A Practical Guide to Security Assessments
to review the incident to determine the classification and determine who
should be brought in as part of the response effort. This person can be
thought of as the “single point of contact” for the incident and is responsi-
ble for ensuring that the incident is addressed appropriately. A Security
Officer is a good choice for this role, as this person would typically have
the knowledge of the company and have relationships with key groups who
would be instrumental in handling an incident.
Risk:
Without someone in charge, two risks are present. First, the response may be disorganized, with people reacting to the incident in different directions. Second, little accountability exists in the structure. Someone should "own" the process and make sure things are done; having a single point of contact in charge provides that accountability.
Client Response:
8. When there is a security incident, is communication to employees a coor-
dinated effort, which is controlled by one individual or group to ensure
the right information is being communicated to employees?
Guidance:
Depending on the severity of an incident, the company may be in a chaotic or near-panic state. At this time, personnel need to be reassured, so communication to them must be handled carefully. A centralized communication effort allows the company to review any message before it is sent to employees, to ensure that it is accurate and appropriate.
Risk:
The risk of not having a centralized communication effort is that in-
accurate information might be given to personnel, which can potentially
lead to an uncontrolled and chaotic situation.
Client Response:
INVESTIGATING AN INCIDENT
9. Are there processes in place to ensure that evidence is preserved so that
it may be used to investigate the cause of the incident or to prosecute (if
the situation warrants it)?
AU1706_book.fm Page 356 Wednesday, July 28, 2004 11:06 AM
Guidance:
When there is a computer-related security breach, the machine itself may contain evidence that will be needed if any legal action is pursued. Procedures should be in place to ensure that this evidence is not corrupted. The dilemma is whether the company preserves the evidence or simply fixes the problem: company officials are caught between becoming fully operational as quickly as possible and preserving evidence in the event that it is required. Note that rebooting, patching or rebuilding the affected machine destroys much of what an investigator relies on (volatile memory, file timestamps, the attacker's tools), so where evidence is to be preserved, a copy should be taken and its integrity recorded before any cleanup begins. The decision will depend on a number of factors including (but not limited to) the severity of the incident, what systems are affected (i.e., whether the systems support core operations), and whether any legal ramifications will result from the security incident. Ideally, the company should have criteria for this decision, similar to the classification scheme used in classifying the incident. In addition, it is critical to assemble the right team of people who can quickly come to a sound decision.
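The decision above is easier to make when preserving evidence has a concrete procedure behind it. The following is an added example, not the book's own material: a Python script that hashes every collected file into a manifest before any cleanup begins, re-verifies the copies later, and keeps a hash-chained chain-of-custody log so that a quiet edit to an earlier hand-over entry is detectable. The evidence files, handler names and log lines it uses are constructed sample input.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk or memory image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir):
    """Record hash and size of every collected file. Run this before any cleanup."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            manifest[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Return the files that are missing or whose contents no longer match the manifest."""
    changed = []
    for rel, expected in manifest.items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path) or sha256_file(path) != expected["sha256"]:
            changed.append(rel)
    return changed


def _digest(obj):
    # canonical JSON -> SHA-256, used for both manifests and custody entries
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chain of custody: each entry commits to the previous entry's hash,
    so editing or deleting an earlier hand-over invalidates every entry after it."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, manifest, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler,   # who held the evidence
            "action": action,     # acquired / transferred / analysed / returned
            "note": note,
            "manifest_sha256": _digest(manifest),
            "prev": prev,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Acquire, hand over, then show what a 'just fix it' edit and a log edit look like.
    The evidence file, names and log lines are constructed sample input, not real data."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Jul 28 11:06:01 host sshd[4121]: Accepted password for root from 203.0.113.7\n")
        manifest = build_manifest(d)
        log = CustodyLog()
        log.record("incident lead", "acquired", manifest, "copied from host before cleanup")
        log.record("external forensic firm", "transferred", manifest)
        intact = verify_manifest(d, manifest)
        # Someone "fixes the problem" on the evidence copy instead of on the live host.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("Jul 28 11:30:00 host sshd[4121]: pam_unix(sshd:session): session closed\n")
        changed = verify_manifest(d, manifest)
        log_ok_before = log.verify()
        log.entries[0]["handler"] = "unknown"  # a quiet edit to the custody record
        log_ok_after = log.verify()
    return {"intact_after_acquisition": intact, "changed_after_cleanup": changed,
            "log_ok_before_tamper": log_ok_before, "log_ok_after_tamper": log_ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` yields an empty change list right after acquisition, `["auth.log"]` once the copy has been touched, and a custody log that verifies before the edit to its first entry and fails afterwards. In practice the manifest and the custody log are written to storage the response team cannot modify, and the hashes are quoted in the investigation report.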
Risk:
If the company is seeking legal action, the evidence must be carefully preserved. If it is not carefully preserved, it has limited value in the legal action.
Client Response:
10. Depending on the nature of the investigation, does the company engage
the appropriate security experts to investigate incidents?
Guidance:
Depending on the company, there may or may not be personnel
who are qualified to handle an investigation resulting from a security inci-
dent. Larger companies may have someone appropriate on their staff or
they may even have a security group that only handles investigations. In
smaller companies, this is less likely. In any case, companies should have
access to qualified individuals to perform investigations as needed. Some-
times, this might mean calling on external resources.
Risk:
Having unqualified people performing the investigation could result in
a botched investigation where evidence might be corrupted and recourse
might become impossible. Any legal action might also become more difficult.
Client Response:
11. Is there a process in place for an investigator to obtain administrator
access to a machine in a timely fashion if required for an investigation?
Guidance:
In some cases where investigators are engaged, they will require administrator or root access to machines in order to investigate. Given the sensitivity of this type of access, the process for obtaining it can be cumbersome. There should be a process that ensures investigators receive this access quickly and that removes it once the investigator has finished the work. If possible, the investigator's activity while using privileged access should be logged, ideally through a separate, named account rather than a shared root password, so that the logged actions are attributable to the investigator. The process for granting this access should require appropriate approvals while remaining quick and efficient.
Risk:
If investigators do not receive the appropriate access in a timely
fashion with proper approvals, the investigation of the incident might suf-
fer as they cannot quickly obtain the information they need.
Client Response:
12. Are security incidents documented? If so, what details are documented?
Guidance:
As part of the process of handling security incidents, ample
documentation should occur for audit trail purposes and for “lessons
learned.” Documenting “what happened” and “how it was fixed” can help
in preventing similar incidents from happening again. Based on the docu-
mentation, steps can be taken to make the appropriate changes to the rele-
vant business processes or technology. As a best practice, the client should
consider documenting the following:
   Incident details — what happened
      Nature of the incident
      Classification of the incident
   Impact
      Business processes
      Systems
      People
   Response
      Results of investigation (if applicable)
      Remediation steps taken (if any)
      Groups involved
      Response metrics
         – How long did it take to find out about the incident?
         – How long did it take to assemble a team?
   Lessons learned
      What could have been done better?
Note that all of the items listed above might not be applicable when
documenting a security incident. One thing to remember is that in the
midst of an incident, documentation is probably the last thing someone
wants to do. It is absolutely critical to have someone who is responsible
for documentation. For the last section, “lessons learned,” members of the
response team should all provide their input. Other information can be
documented based on the company’s risks. The list above is meant to be a
guideline for documentation.
Risk:
As is the case with most documentation, a lack of it means that the
knowledge is in somebody’s head (to the extent they remember the key de-
tails). The risks related to not documenting the security incident include
the following:
There might be a tendency to not go back and learn from the incident.
Needed changes to the environment as a result of the incident are not
made.
If the same type of incident happens in the future, knowledge from the
current experience cannot be leveraged to respond to the incident.
If certain key employees leave, any knowledge associated with the
security incident is also gone because it was not documented.
Client Response:
POST-INCIDENT ANALYSIS
13. Are lessons learned from security incidents incorporated into user aware-
ness programs where appropriate? Are security awareness programs
updated as necessary to reflect the experience from security incidents?
Guidance:
Some security incidents result in lessons learned that should be
shared with all personnel. One of the ways to share this information is to
incorporate it into the security awareness programs offered to personnel.
The knowledge resulting from the lessons learned from these security in-
cidents helps in raising awareness and eventually reacting appropriately if
a similar incident occurs.
Risk:
The risk of not incorporating security incident lessons learned into
security awareness programs is that there is a greater chance that any mis-
takes made might be repeated in future incidents.
Client Response:
14. Are security incidents analyzed on an ongoing basis to identify any trends
that might indicate a weakness?
Guidance:
Ideally, details of security incidents (discussed in an earlier
question) are compiled in a database where they can be analyzed. The val-
ue of ongoing analysis is in determining whether any relevant trends exist
that might indicate a problem with a particular process or system. These
trends can then be used to make changes in process, harden certain systems,
or take other actions as necessary. This is only possible if the company is
diligent in documenting security incidents.
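Questions 12 and 14 fit together: the trend analysis is only as good as the records collected. As an added example (not from the book), the Python below defines an incident record with the fields listed under question 12, computes the response metrics named there, and runs the kind of trend query question 14 describes over a small set of constructed, fictional incidents. The field names, the 90-day window and the threshold of three recurrences are assumptions for illustration, and the classification values assume a low/medium/high scheme.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Incident:
    incident_id: str
    nature: str             # what kind of incident (phishing, malware, ...)
    classification: str     # the company's own severity scheme; assumed low/medium/high
    systems: list           # affected systems
    occurred: datetime      # when the incident began (established by the investigation)
    detected: datetime      # when the company found out
    team_assembled: datetime
    resolved: datetime
    remediation: str = ""
    lessons_learned: list = field(default_factory=list)

    def metrics(self):
        """The response metrics from the questionnaire, in hours."""
        def hours(delta):
            return delta.total_seconds() / 3600
        return {
            "time_to_detect_h": hours(self.detected - self.occurred),
            "time_to_assemble_h": hours(self.team_assembled - self.detected),
            "time_to_resolve_h": hours(self.resolved - self.detected),
        }


def find_trends(incidents, window_days=90, threshold=3):
    """Natures and systems that recur at least `threshold` times within the last
    `window_days`, measured back from the most recent detection."""
    cutoff = max(i.detected for i in incidents) - timedelta(days=window_days)
    recent = [i for i in incidents if i.detected >= cutoff]
    by_nature = Counter(i.nature for i in recent)
    by_system = Counter(s for i in recent for s in i.systems)
    return {
        "recurring_natures": {n: c for n, c in by_nature.items() if c >= threshold},
        "recurring_systems": {s: c for s, c in by_system.items() if c >= threshold},
    }


def average_metrics(incidents):
    """Mean of each response metric across all incidents, rounded to one decimal."""
    totals = Counter()
    for i in incidents:
        totals.update(i.metrics())
    return {k: round(v / len(incidents), 1) for k, v in totals.items()}


def D(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed, fictional sample records (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "phishing", "medium", ["mail-gateway"],
             D("2004-05-10 09:00"), D("2004-05-10 15:00"), D("2004-05-10 16:00"), D("2004-05-11 09:00"),
             "blocked sender domain", ["staff did not know where to report suspicious mail"]),
    Incident("INC-002", "malware", "high", ["workstation-14"],
             D("2004-06-01 08:00"), D("2004-06-03 08:00"), D("2004-06-03 10:00"), D("2004-06-04 08:00"),
             "reimaged workstation", ["antivirus signatures were two weeks old"]),
    Incident("INC-003", "phishing", "low", ["mail-gateway"],
             D("2004-06-20 10:00"), D("2004-06-20 12:00"), D("2004-06-20 12:30"), D("2004-06-20 18:00")),
    Incident("INC-004", "phishing", "medium", ["mail-gateway", "workstation-22"],
             D("2004-07-15 07:00"), D("2004-07-15 09:00"), D("2004-07-15 09:30"), D("2004-07-15 17:00"),
             "credential reset", ["same lure as INC-001; awareness material not yet updated"]),
    Incident("INC-005", "unauthorized access", "high", ["vpn-concentrator"],
             D("2004-01-05 00:00"), D("2004-01-10 00:00"), D("2004-01-10 04:00"), D("2004-01-12 00:00"),
             "disabled stale account"),
]


if __name__ == "__main__":
    print("average response metrics:", average_metrics(SAMPLE_INCIDENTS))
    print("recurring in last 90 days:", find_trends(SAMPLE_INCIDENTS))
```

On the sample data the 90-day query flags "phishing" and "mail-gateway" three times each, while the older VPN incident drops out of the window; the average time to detect (35.6 hours here) is the number that tends to drive the discussion in the post-incident review. The same records can be written to any database the company already has; the point is that the fields are captured consistently so that queries like these are possible at all.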
Risk:
The risk of not doing this analysis is that the same types of incidents
can keep occurring because trends are not noticed. If the trends are noticed,
changes can be made sooner rather than later to help prevent future incidents.
Client Response: