Organizations of any significant size that provide some kind of service inevitably handle sensitive information. For a service-oriented organization in contemporary terms, this service is either delivered within a digital medium or has a significant portion of its operations handled in a digital format. It should go without saying that, because of this, organizations are susceptible to cyber-attacks. These malicious attacks are aimed at one of the three characteristics of what is known as the CIA triad: confidentiality, integrity, and availability.
Confidentiality refers to the state or process of hiding communication and data from outside parties who are not intended to see it. Cryptography is the practice of encrypting or encoding data so that only the appropriate parties are able to make sense of it. It is imperative, for example, that an organization uses some form of cryptography to help ensure that user information is kept private.
Integrity refers to the assurance, for those handling or receiving data, that the information has not been tampered with and that what was received is what was intended to be communicated. The use of certificates provides assurance that the data source is the organization and not another entity posing as the organization. Protecting an organization’s web portal with a strong security certificate allows users visiting the site to be confident that the information they receive is coming from the intended source.
Availability is the accessibility of information to those who are requesting it. The fundamental purpose of an organization handling data is to have that information available. If data is not readily available to those requesting it, the organization’s service would stop entirely. It is the responsibility of the organization to ensure that the mechanisms responsible for data delivery are functioning and not susceptible to malicious attacks. Protecting against a Distributed Denial of Service (DDoS) attack protects the availability of data.
Establishing InfoSec policies and procedures for handling a malicious attack is the responsibility of the Incident Response (IR) team. The IR team must consider all three characteristics of the CIA triad when creating its policies and procedures for handling such incidents. The team must perform risk analysis and prioritize among the CIA characteristics when handling an incident so that the impact of the incident on the organization is minimal. For example, a DDoS attack may lessen the availability of data, but the response could weaken the integrity of the data if it restores access through an alternative site that is not digitally signed.
According to the “Computer Security Incident Handling Guide” (NIST.SP.800-61r2) established by the National Institute of Standards and Technology (NIST), the following should be considered when establishing a policy:
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy (to whom and what it applies and under what circumstances)
- Definition of computer security incidents and related terms
- Organizational structure and definition of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e.g., what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process
- Prioritization or severity ratings of incidents
- Performance measures
- Reporting and contact forms
IR policies should be well defined in respect to the purpose, parties involved, ownership of responsibilities, escalation, and resolution. An IR policy that accomplishes this will better serve the organization before, during, and after a malicious attack.
The NIST.SP.800-61r2 also provides the following list of tools and resources that should be considered when handling IR matters:
Incident Handler Communications and Facilities:
- Contact information for team members and others within and outside the organization (primary and backup contacts), such as law enforcement and other incident response teams; information may include phone numbers, email addresses, public encryption keys (in accordance with the encryption software described below), and instructions for verifying the contact’s identity
- On-call information for other teams within the organization, including escalation information
- Incident reporting mechanisms, such as phone numbers, email addresses, online forms, and secure instant messaging systems that users can use to report suspected incidents; at least one mechanism should permit people to report incidents anonymously
- Issue tracking system for tracking incident information, status, etc.
- Smartphones to be carried by team members for off-hour support and onsite communications
- Encryption software to be used for communications among team members, within the organization and with external parties; for Federal agencies, software must use a FIPS-validated encryption algorithm
- War room for central communication and coordination; if a permanent war room is not necessary or practical, the team should create a procedure for procuring a temporary war room when needed
- Secure storage facility for securing evidence and other sensitive materials
Incident Analysis Hardware and Software:
- Digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
- Laptops for activities such as analyzing data, sniffing packets, and writing reports
- Spare workstations, servers, and networking equipment, or the virtualized equivalents, which may be used for many purposes, such as restoring backups and trying out malware
- Blank removable media
- Portable printer to print copies of log files and other evidence from non-networked systems
- Packet sniffers and protocol analyzers to capture and analyze network traffic
- Digital forensic software to analyze disk images
- Removable media with trusted versions of programs to be used to gather evidence from systems
- Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal actions
Incident Analysis Resources:
- Port lists, including commonly used ports and Trojan horse ports
- Documentation for OSs, applications, protocols, and intrusion detection and antivirus products
- Network diagrams and lists of critical assets, such as database servers
- Current baselines of expected network, system, and application activity
- Cryptographic hashes of critical files to speed incident analysis, verification, and eradication
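The last two resources above, a current baseline and cryptographic hashes of critical files, are what let an incident handler answer "which of these files did the attacker change?" without reading every byte by hand. The following is an added example, not code from the original page or from NIST: it builds a SHA-256 baseline for a list of critical files, stores it as JSON, and later verifies the live system against it, reporting modified, missing, and unchanged files. The file names and contents in `demo()` are constructed for illustration; `build_baseline`, `verify_baseline`, and the JSON layout are the example's own choices, not a standard format.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hash algorithm for the baseline; stored in the file so a later
# verification run can refuse a baseline built with a different one.
HASH_ALGORITHM = "sha256"


def hash_file(path, chunk_size=1 << 16):
    """Return the hex digest of a file, read in chunks so large files
    (disk images, logs) never have to be loaded fully into memory."""
    digest = hashlib.new(HASH_ALGORITHM)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, critical_paths):
    """Compute {relative_path: digest} for the listed critical files under root."""
    root = Path(root)
    return {rel: hash_file(root / rel) for rel in critical_paths}


def save_baseline(baseline, path):
    """Persist the baseline as JSON. In practice this file belongs on
    read-only or off-host media so an intruder cannot rewrite it."""
    payload = {"algorithm": HASH_ALGORITHM, "files": baseline}
    Path(path).write_text(json.dumps(payload, indent=2, sort_keys=True))


def load_baseline(path):
    """Load a baseline, rejecting one produced with another algorithm."""
    data = json.loads(Path(path).read_text())
    if data.get("algorithm") != HASH_ALGORITHM:
        raise ValueError("baseline algorithm %r does not match %r"
                         % (data.get("algorithm"), HASH_ALGORITHM))
    return data["files"]


def verify_baseline(root, baseline):
    """Compare the live files against the baseline.
    Returns {'modified': [...], 'missing': [...], 'unchanged': [...]}."""
    root = Path(root)
    result = {"modified": [], "missing": [], "unchanged": []}
    for rel, expected in sorted(baseline.items()):
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hash_file(path) != expected:
            result["modified"].append(rel)
        else:
            result["unchanged"].append(rel)
    return result


def demo():
    """Constructed scenario: baseline three files, then simulate an incident
    in which one file is altered and one is deleted, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files standing in for "critical files".
        files = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh_config": b"Port 22\nPermitRootLogin no\n",
            "bin/login": b"\x7fELF-placeholder-binary",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        baseline_path = root / "baseline.json"
        save_baseline(build_baseline(root, files.keys()), baseline_path)

        # Simulated tampering after the baseline was taken.
        (root / "etc/ssh_config").write_bytes(b"Port 22\nPermitRootLogin yes\n")
        (root / "bin/login").unlink()

        return verify_baseline(root, load_baseline(baseline_path))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

The baseline must be taken from a known-good system and kept where a compromised host cannot alter it, which is why the NIST list pairs it with removable media carrying trusted tools; a baseline rewritten by the intruder verifies cleanly and tells the handler nothing.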
Incident Mitigation Software:
- Access to images of clean OS and application installations for restoration and recovery purposes
NIST. (2012, August). Computer Security Incident Handling Guide. Retrieved October 25, 2015, from National Institute of Standards and Technology: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf