Problem
With so many security incidents occurring, many IT decision makers are unclear as to whom they should notify and what steps they should take if their network or systems are breached. Local and even Federal law enforcement agencies may not have the staff or the skills to conduct a proper investigation of every incident. Is there anyone else you should notify? Where do you begin, and what should you look for?
Establishing the Process and Reporting
Every organization should have a process for dealing with Security Incidents. Incidents are one of the most visible security risks, but incident handling is only a small part of a larger corporate security policy. There should also be an IT decision maker whose job it is to make sure that the process is followed and carefully executed.
Depending upon how your organization is structured, the right person to be held accountable for the management of this process could be the Director of Information Security, the Director of Information Technology, the Chief Information Officer, or the Chief Security Officer. This Security Incident Manager (the person held accountable for managing the process) is the first person who should be notified when a security breach occurs.
The Security Incident Manager should be the focal point of contact for all communications dealing with the Security Incident, and should enlist the assistance of a previously agreed upon Incident Management Team as necessary. If the affected site is involved in running life support systems (hospitals or air traffic control centers, for example) or in processing financial transactions, it is important that the Security Incident Manager be reachable at all times by pager or cell phone, 24 hours a day, 365 days a year. When people's lives or financial transactions are at risk, proper Security Incident handling is of extreme importance.
Recording the Details
It is important to record the details of the security breach on a form or in a database. A typical Security Incident Handling Form should include fields that answer as many of the following questions as possible:
- Has this incident been reported to the Incident Manager?
- When was the problem first noticed? Record the date and time. What are the symptoms of the problem?
- Who reported the problem? Obtain all contact information.
- Where is the problem manifesting itself? List all IP addresses, hostnames, and log files.
- Is this a multi-site incident?
- How long has the problem existed? Is this a single incident or an organized attack?
- What chronology, if any, can be determined?
- What is the entry point of the incident?
- What is the potential for damage from the incident?
- Have law enforcement officials been notified? List all contacts.
- Incident Goals: Proceed and Protect, Pursue and Prosecute, or both?
In all cases, protection of human life and safety should be given first priority. Note that law enforcement agencies often require monetary damages above a certain threshold (in the FBI's case $5,000) to be established before they are able to launch an investigation. After life and safety, protection should be ensured for:
- Sensitive or proprietary data.
- System data (root directories) and log files.
- User, application, and program data.
- Continuity of Information Resources (minimizing disruption).
If one of the Incident Goals is to pursue and prosecute, it is very important not to tamper with the evidence. Log files must not be edited, and access, modification, and creation dates and times must not be changed on any files, applications, or data resources. If data is overwritten, transferred to another system, or sent across unencrypted network links, it will be very difficult for a prosecuting attorney to build a case worth pursuing. Access to the affected systems should be restricted immediately, and every person who handles the systems or the evidence should be recorded, so that a chain of custody can be shown later.
Often, proceeding and protecting conflicts with pursuing and prosecuting. If you have customer systems that must be repaired within a certain timeframe and do not have standby disks, reformatting and reinstalling a disk most assuredly tampers with and destroys the evidence. A plain file-by-file copy of the affected files to tape or writeable CD is unlikely to be accepted as admissible evidence, because ordinary copying changes or loses timestamps and other metadata; what holds up is a bit-for-bit image of the disk, with a cryptographic hash of the image recorded at the time it was taken and a documented chain of custody. More often than not, companies decide that proceeding and protecting is more advantageous than pursuing and prosecuting.
Contain, Eradicate, and Recover
The Security Incident Manager needs to determine whether the incident should be handled internally or whether an outside consultancy should be enlisted to provide assistance. In all cases, the response should include containment, eradication, and recovery from the incident. To contain the incident, if it is possible to do so without disrupting necessary services, the affected systems should be isolated from the network by disconnecting their network interfaces (or shutting down their switch ports) so that the intruder can do no further damage. Disconnecting the network is not the same as powering the system off: powering off destroys the contents of memory (running processes, open connections), so if prosecution is a goal, capture that volatile data before the machine is shut down.
If containment and eradication are slow, it is advisable to enlist the assistance of your vendors in resolving the issues. Call your router and switch vendors, inform them of the status of the incident, and ask them for recommendations. Making appropriate Access Control List (ACL) changes on your router is often one way to contain the problem, and your router vendor should be able to assist you with this.
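Since the paragraph above points to router ACL changes as a containment step, here is an added example, not code from the original article, that builds such a list. It assumes classic Cisco IOS numbered extended ACL syntax (numbers 100-199, wildcard masks, the "log" keyword) and that the list is applied both inbound and outbound on the router interface facing the compromised segment. The addresses are constructed from documentation ranges and a private LAN, and the function names are my own.

```python
import ipaddress


def acl_target(spec: str) -> str:
    """Render an address or CIDR block in classic IOS ACL form.

    IOS uses wildcard masks (the bitwise inverse of the netmask), which is
    exactly what ipaddress exposes as .hostmask:
    10.1.0.0/16 -> '10.1.0.0 0.0.255.255'.
    """
    net = ipaddress.ip_network(spec, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv4 only in this example: {spec}")
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def containment_acl(number: int, attacker_sources, compromised_hosts, admin_station=None) -> list:
    """Build an ordered numbered extended ACL for emergency containment.

    Order matters: IOS evaluates entries top-down and stops at the first match,
    so the admin-station exception must precede the deny for the same host, and
    the catch-all permit must be last so the rest of the network keeps working.
    'log' makes every hit show up in the router log, which is itself evidence.
    """
    if not 100 <= number <= 199:
        raise ValueError("classic extended ACLs are numbered 100-199")
    lines = []
    # Drop everything from the attacker's addresses, whatever the destination.
    for src in attacker_sources:
        lines.append(f"access-list {number} deny ip {acl_target(src)} any log")
    for host in compromised_hosts:
        if admin_station:
            # Both directions, or the admin station's replies would hit the deny below.
            lines.append(f"access-list {number} permit ip {acl_target(admin_station)} {acl_target(host)}")
            lines.append(f"access-list {number} permit ip {acl_target(host)} {acl_target(admin_station)}")
        # Stop the owned box talking out (exfiltration, further spread) and anyone talking to it.
        lines.append(f"access-list {number} deny ip {acl_target(host)} any log")
        lines.append(f"access-list {number} deny ip any {acl_target(host)} log")
    lines.append(f"access-list {number} permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed addresses: attacker network and host from RFC 5737 ranges, victim and admin on a private LAN.
    for line in containment_acl(150, ["203.0.113.0/24", "198.51.100.7"], ["10.1.2.3"], admin_station="10.1.9.9"):
        print(line)
```

Apply the list with `ip access-group 150 in` and `ip access-group 150 out` on the interface facing the compromised segment, and do it from a console or from the admin station named in the exception, never from the host you are about to block. This is a stop-gap to buy time; the permanent fix is the rebuild described below.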
Similarly, your Internet Service Provider (ISP) or Application Service Provider (ASP) may be able to assist. Your service provider should have contacts, resources, and procedures for Security Incident handling; if they don't, it is time to get a new service provider.
If a system has been compromised at the root, administrator, or security officer privilege level, the box is owned, and not by you. Typically one of the first things an intruder does is install Trojan Horses to conceal their presence: replacements for normal system programs (the ones that list files, processes, logins, and network connections) that look and behave like the originals but hide the intruder's files and activity. A packaged set of such replacements is commonly called a rootkit. Picking apart a system to find every system file replaced by a Trojan Horse typically takes far longer than simply reinstalling the entire system and recovering from backup. Therefore, it has become almost standard practice to reinstall the entire system, or bring up a new one, after a security incident instead of trying to clean up the old one. Restore from a backup taken before the break-in; a backup taken afterwards will bring the Trojan Horses back with it.
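The evidence handling rules given earlier (log files and timestamps must not change) and the Trojan Horse problem just described both come down to the same question: can you prove which files changed? The following added example, which is not code from the original article, builds a hash manifest of a file tree and later checks the tree against it. The directory layout, the log line, and the function names are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs and binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path: Path) -> dict:
    """Content hash plus the timestamps the article says must not be altered.

    stat() is taken before the file is read, because reading it can itself bump atime.
    """
    st = path.stat()
    return {
        "sha256": sha256_file(path),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "atime": st.st_atime,
        "ctime": st.st_ctime,
    }


def build_manifest(root: Path, recorded_by: str) -> dict:
    """Walk root, record every regular file, and seal the record with its own hash.

    The manifest hash is the value to write on the incident form (or to sign), so the
    manifest cannot be quietly edited later any more than the files can.
    """
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            files[p.relative_to(root).as_posix()] = file_record(p)
    digest = hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()
    return {
        "root": str(root),
        "recorded_by": recorded_by,
        "recorded_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": files,
        "manifest_sha256": digest,
    }


def manifest_intact(manifest: dict) -> bool:
    """True if the file records still hash to the sealed value."""
    digest = hashlib.sha256(json.dumps(manifest["files"], sort_keys=True).encode()).hexdigest()
    return digest == manifest["manifest_sha256"]


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Diff the tree under root against a manifest. Content is judged by hash, not by timestamps."""
    expected = manifest["files"]
    current = build_manifest(root, recorded_by="verifier")["files"]
    return {
        "modified": sorted(k for k in expected if k in current and current[k]["sha256"] != expected[k]["sha256"]),
        "missing": sorted(k for k in expected if k not in current),
        "added": sorted(k for k in current if k not in expected),
    }


def demo() -> dict:
    """Constructed scenario: baseline a toy system tree, then simulate an intruder's cleanup."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls binary\n")
    (root / "bin" / "ps").write_bytes(b"original ps binary\n")
    (root / "var" / "log").mkdir(parents=True)
    (root / "var" / "log" / "auth.log").write_text(  # constructed log line
        "Jan 10 02:14:05 host sshd[812]: Accepted password for root from 198.51.100.7\n"
    )
    baseline = build_manifest(root, recorded_by="j.doe, incident 42")

    # The intruder swaps ls for a trojaned copy and puts the old timestamps back (touch -r),
    # so an mtime-only check sees nothing; the hash still catches it.
    target = root / "bin" / "ls"
    old = target.stat()
    target.write_bytes(b"trojaned ls binary\n")
    os.utime(target, ns=(old.st_atime_ns, old.st_mtime_ns))
    # Then wipes the log that recorded the login and leaves a backdoor behind.
    (root / "var" / "log" / "auth.log").unlink()
    (root / "bin" / "sh.bak").write_bytes(b"backdoor\n")

    report = verify_manifest(root, baseline)
    report["mtime_restored"] = target.stat().st_mtime == baseline["files"]["bin/ls"]["mtime"]
    return {"baseline": baseline, "report": report}


if __name__ == "__main__":
    print(json.dumps(demo()["report"], indent=2))
```

Run this against a read-only mount of a disk image taken from the compromised machine, not against the live machine: walking the live filesystem touches access times and trusts the very kernel and tools the intruder may have replaced. A baseline manifest taken while the system was still clean (and kept off the box) is what makes the comparison decisive; a manifest first taken after the break-in only shows what changes from then on.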
If the system is a development system, simply recompiling and relinking the code is not good enough, since you don't know whether the compiler or the libraries it uses have been sabotaged. You need to completely rebuild the system: reinstall the operating system, compilers, and any supporting libraries and applications from trusted media.
Recommendations for Prevention
Whether or not law enforcement agencies are able to assist you, the following organizations are interested in knowing about your security incidents: CERT, FIRST, SANS, SecurityFocus, and Cybersnitch. Cybersnitch has an online reporting system on their website. The other organizations can be reached at the following addresses:
intrusion@sans.org
cert@cert.org
first-sec@first.org
incidents@securityfocus.com
Publishers of child pornography commonly use compromised systems to distribute their material. If the incident does involve child pornography, contact Condemned.org through the online reporting system on their website. Note that under Federal law, a child pornography conviction carries a mandatory jail sentence if the perpetrator is caught and enough evidence is presented to convict them.