Incident response, initially an area that did little more than evoke curiosity two decades ago, keeps growing in importance. Why? This next section presents the major reasons.

Difficulty in Securing Systems and Networks

Most fundamentally, information systems, applications, and networks have become substantially more sophisticated, making them even harder to secure. Networks, in particular, are difficult to secure because of the complexity and diversity of services and protocols in today's network environments. Additionally, networks go virtually everywhere, making potential points of unauthorized access nearly ubiquitous. Distributed computing environments, which typically entail intricate relationships between servers and clients, also present nearly insurmountable challenges to security. Compounding these problems is the fact that most organizations face shortfalls in funding for cybersecurity. As desirable as it is to place extremely high levels of countermeasures (for example, access controls) on computing resources, doing so is generally unrealistic because of cost and other practical constraints. Being able to detect and recover from incidents quickly can, in many respects, therefore be considered a protection strategy that supplements system and network protection measures.

A note of caution is appropriate at this point. Although an effective incident response effort can, to some degree, compensate for using fewer countermeasures than needed, it can never totally replace these countermeasures. Consider the consequences of failing to install any countermeasures whatsoever in favor of simply responding to any incident that occurs. The organization that takes this kind of approach makes the implicit assumption that every incident can be promptly detected, a completely unrealistic assumption given statistics from the intrusion-detection arena. Additionally, there is no guarantee that an incident that occurs can and will be immediately terminated with minimal consequences. In the worst case, the organization will devote so much time and attention to incident response (because deploying no countermeasures would virtually open the proverbial incident floodgates) that it would have been better to devote this time to a combination of countermeasures and incident response. Nevertheless, all this translates to substantially elevated potential for security-related incidents that require the capability to deal with these incidents. Difficulties in securing computers and networks thus make incident response a necessary component in any strategy to provide security.

Abundance of Security-Related Vulnerabilities

Today's operating systems and applications typically have an abundance of flaws (see related sidebar), many of which, if exploited, result in breaches of security mechanisms. Security-related vulnerabilities of this nature are being found in great numbers and with alarming regularity. Incident response can help reduce the impact of these vulnerabilities by cutting down the potential for loss and disruption should one or more of these vulnerabilities be exploited.

Availability of Programs that Attack Systems and Networks

Just as an abundance of security-related vulnerabilities has emerged and continues to emerge, a large number of programs that exploit these vulnerabilities have become publicly available. Port and vulnerability scanning tools comprise just one of many categories of these tools. Some tools are designed to provide unauthorized local and/or remote access to files and directories. Others yield remote shell (interactive) access, and still others escalate privileges when some kind of shell access is established. Tools that launch denial-of-service attacks are also in abundance. Perhaps worst of all, an increasing proportion of tools that launch attacks require little knowledge of computers or how this software works. These "kiddie scripts" in particular have increased the level of threat to computing systems and networks; now virtually anyone can launch successful attacks. The widespread availability of programs that can be used to attack other systems once again elevates the importance of incident response. Simply put, systems and networks can be attacked more efficiently and easily; effective intervention can reduce the impact of these attacks.

Actual and Potential Financial Loss

Organizations that experience security-related incidents suffer financial loss, the amount of which has escalated considerably over the years. Eighty-five percent of the respondents to the 2001 computer crime survey by the FBI and Computer Security Institute (CSI) revealed having experienced security-related breaches during the previous year. Sixty-four percent of the respondents admitted that these breaches resulted in financial loss. The cumulative loss attributed to these incidents was nearly $378 million, an eye-opening statistic given the relatively few people who responded. This amount was over $100 million more than the loss reported in the same survey the previous year. In addition, security-related threats have become more diverse. New kinds of security-related incidents are constantly emerging, each of which has its own potential to cause financial loss. All this again points to the need for, among other things, prompt detection of security-related incidents and remedial actions that substantially diminish financial loss.

Potential for Adverse Media Exposure

Negative media exposure resulting from security-related incidents is a major concern of most organizations. Security-related news items are increasingly making headlines and are receiving major television and radio coverage. News about security-related incidents is especially savory to the media. Effective incident response strategies can reduce the potential for adverse media exposure by helping minimize the duration and magnitude of incidents.

The Need for Efficiency

When incidents occur, pandemonium too often prevails. Incidents, including security-related incidents, are generally unexpected events in computing environments that are frequently less than sufficiently stable in the first place. Regardless of the type of incident that has occurred, responding efficiently and systematically causes less negative impact and discord than if there is no orchestrated effort. Personnel need to follow all necessary steps to handle an incident correctly without performing incorrect and potentially catastrophic actions (such as needlessly reformatting hard drives to eradicate malicious code) or omitting critical steps. Efficiency also implies using resources appropriately. When both technical and managerial personnel respond to an incident, allocating a sizeable amount of resources often becomes necessary. These resources could be assigned to a different mission more often if a typical incident's impact is blunted and the duration is short.

Limitations in Today's Intrusion-Detection Capabilities

As mentioned previously, today's intrusion-detection tools are far less than perfect. One particular problem is the tendency to miss (overlook) bona fide incidents. Another is the propensity to generate false alarms. An incident response capability can, to some degree, attenuate both problems; determining exactly what has happened and the magnitude of the problem is an important part of the incident response process. Chapter 6, "Tracing Network Attacks," discusses a few relevant considerations concerning intrusion detection, including the advantages and disadvantages of network-based and host-based intrusion detection. Intrusion detection is not, however, a central focus of this book.

Legal Considerations

Yet another impetus for incident response capability is addressing legal issues. Several considerations that apply are discussed next.

Exercise of Due Care

At the most basic level, having an incident response capability is increasingly being viewed within industry as a matter of "due care." Due care, in the most fundamental sense, means exercising reasonable precautions that indicate an organization is being responsible. If a corporation were to experience a major security-related incident that escalated because no incident response capability was in place, those who were adversely affected (such as stockholders, business partners, and others who suffered a significant financial loss) would have strong grounds for suing on the basis of lack of exercise of due care.

Conforming to Provisions of the Law

Additionally, responding to incidents presents many potential legal landmines. Issues such as network monitoring, keystroke capture, invasion of privacy, whether or not to construct profiles on certain users, issues related to international law, and so forth frequently present themselves. When done properly, incident response helps ensure that legal statutes are not violated and that actions performed during the course of responding to incidents are defensible in a court of law. The growing area of forensics, using methods of data gathering and handling that will serve as acceptable evidence in a court of law, is a particularly important part of the legal side of incident response. Chapter 7, "Legal Issues," as well as Chapter 8, "Forensics I," and Chapter 9, "Forensics II," cover legal considerations of incident response in detail.

Interfacing with the Law Enforcement Community

Finally, incident response activity is often tied in, explicitly or implicitly, with law enforcement. A question that usually looms in the minds of those who respond to incidents is whether or not a law enforcement agency will be brought in at some point in time. Again, having an incident response capability can result in a better interface with the law enforcement community.