Chapter 1 – Introduction

Topics: Why require a security? Picking a security policy, strategies for a secure network, the ethics of computer security, security threats and levels, security plan (RFC 2196) Why security – In general, security means keeping anyone from doing things you don’t want them to do with, or, from our computers or any other peripheral devices. This definition leads to some important questions that must be answered by everyone who wishes to build a security system for his/her PC. Very first question arises is what resources we are trying to protect? The answer will be CPU (especially a CPU with running certain software with certain configuration files which has a name, an identity which lets access to more critical resources). A hacker who compromises a host will normally have access to all of its resources like files, storage devices and even phone lines. Somebody might be interested in the data on the machine. Thus these important resources need some protection. For example, machines with sensitive files may require extra levels of passwords or sometimes even file encryption. Another question will be against whom the computer systems must be defended? While answering to this question, one must remember that the computer security is not the goal but it is a means towards a goal; i.e. information security. Hence when necessary, other means should be used as well. The strength of one’s computer security should be proportional to the threat form that arena. Another important question is how much security you can afford? Too much security can hurt as surely as too little can.

Finding the balance between these is an absolutely essential thing and it can only be done if we have properly assessed the risk to the organization from either extreme. Picking a security policy – A security policy is the set of decisions that collectively determines an organization’s posture toward security. Thus it determines the limits of acceptable behavior and what the response to the violations should be. Then the first step is to decide what is and what is not permitted. To some extent, this process is driven by business or structural needs of the organizations. Making such decisions is clearly an interactive process and one’s answers should never be taken granted for ever. A good security policy should have the following characteristics – 1) It should define a clear set of security goals. 2) Should accurately define each issue discussed in the policy. 3) Define under what circumstances each issue is applicable. 4) Should be enforceable with security tools wherever appropriate. 5) Should clearly define the areas of responsibility for users, administrators and management. 6) Should have acceptance within the organization. Strategies for a secure network – Before you can decide on how to safeguard your network, you must identify what level of security you require. That is, whether you want a lower, medium or very tight security. Once this job is done, you are ready to make your strategies to secure your network.

The first step is performing a risk analysis. It is a process of examining all your risks and then finding a cost effective decision to recover from it. Two important steps in this are – a) Finding out what resources you are trying to protect; resources may include  Physical resources like printers, monitors, keyboards, drives, modems etc.  Logical resources like programs, data, utilities, operating systems. b) Finding out who can disrupt them and in what ways. The threats to your assets may include –  Physical threats to the resources such as stealing, malfunctioning the devices  Logical threats such as unauthorized access to data, information and resources  Unintended disclosure of your information. The various strategies used to secure the network may include the following – 1) Authentication of network- it is the process of a user proving that he/she is actually the person who he/she claims. There are three basic ways to do this. a) By providing the information the system or the network is expecting, such as a password or personal identification number (PIN). Sign-in name

Sign in 3

b) By providing a card such as library card or an ID card. c) By providing some physical attribute which the system or network can verify, such as fingerprints. Each of these authentication methods has drawbacks. Password of PIN authentication is easy but it requires that the user commit something to memory (which is often easy to forget). Passwords can also be susceptible to compromise depending on their length and what characters are used. Library cards can share and track a lot of useful information but unless they are password protected, a stolen card can easily be compromised. 2) Using firewalls and proxy servers – A firewall is a software package that usually runs on the main server that is gateway to the internet. Such gateway servers are connected to the internet through routers. A firewall can also run on an individual PC connected to the internet through modem. The main purpose of firewall is to prevent unauthorized users (usually from outside of your local network) from accessing data and other resources on your computer that are attached to your network. A firewall can also allow you to control which resources on your computers can be accessed by outsiders. Proxy server is a software package that filters web page requests made by the users on the local network before passing those requests out of the internet. Thus a firewall is usually designed to prevent the traffic from COMING IN to your PC while Proxy server is designed to focus on the outgoing traffic. Some proxy servers are out on the internet and are used for things such as filtering out unwanted advertisements and websites. The purposes served by a proxy server commonly include –

b) Filtering out objectionable or unwanted sites. The method of arranging a plaintext in such a way as to hide its substance is called encryption. c) Caching (temporarily storing) web pages that have already been accessed and are frequently accessed so that users can have quicker access to those web pages. determination and luck. The security of the encrypted data entirely depends on two things – the strength of the cryptographic algorithm and the secrecy of the key. a number or phrase. A cryptographic algorithm (or ‘cipher’) is a mathematical function used in encryption and decryption process.a) Preventing employees from accessing websites that their employers don’t want them to access on company time. Cryptography is the science of using mathematics to encrypt and decrypt the data. You use the encryption to ensure that the information is hidden from anyone for whom it is not intended. pattern finding. Encrypting plaintext results in what is called as ciphertext. Making use of encryption techniques – data can be read and understood without any special measure is called plaintext or encrypt the plaintext. While cryptoanalysis is the science of analyzing and breaking secure communication. application of mathematical tools. Ethics of computer security – 5 . A cryptographic algorithm plus all possible keys and protocols that make it work. The same plaintext encrypts to different ciphertexts with different keys.a word. A cryptographic algorithm works in combination with the key . Crypto analysts are also called’ attackers’.comprise a cryptosystem. The process of reverting ciphertext to plaintext is called decryption. d) Keeping record of what sites/pages have been accessed and by whom. even those who can see the data. Classical cryptoanalysis involves an interesting combination of analytical reasoning.

However. Security threats and levels – Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. There may be several issues of security policy that may affect the individuals outside the organization even though the policy is formed for the organization.While we are applying ourselves to keep our assets protected and secured. computer security is ethical. These are moral principles to be followed while using computer security aspects. These errors are caused not only by data entry clerks processing hundreds of transactions per day. The effects of various threats vary considerably: some affect the confidentiality or integrity of data while others affect the availability of a system. In short. we must consider the ethics of computer security. Losses can stem. This damage can range from errors harming database integrity to fires destroying entire computer centers. but also by all types of users who create and edit data. Errors and Omissions Errors and omissions are an important threat to data and system integrity. especially those designed by users for personal computers. Precision in estimating computer security-related losses is not possible because many losses are never discovered. and others are "swept under the carpet" to avoid unfavorable publicity. so long as we stay within the frame of the law. 1. or from careless data entry clerks. A sound 6 . lack quality control measures. Also the consideration to the privacy of the individual should be made. for example. even the most sophisticated programs cannot detect all types of input errors or omissions. from the actions of supposedly trusted employees defrauding a system. The ethical issues say even further that there is no harm in monitoring our systems and equipments that the counterattacking on the attacker is also possible in self defense. Many programs. from outside hackers.

