The Rationale for Incident Response


Incident response, initially an area that did little more than evoke curiosity two decades ago, keeps growing in importance. Why? This next section presents the major reasons.

Difficulty in Securing Systems and Networks

Most fundamentally, information systems, applications, and networks have become substantially more sophisticated, making them even harder to secure. Networks, in particular, are difficult to secure because of the complexity and diversity of services and protocols in today's network environments. Additionally, networks go virtually everywhere, making potential points of unauthorized access nearly ubiquitous. Distributed computing environments, which typically entail intricate relationships between servers and clients, also present nearly insurmountable challenges to security. Compounding these problems is the fact that most organizations face shortfalls in funding for cybersecurity.

As desirable as it is to place extremely high levels of countermeasures (for example, access controls) on computing resources, doing so is generally unrealistic because of cost and other practical constraints. Being able to detect and recover from incidents quickly can, in many respects, therefore be considered a protection strategy that supplements system and network protection measures.

A note of caution is appropriate at this point. Although an effective incident response effort can, to some degree, compensate for using fewer countermeasures than needed, it can never totally replace these countermeasures. Consider the consequences of failing to install any countermeasures whatsoever in favor of simply responding to any incident that occurs. The organization that takes this kind of approach makes the implicit assumption that every incident can be promptly detected, a completely unrealistic assumption given statistics from the intrusion-detection arena. Additionally, there is no guarantee that an incident that occurs can and will be immediately terminated with minimal consequences. In the worst case, the organization will devote so much time and attention to incident response (because deploying no countermeasures would virtually open the proverbial incident floodgates) that it would have been better to devote this time to a combination of countermeasures and incident response.

Nevertheless, all this translates to substantially elevated potential for security-related incidents that require the capability to deal with these incidents. Difficulties in securing computers and networks thus make incident response a necessary component in any strategy to provide security.

Abundance of Security-Related Vulnerabilities

Today's operating systems and applications typically have an abundance of flaws (see related sidebar), many of which, if exploited, result in breaches of security mechanisms. Security-related vulnerabilities of this nature are being found in great numbers and with alarming regularity. Incident response can help reduce the impact of these vulnerabilities by cutting down the potential for loss and disruption should one or more of these vulnerabilities be exploited.

Dealing with Security-Related Vulnerabilities

Hardly a week goes by before new announcements about security-related vulnerabilities in operating systems and application software appear. It is not unusual for a newsgroup such as BugTraq (www.bugtraq.com) to post several hundred vulnerability notices every year.

Keeping up with security-related vulnerabilities is extremely important in avoiding security-related incidents. For example, a number of security experts have agreed that 10 particular vulnerabilities that are not fixed in many organizations are the cause of a disproportionate number of security-related incidents (see www.sans.org/topten).

Fixing vulnerabilities is, unfortunately, not always an easy matter. Installing vendor-supplied patches is, for example, usually not a straightforward matter. Patches can cause systems and/or applications to become unstable or, at worst, totally nonfunctional. Worse yet, too often the first (or even second) patch that vendors develop does not work properly, requiring deinstallation of the original patch and installation of the most recent one.

Chapter 3 will discuss the relationship between incident response stages and the need to patch security-related vulnerabilities. Aside from all other considerations, however, it is important to realize just how closely related the problem of frequent emergence of new security-related vulnerabilities and proliferation of security-related incidents is. The "white hat" community too often learns of new vulnerabilities only after observing a new pattern of security breaches.

Much of the fault for the abundance of security-related bugs in software lies with vendors, who are in a rush to get their products to market quickly and devote too little time to quality assurance. Many security-related flaws are simply programming errors, such as a failure to check whether input that a user sends is within a defined range of values. Out-of-range input that is nevertheless accepted by a program can cause a variety of problems, depending on many factors. One possible outcome, for example, is a transition to an abnormal processing state with increasing memory consumption to the point that there is no more available memory. The result can be an application or system crash.
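As an added illustration of the missing range check just described (this code is not from the book), assuming a hypothetical record format with a 4-byte big-endian length prefix: the unchecked parser sizes its buffer from whatever the sender declares, while the hardened parser validates the field against a defined range and against the bytes actually received before allocating anything.

```python
"""Range-checking a length field before acting on it.

Constructed example: a hypothetical record format consisting of a
4-byte big-endian length prefix followed by that many payload bytes.
"""
import struct

HEADER = struct.Struct(">I")   # 4-byte big-endian length field
MAX_PAYLOAD = 64 * 1024        # assumed defined range for the field: 0..64 KiB


def parse_record_unchecked(buf: bytes) -> bytes:
    """Vulnerable pattern: the length field is trusted as sent.

    A hostile header can declare close to 4 GiB; the buffer is grown to
    that size before anything checks how many bytes actually arrived,
    which is the memory-exhaustion path described in the text above.
    """
    (length,) = HEADER.unpack_from(buf, 0)
    payload = bytearray(length)
    payload[: len(buf) - HEADER.size] = buf[HEADER.size:]
    return bytes(payload)


def parse_record_checked(buf: bytes) -> bytes:
    """Hardened pattern: validate the field against the defined range and
    against the data actually present before allocating anything."""
    if len(buf) < HEADER.size:
        raise ValueError("record shorter than its header")
    (length,) = HEADER.unpack_from(buf, 0)
    if length > MAX_PAYLOAD:
        raise ValueError(f"declared length {length} exceeds {MAX_PAYLOAD}")
    if len(buf) - HEADER.size != length:
        raise ValueError("declared length does not match bytes received")
    return bytes(buf[HEADER.size:])


def is_rejected(buf: bytes) -> bool:
    """True if the hardened parser refuses the record."""
    try:
        parse_record_checked(buf)
    except ValueError:
        return True
    return False


def build_record(payload: bytes) -> bytes:
    return HEADER.pack(len(payload)) + payload


# Constructed sample inputs
GOOD = build_record(b"hello")
OVERSIZED = HEADER.pack(0xFFFFFFFF) + b"x"   # declares ~4 GiB, sends 1 byte
TRUNCATED = HEADER.pack(10) + b"abc"         # declares 10 bytes, sends 3
```

Only the hardened parser is ever fed the hostile records; the unchecked one is shown for contrast and would attempt the oversized allocation on `OVERSIZED`.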

Much of the fault for the abundance of security-related vulnerabilities in software actually falls on all of us. We continue to buy bug-infested software and accept software flaws as a normal part of life. Until we demand better-quality software (and, frankly, refuse to buy it until it meets our quality standards), we won't get it. Unless vendors perceive economic pressure for change, they won't change.

Availability of Programs that Attack Systems and Networks

Just as an abundance of security-related vulnerabilities has emerged and continues to emerge, a large number of programs that exploit these vulnerabilities have become publicly available. Port and vulnerability scanning tools comprise just one of many categories of these tools. Some tools are designed to provide unauthorized local and/or remote access to files and directories. Others yield remote shell (interactive) access, and still others escalate privileges when some kind of shell access is established.

Tools that launch denial-of-service attacks are also in abundance. Perhaps worst of all, an increasing proportion of tools that launch attacks require little knowledge of computers or how this software works. These "kiddie scripts" in particular have increased the level of threat to computing systems and networks; now virtually anyone can launch successful attacks. The widespread availability of programs that can be used to attack other systems once again elevates the importance of incident response. Simply put, systems and networks can be attacked more efficiently and easily; effective intervention can reduce the impact of these attacks.

Actual and Potential Financial Loss

Organizations that experience security-related incidents suffer financial loss, the amount of which has escalated considerably over the years. Eighty-five percent of the respondents to the 2001 computer crime survey by the FBI and Computer Security Institute (CSI) revealed having experienced security-related breaches during the previous year. Sixty-four percent of the respondents admitted that these breaches resulted in financial loss. The cumulative loss attributed to these incidents was nearly $378 million, an eye-opening statistic given the relatively few people who responded. This amount was over $100 million more than the loss reported in the same survey the previous year.

In addition, security-related threats have become more diverse. New kinds of security-related incidents are constantly emerging, each of which has its own potential to cause financial loss. All this again points to the need for, among other things, prompt detection of security-related incidents and remedial actions that substantially diminish financial loss.

Potential for Adverse Media Exposure

Negative media exposure resulting from security-related incidents is a major concern of most organizations. Security-related news items are increasingly making headlines and are receiving major television and radio coverage. News about security-related incidents is especially savory to the media. Effective incident response strategies can reduce the potential for adverse media exposure by helping minimize the duration and magnitude of incidents.

The Need for Efficiency

When incidents occur, pandemonium too often prevails. Incidents, including security-related incidents, are generally unexpected events in computing environments that are frequently less than sufficiently stable in the first place. Regardless of the type of incident that has occurred, responding efficiently and systematically causes less negative impact and discord than if there is no orchestrated effort. Personnel need to follow all necessary steps to handle an incident correctly without performing incorrect and potentially catastrophic actions (such as needlessly reformatting hard drives to eradicate malicious code) or omitting critical steps.

Efficiency also implies using resources appropriately. When both technical and managerial personnel respond to an incident, allocating a sizeable amount of resources often becomes necessary. These resources could be assigned to a different mission more often if a typical incident's impact is blunted and the duration is short.

Limitations in Today's Intrusion-Detection Capabilities

As mentioned previously, today's intrusion-detection tools are far less than perfect. One particular problem is the tendency to miss (overlook) bona fide incidents. Another is the propensity to generate false alarms. An incident response capability can, to some degree, attenuate both problems; determining exactly what has happened and the magnitude of the problem is an important part of the incident response process. Chapter 6, "Tracing Network Attacks," discusses a few relevant considerations concerning intrusion detection, including the advantages and disadvantages of network-based and host-based intrusion detection. Intrusion detection is not, however, a central focus of this book.

Legal Considerations

Yet another impetus for incident response capability is addressing legal issues. Several considerations that apply are discussed next.

Exercise of Due Care

At the most basic level, having an incident response capability is increasingly being viewed within industry as a matter of "due care." Due care, in the most fundamental sense, means exercising reasonable precautions that indicate an organization is being responsible. If a corporation were to experience a major security-related incident that escalated because no incident response capability was in place, those who were adversely affected (such as stockholders, business partners, and others who suffered a significant financial loss) would have strong grounds for suing on the basis of lack of exercise of due care.

Conforming to Provisions of the Law

Additionally, responding to incidents presents many potential legal landmines. Issues such as network monitoring, keystroke capture, invasion of privacy, whether or not to construct profiles on certain users, issues related to international law, and so forth frequently present themselves. When done properly, incident response helps ensure that legal statutes are not violated and that actions performed during the course of responding to incidents are defensible in a court of law. The growing area of forensics, using methods of data gathering and handling that will serve as acceptable evidence in a court of law, is a particularly important part of the legal side of incident response. Chapter 7, "Legal Issues," as well as Chapter 8, "Forensics I," and Chapter 9, "Forensics II," cover legal considerations of incident response in detail.

Interfacing with the Law Enforcement Community

Finally, incident response activity is often tied in, explicitly or implicitly, with law enforcement. A question that usually looms in the minds of those who respond to incidents is whether or not a law enforcement agency will be brought in at some point in time. Again, having an incident response capability can result in a better interface with the law enforcement community.

The Fortress Mentality

In past centuries, armies built fortresses as a major part of their military strategy. Fortresses had different architectures, defense features, and so forth, and for a while they worked. Then came the advent of more powerful weaponry. Troops that stayed inside fortresses eventually became sitting ducks. Fortresses are now not much more than items of curiosity in the twenty-first century.

The term "fortress mentality," first coined by Eugene Schultz, David Brown, and Tom Longstaff in their 1990 University of California technical report on incident response, also applies to a prevalent mentality concerning how security should be achieved. Traditional approaches (based on annual loss expectancy, calculation of residual risk, controls checklists, and so on) are in many respects akin to building a fortress because they emphasize barriers at the expense of the operational side of security. It is impractical and almost certainly impossible, however, to protect systems sufficiently to make them immune against all attacks. If appropriate detection and response strategies are implemented, rapid intervention that can diminish the impact of any incident will occur. Effective computer and information security strategies achieve balance between barriers and operational security.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002