Critical Incident Response and CIRT Development

Critical Incident Response and CIRT Development

AU0010_C04.fm Page 229 Wednesday, August 13, 2003 8:28 AM Chapter 4 Critical Incident Response and CIRT Development Critical Incident Management In modern organizations, the combination of easily available data, poorly administered safeguards, and malicious individuals make systems vulnerable and attractive to attacks. Almost daily, we hear of businesses being robbed of critical information assets or suffering outages through virus infections or denial-of-service attacks. Computer net- works are still relatively new, having their birth only 30 years ago. It sometimes seems hard to put in perspective, but the vaunted Information Highway was just getting its feet of the ground in the early 1980s. And, as information became an extremely valuable commodity, the exploitation of vulnerabilities seemed to keep pace with the growth of network systems. Illustrating this point is one of the most famous misdeeds, the 1988 “Morris Worm” incident resulted in a significantly large percentage of the network systems with Internet connections being corrupted and removed from service. This was the catalyst that caused Internet users to have postmortem meetings where they decided that preventative, detective, and corrective steps had to be made active parts of their business practice. For the past seven years, the Computer Crime and Security survey has been conducted jointly by the Computer Security Institute (www.gocsi.com) and the Federal Bureau of Investigation’s San Francisco, California, office. The purpose of this survey is to raise levels of computer system awareness while measuring the magnitude and frequency of computer crimes. The 2002 survey results are based on 503 responses from computer security professionals practicing in U.S. business and government agencies. Responses to this survey confirm that computer systems threats continue to spiral upwardly with corresponding financial losses following. Here are a few highlights from the most recent survey: Ⅲ 90 percent of the survey respondents detected computer security breaches in the last twelve months. 229 AU0010_C04.fm Page 230 Wednesday, August 13, 2003 8:28 AM 230 Critical Incident Management Ⅲ 80 percent acknowledged financial losses attributable to the computer security breaches. Ⅲ Of the 503 respondents, 44 percent estimated their financial losses at more than $455 million. Ⅲ The most serious financial losses occurred through the theft of proprietary information with 26 respondents reporting more than $170 million and 25 respondents reporting more than $115 mission in financial fraud. Ⅲ Of the respondents, 74 percent reported their Internet connection as the more- frequent point of attack than their internal system. Ⅲ In 1996, only 16 percent acknowledged reporting intrusions to law enforcement, but in 2002, 34 percent reported their intrusions to law enforcement authorities. Ⅲ 40 percent detected systems’ penetration from outside the organization. Ⅲ 78 percent detected employee abuse of Internet access privileges or inappro- priate use of e-mail. Ⅲ 38 percent suffered unauthorized access or misuse of their Web sites in the last 12 months, while 21 percent reported they did not know if there had been unauthorized access or misuse. Patrice Rapalus, CSI Director, remarked that the Computer Crime and Security Survey has served as a reality check for industry and government: Over its 7 year life span, the survey has told a compelling story. It has underscored some of the verities of the information security profession; for example, that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession’s ‘conventional wisdom;’ for example, that the ‘threat from inside the organization is far greater than the threat from outside the organization and that most hack attacks are perpetrated by juveniles on joy rides in cyberspace. Over the 7 year life span of the survey, a sense of the facts on the ground has emerged. There is much more illegal and unauthorized activity in cyberspace than corporations will admit to their clients, stockholders, and business partners or report to law enforcement. Incidents are widespread, costly, and commonplace. Since September 11, 2001, there seems to be a greater appreciation for how much information security means not only to each individual enterprise but also to the economy itself and to society as a whole. Hopefully, this greater appreciation will translate into increased staffing levels, more investment in training, and enhanced organizational clout for those responsible for information security. Experience Note The most frequent system attacks originate outside the business organization, but the most successful attacks are those committed by insiders. Critical Incident Response The best response to critical incidents is characterized by the “ounce of prevention is worth a pound of cure” philosophy. It is much more financially prudent to implement a sound risk management program characterized by written policies, procedures, and standards, with compliance ensured by comprehensive and unannounced audits, than it is to deal with financially devastating events after they happen. But there are times when “bad things happen to good people” and a response must be made to a critical incident occurring despite your best efforts. It is virtually AU0010_C04.fm Page 231 Wednesday, August 13, 2003 8:28 AM Critical Incident Response and CIRT Development 231 impossible to predict when someone is going to attack your system and steal your critical information except to say it is not a matter of if as much as it is a matter of when. Firefighter Response Model Responding to a critical incident is similar to responding to a fire. Fire departments work tirelessly to educate us about the best means to prevent fires. Safety training starts with simple programs when we are young by talking about fire-related hazards at home and school. Television and radio public service announcements tell us of the safety measures we can take to safeguard our lives at home. We see fire-safety slogans telling us “only you can prevent forest fires” and similar signs as we enter campgrounds and picnic areas. Sometimes we are visited by Fire Marshals inspecting our facilities, making certain there are marked exits and equipment to extinguish fires and save lives. When the worst happens, a company of firefighters responds to an emergency: Ⅲ Respond to emergency contact numbers Ⅲ Trained to handle wide-ranging emergency situations Ⅲ Organized in the deployment of their tactics and equipment Ⅲ Frequently cross-trained as Emergency Medical Technicians Ⅲ Confirm that an emergency exists and the nature of it Ⅲ Take all appropriate steps to control the emergency Ⅲ Take all appropriate steps to prevent the fire from destroying priority order: – Lives – Surrounding property – Property where the fire is presently burning Ⅲ Take every possible step to collect and preserve evidence of criminal behavior but not at the risk of life and property Ⅲ Testify at judicial proceedings about their actions and findings Ⅲ Conduct reviews and critique improving their performance Critical Incident Response Strategy No one would argue that responding to critical system incidents is a complex area that is not as easy as taking a pill and waking up feeling better in the morning. Critical Incident response methodology closely follows that of the firefighters: Ⅲ Precritical incident preparation. Designated and specially trained response personnel, contact methods, equipment, and tool availability and response posture. Ⅲ Detection of critical incidents. Ⅲ Initial response evaluation. This is a preliminary step in which an initial investigation is performed and an evaluation is made quickly to determine which type of response is appropriate. Ⅲ Response. This is the step where necessary resources are deployed responding to the critical incident. The response goals are very similar to those of the firefighters: contain the damage, prevent it from further spreading, dedicate efforts in a priority manner, and pursue resumption of normal operations. Ⅲ Response posture strategy. This step is where the preliminary facts are ascer- tained and a “best response” plan is proposed. At this time, the proposed plan AU0010_C04.fm Page 232 Wednesday, August 13, 2003 8:28 AM 232 Critical Incident Management is passed to senior managers for their review and approval. It is imperative that this step be accomplished within the framework of response demands and priorities. Time is of the essence, dawdling is not acceptable here. Depending on the nature of the emergency, there will be times that an immediate hammer-to-nail response is made and there will be times when the matter may be handled the next business day. Experience Note Be careful of “crying wolf” too frequently; if every case is declared an emergency, there are no emergencies. Ⅲ Law enforcement notification. Having previously established a relationship with law enforcement authorities, responders know whether they should collect the evidence first, or secure the crime scene and wait for officers to respond. Ⅲ Legal determination. Responders must include their legal counsel in the deci- sion process surrounding response strategy. On receiving the responder’s observations and recommendations, legal counsel should be prepared to render an opinion whether the responders should collect evidence for future legal proceedings, notify law officers so they can collect relevant evidence or take

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    112 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us