Fraud and Theft Computer systems can be exploited for both fraud and theft both by "automating" traditional methods of fraud and by using new methods. mischief. Insiders can be both general users (such as clerks) and technical staff members. particularly if their access is not terminated promptly.awareness and training program can help an organization reduce the number and severity of errors and omissions. Financial systems are not the only ones at risk.g.e. such as a data entry error or a programming error that crashes a system. including knowing what actions might cause the most damage. 2. may also pose a threat. data entry clerks. The downsizing of organizations in both the public and private sectors has created a group of 7 . the errors create vulnerabilities. In other cases. with their knowledge of an organization's operations. authorized users of a system) are responsible for the majority of fraud. the error is the threat. authorized system users are in a better position to commit crimes. Errors can occur during all phases of the systems life cycle. Employee Sabotage Employees are most familiar with their employer's computers and applications. Computer fraud and theft can be committed by insiders or outsiders. In some cases. 3. For example... individuals may use a computer to skim small amounts of money from a large number of financial accounts. and programmers frequently make errors that contribute directly or indirectly to security problems. and long-distance telephone systems). Systems that control access to any resource are targets (e. assuming that small discrepancies may not be investigated. Insiders (i. or sabotage. time and attendance systems. system operators. Since insiders have both access to and familiarity with the victim computer system (including what resources it controls and its flaws). school grading systems. An organization's former employees. inventory systems. Users.

and brownouts). sewer problems. They can include both outsiders and insiders. civil unrest. refers to those who break into computers without authorization. loss of communications. One 1992 study of a particular Internet site (i. 4. and strikes. water outages and leaks. Although current losses due to hacker attacks are significantly smaller than losses due to insider theft and sabotage. the hacker problem is widespread and serious. Loss of Physical and Infrastructure Support The loss of supporting infrastructure includes power failures (outages. spikes. Malicious Hackers The term malicious hackers. Much of the rise of hacker activity is often attributed to increases in connectivity in both government and industry. if system accounts are not deleted in a timely manner). fire.individuals with organizational knowledge. Common examples of computer – related employee sabotage include: Planting logic bombs those destroy Entering data incorrectly.g. The number of incidents of employee sabotage is believed to be much smaller than the instances of theft.. lack of transportation services. 8 . 5. one computer system) found that hackers attempted to break in at least once every other day. but the cost of such incidents can be quite high.e. The hacker threat should be considered in terms of past and potential future damage. who may retain potential system access (e. flood..

There are many types of viruses. The new copy of the virus is executed when a user executes the new host program. these costs can be significant. For example. overwriting. Since information is processed and stored on computer systems. Trojan horses. including variants. The virus may include an additional "payload" that triggers when specific conditions are met. Industrial Espionage Industrial espionage is the act of gathering proprietary data from private companies or the government for the purpose of aiding another company (ies). stealth. computer security can help protect against such threats. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. logic bombs. resident. 9 . Foreign industrial espionage carried out by a government is often referred to as economic espionage. and other "uninvited" software.6. however. malicious code can attack other platforms. worms. it can do little. and polymorphic. Malicious Software – A Few Key Terms Virus – A code segment replicates by attaching copies of it to existing executables. Malicious Code Malicious code refers to viruses. Nonetheless. Actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems. some viruses display a text string on a particular date. to reduce the threat of authorized employees selling that information. 7. Sometimes mistakenly associated only with personal computers.

This program could be modified to randomly delete one of the users' files each time they perform a useful function (editing). but the deletions are unexpected and definitely undesired! Worm – A self-replicating program that is self-contained and does not require a host program.Trojan horse – A program that performs a desired task. This must be done at the highest level and should address the issues such as level of protection for various aspects of the information relating to the organization. combined with the ability of computers to monitor. and aggregate large amounts of information about individuals have created a threat to individual privacy. no user intervention is required. 2) Selection of a technology 10 . and private companies. Worms commonly use network services to propagate to other host systems. 8. but that also includes unexpected (and undesirable) functions. process. The possibility that all of this information and technology may be able to be linked together has arisen as a specter of the modern information age. The other steps that can be taken are – 1) IT planning – the organization must decide on a policy for introduction of IT. Security Measures – one of the best and first steps in ensuring the data security is to create an awareness and develop a culture within the organization towards the ways in which the information can be lost and what should the consequences of such an occurrence to the organization and individuals. credit bureaus. The program creates a copy of it and causes it to execute. Threats to Personal Privacy The accumulation of vast amounts of electronic information about individuals by governments. Consider as an example an editing program for a multi-user system.

2) Detect .the aim here is to contain the damage when losses occur to reduce the adverse effects of such damage. Additional points to be looked at arei) Information classification ii) Responsibilities for security iii) User training to increase security awareness iv) Guidelines for creation and change of passwords There are four time – honored principles for ensuring security and recovery in cases of breaches of security – 1) Prevent . The next principle is that you must be able to detect the loopholes to security within shortest possible time.3) Identification of points of exposure and of weak links 4) Physical protection of machine and media 5) Controlling and monitoring the access to the data. its usage by persons and its integrity must be clearly defined. 3) Minimize damage . It is a guide to setting computer security policies and procedures for sites that have systems on the internet. total security is almost impossible. 4) Recovery .The method is of course stopping all breaches of security before they occur.There must be enough power in the system to back . And the responsibility for ensuring these must test on persons designated for these tasks. Security Plan (RFC 2196) – This document provides guidance to the system and network administrators on how to address security issues within the internet community.up itself from damages and become functional at the earliest. This helps in damage assessment and also in devising further prevention measures.Even though one may try to achieve lot of prevention. It lists 11 .

intellectual property. confidentiality. and all the various pieces of hardware. Risk assessment involves determining what you need to protect. then ranking those risks by level of severity. It is the process of examining all of your risks. It makes a number of recommendations and provides discussions of relevant areas. like valuable proprietary information. 12 .issues and factors that a site must consider when setting their own policies. what you need to protect it form. There are two elements of a risk analysis that should be considered – a) Identifying the assets b) Identifying the threats For each asset. such as the people who actually use the systems. but some are overlooked. Each threat should be examined with an eye to how the threat could affect these areas. a) Identifying the assets – One step in a risk analysis is to identify all the things that need to be protected. and how to protect it. it is to be misleading about where the effort is needed. Risk Assessment – One of the most important reasons for creating a computer security policy is to ensure that the efforts spent on security yield cost effect benefits. This process involves making cost-effective decisions on what you want to protect. Some things are obvious. the basic goals of security are availability. you should not probably spend more to protect something than it is actually worth. Although this may seem obvious. and integrity. As mentioned above.

audit logs. b) Identifying the threats – Once the assets requiring protection are identified. 2) Software: source programs. ribbons. 6) Supplies: paper. terminals. forms. magnetic media. Depending on your site. 3) Data: during execution. routers. local administrative procedures. diagnostic programs. printers. hardware maintainers. Security policies – of 13 . personal computers. stored on-line. The following list can be useful – 1) Hardware: CPUs. hardware. it is necessary to identify threats to those assets. backups. there will be more specific threats that should be identified and addressed. keyboards. It helps to consider from what threats you are trying protecting your assets. communication lines. disk drives. 1) Unauthorized access to resources and/or information 2) Unintended and/or unauthorized disclosure information 3) Denial of service. utilities. administrators. communication programs. archived off-line. terminal servers. 5) Documentation: on programs. operating systems. 4) People: users. object programs. workstations. boards.The essential point is to list all things that could be affected by a security problem. in transit over communication media. databases. The threats can then be examined to determine what potential for loss exists. The following are classic threats that should be considered. systems.

