Work with information security incidents

    Good day, dear habrahabr!

    I continue my series of articles on information security practice.
    This time we will focus on such an important component as security incidents. Once an information security regime is in place (the documents have been approved, the technical controls have been installed and configured, the first training sessions have been held), handling incidents will take up the lion's share of your time.


    Incident Reporting


    First things first, you need to receive information about the incident. This point has to be thought through already at the stage of drafting the security policy and preparing the information security awareness presentations for employees.
    Main sources of information:

    1. Helpdesk.
    As a rule (and this is a good tradition), any problems, faults or equipment failures are reported by phone or in writing to the help desk of your IT service. Therefore you need to "embed" yourself into the helpdesk business process in advance and specify the types of incidents for which a ticket will be handed over to the information security department.

    2. Messages directly from users.
    Set up a single point of contact and announce it in the information security training for employees. At the moment, information security departments in organizations are usually small, often 1-2 people. So it is easy to appoint one person responsible for receiving incident reports; you don't even have to bother allocating a dedicated e-mail address for an IS helpdesk.

    3. Incidents discovered by security officers.
    Everything is simple here; no extra effort is needed to organize this reporting channel.

    4. Logs and system alerts.
    Set up alerts in the consoles of your anti-virus, IDS, DLP and other security systems. It is more convenient to use aggregators that also collect data from the logs of the programs and systems deployed in your organization. Pay particular attention to the points of contact with the external network and to the places where sensitive information is stored.

    Incident categorization


    Although security incidents are varied and diverse, they can be fairly easily divided into several categories, which makes keeping statistics easier.

    1. The disclosure of confidential or internal information, or the threat of such disclosure.
    For this you must have, at a minimum, an up-to-date list of confidential information and a working system for labeling electronic and paper media. A good example: document templates for almost every occasion, kept on the organization's internal portal or in the internal file storage, carry the stamp "For internal use only" by default.
    A small clarification on the threat of disclosure: in a previous post I described a situation where a document stamped "For internal use only" was posted in a shared hall adjoining another organization. Perhaps no disclosure actually took place (it was posted after the end of the working day and was noticed very quickly), but the threat of disclosure was obvious!

    2. Unauthorized access.
    For this you must have a list of protected resources, that is, those where sensitive information of the organization, its customers or contractors is located. Moreover, it is desirable to include in this category not only penetration of the computer network, but also unauthorized entry into premises.

    3. Excess of authority.
    In principle this item could be combined with the previous one, but it is better to keep it separate, and I'll explain why. Unauthorized access means access by persons who have no legitimate access to the organization's resources or premises at all, that is, an external intruder who has no legitimate way into your systems. Excess of authority means unauthorized access to resources or premises by the organization's own legitimate employees.

    4. Viral attack.
    Here it is necessary to understand the following: a single infection of an employee's computer should not trigger an inquiry, since it can be attributed to an error or the notorious human factor. If a significant percentage of the organization's computers are infected (here you can start from the total number of machines, their distribution, segmentation, etc.), then you need to open a full-fledged security incident with the necessary search for the sources and causes of the infection, etc.

    5. Compromise of accounts.
    This item overlaps with item 3. In fact, an incident moves from category 3 to category 5 if the investigation shows that the user physically and actually could not have used his credentials at that moment.

    Incident classification


    There are two ways to handle this point: a simple one and a complex one.
    The simple way: take the service level agreement (SLA) of your IT service and tailor it to your needs.
    The complex way: based on a risk analysis, identify the groups of incidents and/or assets for which resolution or elimination of the incident's causes must be immediate.
    The simple way works well in small organizations, where there is not much classified information and not a huge number of employees. But you should understand that in its SLA the IT service proceeds from its own risks and incident statistics. It may well be that a paper jam in the printer on the CEO's desk gets a very high priority, whereas for you a compromised password of the corporate database administrator will matter far more.

    Incident Evidence Collection


    There is a special applied discipline, forensics, which deals with the investigation of computer crimes. And there is a fine book by Fedotov N.N., "Forensics - Computer Forensics." I will not describe aspects of forensics in detail now; I will simply highlight 2 main points on preserving and presenting evidence that must be adhered to.

    • For paper documents: the original is stored securely together with a record of who discovered the document, where and when it was found, and who witnessed the discovery. Any investigation should ensure that the originals have not been tampered with.
    • For information on computer storage media: mirror images of any removable media, of the information on hard drives or in memory should be taken to ensure availability. A record of all actions during the copying process should be kept, and the process should be witnessed. The original media and the protocol (if this is not possible, then at least one mirror image or copy) must be kept secure and intact.
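    As an added illustration of the second point (not code from the article), here is a minimal evidence protocol in Python: each copying step is recorded with who did it, who witnessed it and when, every entry carries the hash of the previous one so that a removed or edited step breaks the chain, and the acquisition entry fixes the size and SHA-256 of the image so a copy can be checked before use. The sample image bytes and names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime
from typing import List

# Constructed stand-in for a mirror image of the original media (a few bytes
# instead of a full disk). Hypothetical data, not from the article.
SAMPLE_IMAGE = b"\x55\xaa" + bytes(range(256)) * 4 + b"\x00\x00"

def image_digest(data: bytes) -> str:
    """SHA-256 fixed at acquisition; re-checked before every later use of the copy."""
    return hashlib.sha256(data).hexdigest()

def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_action(protocol: List[dict], action: str, who: str, witness: str,
                  when: datetime, **details) -> dict:
    """Append one step of the copying process to the protocol. Each entry links
    to the hash of the previous one, so the protocol itself is tamper-evident."""
    prev = protocol[-1]["entry_hash"] if protocol else "0" * 64
    entry = {"action": action, "who": who, "witness": witness,
             "at": when.isoformat(), "prev": prev, **details}
    entry["entry_hash"] = _entry_hash(entry)
    protocol.append(entry)
    return entry

def acquire_image(protocol: List[dict], data: bytes, source: str, who: str,
                  witness: str, when: datetime) -> dict:
    """Log the imaging step together with the size and hash of the copy."""
    return record_action(protocol, "image taken", who, witness, when,
                         source=source, size_bytes=len(data), sha256=image_digest(data))

def copy_matches(entry: dict, data: bytes) -> bool:
    """True only if a copy still has the size and hash fixed in its acquisition entry."""
    return entry["size_bytes"] == len(data) and entry["sha256"] == image_digest(data)

def protocol_intact(protocol: List[dict]) -> bool:
    """Walk the chain: every entry must hash to its own entry_hash and link to the previous."""
    prev = "0" * 64
    for entry in protocol:
        if entry["prev"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

    The protocol is meant to be kept alongside the original media; the stored hashes only prove anything if the record itself is secured the same way.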


    After eliminating the incident


    So, the incident is over, the consequences have been eliminated, an internal investigation has been conducted.
    But the work should not end there.
    Further actions after the incident:

    • reassessment of the risks that led to the occurrence of the incident
    • preparation of a list of protective measures to minimize the risks identified in the event of a recurrence of the incident
    • updating the necessary policies, regulations, IS rules
    • training for the organization’s staff, including IT employees, to raise IS awareness

    That is, you must take every possible action to minimize or neutralize the vulnerability that allowed the security threat to be realized and, as a result, the incident to occur.

    Some tips


    1. Keep an incident log where you record the time of detection, the details of the person who discovered the incident, the category of the incident, the assets involved, the planned and actual time to resolve the incident, as well as the work done to eliminate the incident and its consequences.
    2. Record your actions. This is necessary primarily for yourself, to optimize the incident resolution process.
    3. Notify employees of the incident so that, firstly, they do not interfere with your investigation and, secondly, they refrain from using the affected assets during the investigation.
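    As an added example (not code from the article), the incident log from tip 1 and the "simple way" of classification above can be modelled like this in Python: the five categories, an SLA-derived planned resolution time per category, an overdue check against the actual resolution, the category 3 to 5 reclassification, and the rule that a single infection is not a viral-attack incident. The SLA hours and the 10% infection threshold are assumed values, not from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class Category(Enum):
    """The five incident categories from the article."""
    DISCLOSURE = 1           # disclosure of confidential/internal information, or its threat
    UNAUTHORIZED_ACCESS = 2  # outsider reaching protected resources or premises
    EXCESS_OF_AUTHORITY = 3  # legitimate employee exceeding his access rights
    VIRAL_ATTACK = 4         # mass infection, not a single machine
    ACCOUNT_COMPROMISE = 5   # credentials used by someone other than their owner

# Assumed resolution targets in hours per category ("simple way": an SLA tailored
# to IS needs). Hypothetical numbers, not taken from the article.
SLA_HOURS = {Category.DISCLOSURE: 8, Category.UNAUTHORIZED_ACCESS: 4,
             Category.EXCESS_OF_AUTHORITY: 24, Category.VIRAL_ATTACK: 24,
             Category.ACCOUNT_COMPROMISE: 4}

@dataclass
class Incident:
    """One incident log entry with the fields the article lists."""
    detected_at: datetime
    reported_by: str          # who discovered it
    source: str               # reporting channel: helpdesk, user, IS officer, logs
    category: Category
    assets: List[str]
    actions: List[str] = field(default_factory=list)  # work done, in order
    resolved_at: Optional[datetime] = None

    def planned_resolution(self) -> datetime:
        return self.detected_at + timedelta(hours=SLA_HOURS[self.category])

    def is_overdue(self, now: datetime) -> bool:
        """Overdue if resolved late, or still open past the planned time."""
        return (self.resolved_at or now) > self.planned_resolution()

    def reclassify_as_compromise(self, finding: str) -> None:
        """Move a category-3 incident to category 5 once the investigation shows
        the employee could not physically have used the credentials."""
        if self.category is not Category.EXCESS_OF_AUTHORITY:
            raise ValueError("only excess-of-authority incidents move to category 5")
        self.category = Category.ACCOUNT_COMPROMISE
        self.actions.append("reclassified 3 -> 5: " + finding)

def viral_attack_needs_investigation(infected: int, total: int, share: float = 0.1) -> bool:
    """A single infected machine is not an incident; a significant share of the
    fleet is. The 10% threshold is an assumption; tune it to your segmentation."""
    return infected > 1 and infected / total >= share
```

    Note that reclassifying to category 5 tightens the planned resolution time, which is exactly why the article keeps categories 3 and 5 apart.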
