to this case study is how to prepare,organize, and prevent incidents from occurring (Whitman & Mattord, 2007). This is typicallydone by the security incident response team (SIRT) which “is a set of policies, procedures,technologies, people, and data necessary to prevent, detect, react, and recover from an incidentthat could potentially damage the organization’s information” (Whitman & Mattord, 2007).There are three different ways of making up these SIRTs: centralized is one group maintainingthe whole organization, distributed is several teams split up into different portions of theorganization, and coordinating is a advice team that helps the others teams out without managingover them (Whitman & Mattord, 2007). The company should probably have a distributed SIRTset up to maintain the different portions of the organization, so that if problems arise in this largecompany, there are enough teams to handle it (Whitman & Mattord, 2007). These should beinside employees from the IT department doing these SIRTs, I don’t believe that outsourcing isnecessary because it does not seem they are suffering too bad to maintain their own incidents(Whitman & Mattord, 2007). Services that are offered by SIRT include: reactive(alerts/warnings, incident/vulnerability/artifact handling), proactive (audits, announcements,maintenance, intrusion detection systems, and configuration), and security management (riskanalysis, evaluation/certification, business continuity/disaster recovery planning, and training)(Whitman & Mattord, 2007). These are all very important services that will come in handy tobetter prepare the organization for incidents, and the SIRT will definitely be beneficial to theimprovement of incident response and contingency planning (Whitman & Mattord, 2007).
Incident Response and Contingency Planning Journal 9Journal Entries for Week Four 09/12/11 to 09/18/11Journal Entry One: This case study consists of a new way to protect the organization from security threatsthat firewalls, intrusion detection systems, and scanners are doing, but this can be a pretty costlyexpense for the company because of yearly subscription fees, and hardware costs (Whitman &Mattord, 2007). JJ had mentioned a better way to save money, and protect the company the sameway that all these technologies had that he learned from a meeting at another company (Whitman& Mattord, 2007). His approach was to use open source software which would save a lot ofmoney in the long run, but could prove costly up front because they would either have to hiresomeone who is trained for this software or send their own employees off for training (Whitman& Mattord, 2007). It is important for companies to try to save as much money as possiblebecause they do have to cover very large costs, but they shouldn’t cut money in a very importantpart of the company because securing the systems from any attacks should be top priority(Whitman & Mattord, 2007). It could prove to be more costly if this newer approach doesn’twork as well as they think because an attack could cost the company its business if it were toocatastrophic, and did more damage than repairable. Management would need to weigh the optionof sticking with what they have because they know it works or trade it out for the new opensource approach to see if it can cover what the other approach was doing, and save them theexpected amount of money (Whitman & Mattord, 2007).Journal Entry Two: JJ suggested that the intrusion detection system should be dropped from being network-based to being host-based instead; Paul agrees that this will be a great idea, and asks for
Incident Response and Contingency Planning Journal 10technology to be found for this suggestion (Whitman & Mattord, 2007). Easily enough, a host-based intrusion detection system would be the solution because rather than it being placed on thenetwork, and monitoring everything over the network (network-based IDS), it actually is placedon one host, and only monitors everything happening on that host (Whitman & Mattord, 2007).HIDS basically monitors any alterations, deletions, or creations in the system files and systemconfiguration of the host computer (Whitman & Mattord, 2007). “The HIDS triggers an alert oralarm when one of the following changes occurs: file attributes change, new files are created, orexisting files are deleted” (Whitman & Mattord, 2007). The HIDS can determine if an attack isgoing to happen, if it has happened, or is going on, and can tell if it was successful at its attempt,but fortunately keeps its own log file of everything that has happened to better identify whathappened (Whitman & Mattord, 2007). The advantages to implementing HIDS is specific to thehost computer that it is on, so it is capable of detecting things on that host that slipped by aNIDS, not affected by switched networks, and by comparing audit files to the current files, theHID can detect problems (Whitman & Mattord, 2007). The disadvantages of implementingHIDS is that it takes a lot more managing because it resides on each host rather than a wholenetwork, unable to defend against direct attacks or operating system targeted attacks, onlycapable of monitoring that one sole device, vulnerable to DOS, requires large amounts of storagefor audit logs, and reduction in performance of the host computer (Whitman & Mattord, 2007). Ithink host-based IDS would be beneficial to implement because it does solely target that hostcomputer, and can protect it better than just a network wide IDS that could have things slipthrough if there is a lot of traffic over the network (Whitman & Mattord, 2007). The only reasonI would not suggest doing a host-based IDS is that it does require a lot of additional attention toeach host with this software because it isn’t watching over the whole network, just whichever
Incident Response and Contingency Planning Journal 11devices you decide to install it on, so if problems arise, you may have to go to each computer todetermine the problem (Whitman & Mattord, 2007).Journal Entry Three: JJ is looking for more information on open source software, and training for it, so I founda company that offers both OpenLogic.com. “OpenLogic provides enterprises with open sourcesupport, scanning, provisioning and governance solutions to safely and efficiently leverage opensource software. OpenLogic gives enterprises the choice, confidence, and control necessary tomitigate open source risks while maximizing cost savings” (OpenLogic, Inc., 2011). OpenLogicprovides open source software packages with support in developer or production options(OpenLogic, Inc., 2011). The developer support is offered with more than 500 Linux packages,but only supports during business hours (five days a week, twelve hours each) with a four hourresponse, and can work through phone, email, or online support (OpenLogic, Inc., 2011). Theproduction support is offered with more than 500 Linux packages, and supports all day every daywith a one hour response, and can work through phone, email, or online support (OpenLogic,Inc., 2011). For all packages, OpenLogic offers updates for all bugs or security vulnerabilities tokeep software up to date, and keep your systems protected (OpenLogic, Inc., 2011). One of thegreat aspects of this open source option is that it does offer training depending on the package,for example: open source build and test tools range from two to ten days per each subtopic, andopen source clustering lasts three days, but also offers package training for: apache HTTP server,application framework/servers, databases, Java, PHP, and web services (OpenLogic, Inc., 2011).I would recommend this HAL because it is open source as they wanted, it does focus packagesaround Linux, it offers training for particular packages, and I think this would be a beneficial intheir search for open source software (OpenLogic, Inc., 2011).
