What is your Incident Response quotient?
Felix Mohan, CEO - SecureSynergy

It is good to have a snare and a trigger, but without the trap it makes no sense. Incident detection is important, but incident response is more critical. You realise you are being hacked. What do you do? Press the panic button?
What are the most common forms of security breaches?

As per the CII-PwC Survey of 2002, 35% of the security breaches in Indian businesses were caused by attacks that exploited known operating system vulnerabilities. The other major causes of security breaches were poor access controls, abuse of valid user accounts/permissions, system misconfiguration and human errors, external and internal denial of service attacks, exploitation of application vulnerabilities, and malicious code attacks.
How are most security breaches usually detected?

Security breaches are detected by proactive and reactive methods. Proactive methods of discovery include technical controls like Intrusion Detection Systems, firewalls, file integrity monitors, alarms/triggers, and analysis of server logs. Reactive methods include discovery of a breach due to data loss or material damage, or when alerted by colleagues, customers, or managed service providers.
Are enterprises engaged in quick-fix solutions to the breach, or do they diagnose the cause and possibly engage in forensics of the breach before they apply the solution?

Most enterprises engage in quick-fix solutions to the breach for two important reasons:
(a) The priorities of most enterprises when a security breach occurs are to resume normal business operations as soon as possible, and to prevent similar incidents from occurring in future. Tracking down the perpetrator is a low priority. This is partly due to top management considering security breaches as technical events rather than business-related ones.
(b) Very few enterprises have documented computer forensics guidelines that set out how to maintain evidence during an investigation from a legal perspective, and provide the technical procedures and standards that need to be adopted for diagnosing breaches.
However, as the financial impacts of breaches continue to increase exponentially, enterprises will take legal action against attackers. For this, the response procedures would, in future, be expanded to include forensics and evidentiary activities.
Approximately what percentage of breaches could be related to corporate espionage?

As per the CSI-FBI Survey 2002, 38% of US respondents reported corporate competitors as a likely source of attack. In India, about 7% of security breaches were due to competitors, as reported in the CII-PwC Survey 2002. However, with more and more Indian enterprises placing their proprietary and other sensitive information on their networks, an increase in corporate espionage in Indian businesses can be foreseen, in line with global trends.
What are the top five things a company should do when it notices a breach?

After a breach has been detected or reported, the company should do the following:
(a) Immediately inform all parties who need to be made aware of the breach, as defined in the company's Incident Response Plan. (These would include the company's incident response team, PR staff, affected users, management, system administrators of other connected sites, etc.)
(b) All information about the compromised systems, including the cause of intrusion, system and network logs, network connections, processes running, users logged in, open files, etc., should be captured and securely stored.
(c) Contain the incident to limit its extent and prevent the intruder from doing further damage. This action would involve temporarily shutting down the system, disconnecting the compromised system from the network, disabling access to sensitive directories/files, services and accounts, and monitoring the network for further instances of attacks.
(d) Ensure that the intruder has no covert means of access into the company's system through backdoors or Trojans that he may have installed in the compromised systems. For this, reinstall compromised systems, restore executable programs and binary files from original distribution media, carry out vulnerability analysis through tools like CyberCop, and review the configurations of all protective and detection mechanisms installed in the system (IDS, firewall, Tripwire, access controls, etc.).
(e) Return the system to normal operation after eliminating all means by which the intruder may gain access. If business requirements require the systems to be brought online quickly, the risk needs to be managed and monitored. Once the system is restored, the company should implement lessons learned and update its Incident Response Plan.
What are the top five things a company should not do when it notices a breach?

(a) Do not press the panic button; follow the company's Incident Response Plan.
(b) Do not power a system down immediately upon the discovery of an incident. This can destroy critical evidence. Powering off will destroy the volatile data of the system before a forensic image of the system can be created.
(c) Do not get the compromised system online without undertaking a thorough vulnerability analysis, and hardening of the system's protection and detection mechanisms to ensure that the perpetrator cannot re-enter. The hardening should also include a thorough sanitisation of the system to ensure no backdoor or Trojan exists in the system before getting it up again. If the system cannot be left offline till security hardening is done, the company should consider having backup systems that can be brought online quickly.
(d) Do not ignore the incident - even if it may seem insignificant and potentially harmless. Incidents should be escalated and dealt with as per the procedures set out in the Incident Response Plan.
(e) Do not implement a quick fix since it can quash the company's ability to track down and prosecute the intruder.
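As an added illustration of step (b) in the "things a company should do" answer (capture network connections, running processes, logged-in users and open files, and store them securely) and of point (b) in the "things a company should not do" answer (do not power off before that volatile data is preserved), here is a small POSIX shell collector. It is not from the interview or from SecureSynergy. It assumes the usual Linux/BSD utilities (who, ps, ss, netstat, ip, lsof, mount) and either sha256sum or shasum; a missing tool is recorded in the evidence rather than aborting the run, and the output is sealed with a hash manifest so that later tampering with the captured files is detectable.

```shell
#!/bin/sh
# Added example (not from the original interview): collect the volatile state
# of a possibly compromised host BEFORE containment or power-off, most
# volatile data first, then seal the collection with a SHA-256 manifest.
# Assumed tools: who, ps, ss, netstat, ip, lsof, mount, sha256sum/shasum.

# Pick whichever SHA-256 tool is present (GNU coreutils or Perl shasum).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo sha256sum
    else
        echo "shasum -a 256"
    fi
}

# run_step NAME CMD [ARGS...]: run CMD, save stdout+stderr to $OUT/NAME.txt,
# and append a timestamped entry to the collection log. A missing tool or a
# failing command is recorded as evidence instead of stopping the collection.
run_step() {
    name=$1; shift
    tool=$1
    out="$OUT/$name.txt"
    if command -v "$tool" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || echo "[exit status $?]" >>"$out"
    else
        echo "[tool not available: $tool]" >"$out"
    fi
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$*" \
        >>"$OUT/collection.log"
}

# collect_volatile OUTDIR: capture the live state into OUTDIR and write
# MANIFEST.sha256 covering every file produced. Order is by volatility:
# time and identity, then who is logged in, processes, sockets, ARP/routes,
# open files, and finally mounts.
collect_volatile() {
    OUT=$1
    mkdir -p "$OUT"
    printf 'host=%s collector=%s\n' "$(uname -n)" "$0" >"$OUT/collection.log"
    run_step 00_date       date -u
    run_step 01_uname      uname -a
    run_step 02_logged_in  who
    run_step 03_processes  ps aux
    run_step 04_sockets    ss -tulpan
    run_step 05_netstat    netstat -an
    run_step 06_arp        ip neigh
    run_step 07_routes     ip route
    run_step 08_open_files lsof -nP
    run_step 09_mounts     mount
    # Seal: hash every artefact (including the log) once collection is done.
    ( cd "$OUT" && $(sha256_tool) *.txt collection.log >MANIFEST.sha256 )
}

# verify_manifest OUTDIR: exit 0 if every captured file still matches the
# manifest, non-zero if anything was altered or removed since collection.
verify_manifest() {
    ( cd "$1" && $(sha256_tool) -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Typical use on the affected host (output on external, write-once media):
#   collect_volatile "/mnt/evidence/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
# Later, before analysis or handover:
#   verify_manifest /mnt/evidence/<host>-<timestamp> && echo "intact"
```

Two practical caveats follow from the interview's own points. Because the answer warns that the intruder may have planted Trojans, the utilities this script calls should come from trusted media (for example a read-only USB stick of known-good binaries) rather than from the compromised host's own PATH, and the output directory should be on external media so that the collection does not overwrite unallocated space on the disk that will later be imaged. The manifest gives a simple integrity check for chain of custody; it does not replace a full forensic image, which the answer says should still be taken before the system is powered off.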