g.A security policy is a formal statement of the rules by which people who are given access to the organization’s technology and information assets must abide. including the type of the traffic allowed on the networks. staff and managers of their obligatory requirements for protecting technology and information assets. The following is the list of individuals who should be involved in the creation and review of security policy documents – a) Site security administrator b) Information technology technical staff (e. an AUP might list any prohibited USENET newsgroups. It should spell out what users shall and shall not do on the various components of the system. The AUP should be as explicit as possible to avoid ambiguity or misunderstanding. It is essentially important that the corporate management fully support the security policy process otherwise there is little chance that they will have the intended impact. Who should be involved when forming security policy? In order for a security policy to be appropriate and effective. configure and audit computer systems and networks for compliance with the policy. The policy should specify the mechanisms through which these requirements can be met. An appropriate use policy (AUP) may also be a part of security policy. For example. Purposes of security policy – The main purpose of security policy is to inform users. staff from computer centre) 14 . Therefore an attempt to use a set of security tools in the absence of at least implied security policy is meaningless. Another purpose is to provide a baseline from which to acquire. it needs to have the acceptance and support of all levels of employees within the organization.

f) Responsible management g) Legal counsel (if appropriate) The list above is representative of many organizations.) d) Security incident response team e) Representatives of the user groups affected by the security policy. where appropriate. management who has budget and policy authority. publishing of acceptable use guidelines. security features. The components of good security policy include – a) The computer technology purchasing guidelines which specify the required. computer science department within the university etc. b) It must be enforceable with security tools. business divisions. c) It must clearly define the areas of responsibility for the users. administrators and management. Of course. 15 . or other appropriate methods. and with sanctions. where actual prevention is not technically feasible. or preferred.g. but it is not necessarily comprehensive. the role of legal counsel will vary form country to country. The idea is to bring in representation from stakeholders. technical staff who knows what can and what can not be supported and legal counsel who knows the legal ramifications of various policy choices. These should supplement existing purchasing policies and guidelines. What makes a good security policy? The characteristics of good security policy are – a) It must be implementable through system administration procedures.c) Administrators of large user groups within the organization (e.

It should also include contact information for reporting system and network failures. and provide incident handling guidelines (i. It should address redundancy and recovery issues. operation staff and management. and adding new software to the systems. what to do and whom to contact if a possible intrusion is detected). and access to user’s files. 16 . as well as specify operating hours and maintenance down-time periods. g) An information technology system and network maintenance policy which describes how both internal and external maintenance people are allowed to handle and access the technology. It should specify an audit capability. connecting devices to a network. It should provide guidelines for external connections.) f) An availability statement that sets user’s expectations for the availability of the resources. e) An authorization policy which establishes trust through an effective password policy. operation staff and management. One important topic to be addressed over here is whether remote maintenance is allowed and how much access is controlled. data communications. It should also specify any required notification messages (for e. logging of keystrokes.. connect messages should provide warnings about authorized usage and line monitoring). Another area for consideration here is outsourcing and how it is managed.g. d) An accountability policy which defines the responsibilities of users. c) An access policy which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable guidelines for users. and by setting guidelines for remote location authentication and the use of authentication devices (like one-time passwords and the devices that generate them.b) A privacy policy which defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail.e.

Having all personnel sign a statement indicating that they have read. and cross-references to security procedures and related information. and agreed to abide by the policy is an important part of the process. i) Supporting information which provides users. There may be regulatory requirements that affect some aspects of your security policy (e. staff and management with contact information for each type of policy violation. It is also important to recognize that there are expectations to every 17 . or information which may be considered confidential or proprietary. guidelines on how to handle queries about a security incident. such as company policies and governmental laws and regulations. This includes the process. The mechanisms for updating the policy should be clearly spelled out. line monitoring). it should be clearly communicated to users. privacy and security. The creators of the security policy should consider seeking legal assistance in the creation of the policy. the policy should be reviewed by legal counsel. A security policy should be (largely) independent form specific hardware or software situations (as specific systems tend to be replaced or moved overnight).g. Keeping the policy flexible – In order for a security to be viable for the long term. your policy should be reviewed on a regular basis to see if it is successfully supporting your security needs. Finally. staff and management. and the people who must sign-off on the changes. understood. A nonthreatening atmosphere and the possibility of anonymous reporting will result in a greater probability that the violation will be reported if it is detected. internal and external) must be reported and to whom the reports are made.h) A violation reporting policy that indicates which types of violations (e. the people involved.g. Once your security has been established. At a minimum. it requires a lot of flexibility based upon an architectural security concept.

If trained to handle incidents efficiently. the policy should spell out what exceptions to the general policy exist. Operating systems vulnerabilities apply (in some cases) to several millions of systems. usually pays little attention to how to actually handle an attack once one occurs. preparing for the recovery of the system. Due to the world-wide network most incidents are not restricted to a single site. It is important to determine what the proper balance is for your site. The result is that when an attack is in progress. 18 . One of the most important. The risk of losing critical information increases when that information is not shared.rule. This refers to what would happen to a site if a key person was suddenly unavailable for his/her job function (e. and many vulnerabilities are exploited within the network itself. Incident handling – Traditional computer security.g.. less staff time is required when one occurs. Therefore. was suddenly ill or left the company unexpectedly). Also there may be some cases when multiple users will have access to the same user ID. Another consideration is called the ‘Garbage Truck Syndrome’. but often overlooked. Whenever possible. Having both technical and managerial personnel respond to an incident requires considerable resources. For example. The greatest security resides in the minimum dissemination of information. benefits for efficient incident handling is an economic one. while quite important in the overall site security plan. multiple systems administrators may know the password and use the root account. and protecting the valuable data contained on the system. on systems with a ‘root’ user. collecting evidence to be used in prosecution efforts. it is vital that all sites with involved parties be informed as soon as possible. under what conditions is a system administrator allowed to go through a user’s files. many decisions are made in haste and can be damaging to tracking down the source of the incident. For example.

