External Coordination


An incident response team cannot exist in a vacuum. Several of the other chapters in this book discuss issues related to dealing with other company organizations. It bears repeating that the team must involve other company personnel to effectively manage the incident.

The systems affected in a security incident do not belong to the response team. They exist for the sole purpose of filling a business requirement. From the business's point of view, there is no difference in availability between a system compromised by an intruder and a system taken offline waiting for examination.

Coordinating with organizations outside the company might also be within the purview of the incident response team. The team might coordinate directly or might go through other company personnel. Regardless, the team must develop and maintain communications with external organizations.

Law Enforcement Agencies

Early in the life of an incident, management needs to address the issue of whether to pursue legal action against the person responsible for the incident. Chapter 7, "Legal Issues," discusses this at some length. When the decision is made, the appropriate law enforcement agencies should be contacted in a timely and professional manner. This is much easier if the incident response team has already developed a working relationship with local agencies (and representatives of national ones).

A number of forums can be used to develop such relationships. Local professional groups such as the ISSA or HTCIA can allow team members to meet and speak with law enforcement personnel in a neutral setting. Other groups within the company might already have contacts. Physical security organizations typically have ex-law enforcement personnel on staff and normally interface with the police on a regular basis.

When the time comes to notify law enforcement, a designated contact within the team should make the call. Only that team member should be authorized to contact law enforcement personnel. That person could be the team leader or could be a virtual member of the team such as a representative from physical security or legal. The importance of this cannot be overstated. After the call has been made, it cannot be unmade. The existence of the incident, and possibly the details of it, will probably become public. The company has, to a large extent, relinquished management of the incident. [2]

[2] This is, by no means, meant to imply that companies should not report security incidents. See Chapter 7 for a discussion of this decision.

Media

Negative media exposure can be more damaging than any actual loss of availability or data. As an example, consider defacements of government web sites. Most of these sites contain no sensitive data. However, a defacement does damage the reputation of the agency.

The System Administrators and Network Security (SANS) web site (www.sans.org) was defaced in mid-2001. The impact to the reputation of a security organization cannot be overstated. On the other hand, skillful management of the public relations battle can help minimize this damage. Although the damage cannot be undone, perhaps the public perception can be influenced by emphasizing positive actions and minimizing the negative aspects of the incident.

Consider, for example, a hack against Microsoft that occurred in late 2000. It appeared that an attacker placed (or found) a trojan program on the home computer of a Microsoft employee. The attacker then used this program to connect to Microsoft's internal network using its own virtual private network solution. [3]

[3] Microsoft's press release on the incident is available at www.microsoft.com/presspass/features/2000/oct00/10-27security.asp.

This was an extremely serious compromise. Depending on the permissions of the remote user, the attacker could potentially have accessed anything on the internal Microsoft network. Microsoft responded by contacting the FBI and then publicly announcing that it had done so. The company issued a press release stating that it had been compromised and that an investigation was ongoing. Regardless of the seriousness of the incident, skillful handling of the public relations piece allowed the company to downplay the effects.

Although the benefits of coordination (and the drawbacks of failing to coordinate) are clear, the question of who should contact or talk to the media is not. There are a number of possibilities. The announcement can come from an external organization such as law enforcement. However, after the announcement is made, the company will certainly be contacted by the press. It's better to make the announcement in the first place.

As mentioned in Chapter 4, incident response personnel often have the option to deal directly with the media. This generally is not the best idea for several reasons. First, the team is normally too busy working on other issues to have the time to speak to the press. Second, technical members might not be the best choice to explain the issue to an unsophisticated audience. A formal policy dealing with media relations should be part of the team's charter. It should state that any unauthorized contact with the media or release of any incident information to an outside party is strictly forbidden.

In most cases, it is better to rely on the company's public relations staff to brief the press. If necessary, a member of the team can be present to field specific questions (of course, with the caveat to not reveal information that can compromise either the investigation or further security). If there is the slightest possibility that knowledge about an incident could leak, public relations personnel must be briefed immediately, even if the company chooses not to make a statement. It can be extremely damaging when the company spokesperson is asked a question during a press conference but has no knowledge of the incident.

Other Incident Response Teams

The team might also want to coordinate with other teams during the investigation. For example, it might be necessary to exchange information with service providers to detect the source of an incident or to block traffic. Peer (or competitor) organizations might be experiencing similar attacks.

An excellent model for this coordination exists in the area of financial fraud. Banks and financial institutions can be very aggressive competitors. When threatened by fraud, however, they cooperate extremely well. That same level of cooperation should be available during an incident.

Because the security industry is still relatively small, members might know each other from professional organizations or previous jobs. A great deal of behind-the-scenes coordination is possible using these personal contacts. It can be extremely valuable during an attack, for example, to know whether you are the only target or your competitors are being hit as well. This information can go a long way in helping to evaluate the motivations and intent of the attacker.

On a more formal level, members of incident response teams can contact information-sharing agencies. The FBI runs a program called Infragard through its local field offices. The program is billed as an information-sharing forum. However, even if data is not provided directly to Infragard, contacts made there with other local teams can be used to exchange data.

Infragard

Infragard is a joint partnership between FBI field offices and private companies. At its most basic, it is a forum to allow members to exchange data about security incidents.

The FBI, in coordination with the National Infrastructure Protection Center (NIPC), runs the program. They provide information and training about infrastructure protection issues and security bulletins about current threats and vulnerabilities.

Infragard has been criticized on several fronts. The data submitted is not anonymous, and the FBI reserves the right to open an investigation on any data received from a member. Vulnerability alerts have been criticized for both timeliness and technical accuracy.

The program does allow local members to meet each other and law enforcement personnel in a neutral setting, however, and does facilitate some communications between the parties.

More information on Infragard is available at www.infragard.net.

The Forum of Incident Response Teams (discussed in Chapter 13, "Future Directions") also provides members with a forum to discuss details and request assistance with security incidents.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
