An incident response team cannot exist in a vacuum. Several of the other chapters in this book discuss issues related to dealing with other company organizations. It bears repeating that the team must involve other company personnel to effectively manage the incident. The systems affected in a security incident do not belong to the response team. They exist for the sole purpose of filling a business requirement. There is no difference in availability between a system compromised by an intruder and a system taken offline waiting for examination.

Coordinating with organizations outside the company might also be within the purview of the incident response team. The team might coordinate directly or might go through other company personnel. Regardless, the team must develop and maintain communications with external organizations.

Law Enforcement Agencies

Early in the life of an incident, management needs to address the issue of whether to pursue legal action against the person responsible for the incident. Chapter 7, "Legal Issues," discusses this at some length. When the decision is made, the appropriate law enforcement agencies should be contacted in a timely and professional manner. This is much easier if the incident response team has already developed a working relationship with local agencies (and representatives of national ones). A number of forums can be used to develop such relationships. Local professional groups such as the ISSA or HTCIA can allow team members to meet and speak with law enforcement personnel in a neutral setting. Other groups within the company might already have contacts. Physical security organizations typically have ex-law enforcement personnel on staff and normally interface with the police on a regular basis.

When the time comes to notify law enforcement, a designated contact within the team should make the call. Only that team member should be authorized to contact law enforcement personnel. That person could be the team leader or could be a virtual member of the team such as a representative from physical security or legal. The importance of this cannot be overstated. After the call has been made, it cannot be unmade. The existence of the incident, and possibly the details of it, will probably become public. The company has, to a large extent, relinquished management of the incident. [2]

Media

Negative media exposure can be more damaging than any actual loss of availability or data. As an example, consider defacements of government web sites. Most of these sites contain no sensitive data. However, a defacement does damage the reputation of the agency. The System Administrators and Network Security (SANS) web site (www.sans.org) was defaced in mid-2001. The impact to the reputation of a security organization cannot be overstated.

On the other hand, skillful management of the public relations battle can help minimize this damage. Although the damage cannot be undone, perhaps the public perception can be influenced by emphasizing positive actions and minimizing the negative aspects of the incident. Consider, for example, a hack against Microsoft that occurred in late 2000. It appeared that an attacker placed (or found) a trojan program on the home computer of a Microsoft employee. The attacker then used this program to connect to Microsoft's internal network using its own virtual private network solution. [3] This was an extremely serious compromise. Depending on the permissions of the remote user, the attacker could potentially have accessed anything on the internal Microsoft network. Microsoft responded by contacting the FBI and then publicly announcing that it had done so. The company issued a press release stating that it had been compromised and that an investigation was ongoing. Regardless of the seriousness of the incident, skillful handling of the public relations piece allowed the company to downplay the effects.

Although the benefits of coordination (and the drawbacks of failing to coordinate) are clear, the question of who should contact or talk to the media is not. There are a number of possibilities. The announcement can come from an external organization such as law enforcement. However, after the announcement is made, the company will certainly be contacted by the press. It is better to make the announcement in the first place. As mentioned in Chapter 4, incident response personnel often have the option to deal directly with the media. This generally is not the best idea, for several reasons. First, the team is normally too busy working on other issues to have the time to speak to the press. Second, technical members might not be the best choice to explain the issue to an unsophisticated audience. A formal policy dealing with media relations should be part of the team's charter. It should state that any unauthorized contact with the media or release of any incident information to an outside party is strictly forbidden. In most cases, it is better to rely on the company's public relations staff to brief the press. If necessary, a member of the team can be present to field specific questions (of course, with the caveat not to reveal information that could compromise either the investigation or further security).

If there is the slightest possibility that knowledge about an incident could leak, public relations personnel must be briefed immediately, even if the company chooses not to make a statement. It can be extremely damaging when the company spokesperson is asked a question during a press conference but has no knowledge of the incident.

Other Incident Response Teams

The team might also want to coordinate with other teams during the investigation. For example, it might be necessary to exchange information with service providers to detect the source of an incident or to block traffic. Peer (or competitor) organizations might be experiencing similar attacks. An excellent model for this coordination exists in the area of financial fraud. Banks and financial institutions can be very aggressive competitors. When threatened by fraud, however, they cooperate extremely well. That same level of cooperation should be available during an incident.

Because the security industry is still relatively small, members might know each other from professional organizations or previous jobs. A great deal of behind-the-scenes coordination is possible using these personal contacts. It can be extremely valuable during an attack, for example, to know whether you are the only target or whether your competitors are being hit as well. This information can go a long way in helping to evaluate the motivations and intent of the attacker.

On a more formal level, members of incident response teams can contact information-sharing agencies. The FBI runs a program called Infragard through its local field offices. The program is billed as an information-sharing forum. However, even if data is not provided directly to Infragard, contacts made there with other local teams can be used to exchange data. The Forum of Incident Response Teams (discussed in Chapter 13, "Future Directions") also provides members with a forum to discuss details and request assistance with security incidents.