Computer Security Incident Response Framework

Author: Ian Lim
Team: Information Security Group
Version: Draft v.10

Date         Version      Edited By   Comments
9/11/2003    Draft v.1    Ian Lim     o Created document
10/24/2003   Draft v.2                o Updated document to reflect current plan in place
10/27/03     Draft v.3    Ian Lim     o Incorporated James Thomas’ input
11/04/03     Draft v.4    Ian Lim     o Incorporated feedback from meeting with managers
11/07/03     Draft v.5    Ian Lim     o Incorporated feedback from ISSC
11/10/03     Draft v.6    Ian Lim     o Incorporated Physical Security Officer’s
11/17/03     Draft v.7    Ian Lim     o Incorporated Chief Privacy Officer’s
12/01/03     Draft v.8    Ian Lim     o Added action for Helpdesk in Appendix
4/12/04      Draft v.9    Ian Lim     o Edits based on meetings with Tim Becker and Bill Stevenson
                                      o Added the Executive Decision Team
5/3/04       Draft v.10   Ian Lim     o Edits based on meeting with Larry Moretti, Monika McCarthy, Marc Loewenthal, Tim B., and Bill Stevenson

Confidential    Page 1 of 13    9/30/2012    Created on 5/5/2006 4:35:00 PM

1 Introduction
1.1 Purpose
An organization's ability to respond effectively to computer security incidents rests on its security Incident Response procedures. This document addresses the different components of the Incident Response process and how they will be implemented to support our business. The Computer Security Incident Response Team (referred to as the CSIRT from here on) will be on point to address Incident Response issues.

1.2 Scope
This document pertains only to IT incidents that are security-related. The severity levels and response times assigned to security incidents are in accordance with the Master Service Level Agreement document (v1.4, prepared by John Dernbach and Paul Skinner).

1.3 Objectives of Incident Response Framework
o Confirm or dispel whether an incident occurred
o Promote the accumulation of accurate information
o Establish controls for proper retrieval and handling of evidence
o Protect privacy rights established by law and policy
o Minimize disruptions to business and network operations
o Allow for civil or criminal action against perpetrators
o Provide accurate reports and useful recommendations


2 High-Level Description
2.1 Incident Response Phases
Phase: Pre-incident Preparation
Description: Take action to prepare before an incident happens.
Activities:
    o Identify vital assets to the business.
    o Establish a protection strategy for these assets:
          o Host level
          o Network level
    o Establish clear communication, escalation, response, and reporting protocols.
    o Prepare, equip, and train the Helpdesk to be the first line of response.
    o Establish the processes for the Executive Incident Team (EIT) to arrive at a Response Decision.
    o Prepare, equip, and train the CSIRT Team to handle and resolve incidents.
    o Raise awareness with the ISSC (Information Security Steering Committee) and the Executive Board.

Phase: Detection of Incidents
Description: Obtain enough information to determine whether it’s a security incident. If so, notify the Initial Response Team.
Activities:
    o Establish alert procedures to enable the Frontline Teams (Helpdesk, NOCC, Network Management Team, Metaframe Team, Exchange Team) to capture accurate information, assign a severity level, and contact the Initial Response Team (IRT).
    o Establish triggers in network, system, and application monitoring tools to automatically send alerts.
    o Establish an event tracking mechanism (Extraview).

Phase: Initial Response
Description: Obtain enough information to determine the appropriate response.
Activities:
    o Identify the Initial Response Team (IRT) members.
    o Establish “IRT Procedures” to quickly classify the incident and respond accordingly:
          o Capture volatile evidence before it is lost
          o Apply sound forensics principles and alter the state of the system as little as possible
          o Obtain enough information to determine next steps
    o Train the IRT to appropriately escalate to the EIT.

Phase: Step-Up Monitoring
Description: Increase monitoring activities to investigate and secure the
Activities:
    o Increase monitoring activities from the initial response through the recovery phases of the incident.
    o Establish a central point of contact, collection, and reporting for CSIRT monitoring activities.

Phase: Response Strategy Formulation
Description: The Executive Incident Team (EIT) reviews the facts, determines the best response, and obtains the appropriate approvals.
Activities:
    o Establish a process to get accurate information to the EIT meeting.
    o Establish a response protocol according to the Master SLA: pager response, call-in to the CSIRT MeetMe line, face-to-face meeting at a designated conference room or site (in the case of disasters).
    o Provide guidelines for analysis, decisioning, and escalation protocols to arrive at a Response Strategy.
    o The Response Strategy determines the details and extent of forensics, investigation, security measure implementations, monitoring, and recovery strategies.

Phase: Forensics
Description: Execute forensics activities and maintain appropriate evidentiary integrity.
Activities:
    o Engage a forensics expert to gather evidence with EnCase.
    o Establish chain-of-custody and evidence-handling procedures.

Phase: Investigation and Verification
Description: Detailed root cause analysis. Involve an objective third party. Runs in parallel with containment activities.
Activities:
    o Assign an investigator to the case to conduct root cause analysis, producing an Investigative Report.
    o May involve an objective third-party security firm to collaborate with our CSIRT.
    o Establish investigation protocols to interview personnel, run analysis tools, capture pre-existing configurations, and gather and review logs.

Phase: Contain and Isolate
Description: Isolate and contain the incident to enable business continuity. This is a parallel effort with investigative activities.
Activities:
    o Implement control measures as outlined by the Response Strategy.
    o Isolate and contain the infected or compromised system(s) so they stop impacting the business.

Phase: Recovery
Description: Restore the system to an operational state.
Activities:
    o The Recovery Phase is contingent on the completion of Containment activities and input from the Investigative phase.
    o Compromised or infected systems have to be sanitized and secured before reinstatement.

Phase: Post-Incident Activities
Description: Activities conducted after the incident to provide accountability to the ISSC and Executive Committee, address Legal, HR, or PR implications, mitigate areas of weakness, and improve the CSIRT
Activities:
    o Establish reporting procedures to accurately and securely preserve and disseminate information regarding the incident.
    o Address Legal, HR, and PR implications.
    o Notify the ISSC, Internal Audit, and the Executive Committee.
    o Provide recommendations to mitigate risks.
    o Establish a verification process for validating the security controls that were put in place to mitigate the identified risk area.
    o Establish a process for capturing improvements to the CSIRT process.

2.2 Incident Handling Process Flow
[Figure: Incident Handling Process Flow, a swimlane diagram with lanes for NCFC Systems, Frontline, IRT, EIC/CSIRT, Execs/HR/PR/Legal, and ISSC. The flow recoverable from the diagram is:]

    1. NCFC Systems: A computer incident is identified.
    2. Frontline: Is it a security incident? If No, follow pre-existing troubleshooting procedures. If Yes, follow the “CSIRT Alert Procedure” and, based on severity level and incident type, contact the IRT.
    3. IRT: Gather data, step up monitoring, and determine next steps. Is the incident a false positive? If Yes, close the incident or delegate to the appropriate team.
    4. IRT: Can the incident be resolved? If No, contact the EIC and update them on the incident.
    5. EIC/CSIRT: The EIC meets to decide the Response Strategy, interacting with Execs, HR, Investor Relations, Corporate Communication, and Legal as appropriate.
    6. EIC/CSIRT: The EIC designates Investigators and Troubleshooters. Troubleshooters get the system(s) back to normal; Investigators scour for the root cause.
    7. Execs/HR/PR/Legal: Post-incident activities? If Yes, conduct post-incident activities.
    8. EIC/CSIRT: Document findings and close the ticket.
    9. ISSC: Review incidents and recommendations.

3 Roles and Responsibilities
3.1 The Frontline Teams

3.1.1 Objectives
Every incident begins with some form of detection. Detection can occur via helpdesk calls, log reviews, alerts, the news, etc. At New Century, we’re focusing on the following frontline teams to be our triggers to kick off Incident Response:

Frontline Team: Helpdesk
    o Receive calls from the user population
    o Coordinate calls from the CSIRT, ISP, or Public CSIRT
    o Direct calls based on the CSIRT Alert Procedure

Frontline Team: NOCC
    o Real-time monitoring of network operations 24/7

Frontline Team: System and Network Administrators
    o Have visibility into real-time system activities and logs
    o Include all major IT groups such as Network Management, Exchange, Data Center, DB, Web Services, Metaframe, Internet Service Group, Infrastructure Group, Security Group, Telecom, Windows2000, Business System Support, Backup, Unison, Epro, PBX, Intuity,

Frontline Team: Desktop Support/PC Techs
    o Detect anomalous or suspicious activities when troubleshooting laptops or workstations
    o Alert the Helpdesk of security incidents

Frontline Team: Internet Service Provider
    o Detect upstream anomalous behavior
    o Notify our Helpdesk to initiate a proactive response

Frontline Team: Public CSIRT Alerting Service
    o Detect worldwide cross-organizational attack patterns
    o Notify our Helpdesk to initiate a proactive response

The goals of the Frontline Teams are to:
    o Capture information that may be volatile (changes if not captured immediately)
    o Capture basic information accurately to aid in the response effort
    o Weed out obvious false positives
    o Trigger the Initial Response Team (IRT) process


3.1.2 Frontline Process
Stage: Initial
Comments: If any of the answers is Yes or Not Sure, go to the next stage. Otherwise, proceed with normal troubleshooting procedures.
Question Set:
    o Is the incident virus-related?
          o Anti-virus warned the user of a suspicious file or activity
          o An attachment was launched resulting in unusual system behavior (missing files, cannot boot up, etc.)
          o Unusual pop-up windows asking the user to click on something
          o Unusually high system activity on the user’s computer
          o User was accused of sending emails to many people in their Outlook address book
    o Does the incident involve unauthorized or unlawful activities?
          o Theft (including electronic, email, customer data, etc.)
          o Unauthorized access
          o Impersonation or identity theft
          o Copyright infringement
          o Violation of privacy
          o Vandalism (including defacing web sites and unauthorized deletion or modification of files)
    o Are the disruptions/outages to service or functionality caused by unusual or unexplainable events?
          o User felt as if someone has been tampering with his/her files or emails
          o User noticed some unusual activity on his/her system
          o User cannot do a certain task that he/she was able to do before

Stage: Details
Comments: The goal is to get accurate information to pass on to the Infosec Team. Record all answers to the question set and go to the next stage.
Basic Question Set:
    o What is the incident? Describe the incident.
    o Get the following info:
          o Hardware/OS/Software involved
          o IP address of the compromised system
          o Physical location of the system
          o Current status of the system
    o How was the incident detected?
    o When was the incident detected?
    o What has been done to the computer after the incident, and by whom?
    o What’s the current impact? Note the caller’s assessment; also note your own assessment of the situation.

Stage: Action and Severity
Comments: Helps you determine what to do and how soon to do it. If you’re unsure about how to respond to an incident, contact your Helpdesk Manager.
Actions:
    o Virus-related incidents
          o For all virus-related events, contact someone on the Corporate Information Team immediately, starting with Ken
          o If Ken doesn’t respond, sound the security pager
          o If there’s no response from the security pager, contact the Information Security Officer
    o Unauthorized/Unlawful events
          o For all suspicious activities, contact the Information Security Officer (ISO) immediately
          o If the ISO doesn’t respond, contact the security pager
    o Unusual/Unexplainable events
          o Open a CSIRT ticket and assign it to the IRT


3.1.3 The Initial Response Team (IRT)

3.1.4 Objectives
The IRT is the first expert unit at the scene of the incident. The composition of the IRT for the different incident categories is as follows:

Incident Category: Virus or Active Attack
    o On-Call/Duty Pager of the Information Security Group
    o On-Call/Duty Pager of the Exchange Group
    o On-Call/Duty Pager of the Windows 2000 Group
    o On-Call/Duty Pager of the Network Management Group

Incident Category: Outage or Service Degradation Events
    o On-Call/Duty Pager of the Information Security Group
    o On-Call/Duty Pager of the Information Services Group
    o On-Call/Duty Pager of the Network Management Group
    o On-Call/Duty Pager of the Network Operations Group
    o On-Call/Duty Pager of the Impacted Application or System(s)

Incident Category: Suspicious or Unlawful Events
    o On-Call/Duty Pager of the Information Security Group
    o On-Call/Duty Pager of the Impacted Application or System(s)

The goals of the IRT are to:
    o Quickly determine whether the incident is real or a false positive
    o Capture volatile evidence before it is lost
    o Apply sound forensics principles and alter the state of the system as little as possible
    o Obtain enough information to determine next steps
    o Determine the CSIRT Team to assemble

3.1.5 Initial Response Procedure
     1. IRT team members get notified of an incident by the Frontline.
     2. IRT team members gather to verify the incident.
     3. The IRT collects volatile information on the implicated systems:
           a. System date and time
           b. A list of currently running processes
           c. A list of currently open sockets/ports
           d. The applications that are listening on open sockets/ports
           e. A list of the users who are currently logged on
           f. A list of the systems that have current or recent connections to the system
     4. The IRT decides, based on the data collected, whether the incident is real.
           a. If the incident is real, the IRT will contact the Executive Incident Team (EIT).
     5. While the EIT meeting is being called, IRT members should continue to collect the following information:
           a. Capture any volatile information
           b. Obtain the updated network diagram pertaining to the incident
           c. Obtain the updated contact list of business managers that have decision-making authority surrounding the incident
           d. The IRT Lead opens a ticket to track the incident and posts any relevant information to the ticket
           e. Initiate increased monitoring activities – network, system, application
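Step 3 of the procedure (capturing volatile information before it is lost, while altering the system as little as possible) is the part an on-call responder benefits most from having scripted in advance, because the order of collection and the integrity of what was collected are hard to reconstruct afterwards. The following is an added example, not part of this framework document and not New Century's tooling: a small Python collector that runs one read-only command per item in step 3, writes each output to its own file, and records a SHA-256 manifest so the evidence can later be shown to be unaltered (the chain-of-custody requirement from the Forensics phase). The command names (`date`, `ps`, `ss`, `who`, `last`, `ip`) are Linux/Unix assumptions; a tool that is missing or fails is recorded in the manifest rather than silently skipped, since a gap in the evidence is itself a finding. The collector identifier and output layout are the example's own.

```python
"""Volatile-data collection for an Initial Response Team (added example, not
from the framework document). Collects the items in step 3 of the Initial
Response Procedure and writes a SHA-256 manifest for evidentiary integrity."""
import hashlib
import json
import os
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

# Ordered by volatility: what changes fastest is captured first.
# Assumption: Linux/Unix command-line tools; the framework does not prescribe tooling.
VOLATILE_COMMANDS = [
    ("system_time", ["date", "-u"]),                              # step 3a
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),    # step 3b
    ("open_sockets", ["ss", "-tunap"]),                           # step 3c (with owning process)
    ("listening", ["ss", "-tulnp"]),                              # step 3d
    ("logged_on_users", ["who", "-u"]),                           # step 3e
    ("recent_logins", ["last", "-i", "-n", "50"]),                # step 3f: remote hosts that logged in
    ("arp_neighbours", ["ip", "neigh", "show"]),                  # step 3f: hosts recently talking to us
]


def sha256_file(path):
    """Hash a collected artifact in chunks so large outputs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_and_record(name, argv, outdir):
    """Run one read-only command, save its raw output, and return a manifest entry.
    A missing tool, a failing command or a hang is recorded, never silently skipped."""
    path = os.path.join(outdir, name + ".txt")
    entry = {"item": name, "command": " ".join(argv),
             "collected_at_utc": datetime.now(timezone.utc).isoformat(),
             "file": os.path.basename(path)}
    if shutil.which(argv[0]) is None:
        entry["status"], data = "tool_not_available", b""
    else:
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=30)
            data = proc.stdout + proc.stderr          # keep stderr: partial failures are evidence too
            entry["status"] = "ok" if proc.returncode == 0 else "exit_%d" % proc.returncode
        except subprocess.TimeoutExpired:
            entry["status"], data = "timeout", b""
    with open(path, "wb") as f:
        f.write(data)
    entry["sha256"] = sha256_file(path)               # hash immediately, before anything else touches it
    return entry


def collect_volatile_data(outdir, commands=VOLATILE_COMMANDS, collector="irt-oncall"):
    """Collect every item into outdir and write manifest.json; returns the manifest."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"host": platform.node(), "collector": collector,   # collector id is a placeholder
                "started_utc": datetime.now(timezone.utc).isoformat(),
                "entries": [run_and_record(name, argv, outdir) for name, argv in commands]}
    manifest["finished_utc"] = datetime.now(timezone.utc).isoformat()
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(outdir):
    """Recompute every artifact hash; returns the items whose content no longer matches the manifest."""
    with open(os.path.join(outdir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["item"] for e in manifest["entries"]
            if sha256_file(os.path.join(outdir, e["file"])) != e["sha256"]]


def self_check():
    """Collect into a scratch directory, then alter one artifact to show the manifest catches it."""
    outdir = tempfile.mkdtemp(prefix="irt-selfcheck-")
    collect_volatile_data(outdir)
    before = verify_manifest(outdir)
    with open(os.path.join(outdir, "system_time.txt"), "ab") as f:
        f.write(b"altered after collection\n")
    return before, verify_manifest(outdir)            # ([], ["system_time"])


if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp(prefix="irt-")
    for e in collect_volatile_data(out)["entries"]:
        print("%-18s %-20s %s..." % (e["item"], e["status"], e["sha256"][:16]))
    print("evidence directory:", out, "| tampered items:", verify_manifest(out) or "none")
```

Run it with an output directory on removable or network media rather than on the implicated host's disk, and hand the directory and its manifest.json to the forensics lead together; the manifest is what lets a later reviewer confirm that the files were not changed between collection and analysis.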

3.1.6 IRT Contact Information
The IRT will be led by a member of Corporate Information Security. The on-call/duty pager process will be leveraged to notify the other IRT members. The following is the list of pagers as of November 2003. The up-to-date list is maintained by the Help

Group                        On-Call Pager
Network Management           877-906-9461
Exchange Group               877-907-3349
Data Center Group            877-907-4036
Database Group               877-907-4037
Web Service Group            877-906-8919
MetaFrame Group              877-907-2133
Internet Services Group      877-907-2936
Infrastructure Group         877-907-3159
Help Desk                    877-907-3165
Security Group               877-906-8923
Telecom Group                877-906-8922
Windows 2000                 877-907-7019
Desktop Support              877-906-9381
Business Sys Support         877-907-3933

3.2 The Executive Incident Team (EIT)

3.2.1 Objectives
The EIT will be composed of the following individuals:

Primary                       Backup
Chief Information Officer     Chief Technology Officer
Chief Privacy Officer         SVP Compliance
General Legal Counsel         Chief Legal Counsel

The EIT’s goals are:
    o Propose a Response Strategy to best handle the incident based on the circumstances at hand
    o Designate the managers or associates or outside third-party who will be involved in resolving or investigating the
    o Manage communications about the incident from a corporate-wide and public relations perspective
    o Report up to the Executive Committee

3.2.2 Response Strategy
Due to the nuances found in different security incidents, the EIT will formulate Response Strategies based on the specific set of circumstances presented by the incident. The following table shows how different response priorities change the course of action for the CSIRT Team.

Response Priority: Protect Data Integrity and Confidentiality
Possible Activities:
    o Take affected systems offline immediately to prevent further compromise of
    o Determine the extent of customer data that has been compromised
    o Consider legal implications around the CSIRT process
    o Employ an objective third-party to validate our forensics activities

Response Priority: Publicity Control
Possible Activities:
    o Engage Corporate Communications and Investor Relations
    o Expedite Incident Handling procedures with accountability as a top priority
    o Brief employees on the appropriate dissemination of information
    o Plan to manage public and media expectations

Response Priority: Resume Operations
Possible Activities:
    o Perform recovery activity before containment or eradication activity
    o Troubleshoot the operations issues without taking the system offline (if
    o Decision to invest less time and resource gathering evidence
    o Accept the risk of further contamination

Response Priority: Cleanse Site
Possible Activities:
    o Perform containment and eradication activity during off-peak hours or maintenance windows
    o Stop all possible avenues of contamination
    o Possibly take the site offline for a thorough eradication and recovery process
    o Harden the site to prevent a security relapse

Response Priority: Prosecute Intruder
Possible Activities:
    o Decision to allocate time and resource to build a legal case against the intruder
    o Maintain the status quo so as not to tip off the intruder
    o Accept and manage the risk of allowing the intruder to remain in the system
    o Involve Professional Security Investigators early in the process to collect evidence for forensics analysis
    o Create decoy systems (honey-pots) to better monitor intruder activities
    o Involve Legal and the Law Enforcement Department

3.2.3 EIT Procedure
               1. Get the phone call from the Information Security Officer with meeting logistics and a quick briefing on the incident
               2. Dial in to the CSIRT Meet-Me Line or gather onsite to discuss the incident
               3. Engage other key players on an as-needed basis (CEO, CFO, Subject Matter Experts, Investor Relations, etc.)
               4. Decide on course of action / response strategy based on limited facts
               5. Designate Troubleshooters to work on bringing the system back to operational status
               6. Designate Investigators to identify root cause and propose recommendations
               7. Define short-term objectives and status checkpoints
               8. Follow-up on activities surrounding the incident
               9. Make adjustments to response strategy based on the checkpoint meetings
               10. Review and approve incident report
               11. Report up to the ISSC and the Executive Committee as appropriate
               12. Initiate incident remediation plan
               13. Assign a PMO to follow-up on remediation activities

3.3 Troubleshooters

3.3.1 Objectives
        The goals of the Troubleshooters are:
          o Assess the scope and damage of an incident and formulate a containment and isolation strategy

          o Control and contain the incident using proper escalation and collaboration processes
          o Establish communication lines to all relevant parties on a need-to-know basis
          o Capture relevant information for the Investigators

3.3.2 Troubleshooting Guidelines
          o Stay in close communication with the Investigators
          o Control user access to the affected system(s) and limit any other new variables from entering the equation
          o Step up monitoring and reconnaissance activities to collect all pertinent information
          o Contact SMEs (Subject Matter Experts) to assist with interpreting logs or symptoms
          o Do not reboot or change the system before capturing volatile information or verifying the possible implications of the reboot
          o Systematically follow leads until the cause of the failure/malfunction/anomaly is isolated
          o Note any key breakthroughs or artifacts in the Incident's Extraview ticket to share with the Investigators
          o Consult with the Investigators before launching system changes to contain the incident
          o Contain the incident
          o Restore the system to full functionality
          o Notify the Helpdesk to send system announcements
          o Collaborate with the Investigators to close the incident out of Extraview.

3.3.3 Subject Matter Experts (SMEs)
        The SMEs' primary role is to assist the incident response process by interpreting logs, symptoms, or
        recommendations in their areas of expertise. The CSIRT may need to engage the SMEs to decipher certain facts from the
        investigation or the troubleshooting effort.

            Subject Matter                                          SME Primary                        CONTACT INFO
            Windows                                                 James Wang                         949-743-6454
            Unix/Linux                                              Hsu Chan                           949-743-7524
            Network                                                 Steve Kerman                       949-743-6553
            Web                                                     Mike Currie                        949-743-7037
            Application                                             Mike Currie                        949-743-7037
            Database                                                Joann McLaughlin                   949-743-7143
            Telco                                                   Lee Pongraphan                     949-743-7878
            Security                                                Bill Stevenson                     949-743-7173
            Exchange                                                Adnan Silajdzik                    949-743-7114
            LOS                                                     Greg Hall                          949-743-7145
            Metaframe                                               Mark Tang                          949-743-6496


3.4 Investigators

3.4.1 Objectives
        The goals of the Investigators are:
          o Use an organized, formal investigative process to retain chain of custody and evidentiary integrity
          o Provide relevant information to the Troubleshooters
          o Provide liaison to law enforcement and legal authorities and provide expert testimony
          o Provide management with recommendations after conferring with the Troubleshooters.

3.4.2 Investigation Guidelines
          o Stay in close communication with the Troubleshooters
          o Execute or skip forensics imaging in accordance with the Incident Response Strategy
          o Keep a written log of all investigative activities
          o Collect as much information as possible without changing the system
          o Use trusted binaries to execute commands on the system and pipe the output to a secure forensics server or disk
          o Systematically investigate each lead and timestamp all investigative activities
          o Note any key breakthroughs or artifacts in the Incident's Extraview ticket to share with the Troubleshooters
          o Collaborate with the Troubleshooters to identify the root/probable cause along with recommendations
          o Prepare a final Root Cause Analysis Report to attach to the Extraview ticket before closing it out. Also note any
            improvements to the CSIRT process.
          o Present the incident at the EIT Checkpoints.
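One way to put the "capture volatile information before rebooting" guideline of 3.3.2 and the "trusted binaries, written log, timestamps, hashed output" guidelines of 3.4.2 into practice, as an added bash example that is not part of this framework: the trusted toolkit directory and the evidence mount are assumptions passed in as arguments, and the command list is a constructed sample.

```bash
#!/bin/bash
# Added example, not part of the CSIRT document: capture volatile data with
# trusted binaries, timestamp every step and hash each artifact for custody.
# The toolkit directory and evidence mount are assumptions passed as arguments.
set -u

# Append a UTC-timestamped line to the written activity log.
log_activity() {  # log_activity <evidence_dir> <message>
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1/activity.log"
}

# SHA-256 of an artifact (coreutils or BSD tools), recorded for evidentiary integrity.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Run one command, but only the copy in the trusted toolkit: binaries on the
# suspect host may have been replaced. Output goes to the evidence mount, is
# hashed and logged. Returns 1 (and logs REFUSED) if the tool is not trusted.
run_trusted() {  # run_trusted <toolkit_dir> <evidence_dir> <cmd> [args...]
    local tools="$1" evidence="$2" cmd="$3" rc; shift 3
    if [ ! -x "$tools/$cmd" ]; then
        log_activity "$evidence" "REFUSED $cmd: not in trusted toolkit $tools"
        return 1
    fi
    local out="$evidence/$(date -u +%Y%m%dT%H%M%SZ)_$cmd.txt"
    log_activity "$evidence" "START $cmd $*"
    if "$tools/$cmd" "$@" > "$out" 2>&1; then rc=0; else rc=$?; fi
    log_activity "$evidence" "END $cmd rc=$rc file=$(basename "$out") sha256=$(hash_file "$out")"
}

# Collect volatile state before anything is rebooted or changed, most volatile
# first. Prints the number of commands refused for lack of a trusted copy.
capture_volatile() {  # capture_volatile <toolkit_dir> <evidence_dir>
    local tools="$1" evidence="$2" refused=0 c
    local PATH="$tools:$PATH"   # helpers (date, cut, ...) come from the toolkit when present
    mkdir -p "$evidence"
    log_activity "$evidence" "CAPTURE BEGIN toolkit=$tools"
    for c in "date -u" "id" "uname -a" "ps aux" "netstat -an" "who"; do
        # shellcheck disable=SC2086  -- intentional word splitting of "cmd args"
        run_trusted "$tools" "$evidence" $c || refused=$((refused + 1))
    done
    log_activity "$evidence" "CAPTURE END refused=$refused"
    echo "$refused"
}
```

Point the evidence directory at the mounted forensics disk (or a directory served to the forensics server) so that nothing is written to the suspect host's own filesystem; the activity log and per-artifact hashes are what the Root Cause Analysis Report can cite.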

Required Signatures:

     The signatures on this agreement indicate the following departments have reviewed the CSIRT document and
     agree with the content.

     DIRECTOR IT Operations                         _______________________________   Date __________
     Network Management                             _______________________________   Date __________
     Exchange Group                                 _______________________________   Date __________
     Data Center Group                              _______________________________   Date __________
     Database Group                                 _______________________________   Date __________
     Web Services Group                             _______________________________   Date __________
     MetaFrame Group                                _______________________________   Date __________
     Internet Services Group                        _______________________________   Date __________
     Infrastructure Group                           _______________________________   Date __________
     Manager, Change Management/QA                  _______________________________   Date __________
     Wholesale                                      _______________________________   Date __________
     Retail                                         _______________________________   Date __________
     Loan Servicing                                 _______________________________   Date __________
     Help Desk Group                                _______________________________   Date __________
     Security Group                                 _______________________________   Date __________
     Telecom Group                                  _______________________________   Date __________
     Windows 2000                                   _______________________________   Date __________
     Desktop Support                                _______________________________   Date __________
     Business System Support                        _______________________________   Date __________
     Human Resource                                 _______________________________   Date __________
     Legal                                          _______________________________   Date __________
     Investor Relations                             _______________________________   Date __________
     Corporate Communications                       _______________________________   Date __________
     Compliance                                     _______________________________   Date __________