It is possible that in the near future organizations may be held responsible because one of their nodes was used to launch a network attack. Law enforcement and investigative agencies iii. News about computer security incidents tends to be damaging to an organization's stature among current or potential clients. In a similar vein. The sections in this chapter provide an outline and starting point for creating your site's policy for handling security incidents. and then taking appropriate measures to counter these potential threats. Local managers and personnel ii. if the patches or workarounds themselves damage systems. people who develop patches or workarounds may be sued if the patches or workarounds are ineffective. b) Notification (who should be contacted in the case of an incident). is critical to circumventing possible legal problems. The sections are – a) Preparing and planning (what are the goals and objectives in handling an incident). Efficient incident handling minimizes the potential for negative exposure.Another benefit is related to public relations. or. Knowing about operating system vulnerabilities and patterns of attacks. Computer security incidents handling teams 19 . resulting in compromise of the systems. A final benefit of efficient incident handling is related to legal issues. i.

f) Administrative response to incidents. and will lead to a more 20 . Affected and involved sites v. and after the incident) iii. Recovery (how to reestablish service and systems) vi. and provide some guidance as to what should be included in a site policy for handling incidents. 5. Having written plans eliminates much of the ambiguity which occurs during an incident. during. Internal communications vi. Follow Up (what actions should be taken after the incident) e) Aftermath (what are the implications of past incidents). Protection also includes preparing incident handling guidelines as part of a contingency plan for your organization or site. The remainder of this chapter will detail the issues involved in each of the important topics listed above. Eradication (how to eliminate the reasons for the incident) v.iv. Public relations and press releases c) Identifying an incident (is it an incident and how serious is it). Protecting evidence and activity logs (what records should be Kept from before. Notification (who should be notified about the incident) ii. Containment (how can the damage be limited) iv.1 Preparing and Planning for Incident Handling – Part of handling an incident is being prepared to respond to an incident before the incident occurs in the first place. i. This includes establishing a suitable level of protections as explained in the preceding chapters. Doing this should help your site prevent incidents as well as limit potential damage resulting from them when they do occur. d) Handling (what should be done when an incident occurs).

there might be a conflict between analyzing the original source of a problem and restoring systems and services. g) Find out who did it (if appropriate and possible).) Learning to respond efficiently to an incident is important for a number of reasons a) Protecting the assets which could be compromised b) Protecting resources which could be utilized more profitably if an incident did not require their services c) Complying with (government or other) regulations d) Preventing the use of your systems in attacks against other systems (which could cause you to incur legal liability) e) Minimizing the potential for negative exposure As in any set of pre-planned procedures.appropriate and thorough set of responses. but all involved 21 . Of course. c) Avoid escalation and further incidents. A team might even consider hiring a tiger team to act in parallel with the dry run. f) Update policies and procedures as needed. d) Assess the impact and damage of the incident. It is vitally important to test the proposed plan before an incident occurs through "dry runs". Overall goals (like assuring the integrity of critical systems) might be the reason for not analyzing an incident. A specific set of objectives can be identified for dealing with incidents – a) Figure out how it happened. attention must be paid to a set of goals for handling an incident. Due to the nature of the incident. b) Find out how to avoid further exploitation of the same vulnerability. (Note: a tiger team is a team of specialists that try to penetrate the security of a system. These goals will be prioritized differently depending on the site. e) Recover from the incident. this is an important management decision.

. loss or alteration of system files. managerial and other data. because loss of data is costly in terms of resources. Prevent exploitations of other systems. networks or sites about already occurred penetrations. classified and/or sensitive systems. (5) Priority five -. the following suggested priorities may serve as a starting point for defining your organization's response – (1) Priority one -. It is also important to prioritize the actions to be taken during an incident well in advance of the time an incident occurs.). etc.prevent damage to systems (e. scientific.protect classified and/or sensitive data. Inform affected. networks or sites and inform already affected systems. including proprietary. It is better in many cases to shut a 22 . human life always has precedence over all other considerations. Prevent exploitation of classified and/or sensitive systems. Damage to systems can result in costly down time and recovery. networks or sites about successful penetrations. Sometimes an incident may be so complex that it is impossible to do everything at once to respond to it.minimize disruption of computing resources (including processes). (4) Priority four -.protect human life and people's safety. (Be aware of regulations by your site or by government) (3) Priority three -.parties must be aware that without analysis the same incident may happen again.g. priorities are essential.protect other data. Although priorities will vary from institution to institution. (2) Priority two -. damage to disk drives. networks or sites.

The policies chosen by your site on how it reacts to incidents will shape your response. Sites will have to evaluate the trade-offs between shutting down and disconnecting. it may make little sense to create mechanisms to monitor and trace intruders if your site does not plan to take action against the intruders if they are caught. the damage and scope of an incident may be so extensive that service agreements may have to be over-ridden. Government and private sites that deal with classified material have specific rules that they must follow. Telephone companies often release information about telephone traces only to law enforcement agencies. it is generally more important to save data than system software and hardware. There may be service agreements in place that may require keeping systems up even in light of further damage occurring. Another important concern is the effect on others. systems can be replaced. For example. Any plan for responding to security incidents should be guided by local policies and regulations. However. and staying up. it should be included in the planned procedures to avoid further delays and uncertainties for the administrators. Within the limits imposed by government regulations it is always important to inform affected parties as soon as possible. Other organizations may have policies that affect your plans. the loss or compromise of data (especially classified or proprietary data) is usually not an acceptable outcome under any circumstances.system down or disconnect from a network than to risk damage to data or systems. Although it is undesirable to have any damage or loss during an incident. Due to the legal implications of this topic. An important implication for defining priorities is that once human life and national security considerations have been addressed. beyond the systems and networks where the incident occurs. However. 23 .

These additional contacts include local managers and system administrators. The names and 24 . administrative contacts for other sites on the Internet. Notification and Points of Contact – It is important to establish contacts with various personnel before a real incident occurs. there will also be many times when others outside your immediate department will need to be included in the incident handling. However. what information will be shared with the users at a site. When establishing these contacts. These may be technical or administrative in nature and may include legal or investigative agencies as well as service providers and vendors. Indeed. A list of contacts in each of these categories is an important time saver for this person during an incident. incidents are not real emergencies. faxing. To free the technical staff it may be helpful to identify support staff that will help with tasks like: photocopying. Many times.Handling incidents can be tedious and require any number of routine tasks that could be handled by support personnel. and various investigative organizations. specific "Points of Contact" (POC) should be defined. often you will be able to handle the activities internally. it is important to decide how much information will be shared with each class of contact. It is especially important to define. For each type of communication contact. Settling these issues is especially important for the local person responsible for handling the incident. and with other sites. ahead of time. since that is the person responsible for the actual notification of others. Getting to know these contacts before incidents occur will help to make your incident handling process more efficient. with the public (including the press). It can be quite difficult to find an appropriate person during an incident when many urgent events are ongoing. etc. It is strongly recommended that all relevant telephone numbers (also electronic mail addresses and fax numbers) be included in the site security policy.

Another important function of the POC is to maintain contact with law enforcement and other external agencies to assure that multiagency involvement occurs. The person in charge of the incident will make decisions as to the interpretation of policy applied to the event. There are two distinct roles to fill when deciding who shall be the POC and who will be the person in charge of the incident. A major mistake that can be made is to have a number of people who are each working independently. This will only add to the confusion of the event and will probably lead to wasted or ineffective effort. the more people that touch a potential piece of evidence. It should not necessarily be the same person who has administrative responsibility for the compromised systems since often such administrators have knowledge only sufficient for the day to day use of the computers. The single POC may or may not be the person responsible for handling the incident. and lack in depth technical expertise. Care should be taken when identifying who this person will be. The POC must be a person with the technical expertise to successfully coordinate the efforts of the system managers and users involved in monitoring and reacting to the attack. the POC must coordinate the effort of all the parties involved with handling the event. The level of involvement will be determined by management decisions as well as legal constraints. A single POC should also be the single person in charge of collecting evidence. Local Managers and Personnel – When an incident is under way. To ensure that evidence will be 25 . In contrast. since as a rule of thumb. the greater the possibility that it will be inadmissible in information of all individuals who will be directly involved in the handling of an incident should be placed at the top of this list. a major issue is deciding who is in charge of coordinating the activity of the multitude of players. but are not working together.

When a change in the POC occurs. The situation becomes even more complex if multiple sites are involved. This section describes many of the issues that will be confronted. Associated with each level of incident will be the appropriate POC and procedures. collecting evidence should be done following predefined procedures in accordance with local laws and legal regulations. Lastly. The incident handling process should provide some escalation mechanisms. old POC should brief the new POC in all background information. local security offices. involving multiple independent departments or groups.. users must know how to report suspected incidents. This will require a well coordinated effort in order to achieve overall success. it is important to establish contact with investigative agencies (e.S.acceptable to the legal community. there may be a change in the POC which will need to be communicated to all others involved in handling the incident. When this happens. while beepers and telephones can be used for out of hours reporting. rarely will a single POC at one site be able to adequately coordinate the handling of the entire incident. Law Enforcement and Investigative Agencies – In the event of an incident that has legal consequences. Instead. sites will need to create an internal classification scheme for incidents.g. and campus police departments should also be informed as appropriate. In order to define such a mechanism. As an incident is escalated. but it is acknowledged that each organization will have its own local and governmental 26 . Sites should establish reporting procedures that will work both during and outside normal working hours. Local law enforcement.) as soon as possible. the FBI and Secret Service in the U. Responsibilities may be distributed over the whole site. appropriate incident response teams should be involved. One of the most critical tasks for the POC is the coordination of all relevant processes. Help desks are often used to receive these reports during normal working hours.

A final reason for establishing contacts as soon as possible is that it is impossible to know the particular agency that will assume jurisdiction in any given incident.laws and regulations that will impact how they interact with law enforcement and investigative agencies. The most important point to make is that each site needs to work through these issues. If your organization or site has a legal counsel. you need to notify this office soon after you learn that an incident is in progress. At a minimum. Making contacts and finding the proper channels early on will make responding to an incident go considerably more smoothly. There are many legal and practical issues. your legal counsel needs to be involved to protect the legal and financial interests of your site or organization. a few of which are – (1) Whether your site or organization is willing to risk negative publicity or exposure to cooperate with legal prosecution efforts. A primary reason for determining these points of contact well in advance of an incident is that once a major attack is in progress. your site or organization may be liable for damages incurred. there is little time to call these agencies to determine exactly who the correct point of contact is. Knowing the working procedures in advance and the expectations of your point of contact is a big step in this direction. and this will require prior knowledge of how to gather such evidence. 27 . (2) Downstream liability – if you leave a compromised system as is so it can be monitored and another computer is damaged because the attack originated from your system. and that will be in accordance with the working procedures of these agencies. For example. it is important to gather evidence that will be admissible in any subsequent legal proceedings. Another reason is that it is important to cooperate with these agencies in a manner that will foster a good working relationship.

there are no clear precedents yet on the liabilities or responsibilities of organizations involved in a security incident or who might be involved in supporting an investigative effort. Indeed. (4) Liabilities due to monitoring – your site or organization may be sued if users at your site or elsewhere discover that your site is monitoring account activity without informing users. The decision to coordinate efforts with investigative agencies is most properly that of your site or organization. Another result is that 28 . On the other hand. This. and may prevent investigators from identifying the perpetrator. most investigators cannot pursue computer intrusions without extensive support from the organizations involved. an organization's legal council may advise extreme caution and suggest that tracing activities be halted and an intruder shut out of the system. Investigators will often encourage organizations to help trace and monitor intruders. Involving your legal counsel will also foster the multi-level coordination between your site and the particular investigative agency involved. may not provide protection from liability. However. You'll need to consider the advice of your legal counsel and the damage the intruder is causing (if any) when making your decision about what to do during any particular incident. in itself. The balance between supporting investigative activity and limiting liability is tricky. your site or organization may again be liable for any damages (including damage of reputation). which in turn results in an efficient division of labor. Unfortunately.(3) Distribution of information – if your site or organization distributes information about an attack in which another site or organization may be involved or the vulnerability in a product that may affect ability to market that product. and these kinds of efforts may drag out for months and may take a lot of effort. investigators cannot provide protection from liability claims. Your legal counsel should also be involved in any decision to contact investigative agencies when an incident occurs at your site.

agency can force you to monitor. your legal counsel should evaluate your site’s written procedures for responding to are likely to obtain guidance that will help you avoid future legal mistakes. avoid using electronic mail to communicate with other agencies (as well as others dealing with the incident at hand). It is recommended that each site be familiar with those laws and regulations. etc.. allowed unauthorized people into their systems. when dealing with investigative agencies.) A similar consideration is using a secure means of communication.S. Normally (in U. because a caller has masqueraded as a representative of a government agency. and identify and get know the contacts for agencies with jurisdiction well in advance of handling an incident. Unfortunately. so be careful! There is no one established set of rules for responding to an incident when the local government becomes involved. Each organization will have a set of local and national laws and regulations that must be adhered to when handling incidents. It is vital. Because many network attackers can easily re-route electronic mail. many well intentioned people have unknowingly leaked sensitive details about incidents. to verify that the person who calls asking for information is a legitimate representative from the agency in question. except by legal order no. Finally. to disconnect from the network. etc. (Note: this word of caution actually applies to all external contacts.). Nonsecured phone lines (the phones normally used in the business world) are also frequent targets for tapping by network intruders. It is essential to obtain a "clean bill of health" from a legal perspective before you actually carry out these procedures. 29 . to avoid telephone contact with the suspected attackers.

In setting up a site policy for incident handling. If such a team is created. or it may emerge only after further analysis. This is especially important because many other systems are vulnerable. Even if the incident is believed to be contained within a single site. notifying it should be of primary consideration during the early stages of an incident. Affected and Involved Sites – If an incident has an impact on other sites. it is possible that the information available through a response team could help in fully resolving the incident. and other teams around the globe. If such a team is available. These teams are responsible for coordinating computer security incidents over a range of sites and larger entities.Computer Security Incident Handling Teams – There are currently a number of Computer Security Incident Response teams (CSIRTs) such as the CERT Coordination Center. the German DFN-CERT. it may be desirable to create a subgroup. Each site may choose to contact other sites directly or they can pass the information to an appropriate incident 30 . much like those teams that already exist. the vendor (or supplier) and a Computer Security Incident Handling team should be notified as soon as possible. Once an incident is under way. and these vendor and response team organizations can help disseminate help to other affected sites. it is essential that communication lines be opened between this team and other teams. it is good practice to inform them. Teams exist for many major government agencies and large corporations. If it is determined that the breach occurred due to a flaw in the system's hardware or software. It may be obvious from the beginning that the incident is not limited to the local site. it is difficult to open a trusted dialogue between other teams if none has existed before. that will be responsible for handling computer security incidents for the site (or organization).

