Introduction
One of the insidious features of Information Technology is diagnostic work. Diagnostic work can be said to be the process involving identifying and categorizing problems associated with Information Technology Security Management.
In addition, diagnostic work involves defining the scope of the remedies that an organization should put in place to correct any problems and prevents some form occurring in the future. The principal duty of security practitioners in the Information Technology field is diagnosis (Botta et al. 106).
Despite diagnosis being a prominent activity in the field of response, it is still in its initial stages (Killcrece et al). To support this argument on diagnosis being in its infancy stages, comparisons have been drawn with the worm incident in 1998 and the state of IT security in 2003. Conclusions have been made that, security related aspects have gone from bad to worse during that period (Spafford, 220).
Of most importance as highlighted by Spafford, there has been an inadequacy by the security community in Information Technology to learn the vital role played by communication during incident response. Spafford suggestion to the security community in Information Technology is that, there should be better ways to distribute and coordinate information during an incident related to Information Technology.
While some organizations have been able to provide procedures to guide them to respond to such incidents, there exist a few pragmatic investigations on responses by the security community (Goodall et al, 1424). This research seeks to fill this gap left by the inadequate responses available that organizations should use to respond to such incidents.
The purpose of this project is to examine how the security community in the Information Technology sector responds to security incidents. Furthermore, the project will examine the initial phase of preparation, detection of the incidents, and analysis of the anomalies. Werlinger et al. identified nine activities that required an interaction between security practitioners and other stakeholders (107).
One of these nine activities proposed by Werlinger is security incident response. The research is going to expand these results in the following ways: analyzing security incident response based on an extensive point of view, to a certain extent focusing on interactions only.
In addition, the research will go a step ahead to identify the aspects during interactions that are involved when preparing, detecting, and investigating security incidents (114).
The contributions of the findings form this research will be important to the security community. Of important to note, the findings will be of twofold importance based on the analysis to be provided in the research. First, there will be a clear analysis and description of the roles, skills, strategies to be used and tools needed by the security community to diagnose the security incidents in Information Technology.
In addition, following the analysis explained, the findings will go an extra mile in enhancing the research community’s appreciating the diagnostic work involved during the response to security incidents. Secondly, the research to be carried out will identify opportunities for the direction to which future research should take.
Such research will go a step ahead to identify ways and methods to which security tools to be used in the intervening during security incidents. Most security tools in Information Technology however advanced still require some customization to fit to the specific needs of a certain organization.
In addition, current security tools are not supportive when it comes to customization to suit the needs of the organization that is using them. Future research would go a step ahead to designing ways to fit the tools into individual organization needs.
Literature Review
There are challenges in management of security incidents, there are guidelines existing however that provide support for the incident response process (Casey, 256). In recent times, a study conducted by Mitropoulous et al in 2006 gathered information from the various standards and research already done and put forward an all-purpose incident response management structure (356).
To some extent these various efforts might be providing some support for the incident response process. Bailey et al. suggests that the best practices and the prescribed standards for Information Technology tend to fall in two maxims.
In the first one, they tend to be so high level that they will end up giving minimal assistance on work practices. On the other end, they tend to fall in a low level that they are not elastic to the changes that are rapid in Information and Technology (3).
One of the security tools that have been designed to help security practitioners in Information Technology is known as an intrusion detection system. Past studies have been relying on different measures in designing this kind of tool. For example, Thompson et al. in 2006 relied on data two semi-structured interviews identifying the phases of infringement detection work.
In another example, Werlinger et al analyze data from a total of nine interviews that were conducted with stakeholders in Information Technology to identify perceptions by the security community regarding the pros and cons of intrusion detection system.
In addition, they also analyzed data based on their own observations on the way intrusion detection system use was hindered by lack of technical resource and expertise in organizations that used them (110).
Other past research has had their focus on case studies describing examples in real life that were related to security incidents. For example, Gibson presented a case study of an intrusion that caused a denial of services in his company in 2001. The diagnosis of the problem involved troubleshooting and interaction with other stakeholders in the Information Technology department (qtd. in Riden).
In a study conducted by Riden in 2006, a progression of security incidents are reported. Amongst the key factors that contributed to these incidents was ineffective communication and cooperation amongst the organizations’ security community more so in information technology.
