A Five-Step Plan to Help You Stay Ahead of Computer Security Attacks, Risks, and Threats, Part Three

Feb 28, 2007, 18:13
Etienne A. Gibbs



Step No. 3: Implement an Incident Response Plan at Home and at Work

When a security incident occurs, it's the information technology security group's job to respond. Among the group's first assignments: Determine whether an alert represents a serious incident or a false alarm. Security managers may call upon internal experts or external help from antivirus vendors and various intelligence services, which provide reports on computer security threats. UPS subscribes to a number of such services and maintains a strategic relationship with an antivirus vendor. The relationships help UPS stay on top of the threat environment, which puts the company in a position to react ahead of time.

But the knowledge flows in both directions. When UPS discovered a variant of the Zotob worm, the company notified its antivirus vendor. Zotob achieved notoriety in August 2005 when it hit CNN and The New York Times, among others.

An alert that reaches full-blown incident status triggers an organization's response plan, assuming it has one. Security experts say large enterprises typically do maintain some type of formal response plan, though incident response varies widely. Some response plans, governed by extensive steps and checklists, become so choreographed that they are almost restrictive. The other extreme is no choreography, which results in a "mad dance." The best fit? Follow a middle path.

The University of Georgia follows established incident-handling protocols, based on documentation from the National Institute of Standards and Technology (NIST) and the SANS Institute. NIST's Computer Security Resource Center publishes a range of security policy guidelines, some of which touch on incident response. The SANS Institute, in conjunction with the Center for Internet Security, offers the Security Consensus Operational Readiness Evaluation, which seeks to provide a minimum standard for information security procedures and checklists. ISO 17799, which provides guidelines for security management, also covers incident management.

At some organizations, a computer incident response team (CIRT) puts the response plan into action. The corporate security chief generally heads the CIRT, but some companies prefer to tap an experienced outsider to manage response activity, so that one person doesn't wear two hats in a crisis. The CIRT consists of I.T. security specialists, either internal or external, and people with other areas of expertise. Miracle says a CIRT usually includes desktop gurus, server managers, and help-desk representatives. The CIRT members' responsibilities are determined in advance. "In real time, you can't have people arguing ... that you can't shut that server down," Miracle explains. He adds that some companies hire consultants to help establish roles and get different groups across the organization to buy into the plan.

While the CIRT may have broad influence, its physical reach may be limited. To address this issue, the University of Georgia's security group has deputized security liaisons in each of the institution's 14 colleges. Each college has a different security parameter, but through the use of institutional policies, standards, and processes, the university has been able to set a security baseline. A security liaison also represents the university's administrative users.

For malware cleanup, an organization may choose to reload a fresh software image rather than delete the offending code. More companies choose such "brute-force methods" because they find it less arduous than potentially spending hours cleaning infected files from a system.

Brute force or not, cleanup comes to a halt when an incident calls for a forensics examination. During an ongoing network attack, the organization must decide whether to let the incursion continue to aid its investigation or cut it off to minimize damage. Technology and business leaders must weigh whether the investigative process outweighs the risk to the network.

Sometimes it's strictly a business decision, but criminal cases may involve external authorities such as the FBI, or state authorities.

Because organizations may lack the specialized staff to investigate computer crime, forensics is frequently outsourced. Banks, for example, handle most response tasks internally, but may call in a forensics specialist if an incident looks like something that might lead to litigation. An event such as theft of service could spark a forensics investigation, but could also be treated as an employee matter if the theft occurs internally. Some banks have a retainer-like contract with a forensics services firm that gathers evidence and maintains the chain of custody. While investigation and remediation activities continue, incident responders, ideally, keep lines of communication open with key constituencies. The CIRT team, for instance, notifies line-of-business managers of a problem so they can inform their customers.

Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk.

These cybercriminals leave you with three choices:

1. Do nothing and hope their attacks, risks, and threats don’t occur on your computer.

2. Do research and get training to protect yourself, your family, and your business.

3. Get professional help to lock down your system from all their attacks, risks, and threats.

Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!

© MMVII, Etienne A. Gibbs, MSW, The Internet Safety Advocate and Educator