After the Breach

With enterprises becoming increasingly vulnerable to security breaches, an effective IR (incident response) strategy has to be an integral part of the security plan

Amit Sarkar

Tuesday, September 17, 2002


Information security is a critical concern for most enterprises today. In many cases a breach is limited to a virus infection or a website defacement, but a breach can also do far more serious harm: damage to the company's reputation, crippling downtime-related losses, or theft of proprietary information. An attack can come from internal or external sources, and while many articles have dealt with where attacks come from, this report advises enterprises on the incident response measures that should follow a breach.

Threats from every side
A recent information security survey by CII-PwC shows that 80% of businesses suffered some kind of breach in 2001-02, up from 60% the previous year. Virus attacks accounted for the bulk of breaches, but denial of service attacks were also on the rise, as were financial fraud, identity theft, spoofing, corporate espionage, website defacement and insider abuse. Internal security breaches accounted for 60% of all incidents.

OS-related vulnerabilities are among the largest single causes of IT security breaches in India, largely in line with the global trend. However, the proportion of primitive security failures such as human error and poorly defined access controls seems significantly higher in India than internationally. Swapan Johri, head (security) at HCL Comnet, says, "About 80% of all corporate intellectual property is in digital form. This stands exposed to a whole range of attacks, varying from insiders with malicious intent, to terrorists, spies, joyriders, even predatory competition."

In most cases, breaches are determined through data damage, server logs or being alerted by an employee.

Capt Felix Mohan, CEO of Delhi-based IT security firm Securesynergy, says, "Breaches are detected by proactive and reactive methods. Proactive methods are technical controls like intrusion detection systems, firewalls, file integrity monitors and analysis of server logs. Reactive methods include discovery of breach due to data loss or material damage, or when alerted by colleagues, customers, or managed service providers."
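
A minimal file integrity monitor of the kind Capt Mohan lists among the proactive controls, added here as an example; it is not code from the article or from Securesynergy. It baselines the SHA-256 of every file under a directory and later reports anything modified, added or removed, which is how a Trojaned startup script or a dropped backdoor shows up. The directory layout and file contents in the demo are constructed; in real use it would be pointed at the startup scripts, configuration and system binaries, with the baseline kept off the host.

```shell
#!/bin/sh
# Added example: minimal file integrity monitor (baseline + check).
# Not the article's own tooling; the demo tree and file names are constructed.
set -u

# Use GNU sha256sum where present, otherwise BSD/macOS shasum.
HASH="sha256sum"
command -v sha256sum >/dev/null 2>&1 || HASH="shasum -a 256"

# fim_baseline DIR OUT: write "hash  ./path" for every regular file under DIR,
# sorted by path. Keep OUT off the host or on read-only media; a baseline the
# intruder can rewrite detects nothing. (Paths containing whitespace are not handled.)
fim_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        $HASH "$f"
    done ) > "$out"
}

# fim_check DIR BASELINE: hash DIR again and compare with the baseline. Prints
# one finding per line (MODIFIED/ADDED/REMOVED path). Returns 0 if the tree
# still matches, 1 if anything differs.
fim_check() {
    dir="$1"; base="$2"
    tmp=$(mktemp -d)
    fim_baseline "$dir" "$tmp/now"
    # Re-key both lists as "path hash" so join can pair them on the path.
    awk '{print $2, $1}' "$base"    | LC_ALL=C sort > "$tmp/base.k"
    awk '{print $2, $1}' "$tmp/now" | LC_ALL=C sort > "$tmp/now.k"
    {
        LC_ALL=C join "$tmp/base.k" "$tmp/now.k"      | awk '$2 != $3 {print "MODIFIED", $1}'
        LC_ALL=C join -v 2 "$tmp/base.k" "$tmp/now.k" | awk '{print "ADDED", $1}'
        LC_ALL=C join -v 1 "$tmp/base.k" "$tmp/now.k" | awk '{print "REMOVED", $1}'
    } > "$tmp/findings"
    cat "$tmp/findings"
    if [ -s "$tmp/findings" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# Demo on a constructed tree standing in for a server's startup scripts and config.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/init.d"
printf '#!/bin/sh\nstart_httpd\n' > "$DEMO/init.d/httpd"
printf 'PermitRootLogin no\n'      > "$DEMO/sshd_config"
fim_baseline "$DEMO" "$DEMO.baseline"
if fim_check "$DEMO" "$DEMO.baseline"; then echo "baseline taken, tree is clean"; fi

# Simulate the intrusion the article warns about: a startup script Trojaned to
# relaunch a backdoor on every boot, plus a dropped file.
printf '#!/bin/sh\nstart_httpd\n/tmp/.cache/backdoor &\n' > "$DEMO/init.d/httpd"
printf 'x\n' > "$DEMO/.rhosts"
fim_check "$DEMO" "$DEMO.baseline" || echo "integrity violation: escalate per the IR plan"
```

Run it as a scheduled job that compares against a baseline fetched from a host the intruder cannot reach; a baseline stored beside the monitored files is only as trustworthy as the files themselves.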

Denial doesn’t help
Enterprises usually react to their first breach with denial or disbelief. Only when the severity of the situation becomes clear does the gamut of emotions follow: anger at the perpetrator, a sense of betrayal by the security vendors who did not prevent it, and finally sheer panic. By the time a typical enterprise actually starts addressing the problem, precious time has been lost, possibly worsening the situation.

The reason for the panic stems from the absence of an incident response plan that serves as a guide when the system is breached. Most do not know who to call for help, when and how to communicate the problem to employees, customers and the media, or how to get back online. To minimize the damage, an enterprise should have a well-defined strategy in the form of a detailed and clearly-written incident response plan. Preparing ahead kills the possibility of a switch to ‘panic’ mode, apart from making the recovery process faster and smoother.

Quick-fix may not plug gaps
Most enterprises confronted with a website defacement take the site down, fix it quickly, put it back up and hope nobody noticed. But a rushed fix can make matters worse. Many intruders build a backdoor into their handiwork so they can easily get back in later and do more damage, and a quick fix that leaves the backdoor in place solves nothing. A rushed restore can also quash a company's ability to track down and prosecute the perpetrator: in their haste, companies trample and sometimes entirely erase the crime scene. The first step is assessing the extent of the damage. Says Capt Mohan, "Few enterprises document forensics guidelines that set out how to maintain evidence during an investigation from a legal perspective, and provide technical procedures and standards that need to be adopted for diagnosing breaches."

Five Do's and Don'ts

The Do's

- Immediately inform all parties who need to be made aware of the breach, as defined in the company's incident response plan: the IR team, PR staff, affected users, management, system administrators of other connected sites, etc.

- Capture and securely store all information about the compromised systems, including the cause of the intrusion, system and network logs, network connections, running processes, logged-in users and open files. Do this by creating an image of the disk without changing the original data. Any difference between the original system and the master copy counts as a change to the evidence, so you must be able to account for every difference. If possible, and without rebooting, make two byte-by-byte copies of the physical disk.

- Contain the incident to limit its extent and stop the intruder doing further damage. This may involve shutting the system down (once volatile evidence has been captured; see the Don'ts), disconnecting it from the network, disabling access, and monitoring the network for further attacks.

- Ensure the intruder has no covert means of access to the company's systems through backdoors or Trojans he may have installed. Reinstall compromised systems, restore programs and binaries from original media, carry out a vulnerability analysis and review the configuration of all protective and detective mechanisms (IDS, firewall, Tripwire, access controls, etc).

- Return the system to normal operation only after eliminating every means by which the intruder could regain access. If business requirements force the system back online fast, the residual risk needs to be monitored. Once restored, the company should implement the lessons learned and update its IR plan.

The Don'ts

An enterprise should avoid the following just after a breach:

- Do not panic. Execute the company's IR plan.

- Do not power a system down immediately on discovering an incident; this can destroy critical evidence. Powering off loses the system's volatile data before a forensic image can be created. The attacker may also have Trojaned the startup and shutdown scripts, and Plug-and-Play devices may alter the system configuration and wipe temporary file systems. Rebooting is even worse and should be avoided.

- Do not bring the compromised system back online without a thorough vulnerability analysis and hardening of its protective and detective mechanisms, so that the perpetrator cannot re-enter. Hardening should include a thorough sanitisation of the system to ensure no backdoor or Trojan remains before the system goes back up.

- Do not ignore the incident, even if it seems insignificant and harmless. Incidents should be escalated and dealt with as set out in the incident response plan.

- Do not start looking through files, as this can destroy vital evidence such as timestamps (reading a file updates its access time). Any programs you use should run from read-only media (a CD-ROM or a write-protected floppy disk) and should be statically linked, so they do not depend on libraries on the compromised system that the intruder may have replaced.

(Source: Bangalore Labs, SecureSynergy)
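
The evidence-capture and "do not power down" items above, carried out as one runnable procedure; this is an added example, not code from the article, Bangalore Labs or SecureSynergy. It collects volatile data first, then takes the two byte-for-byte disk copies the Do's call for and proves each against the source with SHA-256, logging every hash to a chain-of-custody file. It runs against a constructed disk image (a plain file) so it is safe to try; on a real case the source would be the physical device (for example /dev/sda) and the evidence directory a separately mounted collection volume. The trusted-toolkit mount point is an assumption.

```shell
#!/bin/sh
# Added example: volatile capture followed by two verified disk images.
# Not the article's own tooling. Tool paths and the demo "disk" are assumptions.
set -u

# Run trusted, statically linked tools from read-only media when available
# (assumed mount point); otherwise fall back to the host's PATH so the demo runs.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"
[ -d "$TRUSTED_BIN" ] && PATH="$TRUSTED_BIN:$PATH"
export PATH

# Use GNU sha256sum where present, otherwise BSD/macOS shasum.
HASH="sha256sum"
command -v sha256sum >/dev/null 2>&1 || HASH="shasum -a 256"
sha256() { $HASH "$1" | cut -d' ' -f1; }

# Append a UTC-timestamped line to the chain-of-custody log in $EVDIR.
log_custody() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVDIR/custody.log"
}

# collect_volatile EVDIR: most volatile data first, before anything that could
# alter the host. Everything is written to the evidence directory, never to the
# compromised disk, and hashed as soon as it lands.
collect_volatile() {
    EVDIR="$1"
    mkdir -p "$EVDIR/volatile"
    date -u  > "$EVDIR/volatile/date.txt"
    uname -a > "$EVDIR/volatile/uname.txt"
    id       > "$EVDIR/volatile/whoami.txt"
    ps -ef   > "$EVDIR/volatile/processes.txt" 2>/dev/null || ps > "$EVDIR/volatile/processes.txt"
    if [ -r /proc/net/tcp ]; then
        cat /proc/net/tcp /proc/net/udp > "$EVDIR/volatile/net.txt"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an > "$EVDIR/volatile/net.txt"
    else
        echo "no network listing tool available" > "$EVDIR/volatile/net.txt"
    fi
    who > "$EVDIR/volatile/logged_in.txt" 2>/dev/null || echo "who unavailable" > "$EVDIR/volatile/logged_in.txt"
    for f in "$EVDIR"/volatile/*; do
        log_custody "volatile $(basename "$f") sha256=$(sha256 "$f")"
    done
}

# acquire_image SRC EVDIR: two byte-for-byte copies, each hashed against the
# source. bs=512 so that conv=sync (zero-fill past unreadable sectors on real
# media) never pads the tail of a sector-sized device. Returns 0 only if the
# source and both copies hash identically.
acquire_image() {
    SRC="$1"; EVDIR="$2"
    mkdir -p "$EVDIR"
    src_hash=$(sha256 "$SRC")
    log_custody "source $SRC sha256=$src_hash"
    for n in 1 2; do
        out="$EVDIR/image$n.raw"
        dd if="$SRC" of="$out" bs=512 conv=noerror,sync 2>/dev/null
        copy_hash=$(sha256 "$out")
        log_custody "copy $out sha256=$copy_hash"
        if [ "$copy_hash" != "$src_hash" ]; then
            log_custody "MISMATCH $out does not match source"
            return 1
        fi
    done
    return 0
}

# Demo against a constructed 32 KiB "disk" so nothing real is touched.
CASE=$(mktemp -d)
dd if=/dev/urandom of="$CASE/disk.img" bs=512 count=64 2>/dev/null
collect_volatile "$CASE/evidence"
if acquire_image "$CASE/disk.img" "$CASE/evidence"; then
    echo "evidence captured and verified; custody log:"
    cat "$CASE/evidence/custody.log"
else
    echo "image verification FAILED, see $CASE/evidence/custody.log" >&2
fi
```

One copy is the working copy the investigators examine; the other is sealed. Because both carry the source hash in the custody log, any later change to either can be shown, which is what "accounting for the differences" in the Do's amounts to in practice.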

Backups are essential
One technique for buying time to investigate without jeopardising the business is to maintain backup servers holding frequently updated copies of all website pages. A company hit by a breach can then serve its site from the backup servers while combing through evidence on the primary system. The cost varies with the size and dynamics of the site, but for a larger site a standby copy is worth it when you consider the value it offers: the company can immediately bring up a clean copy of the site, examine the damaged one to determine in detail what happened, and avoid a rushed fix.

In-house IR team
Enterprises need an in-house incident response team consisting of cross-functional employees to handle cases of breaches. Calling in the incident response team should be at the top of the list of action items on a company’s incident response plan. This group should have executives and representatives from IS, business units, plus PR, legal, marketing and HR departments, with training on how to respond in the event of a breach.

Investment on IT Security: Stretch Your Buck

Option | Benefit | Cost | Security rating
Install basic hardware and software: firewalls, anti-virus programs, passwords, etc | Basic protection. Despite a heavy initial investment, you can't ignore these | $$$ | **
Buy advanced hardware and software: encryption, authentication, digital certificates and signatures, keystroke loggers | Far more security than the basics, but at a heavy price | $$$ | ***
Hire/reassign staff to create and enforce security policies | Helps secure everyday operations | $$ | ***
Dedicate one staffer to ongoing maintenance of security systems | A low-cost, highly cost-effective way to improve security | $ | ****
Improve IT security awareness through employee training | Low-cost and effective way to quickly improve security | $ | ****
Regular virus and patch upgrades, firewall reconfiguration, security audits | Worth the cost; ensures critical updates don't get delayed or fall by the wayside | $$ | ***
Regular security/penetration audit and assessment | Expensive but necessary. White hat hackers will give reports and suggest improvements | $$$$ | ***
Outsource the entire process of security management | Expensive, but includes service guarantees that the enterprise will remain secure | $$$$ | ****

Security rating: * May or may not be required; ** Needs careful evaluation; *** Important; **** Critical urgency
Cost: $ Inexpensive; $$ Consider spend; $$$ Heavy spend; $$$$ Top dollar, RoI study a must

Do not hesitate to report
The CSI/FBI 2002 Computer Crime and Security Survey in the US reveals that only 34% of surveyed respondents reported a security breach to law enforcement bodies. Also, 77% of the respondents patched holes and moved on with business. Rohit Nand, senior security consultant at Bangalore Labs, opines: "The percentage of organizations in India that would detect a security breach and report the same to law enforcement would be far lower than that in the West. This is due to factors like lower security awareness levels and budgets, apart from the lack of a centralized IT security incident reporting body, like FBI and CERT."

A company's IR plan should detail whether the authorities should be called, in what circumstances, and by whom. When an employee receives a threat by e-mail or trade secrets have been compromised, for instance, the authorities should be informed fast; an employee suspected of accessing off-limits information, on the other hand, may be a matter best dealt with in-house. On the whole, reporting cybercrimes and network attacks is the right thing to do: only by sharing information with law enforcement and industry groups does it become easier to prosecute criminals, identify new security threats and prevent future attacks.

Amit Sarkar in New Delhi




