19

INFORMATION SECURITY RESPONSE

Always Vigilant

The price of liberty is eternal vigilance.

—THOMAS JEFFERSON

INTRODUCTION

A company’s data is its lifeblood. Without a steady flow of accurate data, available on demand, the business will grind to a halt. Some companies that lost their data and did not perform proper backups have gone out of business since it would be too expensive to re-create all of that information from paper documents. (Data backup plans are covered in Chapter 20.)

There can be times when the data is safe but inaccessible. This is almost as bad as losing the data since it cannot be used when needed. Other times the company’s confidential data may be spread across the newspapers or the Internet. The company’s networks may become unusable due to a flood of bogus traffic. Each of these situations will freeze a company’s activities as sure as the loss of the data center. For this reason, companies integrate their Information Security program into their business continuity planning.

Business continuity planning provides mitigation actions against adverse business events that may or may not occur. Risks are assessed, plans are published, and often the adverse event never occurs. Information security is different. Where business continuity plans address reactions to environmental events or equipment failure threats, information security is focused on preventing or containing criminal behavior. It is almost a certainty that someone will attempt to reach into your data systems, steal a notebook computer, or deny the public access to your network. Some criminals use automated scanning across the Internet whose sole purpose is to identify vulnerable systems for exploitation. As an automated threat, it is constantly searching and never rests. In this context, business continuity seeks to keep the data and systems secure and available for use on demand.

Therefore, business continuity planning for information security is a continuous and ever-evolving effort. Layers of defenses are established in-depth, from the fence around the facility to the encryption of the data center’s stored data. Just as technology is always changing, so must the defenses to plug the latest vulnerabilities. After all of this effort to build walls around the system, mistaken employee actions may provide a way around part or all of the well-planned controls.

Business Continuity Managers are not expected to be experts on information security. However, they need to understand enough about it to ensure that its main points are included in the company’s business continuity plans. If in doubt, bring in a company that specializes in information security to audit the contingency plans for adequacy.

At times, it may seem as if information security is primarily something that deals with networks. Networks are a common route for gaining access to the company’s servers and data. However, a comprehensive security plan also encompasses physical security, employee training, encryption of portable data, proper destruction of surplus/obsolete electronic storage, shredding of documents, and so much more.

Information security is founded on three primary objectives. The first is to protect the confidentiality of the company’s information. This is both the electronically stored and printed information. Second, the integrity of the data is to be protected. This means that the user has confidence that the data has no unauthorized alterations. The third area to protect is availability. The data must be available on demand to the appropriate person with approved access to use it.

Some of the information security defenses, such as physical security, are the same as found elsewhere in your business continuity plans. No company (or government) is completely secure. Security plans are only as strong as their weakest link. They are limited by the degree of risk that the organization is prepared to take and the amount of money the organization will spend on them. Security plans must address these various layers of security:

• Physical security to protect assets and prevent damage to or theft of equipment

• Logical security through access control lists (ACLs) and strong authentication

• Encryption of all data in motion across the network and at rest in storage

• Proper disposal of assets, including the physical destruction of storage devices

• Policies and training to guide employees, and policies to guide information security practices

From a business continuity perspective, the essential areas are physical and technology security, security policies, employee training, and incident management. A Sample Incident Management Plan, Form 19-1, is included on the companion URL. The Incident Management Plan describes the immediate actions for the team to identify, contain, and gather evidence from the incident.

Detailed plans for information security are very sensitive and should not be stored with the rest of the business continuity plans because they contain information that could point toward system vulnerabilities.

Information security is a broad subject requiring specific technical expertise. The information in this chapter only touches on some aspects of the field. As with all technical areas, the business continuity plans for your company’s information security should be written and maintained by the company’s information security specialists. This chapter offers the Business Continuity Manager some insight into the minimal contents for these plans and provides some ideas for testing these plans.

WHAT TO PROTECT

The company’s business continuity plans began with a Business Impact Analysis to identify those critical areas requiring the most protection. Similarly, we begin by identifying what we want to protect and from what. In some cases, requirements are legally mandated, like the storage of personal health information under the Health Insurance Portability and Accountability Act (HIPAA). It may also be to protect company financial data from unauthorized changes under the Sarbanes-Oxley Act.

Of course, electronically protecting the data may be pointless if we do not also have physical security to keep someone from stealing the workstations, servers, and disk drives. Another challenge is employees whose well-intentioned (but technically disastrous) actions can bypass all of our well-laid defenses.

Since it is not affordable or practical to be perfectly strong everywhere all of the time, the Information Security Plan must prioritize its efforts. Information security protects three aspects of data systems known as CIA:

• Confidentiality. Only authorized access is permitted. Everyone is acquainted with confidentiality of data systems. User ID and password combinations are required to access the various applications on the company’s servers. Just keeping track of the many authentication passwords can be exasperating. This often leads to employees writing down passwords, which compromises security. Many companies address this issue through a Single Sign On (SSO) function that enables one login for all company systems. Because SSO concentrates risk in that single credential, it should be paired with multifactor authentication.

• Integrity. Companies must protect against unauthorized alteration of their data to ensure that employees do not surreptitiously reach into the payroll system and raise their pay or erase all of their absences from the attendance system. Data integrity is essential because you need to have confidence that the data is accurate for reporting.

• Availability. Data systems and data are available to authorized users whenever business needs require it. It is closely related to reliability (and to ease of maintenance). Availability emphasizes that while it is nice to protect everything, systems must also be available for on-demand use by authorized users. Availability normally applies to everything from the workstations through the network to the servers. Availability is only as good as the weakest link in the chain.

Some ways to improve availability are through the use of:

Uninterruptible Power Supply (UPS) battery packs that provide power to critical and shared devices when the electrical service has failed

Redundant disk storage, such as mirroring with RAID (redundant array of independent disks) technology, so that data remains available when a disk drive fails. RAID protects against drive failure, not against deletion or corruption, so it does not replace backups.

Clustering critical servers with load balancing so that failure of one server allows the other servers to continue working

Installing a failover capability to back up network routers

Sometimes it is difficult to obtain willing management support for business continuity planning. However, much of the Information Security area is mandated by security and privacy laws that can hold executives personally liable.

INFORMATION SECURITY RISKS

Security risks are assessed in the same way as the other risk assessments you previously conducted for your business continuity plans. There is a review of the threats and consequences if they occur. The three aspects of Information Security risks are:

• Threats (what could attack you). Threats are potential attackers. These could be individual hackers, automated attack tools, or unhappy employees. Most threats never turn into an actual attack.

• Vulnerabilities (the ways the threats break through your defenses). Examples might be exploiting a known weakness in poorly patched software, incomplete firewall rules, doors propped open in security areas, data transmitted without encryption, using obsolete encryption technologies, disposing of old computers without destroying all of the data stored on them, or the theft of a company notebook PC from a car.

• Controls (the actions taken to block or eliminate vulnerabilities). Examples are controlled physical access to all IT areas, training employees to recognize and report social engineering attempts, and executive-backed company policies requiring appropriate information security practices.

Threats

A threat could be thought of as something that could harm the assets that you are protecting. For example, someone walking through a neighborhood may or may not be a burglar. An approaching thunderstorm may threaten electrical service—or it may not. Even driving down the highway, all of the other cars on the road are potential threats. As can be seen, threats are everywhere and ever-changing.

A threat could be as simple as a bored student breaking into a computer system to see if it can be done. Misusing a computer system is another threat. Imagine an employee running a side business on your production servers. They may also use them to make changes to data or software without anyone knowing about it. A malicious external threat may be a denial of service attack that clogs the network equipment, preventing an online business from being able to communicate with its customers.

A network systems administrator for a school district was fired for running the SETI@home software to assist University of California, Berkeley researchers in the Search for Extraterrestrial Intelligence (SETI). This software ran on the school’s servers and workstations for many years before it was discovered.

Source: John Brownlee, SETI@home ‘god’ fired for costing school district $1.6 million, Geek.com, December 3, 2009, http://www.geek.com/news/setihome-god-firedfor-costing-school-district-1-6-million-1004362/.

When identifying controls, it is useful to consider what you are protecting against. From an Information Security perspective, threats are those that could harm vital IT assets and data. Typical threats are:

• Malicious hackers

• Bored students curious about their technical abilities

• Unhappy employees

• Helpful employees deceived by social engineering

• Thieves looking for computer equipment

• Lazy engineers that leave the manufacturer’s default password on a device

• Hardware failures in servers, disk drives, or network devices

This list is only limited by your imagination. In each of these cases, no harm has been done to the company’s IT assets. There is only a potential that a threat could exploit a weakness in your security controls. Most threats will never attack.

Threats can be deliberate. A hacker probing your network or a social engineering caller are intentional. Accidental threats include errors by system administrators that halt system access or disable a security control. They can also occur through negligence, such as not changing the manufacturer’s default password on a device or piece of software. An attack can be active, where someone sends traffic at your systems (probing, scanning, or forcing access), or passive, where they observe without touching your systems at all, such as eavesdropping on unencrypted traffic or collecting public information about the technology you use and its potential vulnerabilities.

Threats can also be environmental. Floods, earthquakes, severe weather, pandemics, and other natural disasters can all shut down data systems or damage their communications. However, those threats should be addressed already elsewhere in your business continuity plan. Environmental threats also include loss of electrical power and a Wide Area Network (WAN) connection.

Vulnerabilities

A vulnerability is something that a threat exploits to attack your company. Typically, they are gaps in the protective controls used to keep threats at bay. The existence of vulnerabilities does not mean that someone will try to exploit them. It only means that there is a way through a control if it is discovered and utilized. The degree that a company blocks vulnerabilities is limited by the time and money available to do so. Rarely are both so plentiful that everything can be covered.

The discovery of vulnerabilities is a never-ending process. IT systems are in a state of constant change. Software and hardware vendors regularly provide code patches and changes for the software used by or embedded within their equipment. New equipment is installed; software configuration changes are made in networking devices, and on and on.

As new vulnerabilities are discovered, malicious users pass them around among themselves and attempt to use them on as many victims as they can, as fast as they can, before the more competent targets patch their defenses. They know that given time, vulnerabilities will be closed, so they act on this information as soon as possible. When attackers exploit a vulnerability before the vendor has released any fix, this is known as a zero-day attack; even a perfect patching process offers no protection against it, which is one reason defenses are layered.

Companies can use automated tools to scan their systems for vulnerabilities. Unfortunately, the bad people also have these tools. They use them to scan for holes in a company’s defenses.

Imagine finding a flash drive in the company’s parking lot labeled “Pending Pay Raises by Person.” Would you be tempted to plug it into your workstation to see what was on it? A hacker would hope so, as it could automatically run malicious software on your workstation or rely on you opening a booby-trapped file stored on it. Educate employees that just as they should never open an email attachment from an unverified source, they should never use flash drives of unknown origin.

Controls

Controls are the actions and technologies used to minimize the likelihood or impact of a security breach. A “control” is a defensive measure that eliminates or minimizes a vulnerability. Defenses should be layered and in-depth so a breach in one place still does not permit free access everywhere. The basic types of Information Security controls are:

• Preventive actions taken to stop an attack. For example, encrypting all data prevents attackers from reading it even if they obtain a copy, provided the encryption keys are stored separately from the data and protected at least as well. Another example is a spam filter for unwanted email, or a filter over the computer monitor to block anyone observing it from the side. A common preventive measure is to post notices on all log-in screens and in email signature blocks declaring that company assets can only be used for officially approved business and that misuse will be prosecuted.

• Warning sensors placed to detect when some aspect of your system has been compromised. Intrusion detection systems monitor network traffic for unusual activity and alert someone when they find it.

• Technical solutions. Technology can be applied to minimize vulnerabilities, such as using a proxy server to hide internal network addresses. Technology is also used to limit the amount of damage that may result from a single breach.

• Administrative actions to reduce vulnerabilities caused by people in the organization. This layer of defense is usually a combination of management policies and education.

The challenge of controls is the time and complexity to implement them and then keep them current. For example, access control lists will need to be changed when new people are added to the company or when they leave a work group.

An interesting thing about controls is that the more effective they are, the fewer the security incidents the company experiences. Then executives feel existing controls are adequate and do not want to spend money updating them. This ignores the evolving nature of threats, vulnerabilities, and controls.

Sometimes a simple notice is a deterrent. A sign outside of the building that security cameras scan and record all activity may deter some casual attempts. A prominent notice on a log-in screen may indicate that the systems are only for official use by the company and that unauthorized entry attempts will be prosecuted. Signs should also be posted wherever access is restricted to approved employees. The point is that no one can say that they were never told that they could not do something.

PHYSICAL SECURITY

Access to IT assets and confidential company documents must also be physically secured. Theft of documents, computers, network devices, and servers will also include the loss of the data stored within them.

• The first physical security layer is a fence around the company’s building and grounds along with surveillance cameras and intrusion alarms to keep intruders as far away as practical. A locked front door of the facility should control access beyond the company lobby. Only those people who are approved by an access control list or escorted while inside should be allowed entry. Many companies use electronic keys and “mantraps” to allow only one person to enter at a time. The purpose of the mantrap is to prevent multiple people from entering under a single authorization, which stops someone holding the door for the possibly unauthorized persons behind them (“tailgating”). Be sure to likewise secure every entrance to the facility.

• The next layer is locked doors leading into the IT work areas, since there may be work documents on desks and data displayed on screens. Secure workstations to the worktables using steel cables and padlocks to prevent anyone from picking them up. People entering your building for other business may not need access to this area.

• The final physical layer is a locked door on the data center, which will also exclude many of the IT staff from physically connecting to the servers and bypassing the network controls. Be sure to also lock any outlying equipment closets for network switches.

Attackers have the advantage. They can focus all of their efforts to choose the time, place, and method of their attempt. Meanwhile, the defender must try to be strong everywhere, all of the time.

TECHNICAL SECURITY

Technical obstacles restricting access to equipment or data are a common tool for avoiding malicious access. User IDs and password combinations commonly control data system access. Whenever someone leaves the company that person’s ID must be promptly disabled. If a person is taking an extended absence, then their ID must also be disabled. Sometimes a temporary employee leaves the company but the sponsor wants to keep that ID active for an anticipated return. However, these returns sometimes do not occur. This leaves user IDs dangling indefinitely unless there is a process to identify and clean up idle IDs.
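The clean-up process described above can be automated as a periodic review. The following is an added example (not from this chapter) of such a review: it walks an extract of user accounts and reports which IDs should be disabled, covering leavers, extended absences, contractors whose anticipated return never happened, and IDs nobody has used for a long time. The account records, the HR status values, and the 90-day idle limit are constructed assumptions; a real review would pull these from the directory (Active Directory or LDAP) and the HR system.

```python
"""Added example, not from the original chapter: review a list of user
accounts and report which IDs should be disabled (leavers, extended
absences, contractors whose anticipated return never happened, and idle
IDs). Account records, the HR status values and the 90-day idle limit are
constructed assumptions; a real review would pull them from the directory
(Active Directory/LDAP) and the HR system."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

IDLE_LIMIT_DAYS = 90  # assumed policy: no login for more than 90 days = idle


@dataclass
class Account:
    user_id: str
    enabled: bool
    created: date
    last_login: Optional[date]       # None = never logged in
    hr_status: str                   # "active", "terminated", "leave", "contract_ended"
    expected_return: Optional[date]  # set when a sponsor expects the person back


def accounts_to_disable(accounts: List[Account], today: date,
                        idle_limit: int = IDLE_LIMIT_DAYS) -> List[Tuple[str, str]]:
    """Return (user_id, reason) for every enabled account that should be
    disabled. HR status is checked first; the idle check then catches the
    'sponsor expects a return' IDs that nobody ever used again."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to do
        reason = None
        if a.hr_status == "terminated":
            reason = "left the company"
        elif a.hr_status == "leave":
            reason = "extended absence"
        elif a.hr_status == "contract_ended" and (
                a.expected_return is None or a.expected_return < today):
            reason = "contract ended; return date missing or passed"
        else:
            # A never-used account counts as idle since the day it was created.
            last_use = a.last_login or a.created
            idle_days = (today - last_use).days
            if idle_days > idle_limit:
                reason = f"no login for {idle_days} days"
        if reason:
            findings.append((a.user_id, reason))
    return findings


# Constructed sample directory extract, reviewed as of 1 June 2024.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2020, 1, 15), date(2024, 5, 30), "active", None),
    Account("bob", True, date(2019, 3, 1), date(2024, 5, 1), "terminated", None),
    Account("carol", True, date(2021, 7, 1), date(2024, 1, 10), "leave", date(2024, 9, 1)),
    # Contractor the sponsor expects back in August; the ID has sat unused since January.
    Account("dave", True, date(2023, 2, 1), date(2024, 1, 5), "contract_ended", date(2024, 8, 1)),
    Account("erin", True, date(2024, 5, 20), None, "active", None),
    Account("frank", False, date(2018, 6, 1), date(2023, 1, 1), "terminated", None),
    Account("gina", True, date(2022, 4, 1), date(2023, 2, 1), "contract_ended", None),
]


def review_sample() -> List[Tuple[str, str]]:
    """Run the review over the constructed extract."""
    return accounts_to_disable(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user_id, reason in review_sample():
        print(f"disable {user_id}: {reason}")
```

The point of the ordering is the dangling-ID case: dave’s sponsor has promised a return, so the status check alone would leave the ID active, but the idle check still flags it because nobody has logged in for 148 days. A new starter who has not yet logged in (erin) is left alone because the idle clock starts at account creation.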

Another layer of defense is an access control list (ACL) that can be checked for permission whenever someone tries to access a device or software component. For example, employees may be able to look up a coworker’s desk phone number from the employee master file but do not have access to see the personal cell phone information in the same record. Keeping these lists current is time-consuming. Employees change departments and responsibilities. New employees join the firm and others depart. However, access control lists are an important tool to protect data, systems, and software from unauthorized internal access.

Different types of devices have their own specific threats and vulnerabilities. A network router is different from a cell phone, which is different from a wireless access point. They will also have their own types of controls. Each class of equipment must be evaluated and controlled separately.

Embedded software is everywhere. It is in the building’s air-conditioning system, copiers, LCD televisions, and printers. Each of these “smart” devices contains its own software. Usually this software is burned onto a programmable chip and is loaded when the device starts. Of course, this software is vulnerable to a malicious attack, most often through the network connection between the device and whatever it communicates with.

Hard drives are used to hold images in printers and copiers. A copier “repairman” may sneak in and exchange the hard drive for an equivalent item and walk out with the data on it. No one will know it happened.

Equipment normally arrives from the manufacturer with a default password. Search the Internet for a given device and you can see its default passwords. Therefore, whenever installing a new device that has a password, change the password immediately. When a hacker knows that you have a particular make and model of equipment, the default password is the first thing tried.

Multifactor authentication increases your security. It involves, of course, multiple identification factors. Everyone is acquainted with the user ID and password. The concept of multifactor authentication is to check for something you know, something that you have, and something that you are. So, this could be a password (something that you know), a security access badge or a one-time code from a hardware token or phone app (something that you have), and a biometric measurement like a fingerprint (something that you are). The factors must be of different kinds; a password plus a PIN is still only one factor, since both are things you know.

DATA SECURITY

Data is unusual since when it is stolen, nothing is missing. A copy is made and (if the thieves successfully cover their tracks) it may be a considerable amount of time before the copy is discovered. A stolen notebook PC is immediately obvious by its absence, but unlike the hardware, the original data sits as it did before it was copied.

The types of data to protect vary according to industries. Some examples are:

• Personally identifiable information (PII), which is data that can specifically identify a person. This may be a Social Security number, a bank account number, a biometric identifier (such as a retinal scan), or personal health information.

• Student records, including university financing, attendance, counseling, and grades.

• Medical records of any type. These are often worth more to a malicious person than a credit card number.

• Credit card or check numbers on customer orders.

The company’s data is subject to many legal requirements governing financial controls, personal privacy, and company trade secrets. (Transnational companies must comply with a separate set of laws covering these areas for each country supported.) Ideally, every data field is evaluated to determine if it contains PII or other confidential data. Alternatively, some companies avoid the expense of classifying data elements by treating all data as confidential and not for general distribution. To accomplish this:

• Employees must encrypt all portable data, such as data stored outside of the data center on notebook PCs, flash drives, CDs, and other portable media.

• All data passing into and out of the data center must be encrypted using a company-approved encryption standard.

• To avoid the chance that someone will download sensitive data, disable USB mass storage devices through the operating system on all company computers (rather than all USB ports, which would also disable keyboards and mice). Also, the operating system can disable the “write” feature on CD and DVD burners. These can be enabled on an individual basis with proper authorization.

• The money recovered from the sale of obsolete equipment is far less than the cost of a single data compromise. Therefore, before disposing of computing hardware that is obsolete, all devices that have stored data must be physically destroyed, including disk drives, solid-state storage drives, tape media, CDs, and flash drives. Some companies also use special software to wipe all data prior to crushing the media. Note that overwriting is unreliable on solid-state drives because of wear leveling, so for those, physical destruction or the drive’s built-in cryptographic erase is the dependable method.

• All company documents are shredded and never thrown away in the trash. This reduces the chance that data and technical information may be found by “dumpster divers.”

• Implement a clean desk policy to ensure that documents are not left where they can be viewed by unauthorized personnel. Although this policy applies mainly to sensitive information, it is easier to administer if everything is off the desk whenever that person is away. Even though the office door is locked, all data in reports, documents, spreadsheets, and presentations must be stored in locked work area drawers. Compliance is improved if management periodically makes unannounced sweeps of the area to validate it.

• A variation of a clean desk is a short screen-lock time-out on workstations, requiring a password to resume. This practice reduces the amount of time that a malicious person can gather information from an unattended workstation.

Cell phones are a major security problem. Malicious employees can steal information by recording conversations and photographing workstation screens or documents. These actions leave no traces as the information walks out the door. A cell phone’s large memory capacity and high-resolution camera can capture quick video records of large amounts of data. Entry into some secure areas should require people leaving their phone outside or agreeing to a device contents search on demand.

Data is everywhere. As “smart” devices proliferate, each of these devices has its own software code that introduces vulnerabilities and a way to update its embedded code, which provides another pathway to enter the device. As examples:

• The SIM memory card in your cell phone often contains personally identifiable information.

• Automobiles use onboard computers that can be hacked. Access is through the cellular phone connection, enabling a hacker to take control of the vehicle’s speed and direction.

• Company facility access badges can be queried by a radio frequency (RF) antenna hidden in a place where employees must pass on their way into the building.

Social Engineering

After all of the company’s security controls are in place and properly maintained, there is still one glaring weakness. Employees may enable the bypassing of many of the controls through their well-meaning but dangerous actions. Social engineering is one of the greatest weapons in a hacker’s tool kit. Talking employees out of their information is a lot less work than trying to penetrate a company’s security defenses.

Social engineering is also known as “people hacking.” It is the use of deception and personal persuasion to obtain access to information useful for illegal penetration of the company’s data systems. No matter how comprehensive a company’s security defenses may be, they can be bypassed with the right information innocently provided by helpful people.

Everyone has received unsolicited emails promising large sums of money if you will click on a link that may lead to a convincing but malicious website. These messages cost next to nothing to send out to millions of people. Even if only a few hundred people reply, there is still a significant payoff. Social engineering assaults may be broadcast to everyone or finely targeted. They come in many forms and are only limited by the imagination of the perpetrator. Examples are:

• A phone call from someone claiming to be the Help Desk and asking for your ID and password so they can load an emergency software patch or a new software application. After all, the caller ID has been altered (called “spoofing”) to indicate that they are from the Help Desk.

• An official-looking person presenting himself to the receptionist in the lobby claiming to be a repairman answering an urgent call. The person may even be wearing the uniform of the appropriate company.

• The hacker who searches online social media to locate an IT person working for the target company. The hacker then calls that person claiming to be a vendor preparing an urgent bid and wanting to know what type of antivirus software is on the desktop PCs.

• A person walking behind an employee toward a security door while carrying several boxes of pastries. They then ask them to hold the door open for them since their hands are full.

• A caller pretending to be a vendor who wants to know the brand of networking or computer equipment used by the company, so they can bid for some work. (Different manufacturers’ equipment has specific vulnerabilities that can be exploited.)

• The person quietly watching over someone’s shoulder as they enter a password. Similarly, using a cell phone’s camera to record a person typing in their password. An alternative to this scenario is a drone with a high-resolution camera peeping in the upper-level windows of an office building.

• The dumpster diver who searches through a company’s trash containers for information useful in an attack.

• The employee who only wants to be helpful. It is hard to fault employees; they are only doing what they would expect someone else to do for them if they needed assistance. It seems so normal that they do not even know to report the incident. Later the Information Security team wonders what happened to their best-laid defenses.

The best defense against social engineering attacks is to train all employees in the various ways that they work. Explain to them that they should never answer such questions and should instead refer the caller to the Information Security department. This training should be presented at least annually along with an ongoing reminder program throughout the year.

So, by now you have your doors locked and curtains on the ground-floor windows. However, with the proliferation of small drones, each carrying a high-resolution camera, anyone can peer into any of your upper-floor office windows for a look at documents, whiteboards, computer screens, and desktops.

INCIDENT MANAGEMENT

When an information security incident has possibly occurred, a written mitigation plan is essential. The Incident Management Plan details the initial action steps necessary to stop the intrusion, contain the damage, and gather evidence as to the source, objectives, and actual impact. There are many decisions to make, and so little information to act on. Time is short. Damage must be contained. Evidence must be properly collected. The plan details the immediate team actions during the early minutes of the alert. (Some people refer to this as a “playbook” to imply that it is a flexible approach that is based on immediate circumstances.)

Once the nature of the incident has been determined, additional plans specific to the threat may be used. Some companies draft additional plans for worms, Trojan horses, and denial of service attacks. As before, these plans detail the common steps and tools for mitigating that sort of threat.

In the early steps, incident management tends to follow the same immediate actions regardless of the threat. As more information is gathered, the team adjusts its actions to the circumstances. Upon receiving an alert that a questionable event has occurred, the first step is to verify that it actually occurred. Technical tools such as an Intrusion Detection System (IDS) generate “false positive” alerts depending on how they are tuned. Activating a reaction team for every alert wears people out by “crying wolf” and lessens the urgency of a real summons.

Is this a real security incident? Something triggers an alert to the Information Security team. The network IDS may have detected unusual traffic. The alert may also come from a server behaving erratically, from an antivirus or log-monitoring console, or from a report of an attempt to breach the physical security barriers. However the alarm was raised, the first step is to verify that it is not a false positive, typically by corroborating it with a second, independent source such as the target host’s own logs. If the alert is confirmed, it becomes an incident and the response plan is invoked.
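The verification step described above is where a false positive is separated from an incident. As an added example (not code from the original chapter), the following Python script triages a constructed batch of IDS alerts: it suppresses scans from an assumed authorized scanner address, confirms an alert only when a second source (the target host’s own log) corroborates it, and then promotes follow-on alerts from a host just confirmed as compromised that would otherwise have been logged and ignored. The alert field layout, the addresses, the log lines and the scanner list are all assumptions constructed for the example.

```python
"""Triage of IDS alerts before the response team is activated.

Added example; not code from the original chapter. The alert lines, host log
lines, addresses and the authorized-scanner list are all constructed, and the
alert field layout (timestamp, signature, prio=, src=, dst=) is an assumption
loosely modelled on a network IDS fast log.
"""
import re
from collections import Counter
from dataclasses import dataclass

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sig>.+?) prio=(?P<prio>\d) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Dispositions an alert can receive.
SUPPRESSED = "suppressed: authorized scanner"
INCIDENT = "incident: corroborated by host log"
FOLLOW_ON = "incident: follow-on activity from compromised host"
VERIFY = "verify: analyst confirms before the team is paged"
LOG_ONLY = "log only"

# Constructed sample IDS alerts (prio 1 = highest severity).
IDS_ALERTS = [
    "2024-03-04T02:11:07 ET SCAN Nmap Scripting Engine prio=2 src=10.0.5.20 dst=10.0.1.15",
    "2024-03-04T02:11:09 ET SCAN Nmap Scripting Engine prio=2 src=10.0.5.20 dst=10.0.1.16",
    "2024-03-04T03:40:21 ET WEB_SERVER SQL Injection Attempt prio=1 src=203.0.113.77 dst=10.0.1.15",
    "2024-03-04T03:40:25 ET WEB_SERVER SQL Injection Attempt prio=1 src=203.0.113.77 dst=10.0.1.15",
    "2024-03-04T03:41:02 ET POLICY Outbound TLS to rare port prio=3 src=10.0.1.15 dst=198.51.100.9",
    "2024-03-04T09:15:44 ET INFO DNS query for dynamic DNS domain prio=3 src=10.0.2.8 dst=10.0.0.53",
]

# Constructed host log excerpts, keyed by host address.
HOST_LOGS = {
    "10.0.1.15": [
        "2024-03-04T03:40:26 webapp ERROR syntax error near 'UNION SELECT' in request from 203.0.113.77",
        "2024-03-04T03:41:01 audit: new outbound connection to 198.51.100.9:8443 by /tmp/.x",
    ],
}

# Assumed vulnerability scanner operated by the security team itself.
AUTHORIZED_SCANNERS = {"10.0.5.20"}


@dataclass(frozen=True)
class Alert:
    ts: str
    sig: str
    prio: int
    src: str
    dst: str

    @property
    def key(self):
        return (self.src, self.dst, self.sig)


def parse_alert(line):
    m = ALERT_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable alert line: {line!r}")
    return Alert(m["ts"], m["sig"], int(m["prio"]), m["src"], m["dst"])


def triage(alert_lines, host_logs, authorized_scanners):
    """Return {(src, dst, signature): disposition} for the given alert lines."""
    alerts = [parse_alert(line) for line in alert_lines]
    repeats = Counter(a.key for a in alerts)
    disposition = {}
    compromised = set()
    for a in alerts:
        if a.key in disposition:
            continue
        if a.src in authorized_scanners and "SCAN" in a.sig:
            # Known scanner doing its job: suppress rather than page anyone.
            disposition[a.key] = SUPPRESSED
        elif any(a.src in line for line in host_logs.get(a.dst, [])):
            # A second, independent source mentions the attacker: confirmed.
            disposition[a.key] = INCIDENT
            compromised.add(a.dst)
        elif a.prio <= 2 or repeats[a.key] >= 3:
            disposition[a.key] = VERIFY
        else:
            disposition[a.key] = LOG_ONLY
    # Second pass: low-priority noise from a host just confirmed as compromised
    # is no longer noise; it is probably the attacker's follow-on activity.
    for a in alerts:
        if a.src in compromised and disposition[a.key] in (VERIFY, LOG_ONLY):
            disposition[a.key] = FOLLOW_ON
    return disposition


def team_activation_needed(dispositions):
    """True if any alert reached incident status, i.e. the plan is invoked."""
    return any(d.startswith("incident") for d in dispositions.values())


if __name__ == "__main__":
    result = triage(IDS_ALERTS, HOST_LOGS, AUTHORIZED_SCANNERS)
    for (src, dst, sig), d in result.items():
        print(f"{src:>14} -> {dst:<14} {sig:<45} {d}")
    print("activate response team:", team_activation_needed(result))
```

The two-pass structure is the point: an outbound connection to an odd port from an internal host is routine noise on its own, but once that host has been confirmed as the victim of the injection attack, the same alert becomes part of the incident and must be handled under the plan rather than left in the log.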

The combination of the asset’s value and the type of compromise determines the incident’s impact. For example, the theft of a notebook PC calls for a check of what data and software were stored on it. If it was primarily used to browse server data, the exposure is whatever was cached locally: browser caches, temporary files, saved credentials, and synchronized mail. If a server containing financial and medical records was illegally entered, a different impact value is assessed based on the potential damage to the company from the compromise of that data. When in doubt, assess the situation as the worst possible impact until proven otherwise.

There is a Sample Incident Management Plan, Form 19-1, on the companion url listed in this book. It is a starting point for modification to reflect your company’s needs.

Plan Contents

The plan is invoked when an alert is determined to be a real security incident. As with the other business continuity plans, the Incident Management Plan identifies what should occur until the team assembles and assesses the situation. Immediate steps include:

• Confirm the incident is not a false positive.

• Activate the response team and start an incident tracking log.

• Open the telephone bridge so that anyone off-site can join in.

• Assess the situation:

If the incident is ongoing, contain the damage. If it is not ongoing, assess the extent of the damage.

Based on the extent of the damage, inform management (usually the IT Director or Information Security Manager) of the situation.

If damage from the incident appears to be over, contain the hardware involved by leaving it powered on but disconnected from the network. Powering it off destroys the contents of memory, which may hold the only copy of running malware, open network connections, and encryption keys.

• The incident management team meanwhile checks the rest of the IT systems for additional break-ins and the introduction of “back doors.”

Management notification is usually addressed by the Information Security Manager who will also coordinate the response. Notification is usually a brief message with regular updates. This enables the notified management to work with the business executives to keep them updated and away from the technicians working on the problem.

Use a log sheet to track the team’s actions and the time spent on the incident. Investigations can be long and time-consuming. These expenses must be properly documented if financial damages are to be assigned to a perpetrator or submitted as a claim to business insurance. The log sheet is also needed to track the steps taken to determine the cause, scope, and resolution of the incident. These steps will be valuable later when assessing the team’s incident response performance and when revising future response plans.

Keep all records for as long as required by the company’s records retention policy. Since they may become part of a legal action, this could be several years. It is important that individual interviews of the people involved be documented as soon as practical while their memory of the event is fresh.

Incident After-Action Review

Conduct an after-action review within a few days of the incident while details are still fresh in everyone’s mind. The results are useful in identifying gaps in the response procedures. The review may also point to a need for additional staff training in some areas. Every event must be documented and critiqued. This information may be vitally important later if the attacks are renewed or during a forensic investigation.

The format is five questions:

1. What happened?

2. What should have happened?

3. What went well?

4. What did not go well?

5. What will be done differently next time?

Testing the Response Plan

Exercise the team regularly in applying the incident response plan. In lieu of a test, the team may critique a recent incident. Plan testing trains the team in their individual and team roles. If your company runs only a single server and a single workstation, system changes are infrequent. However, most companies run multiple servers, multiple network devices, and many workstations of various types, and each is patched, replaced, or updated according to its own needs and schedule. Given the large number of devices in most companies, at any given time some device is being upgraded or reconfigured. After a month or two, think about how different these same systems have become.

Testing updates the procedures and team expertise by applying them to these revised systems. It may uncover gaps in coverage and training. The tests should vary the types of threats and require use of various techniques and defensive tools. The alerts used may also include some false-positive signals from the IDS.

Interhack (www.Interhack.com) is a computer expert firm addressing matters of privacy, security, and forensic data analysis. Companies call Interhack when they discover illegal entry to their computer system or unauthorized activity. It may also be an ongoing incident where they are reluctant to shut down critical infrastructure. Using techniques based on computer science principles, Interhack dives into the client’s data systems to gather evidence in response to their client’s legal discovery requirements.

Matt Curtin, founder of Interhack, recommends that companies spend some time understanding the nature of the threats against their industry and their company. This includes both current and historical threats. Think about what sort of assets a malicious attacker (or employee) might want to attack and the vulnerabilities they may exploit. Honestly assess your company’s capabilities and areas for improvement. Refer to the National Institute of Standards and Technology (NIST) cybersecurity framework (www.nist.gov/cyberframework) in this review to target your limited resources on the weakest points.

When an incident occurs, the time window available to collect evidence may be short. Illicit activities leave traces if you know where to look, how to recognize them, and how long they linger. Curtin recommends that Information Security teams assemble a set of tools and techniques for evidence collection before they are needed. To be effective, the team must be trained on the tools’ use and regularly exercise them to master their operation and improve their techniques.

Sometimes companies feel they are under such continuous threat that they will hire Interhack to establish these tools and procedures. Over the course of a year, the company’s team is trained on proven forensic tools for gathering evidence that will hold up in court. Collecting defensible evidence must be carefully and properly done; otherwise, despite your many efforts, it will be inadmissible in legal proceedings.

Curtin suggests creating and using playbooks rather than fixed procedures. Playbooks touch on all of the steps but are not rigid in their application. This provides the team with greater flexibility based on the situation.

Check your business insurance policy, too. It may not cover the services of a forensic computing firm. If your insurance does cover the service, then is the coverage adequate or does the insurer require the use of a low-priced offering? Using a low-priced security consultant will likely produce results similar to asking the cheapest DBA you can find to come in and tune all your company’s databases over a weekend.

Preserving the Forensic Evidence

When unauthorized persons have accessed your computer systems, they have committed a crime. If they continued on to steal data or software or disable your network, they have committed further crimes—just as sure as if they broke into your warehouse and stole crates of goods. If they are not caught and convicted they will strike again.

To prosecute a malicious intruder, the evidence must be properly collected and preserved. Few IT departments are skilled in legal proceedings. What seems to the IT team a straightforward technical task may be shredded in court by an aggressive defense lawyer. As soon as you decide to collect evidence, notify your company’s legal counsel and follow their direction before going beyond containment. You may also need to contact a forensic computing company immediately to ensure the proper collection and handling of electronic evidence. Time is short, and actions must be taken to minimize the chance of something overwriting a critical buffer or a log being auto-purged. After all, the company must still carry on with its business while the recovery and evidence gathering continue.

Computer forensics is the science of reviewing the evidence (system logs, malicious changes in memory, and the contents of the hard disk) to determine what occurred. Computer system actions leave traces, provided you have the specialized tools to detect them and know where to look. When gathering evidence, always start with the items most likely to change, time out, or be overwritten: memory contents, running processes, and open network connections come before disk images and archived logs. Where possible, preserve a copy of any malicious software along with its cryptographic hash so that it can be identified later.

In terms of incident response planning, include tools and steps needed to support the forensic efforts. Make video recordings of witness interviews. People may have seen things that at the time appeared to be innocent but in retrospect were significant. Record information about events and the time they occurred. Review the video record of the interviews to pick up additional details. Conduct a follow-up interview the next day in case anything else comes to mind.

A chain of custody is a record of who has controlled each piece of evidence. If a hard drive is removed from an infected computer, each person who takes control of that item must sign the chain of custody form, noting the date, time, and purpose of the transfer. If the item is to be used in legal proceedings, this paper trail, together with a hash of the drive taken when it was seized, is used to prove that the device has not been altered.

The opposing lawyers will attack the evidence at every point. They will point out gaps in the chain of custody, opportunities for someone to have tampered with the files, and instances where files were contaminated by mishandling. To be admissible in court, evidence must be proven to be:

• Authentic

• Reliably obtained

• Properly handled to avoid tampering or alteration

Types of evidence to collect:

• Photographs of the workstation screens and server consoles displaying any error messages or unexpected behavior. A picture is much faster than words to describe something. Screen captures may also be used.

• The time difference on each device under investigation. Document the exact system time and compare it to a trusted reference clock. This offset is needed when stepping through system logs from several devices to re-create the sequence of events.

• A hash of every data set, log file, and program in question, computed with a NIST-approved algorithm such as SHA-256 at the moment of collection. NIST’s National Software Reference Library (NSRL) publishes reference hash sets of known software; forensic tools use them to filter known files out of an examination so that effort concentrates on what remains.

• System logs of each device that keeps one. Copy logs for as far back as they are available, since there may have been previous intrusion attempts.
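To show how the clock offset, the hashes and the chain of custody fit together, here is an added Python example (not from the original chapter, and not any particular forensic product’s format): it records the device clock against a trusted reference, hashes each item with SHA-256 at collection, appends custody hand-offs while refusing one from someone who does not currently hold the item, re-verifies the hash later, and normalizes a timestamp from the device’s own log to reference time. The case number, file contents, custodian names and clock readings are constructed, and the manifest layout is an assumption.

```python
"""Evidence manifest: clock offset, SHA-256 hashes and chain of custody.

Added example; not code from the original chapter. The case number, file
names, custodian names and clock readings are constructed, and the JSON
layout of the manifest is an assumption. SHA-256 comes from Python's hashlib.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EvidenceManifest:
    def __init__(self, case_id, device, device_clock, reference_clock):
        # Record the device clock against a trusted reference at seizure time;
        # the offset is later used to line up this device's logs with others.
        self.offset = device_clock - reference_clock
        self.record = {
            "case_id": case_id,
            "device": device,
            "device_clock": device_clock.isoformat(),
            "reference_clock": reference_clock.isoformat(),
            "clock_offset_seconds": self.offset.total_seconds(),
            "items": {},
        }

    def normalize(self, device_timestamp):
        """Convert a timestamp read from this device's logs to reference time."""
        return device_timestamp - self.offset

    def add_item(self, path, collector, at):
        """Hash the item at collection and open its chain of custody."""
        self.record["items"][path] = {
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "custody": [{"holder": collector, "action": "collected", "at": at.isoformat()}],
        }
        return self.record["items"][path]["sha256"]

    def transfer(self, path, from_holder, to_holder, at):
        """Append a custody entry; refuse a hand-off from someone not holding the item."""
        chain = self.record["items"][path]["custody"]
        if chain[-1]["holder"] != from_holder:
            raise ValueError(f"custody gap: {from_holder} does not hold {path}")
        chain.append({"holder": to_holder, "action": "received",
                      "from": from_holder, "at": at.isoformat()})

    def verify(self, path):
        """True only if the item still matches the hash taken at collection."""
        return sha256_file(path) == self.record["items"][path]["sha256"]

    def to_json(self):
        return json.dumps(self.record, indent=2, sort_keys=True)


def demo():
    """Walk a constructed evidence item through collection, hand-off and tampering."""
    reference = datetime(2024, 3, 4, 3, 40, 0, tzinfo=timezone.utc)
    device_clock = reference + timedelta(seconds=93)  # device runs 93 s fast
    manifest = EvidenceManifest("IR-2024-0007", "web01 (10.0.1.15)", device_clock, reference)
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "auth.log")
        with open(log_path, "wb") as fh:  # constructed log content
            fh.write(b"2024-03-04T03:41:33 sshd: Accepted password for root from 203.0.113.77\n")
        manifest.add_item(log_path, "A. Analyst", reference + timedelta(minutes=5))
        manifest.transfer(log_path, "A. Analyst", "B. Examiner", reference + timedelta(hours=1))
        try:  # A. Analyst no longer holds the item: this hand-off must be refused
            manifest.transfer(log_path, "A. Analyst", "C. Counsel", reference + timedelta(hours=2))
            gap_detected = False
        except ValueError:
            gap_detected = True
        verified_before = manifest.verify(log_path)
        with open(log_path, "ab") as fh:  # simulate later tampering
            fh.write(b"tampered\n")
        verified_after = manifest.verify(log_path)
        custody_length = len(manifest.record["items"][log_path]["custody"])
    # The log's 03:41:33 entry happened at 03:40:00 reference time.
    normalized = manifest.normalize(datetime(2024, 3, 4, 3, 41, 33, tzinfo=timezone.utc))
    return {
        "offset_seconds": manifest.offset.total_seconds(),
        "normalized_login_time": normalized.isoformat(),
        "verified_before": verified_before,
        "verified_after_tamper": verified_after,
        "custody_gap_detected": gap_detected,
        "custody_length": custody_length,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself should be signed or hashed and stored separately from the evidence once collection is complete; otherwise an attacker who can alter the evidence can alter the record of it too.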

After reviewing a serious incident, you may decide to report it to the CERT Coordination Center (CERT/CC, www.cert.org) at Carnegie Mellon University and to law enforcement. This decision must be made by legal counsel and executive management, as it may affect the company’s public image and public confidence. Note that breach-notification laws may make some reporting mandatory rather than optional, which is another reason counsel must be involved early.

Establishing Policies

Ask managers what they would do in a given situation and they may be able to clearly describe the steps they want you to take. Ask a highly skilled and longtime employee the same thing and the answer is likely very different. This illustrates the difference between what management wants to see and what a knowledgeable and loyal employee may do. How can you close this gap?

Approved company policies are a way for management to provide guidance in certain situations. Policies are general statements of what to do or not to do. In some cases, they require specific action; in most cases, they are guidelines of what is acceptable or guiding principles to be applied. Step-by-step lists are procedures that implement specific aspects of a policy. Approved policies are the administrative aspect of security for your facilities.

Published policies are management’s way of providing direction to individual employees who find themselves in a specific situation. Instead of the individual deciding what to do (which may be the wrong thing), the policy provides direction on what company management expects.

Remember, the best and most expensive information security control can be sidestepped by accidental or intentional actions by company employees. In some instances, the policies may contain punitive clauses for employees who ignore them.

Typical policies include:

• Incident Response policies describe the immediate actions to contain the damage, gather evidence, and inform management. They apply primarily to the Information Security team and those who assist them on the response team. This policy is often supplemented by a specific set of procedures developed by the local team handling information security.

• Acceptable Use policies describe management’s expectations of employees in the use of the company’s assets. This includes using company assets only for approved company business and not for running a personal business on the side, viewing pornography, or sending inappropriate emails. This policy also contains prohibitions on loading personal software onto workstations and connecting personally owned devices to the company’s workstations, servers, or network.

Often the Acceptable Use policy contains the company’s policy on personal privacy. There is no expectation of privacy when using company property. This applies to company computers, desks, and facilities. Anything stored or displayed on a desktop PC, email server, or file server, or locked in an office or desk, can be opened and reviewed by the company without notice. To enforce this policy, configure all equipment to require administrator privileges to add devices. Also, disable USB ports, or restrict them to approved devices, to reduce the likelihood of an unauthorized connection.

The Acceptable Use policy should be reinforced with banners on all log-in screens stating that anything on the company’s network, servers, and equipment is company property and may be monitored for information security issues. Even though this may seem common sense to anyone in the IT department, the banner addresses legal concerns about wiretapping and illegal monitoring by establishing that users were notified.

• Social Engineering. There are various social engineering techniques for gaining physical and logical access to the company’s data systems. This policy mandates at least annual training for employees and new hires on how to identify and report social engineering attempts. It should also require updates and reminders throughout the year to maintain a high level of awareness.

• Password Management. This policy should specify minimum length and complexity, the maximum time before a password expires, the minimum time before it can be changed again, and a history of previously used passwords (stored only as hashes) so that old passwords cannot be reused. Current NIST guidance (SP 800-63B) favors long passphrases, screening against lists of known compromised passwords, and forcing a change on evidence of compromise rather than on a fixed calendar schedule; align the policy with whichever regime your regulators and auditors expect.

• User IDs. All user IDs must be promptly disabled or placed on hold (made unusable but retained) whenever someone departs or takes an extended leave of absence.

• Data Policy. Encrypt all data wherever it is stored, including on workstations, thumb drives, and optical media. Data is also encrypted in transit between a server and a workstation or to permanent storage.

• Patching Policy. As software manufacturers find and close security vulnerabilities, they issue fixes to customers. All patches and service packs should be tested in an isolated environment to ensure that they will not break more than they fix. Then, if approved, apply them promptly to the company’s systems.

Sometimes updates to device firmware are also necessary. New versions of firmware take a bit more effort and planning. Always record the firmware version in use on each device. Firmware often requires manual updates (a challenge if there are many such devices to update).
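As an added example of the Password Management policy in operation (not from the original chapter), the Python below enforces minimum length, character classes, a ban on the user ID appearing inside the password, minimum and maximum age, and a reuse check against history. The policy values, user name and passwords are illustrative assumptions. The point to note is that the history holds only salted PBKDF2 hashes of old passwords, so the history itself cannot be used to recover them.

```python
"""Password policy enforcement with a hashed history.

Added example; not code from the original chapter. The policy limits are
illustrative assumptions, and the user names and passwords are constructed.
Previous passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes so the
history itself cannot leak plaintext passwords.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta, timezone

# Assumed policy values; tune to your own policy document.
POLICY = {
    "min_length": 12,
    "min_classes": 3,        # of: lowercase, uppercase, digits, punctuation
    "history": 10,           # previous passwords that may not be reused
    "min_age": timedelta(days=1),
    "max_age": timedelta(days=90),
}
PBKDF2_ITERATIONS = 100_000  # raise for production use


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def character_classes(password):
    """Count how many of the four character classes the password draws on."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


class PasswordRecord:
    """Per-user state: current hash (history[0]), older hashes, last change time."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.history = []        # list of (salt, digest), newest first
        self.changed_at = None

    def check_new(self, password, now):
        """Return the list of policy violations for a proposed password (empty = OK)."""
        errors = []
        if len(password) < POLICY["min_length"]:
            errors.append("too short")
        if character_classes(password) < POLICY["min_classes"]:
            errors.append("too few character classes")
        if self.user_id.lower() in password.lower():
            errors.append("contains user ID")
        if self.changed_at is not None and now - self.changed_at < POLICY["min_age"]:
            errors.append("changed too recently")
        # Compare against every stored hash; the plaintext history is never kept.
        if any(hmac.compare_digest(_hash(password, salt), digest) for salt, digest in self.history):
            errors.append("password reused")
        return errors

    def set_password(self, password, now):
        errors = self.check_new(password, now)
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        del self.history[POLICY["history"]:]   # keep only the last N
        self.changed_at = now
        return []

    def expired(self, now):
        return self.changed_at is None or now - self.changed_at > POLICY["max_age"]

    def authenticate(self, password):
        if not self.history:
            return False
        salt, digest = self.history[0]
        return hmac.compare_digest(_hash(password, salt), digest)


def demo():
    """Exercise the policy on a constructed user; returns the observed results."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rec = PasswordRecord("jsmith")
    return {
        "first_set": rec.set_password("Correct-Horse-42", t0),
        "login_ok": rec.authenticate("Correct-Horse-42"),
        "login_bad": rec.authenticate("Correct-Horse-43"),
        "too_soon": rec.set_password("Another-Pass-77!", t0 + timedelta(hours=2)),
        "reuse": rec.set_password("Correct-Horse-42", t0 + timedelta(days=2)),
        "weak": rec.check_new("jsmith2024", t0 + timedelta(days=2)),
        "expired_day_91": rec.expired(t0 + timedelta(days=91)),
        "expired_day_30": rec.expired(t0 + timedelta(days=30)),
        "rotated": rec.set_password("Another-Pass-77!", t0 + timedelta(days=2)),
        "history_len": len(rec.history),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value}")
```

Each history entry has its own salt, so a reuse check costs one PBKDF2 computation per stored entry; with a history of ten that is acceptable at change time but is one reason not to make the history unbounded.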

Sometimes the temptation is too strong to resist. A California hospital whose patients included many of the nation’s celebrities had no strong internal controls on access to patient records, so the curious could peruse them. Eventually one employee spoke publicly about the private information viewed, embarrassed the hospital, and was dismissed.

Source: “Maria Shriver’s Medical Records Leaked,” CBSNews.com, April 7, 2008, http://www.cbsnews.com/news/maria-shrivers-medical-records-leaked/.

Educating Employees

Employees are the number-one security threat to a business. Company policies on information security must be explained to all employees. Simply handing them out to be read in a quiet moment is not enough. What is clear as day to one person may not make sense to another.

Security is everyone’s responsibility. The company cannot automatically assume that its employees will know or apply appropriate security measures. After establishing security policies, it is essential that all employees are trained in their use. This training will help people to understand management’s guidance as well as raise overall security awareness in all employees. Take time to explain how each policy enhances security. Conduct this training annually and record who attended and when. Annual training on company policies also provides evidence that everyone was informed and told what was not allowed in case someone needs to be dismissed from the company for willful disregard of published security policies.

Users should understand the importance of proper data disposal and be taught how to do it. This includes placing unneeded documents in bins for shredding and instruction on how to destroy storage media: shred optical discs, and degauss magnetic hard drives with a certified degausser or physically destroy them (an ordinary magnet will not reliably erase a modern drive). Flash drives and SSDs are unaffected by degaussing, and a drill can miss individual memory chips, so use a media shredder or a cryptographic erase followed by physical destruction.

An ongoing user awareness program that includes posters, short refresher sessions, and articles in company newsletters will keep everyone focused throughout the year. A useful side benefit is that employees will also be better informed about how to protect their home computers and networks.

Some people pay only minimal attention to training sessions (many are online). Verify training with simple exams that highlight the main points. These exams are particularly important for Acceptable Use policies that may carry disciplinary actions, and for anti-phishing training. (Phishing is the use of email with external links or attachments that encourage the recipient to click on them, which downloads malicious software or captures the recipient’s credentials.)

Policies should be aligned with government privacy regulations. A documented program to educate employees and to enforce the policies may mitigate any legal damages from illegal employee actions.

Security threats are constantly evolving and your training must keep pace. Sometimes it takes attackers a while to find workarounds before exploiting newer vulnerabilities. An example is attacks through the short-range Bluetooth technology used in smartphones. Although the typical range is 10 meters, a malicious transmitter hidden in a backpack in a busy airport or train station could potentially contact and infect passing phones. Bluejacking is “spam” sent via Bluetooth. Another is the “Car Whisperer” attack, in which an attacker connects to a car’s Bluetooth hands-free kit that still uses its default PIN and can listen to or inject audio.

Additional Sources of information

Rapid technology change means that yesterday’s adequate protection is tomorrow’s false confidence. As threats evolve and new vulnerabilities are discovered, each company needs an evolving program to meet them.

Information security is an ever-evolving challenge as new techniques, new exposures from software changes, and new technologies are revealed. It is essential to keep current. Many free services are available to keep your plans (including the Incident Management Plan) up to date.

• CERT (the CERT Coordination Center) at Carnegie Mellon University’s Software Engineering Institute works closely with the Department of Homeland Security. CERT (www.cert.org) provides research, information, and training in all aspects of information security.

• ISO 27000 is a series of standards providing industry-accepted best practices for administering an Information Security program. Applying a standard set of practices is intended to build confidence in the program within the company and among its investors and customers. (Some customers may require a demonstrated information security capability before conducting business.)

ISO 27001 specifies the requirements for an information security management system and is the standard against which organizations are certified.

ISO 27002 describes many of the potential controls that may be implemented.

ISO 27003 describes how to implement and maintain an Information Security program.

ISO 27004 describes ways to measure and assess your program’s effectiveness.

ISO 27005 describes how to conduct and maintain a risk assessment for information security.

There are many more standards in this series, including industry-specific standards such as ISO 27799 for the unique challenges of health care organizations.

• InfraGard is a partnership between business, academia, state and local law enforcement, and the Federal Bureau of Investigation (FBI) to protect the nation’s critical infrastructure. It is law enforcement outreach to the business and education communities to share information on threats, vulnerabilities, and the latest attacks. Membership is free and local chapters meet around the country. Members receive access to a secure mailbox with the latest announcements and solutions. Ongoing education about emerging threats and general information security issues is provided at the local level, too, making InfraGard a useful place to meet other practitioners working in information security, exchange ideas, and find solutions to common problems.

Conclusion

Information security is an important part of the business continuity plan. In various aspects, it has been in the plan all along. However, since it is normally managed by its own team, there should also be a dedicated plan.

Where the business continuity plans may not be invoked very often, information security requires constant vigilance to prevent criminal activity against the company. The Information Security Plan addresses the theft of assets and data, maintains the availability of assets, and protects the CIA (Confidentiality, Integrity, and Availability) of the company’s data systems and data.

Incident response planning must be completed before it is needed. Exercising the team using the plan will uncover areas for plan improvement, employee training on the tools, and overall improvement in the speed to resolution. A part of the response plan is the readiness to implement evidence gathering for forensic computing experts to ensure the evidence is admissible in court.

Social engineering is the number-one threat to a company. No matter how thoroughly you defend your assets, helpful or curious employees may enable someone to bypass your controls. The main defenses against this weakness are approved company policies guiding actions and an ongoing employee training and awareness program.

The Information Security team does not do everything itself. Many of the other important components of an Information Security program already exist in your business continuity plans. Physical security of the premises and assets is provided through the company’s security program. Availability is provided by the Infrastructure team’s use of device redundancy, environmental controls, and backup power sources. However, the Information Security team validates that there are adequate controls for the company’s critical assets. As new technologies are installed, configurations changed, and software patched, the threats, vulnerabilities, and controls for an IT system must be regularly reviewed to provide some assurance that the controls are keeping pace.
