APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

How to respond to a Security Incident

By Michael Desrosiers
m3ip Inc.
Email: mdesrosiers@m3ipinc.com
Web Site: https://m3ipinc.com
© April 2005 Michael Desrosiers

How an organization responds regarding a security or privacy breach tells me a lot about their level of preparedness.

The first thing that an organization needs to understand is exactly what constitutes an incident, what incidents are reportable and what actions they need to take when an incident occurs. The purpose of an incident response plan is to respond to, investigate and report any abnormal activities that deviate from approved or expected practices on your organization's information system resources. Your plan should include a description of a security violation, a security incident and an example of when a technical vulnerability causes or could cause one or the other.

There are two types of security violations:

Those that violate one or more laws (HIPAA, SOX, GLBA).

Those that violate organizational policy and regulations.

Security incidents may reveal the need for increased computer security efforts, possibly including a security training and awareness program. Technical vulnerabilities can be found in hardware, firmware or software and can be caused by design or implementation characteristics or flaws that leave an information system open to potential exploitation.

Should you shut down the system, alerting the potential hacker, or should you try to gain more information about the attacker for prosecution or study? Your decision will depend on what sort of activity has already been discovered and what the likelihood is of loss of life or market edge. Timely reporting is paramount and should be consistent with the incident's severity; efficient incident handling also minimizes the potential for negative public relations exposure. When an attack is in progress, spontaneous decisions can thwart efforts to determine the source of the incident, collect evidence, prepare for recovering the system and protect system data. Be aware that if you report a potential crime, authorities may seize all of your equipment and remove it from your premises for an unknown amount of time.

Your incident response plan will look similar to business continuity plans developed earlier:

Preparation and planning: goals and objectives in handling an incident.

Notification/point of contact in the case of an incident: local managers and personnel; law enforcement and investigative agencies; computer security incidents handling teams; affected and involved sites; internal communications; public relations; and customers, as applicable, if personal data was stolen.

Identifying an incident and classifying its severity.

Handling the incident: protection of evidence and activity logs; containment; eradication; recovery; and follow-up.

What are the implications of past incidents?

Administrative response to incidents.

An incident report should include the type, description and impact of the incident; date and time the incident occurred; name and classification of the information system; man-hours involved in recovery and cleanup; and a point of contact. All reports are classified at the level of the system compromised, but at least "Confidential" on any system processing classified information.

There you have it. The premise behind developing a sound and workable incident response mechanism is to think it through before it is needed. This is one aspect of information security that cannot be reactive.

Got something to add? Send me email.


1 comment


Sun Apr 3 17:57:02 2005: 270   bruceg

I am wondering if anyone out there has ever had to get law enforcement involved with a security breach. We had to let an employee go, because he broke some rules of our acceptable use policy, and I had several hundred pages of unauthorized web sites that he "surfed" during business hours. Since we do not pay our employees to surf all day long, and he had been doing this for a few months, we had to let him go. We do let people browse, but within reason. We tell them not to abuse the privilege, and that all websites are monitored by machine, and by username.

This guy actually got someone else's username/pass from a "public" PC, where the user had used the cached password utility to store passwords on the PC, and not set the master password, despite the warning message, urging you to do so. He was able to simply view the passwords of the usernames on that PC, and used that person's user/pass to surf the web. So he actually broke two rules in our policy, by stealing someone else's password, and using it without their knowledge.

Has anyone ever had to get law enforcement involved for a more serious breach of their system? What can they do? Is it even worth it?

Our acceptable use policy covers just about everything, and our employees are well aware of how they should protect their passwords, so others cannot use them. I am actually going to write a script, and see if users are logging on other machines than their own, since we use static IP addresses, and most of the time the user would only log on one station.

I have also updated our Win98 PCs to require a network logon, so I may take things a step further, and only allow certain users to log on to certain machines, so we do not have to worry about other users using other people's logins on another machine, should a password be found, or somehow "cracked".

I need to find a way to see how to do this with Apache, and Squid authentication, since they would have to be somehow limited by IP address as well.

My main concern is how law enforcement would actually pursue a case, where a small business had a breach of security, and maybe some payroll or other personal data was "stolen" from a computer system.

Has anyone out there had any experience with this?
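The check bruceg describes (users authenticating from a station other than their own, given static IP addresses), written as an added example that is not code from the comment or from this site. It assumes a constructed user-to-station table and Squid's native access.log layout, and flags authenticated requests that came from a different station, or from an account not in the table at all.

```python
from collections import defaultdict

# Constructed mapping: username -> the static IP of that user's own workstation
# (assumption: one station per user, as the comment above describes).
ASSIGNED_IP = {"bruceg": "192.168.1.10", "jdoe": "192.168.1.42", "asmith": "192.168.1.57"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client_ip code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1112560622.123    245 192.168.1.42 TCP_MISS/200 1043 GET http://example.com/ jdoe DIRECT/93.184.216.34 text/html
1112560630.501     12 192.168.1.57 TCP_HIT/200 512 GET http://example.org/ asmith NONE/- text/html
1112560640.877    310 192.168.1.99 TCP_MISS/200 2048 GET http://example.net/ jdoe DIRECT/93.184.216.34 text/html
1112560650.002      8 192.168.1.10 TCP_DENIED/407 0 GET http://example.com/ - NONE/- text/html
1112560660.444    150 192.168.1.42 TCP_MISS/200 777 GET http://example.com/news jdoe DIRECT/93.184.216.34 text/html
1112560670.321     95 192.168.1.42 TCP_MISS/200 640 GET http://example.com/ mallory DIRECT/93.184.216.34 text/html
"""

def parse_squid_line(line):
    """Return (timestamp, client_ip, user) from one native-format line, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return fields[0], fields[2], fields[7]

def find_foreign_logins(log_text, assigned=ASSIGNED_IP):
    """List (ts, user, client_ip, expected_ip) for authenticated requests that did not
    come from the user's assigned station; expected_ip is None for unknown accounts."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client_ip, user = parsed
        if user == "-":
            continue  # unauthenticated request (e.g. the 407 challenge), nothing to check
        expected = assigned.get(user)
        if expected is None or client_ip != expected:
            findings.append((ts, user, client_ip, expected))
    return findings

def foreign_ips_by_user(findings):
    """Collapse findings to {user: set of stations the user was seen from}."""
    seen = defaultdict(set)
    for _ts, user, client_ip, _expected in findings:
        seen[user].add(client_ip)
    return dict(seen)
```

On the constructed log this reports jdoe authenticating from 192.168.1.99 and an unknown account "mallory" using jdoe's station, which are the two cases the comment worries about.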
