It is important that an incident response plan is formulated, supported throughout the organization, put into action, and regularly tested. A good incident response plan may minimize the effects of a breach. Furthermore, it may even reduce the negative publicity and focus attention on quick reaction time.
From a security team perspective, it does not matter whether a breach occurs (as such occurrences are an eventual part of doing business using an untrusted carrier network such as the Internet), but rather, when a breach will occur. Do not think of a system as weak and vulnerable; it is important to realize that given enough time and resources someone will breach even the most security-hardened system or network. You do not need to look any further than the Security Focus website at http://www.securityfocus.com for updated and detailed information concerning recent security breaches and vulnerabilities, from the frequent defacement of corporate webpages to the attacks on the 13 root DNS nameservers in 2002 that attempted to cripple Internet access around the world[1].
The positive aspect of realizing the inevitability of a system breach is that it allows the security team to develop a course of action that minimizes any potential damage. Combining a course of action with expertise allows the team to respond to adverse conditions in a formal and responsive manner.
The incident response plan itself can be separated into four sections:
Immediate action
Investigation
Restoration of resources
Reporting the incident to proper channels
An incident response must be decisive and executed quickly. There is little room for error in most cases. By staging practice emergencies and measuring response times, it is possible to develop a methodology that fosters speed and accuracy. Reacting quickly may minimize the impact of resource unavailability and the potential damage caused by system compromise.
An incident response plan has a number of requirements, including;
Appropriate personnel (in-house experts)
Financial support
Executive support
A feasible plan of action
Physical resources (redundant storage, standby systems, and backup services)
The term appropriate personnel refers to people who will comprise a Computer Emergency Response Team (CERT). Finding the core competencies for a CERT can be a challenge. The concept of appropriate personnel goes beyond technical expertise and includes logistics such as location, availability, and desire to put the organization ahead of ones personal life when an emergency occurs. An emergency is never a planned event; it can happen at any moment, and all CERT members must be willing to accept the responsibility that is required of them to respond to an emergency at any hour.
Typical CERT members include system and network administrators as well as members from the information security department. System administrators will provide the knowledge and expertise of system resources, including data backups, backup hardware available for use, and more. Network administrators provide their knowledge of network protocols and the ability to re-route network traffic dynamically. Information security personnel are useful for thoroughly tracking and tracing security issues as well as performing post-mortem analysis of compromised systems.
It may not always be feasible, but there should be personnel redundancy within a CERT. If depth in core areas is not applicable to an organization, then cross-training should be implemented wherever possible. Note that if only one person owns the key to data safety and integrity, then the entire enterprise becomes helpless in that person's absence.
Some important aspects of incident response to consider are legal issues. Security plans should be developed with members of legal staff or some form of general counsel. Just as every company should have their own corporate security policy, every company has its own way of handling incidents from a legal perspective. Local, state, and federal regulatory issues are beyond the scope of this document, but are mentioned because the methodology for performing a post-mortem analysis, at least in part, will be dictated by (or in conjunction with) legal counsel. General counsel can alert technical staff of the legal ramifications of breaches; the hazards of leaking a client's personal, medical, or financial records; and the importance of restoring service in mission-critical environments such as hospitals and banks.
| [1] |