they are able to protect the anonymity of the original source. they are being 31 . To avoid problems in this area. For example. Internal Communications – It is crucial during a major incident to communicate why certain actions are being taken. In particular. But. it wouldn't be good for an organization if users replied to customers with something like. All the problems discussed above should be not taken as reasons not to involve other sites. "I'm sorry the systems are down. in many cases. irrelevant information should be deleted and a statement of how to handle the remaining information should be included." It would be much better if they were instructed to respond with a prepared statement like. Incident response teams are valuable in this respect. Without timely information. other sites are often unable to take action against intruders. A clear statement of how this information is to be used is essential. the analysis of logs and information at other sites will reveal addresses of your site. It is important to define a policy for the sharing and logging of information about other sites before an incident occurs. the experiences of existing teams reveal that most sites informed about security problems are not even aware that their site had been compromised.response team. it should be made very clear to users what they are allowed to say (and not say) to the outside world (including other departments). No one who informs a site of a security incident wants to read about it in the public press. we've had an intruder and we are trying to clean things up. It is often very difficult to find the responsible POC at remote sites and the incident response team will be able to facilitate contact by making use of already established channels. and may be subject to privacy laws. "I'm sorry our systems are unavailable. The legal and liability issues arising from a security incident will differ from site to site. When they pass information to responsible POCs. In fact. Information about specific people is especially sensitive. be aware that. and how the users (or departments) are expected to behave.

and provide a buffer between the constant press attention and the need of the POC to maintain control over the incident. it may be advantageous to provide only minimal or overview information to the press. it is important to use this office as liaison to the press. Also note that misleading the press can often backfire and cause 32 . and will help to assure that the image of the site is protected during and after the incident (if possible). There are many issues to consider when deciding this particular issue. One of the most important issues to consider is when. If the information is sensitive. who. They should be involved in all planning and can provide well constructed responses for use when contact with outside departments and organizations are necessary. Such press coverage is bound to extend to other countries as the Internet continues to grow and expand internationally. but sensitive way. Public relations departments can be very helpful during incidents. and how much to release to the general public through the press. When an incident occurs. and should be forewarned and prepared. the information released to the press must be carefully considered. Public Relations .Press Releases – There has been a tremendous growth in the amount of media coverage dedicated to computer security incidents in the United States. If a public relations office is not available.maintained for better service in the future. One can prepare for the main issues by preparing a checklist." Communications with customers and contract partners should be handled in a sensible. It is quite possible that any information provided to the press will be quickly reviewed by the perpetrator of the incident.S. if a public relations office exists for the site. A public relations office has the advantage that you can communicate candidly with them. Readers from countries where such media attention has not yet occurred can learn from the experiences in the U. the checklist can be used with the addition of a sentence or two for the specific circumstances of the incident. First and foremost. The public relations office is trained in the type and wording of information released.

While it is difficult to determine in advance what level of detail to provide to the press. If prosecution is involved. 5. Try not to be forced into a press interview before you are prepared. malicious users. The popular press is famous for the "2 am" interview. where the hope is to catch the interviewee off guard and obtain information otherwise not available. it is usually helpful to obtain and use any detection software which may be available. etc. Keep the speculation out of press statements. 4. 2. To assist in identifying whether there really is an incident. some guidelines to keep in mind are – 1. Work with law enforcement professionals to assure that evidence is protected. and an initial system snapshot may be the most valuable 33 . Many incidents cause a dynamic chain of events to occur. Audit information is also extremely useful. Speculation of who is causing the incident or the motives are very likely to be in error and may cause an inflamed view of the incident. especially in determining whether there is a network attack. Detailed information about the incident may provide enough information for others to launch similar attacks on other sites. Identifying an Incident – Is It Real? This stage involves determining if a problem really exists. Of course many if not most signs often associated with virus infection.. Do not allow the press attention to detract from the handling of the event. 3. or even damage the site's ability to prosecute the guilty party once the event is over. Keep the technical level of detail low. assure that the evidence collected is not divulged to the press. are simply anomalies such as hardware failures or suspicious system/user behavior. Always remember that the successful closure of an incident is of primary importance. It is extremely important to obtain a system snapshot as soon as one suspects that something is wrong. system intrusions.more damage than releasing sensitive information.

(7) Data modification or deletion (files start to disappear). etc. such as data. or high activity on a previously low usage account. and is the basis for subsequent stages of incident handling.EXE files in an MS DOS computer have unexplainably grown by over 1800 bytes).xx). time stamps. telephone conversations. There are certain indications or "symptoms" of an incident that deserve special attention – (1) System crashes. (5) Changes in file lengths or dates (a user should be suspicious if . (3) New files (usually with novel or strange file names. can lead to a more rapid and systematic identification of the problem. Finally. something that should make you very suspicious that there may be an intruder).tool for identifying the problem and any source of attack. (2) New user accounts (the account RUMPLESTILTSKIN has been unexpectedly created). (9) Unexplained. (6) Attempts to write to system (a system manager notices that a privileged user in a VMS system is attempting to alter RIGHTSLIST.DAT).. (4) Accounting discrepancies (in a UNIX system you might notice the shrinking of an accounting file called /usr/admin/lastlog. (8) Denial of service (a system manager and all other users become locked out of a UNIX system.xx or k or . now in single user mode). it is important to start a log book. poor system performance 34 . Recording system events.

In order to identify the scope and impact a set of criteria should be defined which is appropriate to the site and to the type of connections available. we have just listed a number of common indicators.)? (5) Is the press involved? (6) What is the potential damage of the incident? (7) What is the estimated time to close out the incident? (8) What resources could be required to handle the incident? (9) Is law enforcement involved? 35 . (12) Suspicious browsing (someone becomes a root user on a UNIX system and accesses file after file on many user accounts. It is best to collaborate with other technical and computer security personnel to make a decision as a group about whether an incident is occurring. local terminal.) (13) Inability of a user to log in due to modifications of his/her account. Some of the issues include – (1) Is this a multi-site incident? (2) Are many computers at your site affected by this incident? (3) Is sensitive information involved? (4) What is the entry point of the incident (network. phone line. (11) Suspicious probes (there are numerous unsuccessful login attempts from another node).(10) Anomalies ("GOTCHA" is displayed on the console or there are frequent unexplained "beeps"). etc. It is important to correctly identify the boundaries of the incident in order to effectively deal with it and prioritize responses. By no means is this list comprehensive. Types and Scope of Incidents – Along with the identification of the incident is the evaluation of the scope and impact of the problem.

