Final Project Paper - NO EXTENSIONS
Managing Risk in Information Systems
Lesson 15
Mitigating Risk with a Computer Incident Response Team Plan
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Computer Security Incident
Violation, or imminent threat of a violation of a security policy or security practice
Examples
Denial of service (DoS) attack
Malware code
Unauthorized access
Inappropriate usage
Multiple component
What Is a Computer Incident Response Team Plan?
Computer incident response team (CIRT)
A group of people that will respond to incidents
A CIRT plan:
Is a formal document that outlines an organization’s response to computer incidents
Formally defines a security incident
May designate the CIRT team
Purpose of CIRT Plan
Prepares you for unscheduled computer incidents
Helps you apply critical thinking to solve problems
Helps you develop best responses to reduce damage
Outlines the purpose of the response effort
The five Ws: what, where, who, when, and why
Growth of Incidents
1988 – one incident was news
2003 – 137,529 incidents
Today – Off the chart
Elements of a CIRT Plan
CIRT members
IT staff and security professionals who understand risks and threats posed to networks and systems
Accountabilities
CIRT policies
Incident handling process
Communication escalation procedures
Incident handling procedures
CIRT Team Members
Team leader
Information security members
Network administrators
Physical security personnel
Legal
Human resources (HR)
Communications
Team leader—This individual is responsible for the team’s actions.
A team leader is usually a senior manager with expertise in security. However, some CIRTs identify the first team member that arrives on the scene as the team leader.
Information security members—These individuals could be experts on boundary protection.
This includes firewalls and routers on the edge of the network. They are able to identify the source of breaches and recommend solutions.
These members could also be experts in intrusion detection systems (IDSs) and other systems that include audit logs and audit trails.
Network administrators—Network administrators understand the details about a network.
They understand what systems are connected and how they’re connected. They also understand what systems are accessible from the Internet. They know what normal traffic flow is and can recognize abnormal traffic.
Physical security—Because attackers can be social engineers and might be on company property, physical security personnel need to be represented on the team.
They know what physical security controls the organization uses, where these controls are located, and their purpose.
Legal—Legal personnel provide advice on the organization’s legal responsibilities and legal remedies.
This can be before, during, and after an incident. Legal personnel understand what legal actions are possible against the attackers. They also understand the requirements necessary to pursue legal actions.
Human resources (HR)—If the attack originated from an employee, HR needs to be involved.
HR understands the organization’s policies. They are also aware of the available enforcement methods. For example, if an employee violates the AUP, the first offense may result in a formal written warning. A second or third offense may result in termination. HR personnel would know if the employee had been previously warned.
Communications—Public relations (PR) personnel become the face of the organization if the incident becomes public.
They help to present an image of resolve, even if everything is not quite under control. If PR reps aren’t used, team members might express frustration or confusion about the attack. This can present a poor image to customers, vendors, and stockholders of the organization.
Incident Response Lifecycle
Four phases defined by NIST SP 800-61
DDoS Attack From a Botnet
What are the indications on the attacked server?
How CIRT Plan Can Mitigate Risk
Quick and focused response to incidents
Clearly defined roles and responsibilities for response
Enhanced understanding of needed skills
Enhanced ability to respond to threats and remove risks
The CIRT plan helps an organization prepare for incidents. When prepared, the organization responds to incidents much quicker and with focused action.
One of the primary benefits of the CIRT plan is the identification of CIRT members. The plan identifies these individuals so that the organization knows who they are. Additionally, individuals on the team know their roles and responsibilities.
Once the plan and the members are identified, the organization has a better understanding of the skills needed. The members can be trained to ensure they have the skills needed to support the requirements.
If you can remove a threat, you remove the risk.
R = T × V
(where R = risk, T = threats, and V = vulnerabilities)
Best Practices for CIRT
Define a computer security incident
Include policies in CIRT plan to guide members
Provide training
Develop CIRT checklists
Subscribe to security notification bulletins
Define a computer security incident—Incidents are interpreted differently by different organizations. When you define the incident in the CIRT plan, it is clear to all parties.
Include policies in the CIRT plan to guide CIRT members—These policies can address, for example, whether CIRT members may attack back at attackers. They can also include statements regarding the use of chain of custody, or otherwise protecting evidence.
Provide training—Ensure the CIRT members and end users are trained. The CIRT members should understand their responsibilities. They should also know the best way to respond to different types of incidents. All personnel should understand the threats, as well as basic steps they can take to mitigate the threats.
Include checklists—The checklists can be formal step-by-step checklists that must be performed in a specific order. They can also be informal bullet statements designed to help ensure the CIRT members don’t overlook key data.
Subscribe to security notifications—There are many security bulletins you can sign up for. These provide e-mails describing different types of threats, including new emerging threats.
Summary
Computer security incidents
Purpose and critical success factors of CIRT and incident response plan
Major parts of an incident response plan
Best practices for a CIRT