Incident Response and Contingency Planning Journal 12Journal Entries for Week Five 09/19/11 to 09/25/11Journal Entry One: The Fourth Amendment states “the right of the people to be secure in their persons,houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, andno warrants shall issue, but upon probable cause, supported by the Oath or affirmation, andparticularly describing the place to be searched, and the persons or things to be seized”(Whitman & Mattord, 2007). The Fourth Amendment is very important to a company becauseyou never know when a disaster could happen that an employee caused, you have to wonder howthe best way is to prove it, and that is through the legal use of search warrants (Whitman &Mattord, 2007).Journal Entry Two: The Fourth Amendment may protect against unlawful searches and seizures without awarrant, but there are ways to get around this, there are seven exceptions to the FourthAmendment, they include: “consent, plain view, exigent circumstance, inventory search, bordersearch, international issues, and search incident to a lawful arrest” (Whitman & Mattord, 2007).The two most prominent exceptions are consent and plain view; consent states that the person ofinterest allows for law enforcement to search their personal belongings without refusal, and plainview states that an item is observable without having to change anything in the environment tohave access to it (Whitman & Mattord, 2007). Now two problems arise with consent, if consentis given how much consent is truly given to search the environment or just a small piece of it,and the other refers to who can actually give consent to search something (Whitman & Mattord,2007). This relates to the class material because you may need to search an employee’s
Incident Response and Contingency Planning Journal 13computer, and you need to know the best way to do that, even if you have to follow one of theseexceptions to do it.Journal Entry Three: It is rough determining what is pushing passed the limit, and what isn’t whether theyrequire a warrant or just probable cause to search someone (Whitman & Mattord, 2007). The1976 Copyright Act was created to help protect not only physical property, but intellectualproperty as well (Whitman & Mattord, 2007). Though it may be a person’s property, if they areat work, and they decide to store their personal information on a computer leased to themthrough the company, then they are set to stand by the polices of the company because it is thecompany’s property (Whitman & Mattord, 2007). The Electronic Communications Privacy Actof 1986 states the regulation of wire, electronic, and oral interceptions, this includes: disclosure,distribution, possession, confiscation, authorization, and reports of these interceptions (Whitman& Mattord, 2007). The Privacy Protection Act of 1980 states that journalists do not have toforfeit their work to law enforcement until it is published for the public to view (Whitman &Mattord, 2007).Journal Entries for Week Six 09/26/11 to 10/02/11Journal Entry One: Due to the anthrax scare the mailroom had, there are other catastrophes that could takeplace in the mailroom that could cause problems for company (Whitman & Mattord, 2007). Ithink the next obvious scare in the mailroom that is related to the anthrax scare would be apackage with a bomb inside, that could cost many lives, or even disrupt business for a very longtime (Whitman & Mattord, 2007). Another catastrophe that could possibly happen is the mailing
Incident Response and Contingency Planning Journal 14of an electronic device such as a jump drive that someone may put in their computer, and it startsinfecting the system, then the network, putting everything at risk of being compromised(Whitman & Mattord, 2007). Business operations need to be careful in order to protect humanlives, but also the company itself because a catastrophe could put the business out for weeks ormonths, maybe even forever depending on how drastic it is (Whitman & Mattord, 2007).Journal Entry Two: I believe the most important goal when planning for the resumption of critical businessfunctions at an alternate site for four weeks would be to plan to be back at the primary site assoon as possible, and only take what is absolutely necessary for work with them to the alternatebecause it is not a long term standing (Whitman & Mattord, 2007). If instead it lasted for thirtyweeks, I would suggest just focusing on maintaining business to the utmost, and takingeverything that you can easily enough, so that it is readily available in case you need it (Whitman& Mattord, 2007). With it being such a long time, the business continuity plan would be used tohelp keep everything flowing smoothly because it helps with business functions for long periodsof time, and would work concurrently with the disaster recovery plan (Whitman & Mattord,2007). For devices you are unable to move off-site there is the option to do remote journalingwhere it would transfer data from the primary site to the off-site, so that it is still available(Whitman & Mattord, 2007).Journal Entry Three: The contingency planning management team (CPMT) is normally involved with settingup alternate sites in the case of a disaster, and they generally focus on the cost that is acceptablefor what has happened (Whitman & Mattord, 2007). There are five sites that are capable of