for example. This includes check summing all media from the vendor using an algorithm which is resistant to tampering. and aid investigation and prosecution. If process accounting and connect time accounting is enabled. Your ability to address all aspects of a specific incident strongly depends on the success of this analysis. Without defined policies and goals. If the system supports centralized logging (most do). an analysis of all system files should commence. look for patterns of system usage. go back over the logs and look for abnormalities. System software is the most probable target. The goals should be defined by management and legal 36 . to decide which backup media are showing a correct system status. the preincident preparation will determine what recovery is possible. In all security related activities. Preparation is the key to be able to detect all changes for a possibly tainted system. As soon as the breach has occurred. Handling an Incident – Certain steps are necessary to take during the handling of an incident. in some cases. It can be very difficult. the most important point to be made is that all sites should have policies in place. the entire system and all of its components should be considered suspect. Consider.Assessing the Damage and Extent – The analysis of the damage and extent of the incident can be quite time consuming. To a lesser extent. disk usage may shed light on the incident. or otherwise have intimate knowledge or access to the systems. activities undertaken will remain without focus. and any irregularities should be noted and referred to all parties involved in handling the incident. that the incident may have continued for months or years before discovery and the suspect may be an employee of the site. Accounting can provide much helpful information in an analysis of an incident and subsequent prosecution. but should lead to some insight into the nature of the incident. In all cases. Assuming original vendor distribution media are available.

or semaphone) providing information about the incident be 37 . It is invalid to assume that all administrators reading a particular newsgroup have access to operating system source code. First of all. Great care should be taken when determining to which groups detailed technical information is given during the notification. in order to aid prompt acknowledgment and understanding of the problem. real damage might occur due to delays or missing information. While trying to solve the problem alone. but it might not be considered worth the risk to allow the continued access.counsel in advance. may the only practical solution.g. other objectives as outlined in the local policies may not always be considered. This requires that any statement (be it an electronic mail message. for example. via USENET newsgroups or mailing lists) may potentially put a large number of systems at risk of intrusion. the appropriate personnel must be notified. beeper. In the worst case scenario. How this notification is achieved is very important to keeping the event under control both from a technical and emotional standpoint. compared to system integrity. Types of Notification and Exchange of Information – When you have confirmed that an incident is occurring.. For example. As the activities involved are complex. Trying to catch intruders may be a very low priority. shutting down the system. putting the critical knowledge into the public domain (e. One of the most fundamental objectives is to restore control of the affected systems and to limit the impact and damage. Most administrators take the discovery of an intruder as a personal challenge. Monitoring a hacker's activity is useful. phone call. On the other hand. or can even understand an advisory well enough to take adequate steps. try to get as much help as necessary. By proceeding this way. fax. it is helpful to pass this kind of information to an incident handling team as they can assist you by providing helpful hints for eradicating the vulnerabilities involved in an incident. or disconnecting the system from the network. The circumstances should be described in as much detail as possible. any notification to either local or off-site personnel must be explicit.

For example. The importance of these communications cannot be underestimated and may make the difference between resolving the incident properly and escalating to some higher level 38 . Due to this fact. and fully qualified. the press. This will not only reduce duplication of effort. However. Another issue associated with the choice of language is the notification of non-technical or off-site personnel. but may even worsen the situation. a "smoke screen" will only divide the effort and create confusion. A non-technical description may be required for upper-level management. Another consideration is that not all people speak the same language. When you use emotional or inflammatory terms. but allow people working on parts of the problem to know where to obtain information relevant to their part of the incident. especially if it is a multi-national incident. Attempting to hide aspects of the incident by providing false or incomplete information may not only prevent a successful resolution to the incident. misunderstandings and delay may arise. The choice of language used when notifying people about the incident can have a profound effect on the way that information is received. Another important consideration when communicating about the incident is to be factual. an administrator of a university system might be very relaxed about attempts to connect to the system via telnet. between different social or user groups. you raise the potential for damage and negative outcomes of the incident. It is important to remain calm both in written and spoken communications. it is helpful to provide information to each participant about what is being accomplished in other efforts. It is important to accurately describe the incident without generating undue alarm or confusion. cultural differences do not only exist between countries. but the administrator of a military system is likely to consider the same action as a possible attack. concise. it is often more important. Other international concerns include differing legal implications of a security incident and cultural differences. When you are notifying others that will help you handle an event. or law enforcement liaisons.clear. They even exist within countries. While it is more difficult to describe the incident to a non-technical audience. If a division of labor is suggested.

The response team may be able to respond to aspects of the incident of which the local administrator is unaware.. it might be necessary to fill out a template for the information exchange. as well as law enforcement officers. local user IDs) is included in the log entries. recording details will provide evidence for prosecution efforts. and followup "lessons learned.e. In general. for example.. document all details related to the incident. IP addresses and (perhaps) user Ids (3) All log entries relevant for the remote site (4) Type of incident (what happened.of damage. At the same time. in GMT or local time (2) Information about the remote system." During the initial stages of an incident. If information is given out to someone else. Documenting an incident will also help you perform a final assessment of damage (something your management. it is 39 . the following minimum information should be provided – (1) Time zone of logs . including host names. If you don't document every relevant phone call. why should you care) If local information (i. Documenting all details will ultimately save you time. unless local policies prohibit this. recovery. it will be necessary to sanitize the entries beforehand to avoid privacy issues. will want to know).. it helps the team to act on this minimum set of information. you are likely to forget a significant portion of information you obtain. providing the case moves in that direction. requiring you to contact the source of information again. Although this may seem to be an additional burden and adds a certain delay. This will provide valuable information to yourself and others as you try to unravel the course of events. Protecting Evidence and Activity Logs – When you respond to an incident. If an incident response team becomes involved. all information which might assist a remote site in resolving an incident should be given out. and will provide the basis for later phases of the handling process: eradication.

disconnect from a network.. signed copies of your logbook (as well as media you use to record system events) to a document custodian. you should receive a signed. (1) Regularly (e. one should follow the prepared procedures and avoid jeopardizing the legal follow-up by improper handling of possible evidence. the date and time.g. (2) The custodian should store these copied pages in a secure place (e. set traps. when a legal follow-up is a possibility. If appropriate. Thus. disable functions 40 .g. and the content of the conversation) The most straightforward way to maintain documentation is keeping a log book. the following steps may be taken.. (3) When you submit information for storage. determining whether to shut a system down. Much of this information is potential evidence in a court of law. At a minimum.. chronological source of information when you need it.often infeasible to determine whether prosecution is viable. so you should document as if you are gathering evidence for a court case. An essential part of containment is decision making (e. a safe). monitor system or network activity. instead of requiring you to page through individual sheets of paper. every day) turn in photocopied. This allows you to go to a centralized. dated receipt from the document custodian. Containment – The purpose of containment is to limit the extent of an attack. you should record – (1) all system events (audit records) (2) all actions you take (time tagged) (3) all external conversations (including the person with whom you talked. Failure to observe these procedures can result in invalidation of any evidence you obtain in a court of law.g.

