Security Breach: Now What?

With so many security incidents occurring, many IT decision makers are unclear about whom they should notify and what steps they should take if their network or systems are breached. Local and Federal law enforcement agencies may well lack the skills to conduct a proper investigation. Is there anyone else you should notify? Where do you begin, and what should you look for?

Enlisting the Process and Reporting

Every organization should have a process for dealing with Security Incidents. Such incidents represent one of the most visible security risks, yet incident handling is only a small part of a larger corporate security policy. There should also be an IT decision maker whose job it is to make sure that the process is followed and carefully executed.

Depending upon how your organization is structured, the right person to be held accountable for the management of this process could be the Director of Information Security, the Director of Information Technology, the Chief Information Officer, or Chief Security Officer. The Security Incident Manager (the person being held accountable for the management of the process) is the first person that should be notified when a security breach occurs.

The Security Incident Manager should be the focal point of contact for all communications dealing with the Security Incident, and should enlist the assistance of a predetermined Incident Management Team as necessary. If the affected site is involved in running life support systems (hospitals or air traffic control centers, for example) or processing financial transactions, it is important that the Security Incident Manager be reachable at all times by either pager or cell phone, 24 hours a day, 365 days a year. When people's lives or financial transactions are at risk, proper Security Incident handling is of extreme importance.

Recording the Details

It is important to record the details of the security breach on a form or in a database. A typical Security Incident Handling Form should include fields that answer as many of the following questions as possible:

  • Has this incident been reported to the Incident Manager?

  • Date and time of first notice should be recorded. What are the symptoms of the problem?

  • Who reported the problem? Obtain all contact information.

  • Where is the problem manifesting itself? List all IP addresses, hostnames, and logfiles.

  • Is this a multi-site incident?

  • How long has the problem existed? Is this a single incident or an organized attack?

  • What chronology, if any, can be determined?

  • What is the entry point of the incident?

  • What is the potential for damage from the incident?

  • Have law enforcement officials been notified? List all contacts.

  • Incident Goals: Proceed and Protect, Pursue and Prosecute, or both?

In all cases, protection of human life and safety should be given first priority. Establishing monetary damages above a certain threshold (in the FBI's case $5000.00) is often required by law enforcement agencies before they are able to launch an investigation. Subsequently, protection should be ensured for:

  • Sensitive or proprietary data.

  • System data (root directories) and log files.

  • User, application, and program data.

  • Mitigation of disruption to Information Resources.

If one of the Incident Goals is to pursue and prosecute, note that it is very important not to tamper with the evidence. This means that log files cannot be edited, and access and creation dates and times cannot be changed on any files, applications, or data resources. If data is overwritten, transferred to another system, or sent across unencrypted network links, it will be very difficult for a prosecuting attorney to build a case worth pursuing. Access to the affected systems should be restricted immediately.

Often, proceeding and protecting conflicts with pursuing and prosecuting. If you have customer systems that must be repaired within a certain timeframe and do not have standby disks, reformatting and reinstalling a disk most assuredly tampers with and destroys the evidence. A transfer of affected files from disk to tape or writeable CD will most likely not stand up in court as admissible evidence. More often than not, companies decide that proceeding and protecting is more advantageous than pursuing and prosecuting.

Contain, Eradicate, and Recover

The Security Incident Manager needs to determine whether the incident should be handled internally or an outside consultancy should be enlisted to provide assistance. In all cases, the response should include containment, eradication, and recovery from the incident. To contain the incident, if it is possible to do so without disrupting necessary services, the affected systems should be isolated from the network by disconnecting their network interfaces, to prevent further tampering by cybercriminals.

If containment and eradication are slow, it is advisable to enlist the assistance of your vendors in resolving the issues. Call your router and switch vendors, inform them of the status of the incident, and ask them for recommendations. Making appropriate Access Control List (ACL) changes on your router is often one way to contain the problem, and your router vendor should be able to assist you with this.

Similarly, your Internet Service Provider (ISP) or Applications Service Provider (ASP) may be able to assist. Your service provider should have contacts, resources, and procedures for Security Incident handling - if they don't, it is time to get a new service provider.

If a system has been compromised at the root, administrator, or security officer privilege level, the box is owned, and not by you. Typically one of the first things a cybercriminal will do is install Trojan Horses to conceal their presence. Trojan Horses are files that look like normal system files but are actually programs that hide trespasser activity. Picking apart a system to find every system file replaced by a Trojan Horse typically takes far longer than simply reinstalling the entire system and recovering from backup. Therefore, it has become almost standard practice to reinstall the entire system, or bring up a new one, after a security incident instead of trying to clean up the old one.
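As an added example (not from the original article), the following Python script serves both the evidence-preservation point above and this paragraph's replaced-system-files problem: it records the SHA-256 hash and the original timestamps of every file under a directory into a baseline manifest, then compares a later manifest against it to report files that were changed, removed, or added. The directory tree and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_record(path):
    """Hash one file and capture the timestamps an investigator must not alter."""
    st = os.stat(path)  # stat first, so the recorded atime is the pre-read value
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mtime": st.st_mtime, "atime": st.st_atime}


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to its record."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Report files whose content hash changed, files removed, and files added."""
    changed = sorted(k for k in baseline
                     if k in current and baseline[k]["sha256"] != current[k]["sha256"])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed scenario: baseline a fake system tree, then simulate a replaced binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")  # constructed content
        (root / "bin" / "ps").write_bytes(b"original ps binary")  # constructed content
        baseline = build_manifest(root)
        # Simulated tampering: ps swapped for a look-alike, plus a dropped hidden file.
        (root / "bin" / "ps").write_bytes(b"replaced ps that hides processes")
        (root / "bin" / ".hidden").write_bytes(b"dropped file")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # {'changed': ['bin/ps'], 'missing': [], 'added': ['bin/.hidden']}
```

The baseline must be taken from a known-good state (for example at deployment) and stored off the host, since an attacker with root can rewrite a manifest kept on the compromised machine just as easily as the binaries themselves.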

If the system is a development system, simply recompiling and relinking the code is not good enough since you don't know whether the compiler or the libraries it uses have been sabotaged. You need to completely rebuild the system, reinstalling the operating system, compilers, and any supporting libraries and applications.

Recommendations for Prevention

Whether or not law enforcement agencies are able to assist you, the following organizations are interested in knowing about your security incidents: CERT, FIRST, SANS, SecurityFocus, and Cybersnitch. Cybersnitch has an online reporting system that is available at their website. The other organizations can be reached respectively at the following addresses:

Publishers of child pornography commonly use compromised systems to distribute their material. If the incident does involve child pornography, please contact through their online reporting system on their website. Note that by Federal law, all child pornography cases mandate a jail sentence if the perpetrator is caught and enough evidence is presented to convict them.