Incident Response and Contingency Planning Journal 15supporting a company at an alternate, and there are three agreements that can also be considered(Whitman & Mattord, 2007). If cost is a big deal then the CPMT would go with a cold site whichwould have long term setup time, but does not have hardware or telecommunications (Whitman& Mattord, 2007). If cost isn’t too important then a warm or hot site would be used; a warm sitewould offer partial hardware and telecommunications for a medium setup of time, and a hot sitewould offer full hardware and telecommunications, and a short setup time (Whitman & Mattord,2007). If cost just doesn’t matter at all then the CPMT could choose to go with mobile ormirrored sites which are costly; a mobile site is hardware, telecommunications, and setup timedependent, so it would need to be researched if they are capable of making this mobile, and amirrored site would have full hardware and telecommunications, with no setup time because it isalready setup (Whitman & Mattord, 2007). Three agreements that a company can decide on aretimeshare, service bureaus, and mutual agreements where a company basically signs a contractwith another business, and in different manners, they offer portions or full facility space to takein a company that has suffered from a disaster (Whitman & Mattord, 2007). Subject area expertsare just that, experts in their particular fields that can decide what is best for their field and whatall they will need to make it possible to continue work in their field (Whitman & Mattord, 2007).Summary: Some of the most important findings covered in these case studies relate directly to theoverall objective of this class: risk management, business impact analysis, incident responseplan, disaster recovery plan, business continuity plan, and the threats that make these veryimportant pieces of any business (Whitman & Mattord, 2007).
Incident Response and Contingency Planning Journal 16 The main goal of all of this is to protect the confidentiality, integrity, and availability ofinformation in an organization (Whitman & Mattord, 2007). There are twelve threat categories(previously listed in a journal entry) that threaten the CIA of information, and this is the mostimportant asset in the company (Whitman & Mattord, 2007). Risk management protects the CIA of information by finding the vulnerabilitiesthreatening information systems, and a thorough plan to follow for mitigating these risks(Whitman & Mattord, 2007). Risk management uses risk identification, risk control, and riskassessment in handling risks threatening the information systems (Whitman & Mattord, 2007). A business impact analysis is beneficial to help assess what different risks can pose to thecompany’s day to day business, whether one threat doesn’t do anything to disrupt business, butanother one could threaten the livelihood of the business (Whitman & Mattord, 2007). Thisprioritization of threats help to identify what is the worst risk to the company that should betaken care of before something that is not as risky (Whitman & Mattord, 2007). The incident response plan is the next step taken when a threat actually attacks anorganization; this plan helps to identify what it is, and what should be done to manage the threatat the time it is attacking (Whitman & Mattord, 2007). The incident response plan “focuses onintelligence gathering, information analysis, coordinated decision making, and urgent actions”(Whitman & Mattord, 2007). The disaster recovery plan helps with recovering the business fromany disaster that strikes, and this can be beneficial in lowering the chances of loss (Whitman &Mattord, 2007). The disaster recovery plan “focuses on preparations completed before and actions takenafter the incident” (Whitman & Mattord, 2007). Lastly, the business continuity plan helps
Incident Response and Contingency Planning Journal 17identify ways to continue business at alternates for long periods of time until business can run atthe primary site (Whitman & Mattord, 2007). In conclusion, these are all very important pieces in taking care of the business to protectit from threats, and to plan for actions to take if there is a disaster that threatens the livelihood ofa company (Whitman & Mattord, 2007).
Incident Response and Contingency Planning Journal 18 ReferenceOpenLogic, Inc. (2011). Openlogic: Helping enterprises use open source software. Retrieved from http://www.openlogic.com/index.php.Richardson, Robert. (2011). 2010/2011 computer crime and security survey. New York, NY: Computer Security Institute. Retrieved from http://gocsi.com/survey.Whitman, M. E., & Mattord, H. J. (2007). Principles of incident response and disaster recovery. Boston, MA: Course Technology, Cengage Learning.