This factor, he adds led to inconsistency in taking measures were preventative and ultimately denying the organizations to timely notification of intrusions. On the other hand, another study by Schultz in 2007 describes a diversity of sources of information that had to be gathered in order to diagnose incidents in an organization (14).
In a study conducted in 2003 by Yamauchi et al. there is a clear description of problem-solving practices suggested. The findings of the study propose a variety of suggestions.
Amongst them is that, there is a problem by most technicians in Information Technology to follow instructions from documents in existence. However, the technicians as proposed by the study seemed to follow information derived from other sources like colleagues, documents that are not formal and systems (87).
All in all, these case studies provide information that is useful. However, the case studies it is important to point out, give only a single organization. In short, they do not rely on evaluation methodologies that are formal to collect and analyze data.
As far as this research is concerned and aware of, the only studies those are formal and inexistence today, only investigate a small fraction of security incident response. This response investigated is what is known as intrusion detection system as proved and illustrated by the above literature.
Methodology
The research is going to be based on the following three research questions: What is the procedure for performing a diagnostic work in Information Technology? What are tools required to perform the diagnostic? And finally, in what ways can these diagnostic tools be improved to increase the chances of dealing with intrusions?
The interview schedule is then going to be structured to fit those research questions explained above. The identification of the interview participants is going to be carried from the stakeholders in the Information Technology sector. These participants will be drawn form organizations such as; the Financial sector, education sector, telecommunications, Information Communication consulting firms and Telecommunications.
The main participants from each sector are going to be the Information Technology experts and especially those that are charged with security. Each interview with these participants is expected to last for a period of an hour. The interviews are going to be semi-structured and for this reason then, it is expected that, each participant will not be asked the same kind of questions.
The research is going to use qualitative description (Sandelowski, 334-340) to analyze data. First, the interview transcriptions will be analyzed to identify information containing diagnostic work, primarily focusing on work related to security incidents.
Such incidents are those that have an effect on the security of computer systems or networks. Secondly, the research will organize and represent the data in different themes that will describe how the security community performs their roles in diagnostic and the kind of challenges that they do encounter.
Works Cited
Bailey, J., Kandogan, E., Haber, E. and Maglio, P. (2007), “Activity-based management of it service delivery”, CHIMIT ’07: Proceedings of Symposium on Computer Human Interaction for the Management of Information Technology, Cambridge, MA, pp. 1-5.
Botta, D., Werlinger, R., Gagne, A., Beznosov, B., Iverson, L., Fels, S. and Fisher, B. (2007), “Towards understanding IT security professionals and their tools”, Proceedings of Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, pp. 100-11.
Casey, E. (2005), “Case study: network intrusion investigation – lessons in forensic preparation”, Digital Investigation, Vol. 2 No. 4, pp. 254-60.
Goodall, J.R., Lutters, W.G. and Komlodi, A. (2004), “The work of intrusion detection: rethinking the role of security analysts”, Proceedings of Americas Conference on Information Systems (AMCIS), New York, NY, pp. 1421-7.
Killcrece, G., Kossakowski, K., Ruefle, R. and Zajicek, M. “State of the practice of computer security incident response teams (CSIRTs)”. 2003. Web. <www.cert.org/archive/pdf/03tr001.pdf >
Mitropoulos, S., Patsos, D. and Douligeris, C. (2006), “On incident handling and response: a state of the art approach”, Computers and Security, Vol. 25 No. 5, pp.351-70.
Riden, J. (2006), “Responding to security incidents on a large academic network” 2006. Web. < www.infosecwriters.com/text_resources/>
Sandelowski, M. (2000), “Whatever happened to qualitative description?” Research in Nursing & Health, Vol. 23 No. 4, pp. 334-40.
Schultz, E.E. (2007), “Computer forensics challenges in responding to incidents in real life setting”, Computer Fraud & Security, Vol. 12, pp. 12-16.
Spafford, E.H. (2003), “A failure to learn from the past”, Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV, December 8-12, pp. 217-33.
Werlinger, R., Hawkey, K., Muldner, K., Jaferian, P. and Beznosov, K. (2008), “The challenges of using an intrusion detection system: is it worth the effort?”, Proceedings of Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, pp. 107-16.
Yamauchi, Y., Whalen, J. and Bobrow, D.G. (2003), “Information use of service technicians in difficult cases”, CHI ’03: Proceedings of Human Factors in Computing Systems, Fort Lauderdale, FL, April 5-10, pp. 81-8.