Introduction
How prepared is your
information technology (IT) department or administrator to handle security
incidents? Many organizations learn how to respond to security incidents only
after suffering attacks. By this time, incidents often become much more costly
than needed. Proper incident response should be an integral part of your
overall security policy and risk mitigation strategy.
There are clearly direct
benefits in responding to security incidents. However, there might also be
indirect financial benefits. For example, your insurance company might offer
discounts if you can demonstrate that your organization is able to quickly and
cost-effectively handle attacks. Or, if you are a service provider, a formal incident
response plan might help win business, because it shows that you take
information security seriously.
This document provides
you with a recommended process and procedures to use when responding to
intrusions identified in a small- to medium-sized business (SMB) network environment.
The value of forming a security incident response team with explicit team
member roles is explained, as well as how to define a security incident
response plan.
To successfully respond to
incidents, you need to:
·
Minimize the number and severity of security
incidents.
·
Assemble the core Computer Security Incident
Response Team (CSIRT).
·
Define an incident response plan.
·
Contain the damage and minimize risks.
Before You Begin
This document assumes that your system administrators know the network
environment well, have documented it, and have backups in place. An
auditing process should already exist to monitor performance and utilization.
This level of awareness should be achieved before you implement an
incident response team.
No matter how much detail you
know about the network environment, the risk of being attacked remains. Any
sensible security strategy must include details on how to respond to different
types of attacks.
Minimizing the Number and
Severity of Security Incidents
In most areas of life,
prevention is better than cure, and security is no exception. Wherever
possible, you will want to prevent security incidents from happening in the
first place. However, it is impossible to prevent all security incidents. When
a security incident does happen, you will need to ensure that its impact is
minimized. To minimize the number and impact of security incidents, you should:
·
Clearly establish and enforce all policies and
procedures. Many security incidents are accidentally created by IT personnel
who have not followed or not understood change management procedures or have
improperly configured security devices, such as firewalls and authentication
systems. Your policies and procedures should be thoroughly tested to ensure
that they are practical and clear and provide the appropriate level of
security.
·
Gain management support for security policies
and incident handling.
·
Routinely assess vulnerabilities in your environment.
Assessments should be performed by a security specialist who has the appropriate
clearance to carry them out (for example, someone who is bondable and has been
granted administrator rights to the systems in scope).
·
Routinely check all computer systems and
network devices to ensure that they have all of the latest patches installed.
·
Establish security training programs for both
IT staff and end users. The largest vulnerability in any system is the
inexperienced user; the
ILOVEYOU worm effectively exploited that vulnerability among IT staff and end
users.
·
Post security banners that remind users of
their responsibilities and restrictions, along with a warning of potential
prosecution for violation. These banners make it easier to collect evidence and
prosecute attackers. You should obtain legal advice to ensure that the wording
of your security banners is appropriate.
·
Develop, implement, and enforce a policy
requiring strong passwords. You can learn more about passwords in "Enforcing
Strong Password Usage Throughout Your Organization"
in the Security Guidance Kit.
·
Routinely monitor and analyze network traffic
and system performance.
·
Routinely check all logs and logging
mechanisms, including operating system event logs, application-specific logs
and intrusion detection system logs.
·
Verify your back-up and restore procedures.
You should be aware of where backups are maintained, who can access them, and
your procedures for data restoration and system recovery. Make sure that you
regularly verify backups and media by selectively restoring data.
·
Create a Computer Security Incident Response
Team (CSIRT) to deal with security incidents. You can learn more about CSIRT in
the following section of this document.
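The backup bullet above calls for regularly verifying backups and media by selectively restoring data. As an added example that is not part of the Security Guidance Kit, the following Python script shows one way to make that drill repeatable: it records a manifest of SHA-256 hashes when the backup is written, restores a subset of files from the archive, and compares the restored bytes against the manifest. The file paths, their contents and the simulated media corruption are constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample files standing in for system data worth backing up;
# the paths and contents are made up for this example.
SAMPLE_FILES = {
    "etc/firewall.rules": b"allow tcp 443 from any\ndeny all\n",
    "etc/router.conf": b"hostname edge-1\ninterface eth0 10.0.0.1/24\n",
    "home/csirt/contacts.txt": b"CSIRT lead: ext 1234\nISP NOC: ext 5678\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files, archive_path):
    """Write files into an uncompressed tar archive and return a manifest
    {path: sha256}. The manifest is computed from the source bytes, not
    from the archive, so it is an independent record to verify against."""
    manifest = {}
    with tarfile.open(archive_path, "w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_hex(data)
    return manifest


def selective_restore(archive_path, members, dest_dir):
    """Restore only the named members into dest_dir and return their bytes.
    Refuses absolute or '..' member paths so a tampered archive cannot
    write outside dest_dir during the test restore."""
    restored = {}
    with tarfile.open(archive_path, "r") as tar:
        for name in members:
            member = tar.getmember(name)
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError("unsafe member path: " + member.name)
            if not member.isfile():
                raise ValueError("not a regular file: " + member.name)
            data = tar.extractfile(member).read()
            out_path = os.path.join(dest_dir, member.name)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with open(out_path, "wb") as fh:
                fh.write(data)
            restored[name] = data
    return restored


def verify_restore(manifest, restored):
    """Return the names of restored members whose hash does not match the
    manifest (an empty list means the test restore passed)."""
    return [name for name, data in restored.items()
            if manifest.get(name) != sha256_hex(data)]


def run_restore_test(files=SAMPLE_FILES,
                     members=("etc/firewall.rules", "home/csirt/contacts.txt"),
                     corrupt=False):
    """End-to-end drill: back up, optionally simulate media corruption,
    selectively restore, verify. Returns the list of mismatched members."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "backup.tar")
        manifest = make_backup(files, archive)
        if corrupt:
            # Simulate damaged media: alter bytes inside one member's data.
            # A tar header checksum covers the header only, not file contents,
            # so the archive still reads cleanly and only the hash check
            # catches the damage.
            with open(archive, "rb") as fh:
                blob = fh.read()
            with open(archive, "wb") as fh:
                fh.write(blob.replace(b"deny all", b"deny nil"))
        restored = selective_restore(archive, members,
                                     os.path.join(tmp, "restore"))
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore mismatches:", run_restore_test())
    print("corrupted restore mismatches:", run_restore_test(corrupt=True))
```

Store the manifest apart from the backup media (for example, with the offline emergency information described later in this document): a manifest kept on the same tape or disk is damaged by the same fault it is meant to detect. The member path check matters because a test restore is still an extraction, and an archive from untrusted or damaged media must not be allowed to write outside the restore directory.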
Assembling the Core Computer
Security Incident Response Team
The CSIRT is the focal point
for dealing with computer security incidents in your environment. Your team
should consist of a group of people with responsibilities for dealing with any
security incident. Team members should have clearly defined duties to ensure
that no area of your response is left uncovered.
Assembling a team before an
incident occurs is very important to your organization and will positively
influence how incidents are handled. A successful team will:
·
Monitor systems for security breaches.
·
Serve as a central communication point, both
to receive reports of security incidents and to disseminate vital information
to appropriate entities about the incident.
·
Document and catalog security incidents.
·
Promote security awareness within the company
to help prevent incidents from occurring in your organization.
·
Support system and network auditing through
processes such as vulnerability assessment and penetration testing.
·
Learn about new vulnerabilities and attack
strategies employed by attackers.
·
Research new software patches.
·
Analyze and develop new technologies for
minimizing security vulnerabilities and risks.
·
Provide security consulting services.
·
Continually hone and update current systems
and procedures.
When you create a CSIRT,
prepare the team so they are equipped to handle incidents. To prepare the team,
you should:
·
Train them on the proper use and location of
critical security tools. You should also consider providing portable computers
that are preconfigured with these tools to ensure that no time is wasted
installing and configuring tools so they can respond to an incident. These
systems and the associated tools must be properly protected when not in use.
·
Assemble all relevant communication
information. You should ensure that you have contact names and phone numbers
for people within your organization who need to be notified (including members
of the CSIRT, those responsible for supporting all of your systems, and those
in charge of media relations). You will also need details for your Internet
service provider (ISP) and local and national law enforcement agencies. Discuss
with your legal counsel about contacting local law enforcement before an
incident happens. This will help you to ensure that you understand proper
procedures for communicating incidents and collecting evidence. Legal counsel
should be informed of any contacts with law enforcement.
·
Place all emergency system information in a
central, offline location, such as a physical binder or an offline computer.
This emergency information includes passwords to systems, Internet Protocol
(IP) addresses, router configuration information, firewall
rule set lists, copies of certification authority keys, contact names and phone
numbers, escalation procedures, and so on. This information must both be
readily available and be kept extremely physically secure. One method of
securing and making this information readily available is to encrypt it on a
dedicated security portable computer that is placed in a secure vault and limit
access to the vault to authorized individuals such as the CSIRT leader and the
CIO or CTO.
The ideal CSIRT membership
and structure depends on the type of your organization and your risk management
strategy. However, the CSIRT should generally form part or all of your
organization's security team. Inside the core team are security professionals
responsible for coordinating a response to any incident. The number of members
in the CSIRT will typically depend on the size and complexity of your
organization. However, you should ensure that there are enough members to adequately
cover all of the duties of the team at any time.
Establishing Team Roles
A successful CSIRT
consists of several key members.
CSIRT
Team Leader. The CSIRT must have an
individual in charge of its activities. The CSIRT Team Leader will generally be
responsible for the activities of the CSIRT and will coordinate reviews of its
actions. This might lead to changes in policies and procedures for dealing with
future incidents.
CSIRT
Incident Lead. In the event of an incident,
you should designate one individual responsible for coordinating the response.
The CSIRT Incident Lead has ownership of the particular incident or set of
related security incidents. All communication about the event is coordinated
through the Incident Lead, and when speaking with those outside the CSIRT, he
or she represents the entire CSIRT. The Incident Lead might vary depending on
the nature of the incident, and is often a different person than the CSIRT Team
Leader.
CSIRT
Associate Members. Besides the core CSIRT team,
you should have a number of specific individuals who handle and respond to
particular incidents. Associate members will come from a variety of different
departments in your organization. They should specialize in areas that are
affected by security incidents but that are not dealt with directly by the core
CSIRT. Associate members can either be directly involved in an incident or
serve as entry points to delegate responsibility to a more appropriate
individual within their departments. The following table shows some suggested
associate members and their roles.
CSIRT Associate Members

IT Contact. This member is primarily responsible for
coordinating communication between the CSIRT Incident Lead and the rest of
the IT group. The IT Contact might not have the particular technical
expertise to respond to the particular incident; however, he or she will be
primarily responsible for finding people in the IT group to handle particular
security events.

Legal Representative. This member is a lawyer who is very familiar
with established incident response policies. The Legal Representative
determines how to proceed during an incident with minimal legal liability and
maximum ability to prosecute offenders.
Before an incident occurs, the Legal Representative
should have input on monitoring and response policies to ensure that the
organization is not being put at legal risk during a cleanup or containment
operation. It is very important to consider the legal implications of
shutting down a system and potentially violating service level agreements or
membership agreements with your customers, or of not shutting down a compromised
system and being liable for damages caused by attacks launched from that
system.
Any communication to outside law enforcement
or external investigative agencies should also be coordinated with the Legal
Representative.

Public Relations Officer (referred to as the Communications Officer in the
responsibilities table later in this document). Generally, this member is part of the public
relations department and is responsible for protecting and promoting the
image of the organization.
This individual might not be the actual face
to the media and customers, but he or she is responsible for crafting the
message (the content and objective of the message is generally the
responsibility of management). All media inquiries should be directed to
Public Relations.

Management. Depending on the particular incident, you
might involve only departmental managers, or you might involve managers
across the entire organization. The appropriate management individual will
vary according to the impact, location, severity, and type of incident.
If you have a managerial point of contact,
you can quickly identify the most appropriate individual for the specific
circumstances. Management is responsible for approving and directing security
policy.
Management is also responsible for
determining the total impact (both financial and otherwise) of the incident
on the organization. Management directs the Communications Officer regarding
which information should be disclosed to the media and determines the level
of interaction between the Legal Representative and law enforcement agencies.
Responding to an Incident
In the event of an incident,
the CSIRT will coordinate a response from the core CSIRT and will communicate
with the associate members of the CSIRT. The following table shows the
responsibilities of these individuals during the incident response process.
Responsibilities of CSIRT During the Incident Response Process

Activity                                 CSIRT Incident Lead  IT Contact  Legal Representative  Communications Officer  Management
Initial Assessment                       Owner                Advises     None                  None                    None
Initial Response                         Owner                Implements  Updates               Updates                 Updates
Collects Forensic Evidence               Implements           Advises     Owner                 None                    None
Implements Temporary Fix                 Owner                Implements  Updates               Updates                 Advises
Sends Communication                      Advises              Advises     Advises               Implements              Owner
Check with Local Law Enforcement         Updates              Updates     Implements            Updates                 Owner
Implements Permanent Fix                 Owner                Implements  Updates               Updates                 Updates
Determines Financial Impact on Business  Updates              Updates     Advises               Updates                 Owner