archive them before deleting them. it is worthwhile to risk some damage to the system if keeping the system up might enable you to identify an intruder. Eradication – Once the incident has been contained. But before eradicating the cause. In the absence of predefined procedures. Bear in mind that removing all access while an incident is in progress obviously notifies all users. and should prescribe specific actions and strategies accordingly. If any bogus files have been created. 41 . great care should be taken to collect all necessary information about the compromised system and the cause of the incident as they will likely be lost when cleaning up the system. define acceptable risks in dealing with an incident. including the alleged problem users. In some cases. it is prudent to remove all access or functionality as soon as possible. This is especially important when a quick decision is necessary and it is not possible to first contact all involved parties to discuss the decision. or proprietary. for example. that the administrators are aware of a problem.). In other cases.such as remote file transfer. such as anti-virus software. A final activity that should occur during this stage of incident handling is the notification of appropriate authorities. Sometimes this decision is trivial. etc. and then restore normal operation in limited stages. this may have a deleterious effect on an investigation. This stage should involve carrying out predetermined procedures. it is time to eradicate the cause. Your organization or site should. the person in charge of the incident will often not have the power to make difficult management decisions (like to lose the results of a costly experiment by shutting down a system). sensitive. shut the system down if the information is classified. Software may be available to help you in the eradication process.

and you can get advice from incident response teams. A security log can be most valuable during this phase of removing vulnerabilities. The goal of recovery is to return the system to normal. Finally.In the case of virus infections. bringing up services in the order of demand to allow a minimum of user inconvenience is the best practice. vulnerability which was exploited. a new backup should be taken. In general. The security mailing lists and bulletins would be a good place to search for this information. one should automate and regularly apply the same test as was used to detect the security incident. ensure that all backups are clean. After eradication. Ideally. The key to removing vulnerabilities is knowledge and understanding of the breach. Many systems infected with viruses become periodically re-infected simply because people do not systematically eradicate the virus from backups. The logs showing how the incident was discovered and contained can be used later to help determine how extensive the damage was from a given incident. a record of the original system setup and each customization change should be maintained. Recovery – Once the cause of an incident has been eradicated. Understand that the proper recovery procedures for 42 . it is important to install patches for each operating system. To facilitate this worst case scenario. it is important to clean and reformat any media containing infected files. It may be necessary to go back to the original distribution media and re-customize the system. The steps taken can be used in the future to make sure the problem does not resurface. Removing all vulnerabilities once an incident has occurred is difficult. In the case of a network-based attack. If a particular vulnerability is isolated as having been exploited. the recovery phase defines the next stage of action. the next step is to find a mechanism to protect your system.

as quickly as possible obtain a monetary estimate of the amount of damage the incident caused. the follow-up stage. and a summary of lesson learned. This estimate should include costs associated with any loss of software and files (especially the value of proprietary data that may have been disclosed). hardware 43 . it is prudent to write a report describing the exact sequence of events: the method of discovery. Exactly what happened. Creating a formal chronology of events (including time stamps) is also important for legal reasons. could be lurking in the system. Remember. This will aid in the clear understanding of the problem. correction procedure. and how could they have gotten that information as soon as possible? What would the staff do differently next time? After an incident. It provides a reference to be used in case of other similar incidents. Follow-Up – Once you believe that a system has been restored to a "safe" state. It would be prudent to utilize some of the tools mentioned in chapter 7 as a start. it is still possible that holes. the system should be monitored for items that may have been missed during the cleanup stage. One of the most important stages of responding to incidents is also the most often omitted. A follow-up report is valuable for many reasons. The most important element of the follow-up stage is performing a postmortem analysis.the system are extremely important and should be specific to the site. and at what times? How well did the staff involved with the incident perform? What kind of information did the staff need quickly. monitoring procedure. It is also important to. these tools don't replace continual system monitoring and good systems administration practices. and even traps. In the follow-up stage.

Once a site has recovered from and incident. Another important facet of the aftermath may 44 . if it is deemed desirable. d) An investigation and prosecution of the individuals who caused the incident should commence.e.damage. site policy and procedures should be reviewed to encompass changes to prevent similar incidents. Even without an incident. reconfigure affected systems. Reviews are imperative due to today's changing computing environments. This estimate may become the basis for subsequent prosecution activity. a careful examination should determine how the system was affected by the incident). The whole purpose of this post mortem process is to improve all security measures to protect the site against future attacks. b) The lessons learned as a result of the incident should be included in revised security plan to prevent the incident from re-occurring. Aftermath of an Incident – In the wake of an incident. These actions can be summarized as follows – a) An inventory should be taken of the systems' assets. A concrete goal of the post mortem is to develop new proactive methods. a site or organization should gain practical knowledge from the experience. and unless the policy is changed. The report can also help justify an organization's computer security effort to management. If an incident is based on poor policy. several actions should take place. c) A new risk analysis should be developed in light of the incident. it would be prudent to review policies and procedures on a regular basis. and manpower costs to restore altered files. As a result of an incident. and so forth. (i. then one is doomed to repeat the past..

During the handling of an incident. attempt to reach the appropriate point of contact for the affected site. a site can choose to watch the intruder in the hopes of catching him." and. or. certain system vulnerabilities of one's own systems and the systems of others become apparent. It is quite easy and may even be tempting to pursue the intruders in order to track them. Being a good Internet citizen means which you should try to alert other sites that may have been impacted by the intruder. as there may be legal liabilities if you choose to leave your site open. Good Internet Citizenship – During a security incident there are two choices one can make. but quite another to assume that one should protect other networks. Keep in mind that at a certain point it is possible to "cross the line. First. the site can go about cleaning up after the incident and shut the intruder out of the systems. 45 . The best rule when it comes to propriety is to not use any facility of remote sites which is not public. This is a decision that must be made very thoughtfully. Don't do it! Instead. This clearly excludes any entry onto a system (such as a remote shell or login session) which is not expressly permitted. Responsibilities Not Crossing the Line – It is one thing to protect one's own network. This may be very end user and administrator education to prevent a reoccurrence of the security problem." to ascertain what damage is being done to the remote site. a system administrator may have the means to "follow it up. with the best of intentions. These affected sites may be readily apparent after a thorough review of your log files. after a breach of security is detected. become no better than the intruder. knowing that an intruder is using your site as a launching pad to reach out to other sites.

but it is very important to be sure of the role the user played. education or reprimand of a user) in addition to more stern measures for intentional acts of intrusion and system misuse. the site's security policy should describe what action is to be taken.. Question Bank – a) What do you mean by security policy &who should be involved when forming policy? (4 m) b) What are the components of a good security policy? (8m) c) What are the different types of services given by application layer? Explain with respect to attack and protection of individual services? Any three services. The transgression should be taken seriously. Security policy (8m) 46 . Risk assessment (8m) b.g. Was the user naive? Could there be a mistake in attributing the security breach to the user? Applying administrative action that assumes the user intentionally caused the incident may not be appropriate for a user who simply made a mistake.Administrative Response to Incidents – When a security incident involves a user. It may be appropriate to include sanctions more suitable for such a situation in your policies (e. (6m) d) Write short notes on a.

c. Incident handling(8m) 47 .

Sign up to vote on this title
UsefulNot useful

Master Your Semester with Scribd & The New York Times

Special offer: Get 4 months of Scribd and The New York Times for just $1.87 per week!

Master Your Semester with a Special Offer from Scribd & The New York Times