Current Advice
Mitigating the risk of Malicious Software
DISCLAIMER Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NISCC. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. NISCC shall also accept no responsibility for any errors or omissions contained within this document. In particular, NISCC shall not be liable for any loss or damage whatsoever, arising from the usage of information contained in this document.
National Infrastructure Security Co-Ordination Centre PO Box 832 London SW1P 1BG
Tel: 020 7821 1330 Ext 4511 Fax: 020 7821 1686 Email: enquiries@niscc.gov.uk Web: www.niscc.gov.uk
October 2004 Version 1.4
Key Points

Threat

• The threat from future Trojan or similar malicious code attacks against UK Government Departments and their agencies is assessed to be SEVERE.
• The threat from future Trojan or similar malicious code attacks against Private Sector Companies is assessed to be SUBSTANTIAL.
• The recommendations contained in and referenced from this document must be evaluated following a risk assessment.

Governance

• Senior Information Risk Owners have a ‘duty of care’ to ensure relevant risk management decisions are taken in light of the threat.
• Senior Information Risk Owners should ensure they are aware of the importance of vulnerability handling in terms of reducing risk to the business and that users are aware of the issues.
• Remediation after a compromise can be more costly and time consuming than risk managing the implementation of protective measures in advance of an incident.
• One inadequately managed network or connection could undermine the risk management of an organisation’s information systems.

Advice

• Ensure that Anti-Virus software and application aware firewalls are appropriately implemented, configured and kept up to date to minimise the threat.
• Prompt reporting and effective information sharing can inform remediation and protective measures.
• Evaluate and implement best practice secure configuration guides for the various operating systems and applications contained within the network.
• Regularly monitor vulnerability information to maintain a current view of the risks.
• Subject to testing, ensure that the latest security patches are installed for all software.
• Consider implementing a ‘Default Deny’ web browsing strategy.
• Consider blocking ingress of files that contain potentially dangerous content and also consider blocking all compressed executables from entry.
• Consider implementing Spam filtering services for your GSi and Internet facing networks.
• Ensure that a local policy is in place that prohibits the automated forwarding of mail and that where possible mandatory technical controls are used on either the server or client.
• Establish effective detection and response mechanisms to recognise and deal with successful attacks.
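The ‘compressed executables’ point above is about content rather than file names: an attacker can zip a renamed executable, or nest one archive inside another, and a filter that only looks at extensions sees nothing. The following is an added example (not code from the NISCC document or from any product it references) of a gateway-side check that opens a ZIP attachment in memory and inspects each member by its leading bytes, recursing into nested archives. The signature table, the extension list, the nesting limit and the sample archives are all assumptions constructed for the example.

```python
"""Flag executables carried inside compressed attachments by content, not by name.

Added example (not part of the NISCC document): a mail-gateway style check that
opens a ZIP attachment in memory, walks every member, recurses into nested ZIPs
and reports any member whose leading bytes match a known executable signature.
All sample archives are constructed inline so the script runs offline.
"""
import io
import posixpath
import zipfile

# Leading bytes of common executable formats; a renamed .exe still starts with MZ.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}
# Extensions often used for Windows executables and scripts. Secondary signal only;
# the content check above is the primary decision. (Assumed list for the example.)
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

MAX_DEPTH = 3  # do not descend into archives nested deeper than this (assumption)


def classify_bytes(data):
    """Return a description if data starts with an executable signature, else None."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


def inspect_zip(blob, depth=0, prefix=""):
    """Return (member_path, reason) findings for a ZIP archive given as bytes.

    An archive that cannot be parsed is itself reported: a gateway cannot vouch
    for content it cannot see, so the safe decision is to treat it as suspect.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "unparseable archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = archive.read(info)  # samples are tiny; a real gateway would cap the size
            kind = classify_bytes(data)
            if kind:
                findings.append((path, kind))
            elif posixpath.splitext(path)[1].lower() in RISKY_EXTENSIONS:
                findings.append((path, "risky extension"))
            if zipfile.is_zipfile(io.BytesIO(data)):
                if depth + 1 > MAX_DEPTH:
                    findings.append((path, "archive nested too deeply"))
                else:
                    findings.extend(inspect_zip(data, depth + 1, path + "/"))
    return findings


def build_zip(members):
    """Constructed helper: pack {name: bytes} into an in-memory ZIP, returning its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Constructed sample: a text report, an executable, a PE file hidden under a .pdf
    name inside a nested archive, and a script caught by extension alone."""
    inner = build_zip({"invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60})
    outer = build_zip({
        "report.txt": b"Quarterly figures attached.\n",
        "setup.exe": b"MZ" + b"\x00" * 62,
        "photos.zip": inner,
        "run.vbs": b"WScript.Echo 1\n",
    })
    return inspect_zip(outer)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"BLOCK {path}: {reason}")
```

The renamed ‘invoice.pdf’ inside the nested archive is caught because its bytes begin with MZ, which is the reason a content check has to sit alongside any extension policy. Capping recursion depth and member size matters in practice, since a deliberately deep or highly compressible archive is itself a denial-of-service vector against the scanner.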
CONTENTS

1. Purpose and Structure of this document
2. Why should you read this document?
   2.1 Electronic attack on the increase
   2.2 How do Organisations currently fare?
3. Responsibility and Preparation
   3.1 Governance
   3.2 Risk Assessment and Management
   3.3 Information Sharing
4. Prevention – Employing Countermeasures
   4.1 Guidance on Securing Interconnected Networks
   4.2 Identification and Authentication
   4.3 Best Practice Secure Configuration
   4.4 Vulnerability Management
   4.5 Protecting Web Sites
   4.6 Protecting Web Browsers
   4.7 Malware Countermeasures
       4.7.1 Trojan Code Countermeasures
       4.7.2 Worm Countermeasures
       4.7.3 Spam Countermeasures
   4.8 Distributed Denial of Service Countermeasures
5. Detection
   5.1 Protective Monitoring
   5.2 Intrusion Detection Systems
6. Incident Response
Appendix A – Reference to other key documents and useful links
   A. General Protective Security Guidance
   B. Where is Policy Published?
   C. NISCC Best Practice Guidelines
   D. NISCC Technical Notes not referenced
1. Purpose and Structure of this document

1. This document is designed to inform organisations about the countermeasures that they can employ in order to help mitigate the threat posed to their information systems by malicious software (malware)[a]. Though general countermeasures are listed in this document, references are contained throughout that point to comprehensive industry best practice and UK and US Government published guidelines and policy. Following the completion of a risk[b] assessment[c], organisations are encouraged to evaluate the identified countermeasures and implement them as part of a defence in depth[d] strategy.

2. This document is published on the National Infrastructure Security Coordination Centre (NISCC) website[1] and will be kept up to date to reflect any new relevant advice. Organisations are therefore encouraged to refer to the NISCC web site as a point of reference for information on how best to protect their systems from malware. Some of the advice referenced from this document is only viewable via the Government Secure intranet (GSi)[2]. Private sector organisations should therefore refer to the industry best practice and NISCC technical notes that are also referenced. NISCC is reviewing the advice currently only available on the GSi and is seeking to make as much of it as possible available to the private sector.

3. The document’s structure follows the Information Assurance (IA) life cycle in protecting an organisation’s assets. Senior Information Risk Owners[e] should ensure that the IA life cycle is followed as part of their duty of ‘due care’[f]. This will help ensure that reasonable countermeasures are in place to protect the assets for which they are responsible.

4. Organisations should have an appropriate Governance structure that is informed by regular Risk Assessments that are similarly informed by information sharing fora and communities. These will help determine which Countermeasures[g] need to be implemented to protect its assets.

5. Detection[h] tools should be used to provide feedback concerning the adequacy of the countermeasures deployed. When an incident does occur, Incident Response[i] measures and processes should be in place to deal with and minimise the impact to the organisation. The following diagram illustrates the IA cycle:

[Diagram: the IA cycle. Responsibility & Preparation (Governance, Risk Assessment, Information Sharing); Prevention (Countermeasures); Detection (Monitoring); Incident Response.]

a. Malware is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.
b. The risk is the likelihood of a threat agent finding and exploiting a vulnerability.
c. A process that analyses the threat and produces a representative value of the estimated potential loss (CISSP Krutz & Vines).
d. The implementation of various countermeasures to protect a network e.g. use of different anti-virus software to provide multilayered anti-malware defence. See http://nsa1.www.conxion.com/support/guides/sd-1.pdf for a short introduction to defence in depth.
e. A named individual on an organisation’s senior management board who has the ultimate responsibility for information assurance.
f. Under the concept of ‘due care’ the appointed Senior Information Risk Owner (SIRO) might be liable for negligence if the organisation’s data is not adequately protected.
g. To reduce a risk, a countermeasure is put into place, which is a safeguard used to mitigate the potential losses from an identified threat.
h. Detection is represented by the analysis of network data implemented via a combination of measures such as intrusion detection systems and log data accounting and audit.
i. Actions taken to deal with an incident that occurs. These actions normally represent some form of intervention to negate or minimise the impact of the incident.
2. Why should you read this document?

2.1 Electronic attack on the increase

6. The general threat[j] from electronic attack and particularly malware is increasing. Open source reporting indicates there was a substantial rise in virus infected email in 2003 compared with 2002, with the trend continuing in 2004:

‘Ratio of virus-infected emails to clean emails increased 84 percent to 1 in 33 against 1 in 212 a year ago’
MessageLabs Intelligence Analysis – Comparison of 2003 to 2002

7. The 2004 DTI Information Security Breaches Survey[3] is the largest survey of information security in the UK and is referenced throughout this document. It states that since 2002 malware attacks have increased and provides a summary of the increase in attacks. It is worth noting that system failures or data corruption could also point to an unidentified malicious incident:

‘Two-thirds of UK businesses had a premeditated or malicious incident compared with just under a half two years ago. In addition, a quarter had a significant incident involving accidental systems failure or data corruption’.
2004 DTI Information Security Breaches Survey

8. Malware attacks are also increasing in sophistication, particularly as Spam[k] and other malware writers are combining techniques. This convergence of skills has led to the rise of so called “blended threats”, mass mailer viruses and worms that use Spam techniques to trick users into clicking on a malicious URL[l] or attachment and then spread in a similar way to an Internet worm.

9. NISCC has seen many examples of these types of attacks against the organisations it helps to protect. Given this and the general rise in malware activity across other connected communities, the following threat assessment has been issued:

The threat from future Trojan or similar malicious code attacks against UK Government Departments and their agencies is assessed to be SEVERE[m].

The threat from future Trojan or similar malicious code attacks against Private Sector Companies is assessed to be SUBSTANTIAL[n].

j. The capability and intention that intruders have to attack a system by means of a vulnerability.
k. Unsolicited email which is generally used to advertise various products or services.
l. The unique address for a file that is accessible on the Internet.
m. Please contact NISCC for details of the SEVERE descriptor.
n. Please contact NISCC for details of the SUBSTANTIAL descriptor.
2.2 How do Organisations currently fare?

Key Documents:
2004 DTI Information Security Breaches Survey[4]
Infosec Memo 2 ‘The Risk of Electronic Attack Against HMG Computers and Communications: General Factors’[5] (GSI document - to be reviewed)

10. Although NISCC does not have a fully detailed picture of all organisations’ abilities to protect, detect and respond to a malware attack, there is ample evidence that many organisations are not applying a sufficient range of countermeasures to mitigate these attacks. This observation was recently supported by the ‘2004 DTI Information Security Breaches Survey’ that surveyed both private and public sector organisations:

“This survey shows that too many organisations have waited until an incident[o] hits them before putting countermeasures in place”
2004 DTI Information Security Breaches Survey, Executive Summary

11. The cost of an incident is also summarised in the survey:

“The average cost of an organisation’s most serious security incident was roughly £10,000. In large companies, this was more like £120,000. The impact on availability was by far the biggest contributor to this cost, with some organisations suffering a major disruption to their business operations for more than a month”.
2004 DTI Information Security Breaches Survey

12. There is no uniformity in the risk management decisions being applied to systems of similar business criticality. Information systems are becoming progressively more joined up, and networked communities are only as secure as the weakest system or connection. It is therefore an organisational responsibility to follow and document a thorough risk assessment and management methodology.

13. The DTI breaches survey also reported that only one in ten companies (and only a quarter of large ones) has staff with formal information security qualifications and that neither overall awareness of BS 7799, nor the number of organisations that have implemented it, has increased over the last two years. However, those organisations that have implemented BS 7799 have found that it has yielded real business benefits.

o. Adverse events that threaten security in computing systems and networks. (Schultz/Shumway)
3. Responsibility and Preparation

3.1 Governance

Key Documents:
Turnbull Report[6]
Board briefing on IT Governance (IT Governance Institute)[7]

14. From a corporate governance perspective, a member of the senior management has the ultimate responsibility for its organisation’s IA, and may be held to account for the risk management decisions taken.

15. Fundamental to an organisation’s IA programme is senior management’s awareness of, and public commitment to, the importance of having measures in place to protect the organisation from electronic attack. Consequently an organisation’s IT technician, accreditor, head of security and ultimately the Senior Information Risk Owner (SIRO), all have a role to play in achieving the organisation’s overarching IA policy.

16. As part of an organisation’s responsibility for ‘due care’ it must evaluate measures that are industry best practice and those that are recommended by regulatory or national authorities. For example within British Standard 7799[8], there is a specific objective to protect an organisation’s network from malware with a number of baseline detection and prevention controls.

17. NISCC, in its role of protecting information systems that are part of the UK Critical National Infrastructure, recommends that the advice contained within and referenced from this document is fully evaluated as part of an organisation’s risk assessment and responsibility for ‘due care’.
3.2 Risk Assessment and Management

Key Documents:
Infosec Standard No. 1 ‘Residual Risk Assessment Method’[9] (GSI access required)
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)[10]
Infosec Standard No. 2 ‘Accreditation Documents’[11] (Currently under review by the Security Accreditation Review Committee (SARC) – GSI access required)
Infosec Memo 21 ‘Risk Management of Mobile Code’[12] (Update in Draft – GSI access required)

‘Three-quarters of businesses are confident that their technical security processes are sufficiently good to prevent or detect all significant security breaches. Given the weaknesses in these controls, it appears that some do not fully appreciate the risks they are running.’
2004 DTI Information Security Breaches Survey

18. The risk of being a victim of a malware attack cannot be totally mitigated. Countermeasures against such an attack will incorporate a mix of physical, personnel, procedural and technical security controls with the aim of reducing the residual risk to a level that can be accepted by the risk owner.

19. The recommendations contained and referenced from this document must be evaluated following a risk assessment, whereby the accreditor or risk owner has assessed the impact the organisation would face if malicious code successfully exploited a network’s vulnerability[p].

20. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)[q] is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows an organisation to identify the information assets that are important to the mission of the organisation, the threats to those assets, and the vulnerabilities that may expose those assets to the threats. By putting together the information assets, threats, and vulnerabilities, the organisation can begin to understand what information is at risk. With this understanding, the organisation can design and implement a protection strategy to reduce the overall risk exposure of its information assets.

21. Infosec Standard No. 1 ‘Residual Risk Assessment Method’ (IS1) is a risk management tool which is an agreed method for assessing residual risks for official information systems. It is intended for use by both the public and relevant parts of the private sector for managing the risks associated with storing, processing and exchanging Government information. It contains guidance on countermeasures and points to other assurance documents for further detailed advice. It is an ideal starting point with which to begin documenting the risk management decisions that need to be made.

“Given the complex nature of risk assessment in IT, it is a baseline requirement that those responsible for securing protectively marked information will use this agreed standard method, which has been specifically tailored to the current HMG security environment.”
Infosec Standard No1 - Paragraph 7

22. Infosec Standard No. 2 ‘Accreditation Documents’, provides guidance about producing documents to support information security accreditation. It sets out a recommended format for such documents, and suggests the information which accreditation documents should contain including documented risk management decisions.

23. Infosec Memo 21 ‘Risk Management of Mobile Code’, gives guidance on applying the methods of IS1 in situations where "Mobile Code" technology - such as Java and ActiveX - is used. It is intended to aid accreditation in assessing both the levels of the risks and the likely effectiveness of various countermeasures so that an informed decision can be taken on whether the risks are acceptable.

p. A group of conditions which, taken together, can leave a system open to unwanted access or unauthorised use by an intruder or denies availability of the system.
q. Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
3.3 Information Sharing

Useful Links:
The Warning, Advice and Reporting Point (WARP) Toolbox[13]
NISCC Information Exchanges[14]
Best Practice Guideline - NISCC’s Information Exchanges – Example Membership Guidelines[15]
Government IT Security Officer’s Forum (ITSOF)[16] (GSI access required)

24. Information Sharing fora provide an organisation with the opportunity to share experiences and explore security issues in an environment of trust and confidence. NISCC runs a number of Information Exchanges for both public and private sector organisations. These successful fora have provided member organisations with invaluable information to help inform internal risk assessment and management decisions. They have also helped NISCC to find research partners and to prioritise its research.

25. The Government IT Security Officer’s Forum (ITSOF) is a Security Service and CESG led forum that acts as a point of contact for policy advice and development for Government information system accreditors.

26. Sharing information about incidents is a vital part of understanding the threat and what has actually happened on systems and can inform remediation and mitigation measures. NISCC runs the UK Government Computer Security Incident Response Team (CSIRT), UNIRAS[17], that facilitates a sharing of information across Government and private sector CNI organisations. This is both to inform its own assessment of the threat, which then may be shared with those who need this information, and also to enable collective knowledge, experience and warnings to be shared in a focused and timely manner.

27. NISCC and the Central Sponsor for Information Assurance[18] (CSIA) are working together to encourage the formation of information sharing communities known as Warning, Advice and Reporting Points (WARPs). WARPs provide the following core services:

• A trusted environment
• Security information filtering
• Access to expert advice
• Early warning of threats
• Strategic decision support
• Improved awareness

The WARP Toolbox contains all the supporting documentation and software required to enable you to submit a business case for running a WARP for your own organisation.
4. Prevention – Employing Countermeasures

4.1 Guidance on Securing Interconnected Networks

Key Documents:
Infosec Standard No.3 ‘Connecting Business Domains’[19] (GSI access required)
S(E)N 04/03 ‘Connecting Business Domains – Use of Removable Media’[20] (GSI access required)
GSi Code of Connection[21]
NISCC Technical Note 01/02 ‘Protecting your Computer Network – Guidance on securing LANs, WANs and internetworks’[22]
Infosec Memo 13 ‘Protecting Government Connections to the Internet’[23] (to be reviewed - GSI access required)
Manual M ‘Protecting Government Connections to the Internet – Guidance on Internet Connectivity Architectures’[24] (to be reviewed - GSI access required)

Useful Links:
The Sixty Minute Network Security Guide[25]

28. Effective security can only be achieved by viewing the organisation’s connections in their entirety. Typically, an organisation will have systems with onward connections. These may include:

• Internet
• Government Secure intranet (GSi) – Consists of connections to the X.GSI, GSI, GSE, GSX.
• Trusted Extranets e.g. CJX, TESTA II etc
• Trusted Closed Networks e.g. SCOPE
• Direct network connections to partner organisations

29. All organisations should familiarise themselves with the accreditation regime and Code of Connection for each network or community that they have onward connections to, so that all potential attack avenues can be assessed. This will enable the accreditor to have an overview of the environment which needs to be protected. Organisations must assess the risk associated with particular information transfers, i.e. the impact to the business if the security of that transfer is compromised, and allow this to drive their information assurance decisions.

30. Infosec Standard No.3 ‘Connecting Business Domains’, indicates the general type of threats which are likely should domains be connected together. It also indicates the type of countermeasures which might be appropriate, but does not give definitive guidance on designing a secure network or interconnections.

31. An example of a documented interconnected system is the new GSi with its GSi Code of Connection (CoCo). Authored and administered by NISCC, the CoCo requires connecting organisations to prove that they meet a baseline set of requirements. A level of assurance is reached by the fact that the countermeasures and risk management decisions employed by connecting organisations are standardised throughout the GSi community. Infosec Standard No. 1 ‘Residual Risk Assessment Method’, makes specific reference to the fact that before a risk management decision is made organisations should be aware of the impact this may have to their onward connections:

“Before accepting significant additional risks on their own systems, departments should consider whether this will make it harder to accredit future onward connections to other departments, for instance via the Government Secure Intranet (GSI). Compliance with the recommendations of this document is one of the conditions of entry to the GSI community.”
Infosec Standard No. 1 ‘Residual Risk Assessment Method’ - Paragraph 36

32. NISCC Technical Note 01/02 ‘Protecting your Computer Network – Guidance on securing LANs, WANs and internetworks’, provides best practice generic advice on securing Internet facing networks against external attack including securing local, wide area and interconnecting networks.

33. Infosec Memo 13 ‘Protecting Government Connections to the Internet’ and Manual M ‘Protecting Government Connections to the Internet – Guidance on Internet Connectivity Architectures’, are both scheduled to be reviewed though are referenced here as they still contain some pertinent advice.

34. The Sixty Minute Network Security Guide is another useful document that covers a wide range of countermeasures to protecting a network. Written with the less experienced System Administrator and information systems manager in mind, the guide talks through general guidance, perimeter routers and Firewalls, Windows NT4.0 and 2000 and has a comprehensive section on Unix.
4.2 Identification and Authentication

Key documents:
Infosec Memo 24 ‘Passwords, Tokens and Biometrics Used in Combination for Identification & Authentication of Users of Government IT Systems’[26] (GSI access required)
Infosec Memo 26 ‘Passwords for Identification and Authentication’[27] (GSI access required)
Infosec Memo 27 ‘Assessment of the Contribution of Tokens to Multi-Factor Identification and Authentication Systems’[28] (GSI access required)
S(E)N 99/1 – The Use of Commercial Authentication for Remote Dial-Up over ISDN or PSTN to RESTRICTED Systems[29] (GSI access required)

Useful Links:
UK Biometric Working Group - Management Summary Index[30]

‘User ID and password are still the dominant mechanism for authenticating users’ identities. However, a third of large businesses have moved to some degree of two-factor authentication, and have seen a reduced level of unauthorized access breaches as a result.’
2004 DTI Information Security Breaches Survey, Page 5

35. Controlling access to information systems and associated networks is necessary for the preservation of Confidentiality, Integrity and Availability. Identification[r] and Authentication[s] (Id&A) are essential for allowing only authorised personnel or processes to have access to an organisation’s information systems.

36. Infosec Memo 26 ‘Passwords for Identification and Authentication’ provides general advice on using passwords and a method of working out the required password length. This Memo is fully interoperable with Infosec Standard No. 1 and can therefore be particularly useful in reducing a particular risk to your organisation’s systems.
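Infosec Memo 26 is available only on the GSi and its method is not reproduced here. As an added illustration of what ‘working out the required password length’ involves (this is not the Memo’s method and not code from the document), the following script applies the classic password-space calculation from the US DoD Password Management Guideline (CSC-STD-002-85): an attacker who can try R guesses per second for the whole password lifetime L makes L·R guesses, so to keep the probability of a hit at or below P the password space S must satisfy S ≥ L·R / P, and the required length is the smallest n with A^n ≥ S for an alphabet of A symbols. The guess rates, lifetimes and acceptable probability used in the demonstration are assumptions, not figures from the document.

```python
"""Work out a minimum password length from guess rate, lifetime and acceptable risk.

Added example, not the method in Infosec Memo 26 (which is GSi-only): the classic
password-space calculation from the US DoD Password Management Guideline
(CSC-STD-002-85). An attacker able to try R guesses per second for the whole
password lifetime L makes L*R guesses in total; to keep the chance of a hit at or
below P the password space S must satisfy S >= L*R / P, and the required length is
the smallest n with A**n >= S for an alphabet of A symbols. The guess rates and
probability used in the demo are assumptions, not figures from the document.
"""
import math

SECONDS_PER_DAY = 86400

# Alphabet sizes for common composition policies (ASCII printable set assumed).
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable": 95,
}


def required_space(lifetime_days, guesses_per_second, max_probability):
    """Minimum password space S so that P(guessed within lifetime) <= max_probability."""
    if not 0 < max_probability <= 1:
        raise ValueError("max_probability must be in (0, 1]")
    guesses = lifetime_days * SECONDS_PER_DAY * guesses_per_second
    return guesses / max_probability


def required_length(alphabet_size, lifetime_days, guesses_per_second, max_probability):
    """Smallest n with alphabet_size**n >= required space.

    The estimate is taken in log space to avoid overflow on large spaces, then
    corrected with exact integer comparisons in case of floating-point rounding.
    """
    if alphabet_size < 2:
        raise ValueError("alphabet must have at least two symbols")
    space = required_space(lifetime_days, guesses_per_second, max_probability)
    if space <= 1:
        return 1
    n = max(1, math.ceil(math.log(space) / math.log(alphabet_size)))
    while alphabet_size ** n < space:      # rounding landed one short
        n += 1
    while n > 1 and alphabet_size ** (n - 1) >= space:  # ...or one too long
        n -= 1
    return n


def compromise_probability(alphabet_size, length, lifetime_days, guesses_per_second):
    """Inverse view: the chance an attacker at this rate finds a password of the
    given length before it expires (capped at 1 once the space is exhausted)."""
    guesses = lifetime_days * SECONDS_PER_DAY * guesses_per_second
    return min(1.0, guesses / alphabet_size ** length)


def length_table(lifetime_days, guesses_per_second, max_probability):
    """Required length for each composition policy under one threat assumption."""
    return {
        name: required_length(size, lifetime_days, guesses_per_second, max_probability)
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    # Assumed scenario: 90-day lifetime, 10 guesses/s (online, lockout-throttled),
    # at most a one-in-a-million chance of compromise over the lifetime.
    for policy, n in length_table(90, 10, 1e-6).items():
        print(f"{policy:12s} needs {n} characters")
    # Assumed offline scenario: attacker holds the hash and tries 1e9 guesses/s.
    print("printable, offline:", required_length(95, 365, 1e9, 1e-6))
```

The two scenarios show why the guess rate is the parameter that matters most: an eight-character printable password is adequate against a throttled online guesser, but the same policy needs twelve characters once the attacker is guessing offline against a captured hash. That is the same trade-off the Memo’s relationship to IS1 is meant to capture, with the threat assessment supplying R and the risk owner supplying P.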
37. Infosec Memo 24 ‘Passwords, Tokens and Biometrics Used in Combination for Identification & Authentication of Users of Government IT Systems’, enables information systems security staff to make structured and consistent comparisons of the effectiveness of combinations of Passwords, Tokens and Biometrics and, in conjunction with related Memoranda dealing with each of those technologies, assess the adequacy of a proposed or existing Id&A system in any particular situation.

38. Infosec Memo 27 ‘Assessment of the Contribution of Tokens to Multi-Factor Identification and Authentication Systems’ provides guidance on the use of Tokens for Id&A, in particular indicating how valuable a Token will be in relaxing the requirements for an associated Password. This Memo must be used in conjunction with Memos 24 and 26.

39. For further guidance on Biometrics, the UK Biometric Working Group has produced a number of short ‘Management Summaries’ to introduce various topics relevant to the use of Biometric authentication systems.

r. The act of a user professing an identity to a system, usually in the form of a logon.
s. Verification that the user’s claimed identity is valid, and is usually implemented through a user password and/or biometric at logon.
4.3 Best Practice Secure Configuration

Key Documents:
NISCC Technical Note 07/04 ‘Securing MAC OS X’[31]
NISCC Technical Note 11/03 ‘Secure Configuration of Solaris’[32]
NISCC Technical Note 04/03 ‘Securing VNC (Virtual Network Computing)’[33]
NISCC Technical Note 01/03 ‘Understanding Database Security’[34]
Manual P ‘Protecting Government Connections to the Internet – Firewall Configuration, Installation and Maintenance’[35] (GSI access required)

Useful Links:
NSA Operating System Guides[36]
National Institute of Standards and Technology[37]

40. It is essential that organisations evaluate, and implement where possible, best practice secure configuration guides for the various operating systems and applications contained within their networks. Though hardening the network against electronic attack cannot guarantee 100% security, such measures may deter an attacker or allow for an attack to be detected by other countermeasures in place (e.g. Intrusion Detection).

41. A variety of implementation and checklist guides have been published by vendors or by third parties. The above non-exhaustive list of key documents and URLs provides a useful starting point for administrators.

42. On selecting a configuration to follow, a system administrator should start from a clean installation and follow a logical sequence of actions to ensure that the network remains as secure as possible:

• Plan the installation and configuration carefully
• Apply the latest patch cluster
• Lock the system down
• Create a backup
• Subscribe to appropriate alert services
• Perform regular maintenance

NISCC Technical Note 11/03 ‘Secure Configuration of Solaris’ - Key Points
4.4
Vulnerability Management
Key Documents: NISCC Technical Note 04/04 ‘Organisational Vulnerability Management Process’38 NISCC Technical Note 05/04 ‘A Vulnerability Management Process for IT Product Vendors’39 Manual N ‘Vulnerabilities of the TCP/IP Protocol Suite’40 (GSI access required) NISCC Technical Note 02/02 ’Recent Vulnerabilities in SNMP’41
‘Increasingly, viruses are bypassing traditional anti-virus software and targeting vulnerabilities in computer operating systems. Processes for keeping these up to date with the latest security patches are generally weak.’ 2004 DTI Information Security Breaches Survey 43. It is important that the protocols underpinning an organisation’s network infrastructure are as secure
as possible from electronic attack. Malware, in the overwhelming majority of cases, exploits known vulnerabilitiest and new vulnerabilities may be exploited within 24 hours of exposure so an agreed process to manage disclosure is imperative.
44. Increasingly, NISCC is being asked by others to manage the disclosure process. NISCC works extensively with government departments and agencies, commercial organisations and the academic community to research vulnerabilities and potential threats to information systems, especially where their compromise may have an impact on the UK's Critical National Infrastructure. NISCC Vulnerability Advisory Notices (VANs) result from the NISCC managed disclosure of vulnerabilities. VANs contain information on vulnerabilities, their effects, and where possible patch information or mitigation advice. For information about potential vulnerabilities or for further information on this vulnerability disclosure process visit the NISCC website or contact the vulnerability team at vulteam@niscc.gov.uk.

45. Organisations should regularly monitor vulnerability information to maintain a current view of the risks and implement patch management as necessary. NISCC Technical Note 04/04 ‘Organisational Vulnerability Management Process’ suggests a minimal method for assessing vulnerability risk and also suggests that a number of steps are completed to ensure that the vulnerability management process can be implemented:
• Ensure that there is senior management buy-in for the importance of vulnerability handling in terms of reducing risk to the business and that users are aware of the issues
• Maintain an inventory of systems in the organisation including a definition of each system and an up-to-date list of products in each system
• For each product record the version, patch level and the location of the product
• For each product assess the value of the product and the value of information stored by that product
• For each system in the organisation determine the criticality of the system in terms of availability of service, confidentiality of data, integrity of data and cost
• Have a policy for business continuity management including system backup and recovery to meet a security management standard such as ISO 17799 which is regularly applied and tested

NISCC Technical Note 04/04 ‘Organisational Vulnerability Management Process’ - paragraph 9

[t] A group of conditions which, taken together, can leave a system open to unwanted access or unauthorised use by an intruder or denies availability of the system.
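The steps above become useful the day an advisory arrives: the inventory is what lets an administrator answer "which of our systems are affected, and which do we patch first?" without walking the estate. The following is an added example (not code from the NISCC note) that applies those steps to a constructed inventory and a constructed advisory. Everything in it is an assumption made for illustration: the product and system names, the version and patch-level conventions, the advisory identifier EXAMPLE-2004-001, and the priority weighting, which is not the note's own assessment method.

```python
"""Vulnerability triage over a product inventory.

Added example, not code from the NISCC note: it applies the steps above
(inventory of systems and products with version, patch level and location;
criticality per system) to a constructed advisory.  The inventory, the
advisory and the priority weighting are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Product:
    name: str
    version: str       # dotted version string as recorded in the inventory, e.g. "8.1"
    patch_level: int   # vendor patch cluster / service pack applied
    location: str      # where it runs, e.g. an install path or service name


@dataclass
class System:
    name: str
    products: List[Product]
    availability: int      # impact if the property is lost: 1 = low .. 3 = high
    confidentiality: int
    integrity: int
    internet_facing: bool = False

    def criticality(self) -> int:
        # Assumed scheme: a system is as critical as its most sensitive property.
        return max(self.availability, self.confidentiality, self.integrity)


@dataclass
class Advisory:
    ident: str
    product: str
    max_affected_version: str      # every version up to and including this one is affected
    fixed_in_patch: Optional[int]  # patch level that closes the hole on that version; None = no fix yet


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.1.0' -> (8, 1); trailing zeros dropped so '8.1' and '8.1.0' compare equal."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(product: Product, advisory: Advisory) -> bool:
    """True if this install is within the advisory's affected range and unpatched."""
    if product.name != advisory.product:
        return False
    installed = parse_version(product.version)
    ceiling = parse_version(advisory.max_affected_version)
    if installed > ceiling:
        return False  # newer than anything the advisory covers
    if installed == ceiling and advisory.fixed_in_patch is not None:
        return product.patch_level < advisory.fixed_in_patch
    return True  # older release, or the affected release with no fix available


def triage(inventory: List[System], advisory: Advisory) -> List[Tuple[str, str, str, int]]:
    """Affected installs as (system, product, location, priority), most urgent first.

    Priority = system criticality, plus one for Internet-facing systems
    (assumed weighting: exposed systems are hit first by worms and scanners).
    """
    hits = []
    for system in inventory:
        for product in system.products:
            if is_affected(product, advisory):
                priority = system.criticality() + (1 if system.internet_facing else 0)
                hits.append((system.name, product.name, product.location, priority))
    return sorted(hits, key=lambda hit: (-hit[3], hit[0]))


# Constructed inventory and advisory for the demonstration.
INVENTORY = [
    System("dmz-web-01", [Product("webserver", "8.1", 2, "/opt/webserver"),
                          Product("bind", "9.2.1", 0, "/usr/sbin/named")],
           availability=3, confidentiality=1, integrity=2, internet_facing=True),
    System("int-app-02", [Product("webserver", "8.0", 5, "/opt/webserver")],
           availability=2, confidentiality=3, integrity=3),
    System("hr-ws-17", [Product("webserver", "8.2", 0, "C:\\Program Files\\webserver")],
           availability=1, confidentiality=2, integrity=1),
]
ADVISORY = Advisory("EXAMPLE-2004-001", "webserver", max_affected_version="8.1", fixed_in_patch=3)

if __name__ == "__main__":
    for system, product, location, priority in triage(INVENTORY, ADVISORY):
        print(f"priority {priority}: {system} {product} at {location}")
```

Run as a script it lists the two affected installs, the Internet-facing web server first; the workstation on 8.2 is skipped because it is newer than anything the advisory covers. The version comparison is the part worth getting right: comparing version strings lexically would rank "8.10" below "8.2", so the example converts them to integer tuples first.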
4.5 Protecting Web Sites

Key Documents:
NISCC Technical Note 06/03 ‘Guidance on Securing Web Sites’ [42]
‘Guidelines on Securing Public Web Servers’ [43]
46. Web servers hosting both public and private sector organisations’ web sites are among the most easily targeted parts of an organisation’s network infrastructure. Web servers are constantly probed by attackers for exploitable vulnerabilities. All organisations need to employ best practice countermeasures to ensure that these public facing systems and their supporting architecture are resistant to attack and that the service maintains high availability.
47. NISCC Technical Note 06/03 ‘Guidance on Securing Web Sites’ gives countermeasures for the following topics which determine the security of a web site:

• The security of the web server
• The security of the operating system of the web server computer
• The security of the local area network of the web server computer
• The security of “backend” (e.g. database) applications supporting the web server
• The security of the authoritative domain name server for the web server network
48. The technical note also lists links to vendors and other third party web sites, including the National Institute of Standards and Technology’s comprehensive publication ‘Guidelines on Securing Public Web Servers’.
4.6 Protecting Web Browsers
Key Documents:
NISCC Technical Note 05/03 ‘Configuration and Use of Web Browsers’ [44]

49. An increasing number of electronic attacks exploit vulnerabilities in the web browser, either directly or through email clients that support HTML. Vulnerabilities are routinely found, published and patched by the vendors. There has been widespread reporting of browser vulnerabilities in 2004. See, for example, ‘Firms urged to look at rivals to ‘hackers’ target’ Internet Explorer’ [u]. Organisations are often faced with choosing between security and functionality when considering how best to configure a browser.

50. NISCC Technical Note 05/03 ‘Configuration and Use of Web Browsers’ provides system administrators with guidance on the configuration and use of the web browsers Internet Explorer, Netscape and Opera. Following the guidance in this document will help organisations minimise the effects of the most common security risks, including the inadvertent execution of malicious mobile code. Key advice from the document follows:
Adopting a “Default Deny” Web Strategy

When reading this guidance please bear in mind the following “Default Deny” principles:

• Differentiate between internal, trusted and unknown web sites where possible and apply different security policies to each type
• Treat all external web sites as “unknown” until explicitly identified as trusted (and ideally only then if secured using encrypted HTTPS sessions)
• Deny all active content (Java applets, ActiveX controls and active scripting) unless absolutely required and restrict use to internal and trusted sites where possible
• Deny all web access to external networks from internal systems unless requested and restrict access, where possible, to a limited set of external web servers
• Deny all active content from “Unknown Sites” and consider blocking access where possible and appropriate.

General Configuration Guidance

For guidance on configuration of a specific browser, see the annexes to the Technical Note. However, what follows is a list of general guidelines that can be applied to any browser when accessing “Internal Sites”, “Trusted Sites” and “Unknown Sites”:

• Ensure that you are using the latest version of the browser.
• Apply all of the latest browser security patches and updates.
• Differentiate between internal, trusted and unknown web sites where possible and apply “Default Deny” principles to each type.
• Move the Temporary Internet Files folder to a different location. Any location other than the default is suitable.
• Remove unnecessary browser plug-ins and Internet Relay Chat clients.
• Configure the browser to check for certificate revocation.

Internal Sites

• If a browser feature is not specifically required, disable it until requested.
• Enable Active Scripting (JavaScript, VBScript) and, optionally, scripting of safe ActiveX controls and Java applets on request.
• Disable downloading of ActiveX controls (signed or otherwise) but permit “Administrator approved” (e.g. Shockwave Flash) ActiveX controls on request.
• Disable Java or restrict to (ideally internally) signed Java applets only.
• Enable File Downloads.
• Permit Cookies.

Trusted Sites

• Require the site to be secured using HTTPS before it becomes trusted (if possible).
• Allow use of Active Scripting (JavaScript, VBScript) as necessary.
• Disable ActiveX controls (signed or otherwise) but permit running of limited “Administrator approved” (e.g. Shockwave Flash) ActiveX controls on request.
• Disable Java Applets.
• Enable File Downloads on request.
• Permit Session Cookies (block 3rd party cookies if possible).
• Disable paste operations via scripts.

Unknown / Untrusted Sites

• Disable all active content (Java applets, ActiveX controls and active scripting).
• Disable File Downloads.
• Block All Cookies (if possible).

Browser Usage

• Never browse the Internet from an administrator account.
• Never browse the Internet from any machine that is running a network daemon or server.
• Remember “Default Deny”. Never blindly accept a dialog box; always cancel unexpected dialogue boxes unless you are sure about what you are doing.
• Always choose difficult-to-guess passwords which are not dictionary words and which contain numerals and other non-alphabetic characters.
• Before logging on to a secure site check:
  • The URL on the location bar matches the site you are logging on to.
  • https:// is displayed in the location bar and the unbroken lock symbol is displayed.
  • The site digital certificate is valid, signed by a trusted third party and the URL in the certificate matches the site you intended to visit.
• Never enter your operating system login password into any online form.
• Use a different secure password for each secure site that you register with.
• Remember to log out of a secure SSL session before moving on to another site.
• Never save a page from a site that you have placed in the Restricted Sites zone to the local disk.
• Never follow a hypertext link to any security sensitive site from either an email message or from another web page. Always access such sites directly to avoid the possibility of a cross-site scripting attack.

NISCC Technical Note 05/03 ‘Configuration and Use of Web Browsers’ - Paragraph 43

[u] http://www.computerweekly.com/articles/article.asp?liArticleID=131828&liFlavourID=1
4.7 Malware Countermeasures

Key Documents:
NISCC Technical Note 03/04 ‘Guidance on Handling Files with Possible Malicious Content’ [45]
Infosec Memo 12 ‘Dealing with Malicious Software’ [46] (To be reviewed - GSI access required)
Infosec Memo 21 ‘Risk Management of Mobile Code’ [47] (Review in draft - GSI access required)

51. This section points to specific countermeasure advice on different types of malware. NISCC Technical Note 03/04 ‘Guidance on Handling Files with Possible Malicious Content’ provides guidance on the likelihood that a file of a given format could contain potentially malicious executable code. The intended audience of this note is system administrators and organisational security officers looking to carry out a risk assessment of accepting different file types onto an organisation’s network. The note also contains an extensive table of file types and the generic level of risk that they pose to an organisation’s network. Key recommendations are given as:
• Install anti-virus products on workstations, servers and gateways. You should consider using an anti-virus product from a different vendor at each of these points to maximise the chances of detecting a virus.
• Check the configuration of anti-virus products for “heuristics” or “unknown virus” options. If these are not enabled, then enable them. Heuristic scanners look for suspicious code, and thus are an extra layer of defence when dealing with new viruses that are not specifically known to the anti-virus product. This increases the chances of a new or difficult virus being detected. (There is a risk of the heuristic scanner incorrectly detecting a file as a virus. A review of the file in a quarantined environment may indicate that it is safe to provide to the recipient.)
• Update anti-virus products on a regular basis, preferably using live update functionality to the organisational gateway.
• Use a content scanner at the gateway in conjunction with an anti-virus product to check that the format of a file is as claimed. Content checkers should be evaluated as fit for use before deployment (for example, against Common Criteria or the UK government’s FAST TRACK scheme), otherwise they may not provide the desired security functionality.
• Subject to testing in a non-operational environment to verify that patches do not adversely affect system stability, ensure that the latest security patches are installed for all software. This may include patches which prohibit or warn about particular file formats imported onto the desktop.

NISCC Technical Note 03/04 ‘Guidance on Handling Files with Possible Malicious Content’ - paragraph 31
4.7.1 Trojan Code Countermeasures

Key Documents:
NISCC Technical Note 01/04 ‘Increased use of Trojan Horse Programs’ [48]
NISCC Technical Note 08/03 ‘Trojan Horse Programs and RootKits’ [49]

Useful Links:
UNIRAS Briefing 308/04 ‘Mitigating risks to Email based Trojans’ [50]

NISCC recommends that organisations, whether members of the GSi or not, ensure that a local policy is in place that prohibits the automated forwarding of mail and that where possible mandatory technical controls are used on either the server or client.

52. The key documents above are particularly pertinent when forming a network defence strategy.
53. NISCC Technical Note 08/03 ‘Trojan Horse Programs and RootKits’ describes the capabilities of Trojans and rootkits and illustrates the capabilities by mentioning the features of some well-known examples. Advice is provided on detection, removal and prevention. Preventative measures are listed as:

• Block all executable mail attachments at the network perimeter or at the very least ensure that they are digitally signed by a trusted party
• Ensure that the security permissions of all users reflect least privilege (for example, restricting installation privileges to system administrators)
• Follow the vendor’s best practice security advice
• Use an appropriate virus/Trojan scanner on a regular basis

NISCC Technical Note 08/03 ‘Trojan Horse Programs and RootKits’ - Paragraph 21
54. Many Trojans have the capability to exfiltrate user ID and password details. This enables the attacker to attempt a POP3 [v] or IMAP [w] based attack whereby an email account is accessible to someone other than the owner.
55. The GSi Code of Connection currently mandates a security policy to connecting organisations that forbids automatic forwarding of email to accounts that are beyond the GSi network boundary. GSi connected networks must therefore have in place a local policy which prevents the auto-forwarding of mail, to prevent protectively marked or commercially sensitive information being present on an unaccredited network.

[v] POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into most popular e-mail products, such as Eudora and Outlook Express. It's also built into the Netscape and Microsoft Internet Explorer browsers.
[w] An alternative protocol to POP3 is Internet Message Access Protocol (IMAP). IMAP provides the user more capabilities for retaining e-mail on the server and for organizing it in folders on the server. IMAP can be thought of as a remote file server.
56. NISCC Technical Note 01/04 ‘Increased use of Trojan Horse Programs’ is an urgent reminder to organisations that system software requires routine maintenance. Updating software is one of the most important aspects of any network defence strategy. The note emphasises the increased development and use of network attack tools by the hacker community, and specifies mitigation recommendations as follows:

• Organisations that use Microsoft products should use Microsoft’s Software Update Service to keep their software current. Information on this service is available at http://www.microsoft.com/windowsserversystem/sus/default.mspx
• Install and use anti-virus software. As with any software, visit the vendor web site at least once a week or use an automated update feature to download the software updates. Anti-virus software can become dated very quickly and therefore must be kept current for it to protect a system from attack.
• Install and use a firewall. The purpose of a firewall is to isolate a computer from the rest of the Internet. Firewalls should be configured to block incoming and outgoing Internet communications according to the rules created by a user or system administrator. To stop Trojan server software communicating to a client, blocking unexpected outbound communications is an important technique.
• Use an integrity checker such as “tripwire” to detect changes to key system files.
• Institute a mandatory user awareness and security training program.
• Use a proxy for services because it breaks the stateful connection that in some instances will be required to successfully compromise a computer.
• Use an intrusion detection system to monitor the network’s key computers and the local area network.
• Use a network traffic monitoring tool such as Microsoft’s “netmon”. Ethereal is also available for Microsoft and UNIX systems.
• Enable logging on applications, the operating system and on gateways such as routers and firewalls. Logs should be reviewed regularly against the organisational security policy.
• Install and use a specialised Trojan detection kit.
• Network administrators should coordinate with an organisation’s mission directors and disable all network services not mission essential.
• Never run services as administrator; institute a policy whereby all services are run at the lowest privilege level.
• Show multiple file extensions such as “name.bmp.exe” or “name.txt.vbs”, and remember that only the last extension matters. File extensions are often hidden so a user cannot tell what type of file they have at a glance. Files that have a “.vbs”, “.shs” or “.pif” extension on the end will often indicate a worm.
• Limit folder sharing. In general, folder sharing makes systems less secure, since it opens a conduit for someone to access a computer where none previously existed. We acknowledge this is not possible in some instances but it should only be permitted when absolutely necessary.
• A modem should not be used to bypass a firewall in order to connect to a network with a different organisational security policy.
• Avoid advertisements or spam of any type; delete these messages immediately.
• Never allow Instant Messaging (IM) across the Internet.
• Back up system files regularly; in the event they are compromised or lost they can be restored.
• Create strong passwords for all accounts, especially for the administrator accounts. Change all passwords frequently.
• Use a content filter to check web traffic inbound and outbound for malicious code.
• Install and use a configurable content checker and block executable files.
• Organisations within the UK government or in the UK CNI should report network attacks to http://www.niscc.gov.uk/Niscc/reportIncident-en.html
• Avoid email attachments when receiving email from an untrusted source. This will not be possible for every organisation, but always consider the potential damage that may occur when opening an attachment.

NISCC Technical Note 01/04 ‘Increased use of Trojan Horse Programs’ - Paragraph 22
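Three of the recommendations in this section and in section 4.7 describe one gateway control from different angles: check that a file's format is as claimed, block executable files, and judge a file by its last extension because that is the one the operating system acts on. The following is an added example (not code from the NISCC notes) of a content check that does all three, and goes one step further by looking inside zip archives for executable members. The magic-number table, the extension lists and the sample attachments are constructed for illustration and are deliberately short; a real content checker needs a far larger format table, and as the note says, it should be evaluated before deployment.

```python
"""Gateway content check for incoming files.

Added example, not code from the NISCC notes: it implements three of the
recommendations above (check that a file's format is as claimed, block
executable attachments, and judge a file by its last extension only) and
looks inside zip archives for executables.  The magic-number table, the
extension lists and the sample files are constructed for illustration and
are far from exhaustive.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# First bytes that a file claiming this extension must start with.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".bmp": [b"BM"],
    ".zip": [b"PK\x03\x04"],
}
# Extensions Windows treats as directly executable (by the loader, shell or script host).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".shs", ".hta", ".wsf"}


def extensions(filename: str) -> List[str]:
    """'name.bmp.exe' -> ['.bmp', '.exe']; the last element is what the OS acts on."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:] if p]


def archive_executables(data: bytes) -> Optional[List[str]]:
    """Names of executable members in a zip, or None if the data is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return None
    return [n for n in names if extensions(n) and extensions(n)[-1] in EXECUTABLE_EXTENSIONS]


def check_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ('block' | 'quarantine' | 'allow', reason) for one incoming file.

    Default deny: anything the checker cannot positively identify is quarantined
    for a human to look at rather than delivered.
    """
    exts = extensions(filename)
    last = exts[-1] if exts else "(none)"
    if last in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {last} (full name {filename})"
    if data.startswith(b"MZ"):
        # DOS/PE executable header, whatever the name claims.
        return "block", f"executable content disguised as {last}"
    if last == ".zip":
        members = archive_executables(data)
        if members is None:
            return "quarantine", "claims to be a zip archive but does not parse as one"
        if members:
            return "block", "compressed executable(s): " + ", ".join(members)
    if last not in MAGIC:
        return "quarantine", f"no content rule for {last}"
    if not any(data.startswith(m) for m in MAGIC[last]):
        return "quarantine", f"content does not match the claimed {last} format"
    if len(exts) > 1:
        return "allow", f"double extension {''.join(exts)}, content matches {last}"
    return "allow", f"content matches {last}"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (contents are stand-ins, not real files).
SAMPLES = [
    ("holiday.bmp.exe", b"MZ\x90\x00" + b"\x00" * 60),          # double extension, real executable
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),              # executable renamed to .pdf
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),           # genuine PDF header
    ("photo.jpg", b"GIF89a" + b"\x00" * 20),                    # format does not match name
    ("tools.zip", make_zip({"readme.txt": b"hi", "setup.exe": b"MZ"})),
    ("minutes.zip", make_zip({"minutes.txt": b"Meeting notes"})),
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        decision, reason = check_attachment(name, content)
        print(f"{decision:10} {name:18} {reason}")
```

The ordering of the checks matters: the executable test on content runs before the format table is consulted, so "invoice.pdf" with an MZ header is blocked rather than merely quarantined as a mismatch, and the zip inspection runs before the zip's own magic check so that a well-formed archive carrying setup.exe is still refused.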
4.7.2 Worm Countermeasures

Key Documents:
NISCC Technical Note 07/03 ‘Internet Worms’ [51]

57. Worms [x] have had a huge impact because of their ability to self replicate and spread more quickly than humans can respond.
58. NISCC Technical Note 07/03 ‘Internet Worms’ gives some insight into the history of worms and summarises the impact of some of the worst Internet worms seen so far. The key point to note is that all the worms exploited existing known vulnerabilities for which patches were available, but not applied. The technical note lists preventive, detection and remediation countermeasures. A summary of the preventive and detective countermeasures follows:

Preventative

• Applying patches or workarounds for the vulnerability
• Deploying anti-virus software on all gateways and desktops
• Blocking all network services inbound and outbound for which there is no business case for Internet users
• Using filtering and proxy services inbound and outbound for all network services that are needed
• Deploying vendor tools to limit the type and function of network services allowed (e.g. IIS Lockdown for Microsoft’s IIS web server)
• Disabling or removing unnecessary applications and network services on the organisation’s Internet facing computer systems
• Running network services with least privilege so that the effect of any remote compromise is minimised
• Using a best practice security configuration for all Internet facing computers
• Running public servers connected to the Internet in their own network segment (a demilitarised zone)

NISCC Technical Note 07/03 ‘Internet Worms’ - Section 6

Detective

• Intrusion detection systems
• Anti-virus products
• Analysis of firewall logs
• Network monitoring software (e.g. Ethereal)
• Host monitoring software (e.g. Tripwire)

NISCC Technical Note 07/03 ‘Internet Worms’ - Section 7

[x] A self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems (usually via network connections). Note that unlike viruses, worms do not need to attach themselves to a host program. (VIRUS-L/comp.virus Frequently Asked Questions)
4.7.3 Spam Countermeasures

Key Documents:
NISCC Technical Note 02/04 ‘Spam Mitigation Techniques’ [52]

The new GSi offers an optional anti-spam service that will analyse mail before it reaches the organisation’s connected network. NISCC recommends that organisations evaluate this or similar services for their GSi and Internet facing networks.
59. As recently as 2003, researchers quoted estimates that spam [y] was expected to account for 45% of the 10.9 trillion messages sent around the world in that year [z]. Spam email is often crafted to protect the identity and location of the sender, and will often be delivered through a variety of deception techniques designed to get around current filtering technologies.

60. Recent press coverage of spam has highlighted that these messages are being used as a vehicle for a wide range of malicious and illegal activity. See BBC: Spam reveals its darker side [53]. Clicking on URL links within a spam email can potentially download malicious code. This will often not be detected by antivirus software at an organisation’s network boundary and will also not be noticeable to the users or system administrators. The ‘emergence of convergence’ [54] between spammers and malicious code writers means that employing spam countermeasures is becoming a necessity.
61. NISCC Technical Note 02/04 ‘Spam Mitigation Techniques’ lists a number of anti-spam techniques that have been developed as a result of increased public awareness and the increased threat that spam presents to business productivity and security. Spam countermeasures are a mix of procedural and technical controls that are applicable to an organisation’s mail server and/or on the client. The following is a list of various techniques available to mitigate the threat:

• Delete spam messages. If possible delete spam messages without opening them. Think of it in the same context as throwing away the junk mail received at home.
• Never reply to a spam message. This can inadvertently cause all original addressees to receive the reply, causing another flood. This result is true more often with chain letters than with run of the mill spam.
• Never respond to “instructions to remove me from the mailing list”. Most often the spam victim will receive a bounced mail message in reply. Typically, taking this action will add a victim’s address to many spam lists, as it serves as a confirmation that the account is active and the email is being read. There are legislative efforts underway to force organisations to adhere to their opt out commitment.
• Best practice is to never post to a news group or bulletin board. However, if compelled to do so, post messages using a modified email address that will never yield a reply through automated means. For example, the legitimate address “user@isp.com” could be easily modified to “user((at))i-s-p-dot-c/o/m”. This will at least give the user a fighting chance at avoiding detection by automated harvesters.
• If hosting a webpage or web site, do not post any legitimate email address as a hyperlink. It’s a bit more work, but use a form instead to act as an intermediary so that a legitimate email address is never revealed.
• Users should remove or modify their signature block when posting to, or sending email to, any open forum. This sounds very basic but often people will forget that this automatic signing feature is populated with precisely what the spammer is looking for.
• Consider using a throwaway email account and use that address only when posting messages. If a throwaway account is used, be prepared to dump it for a new one when that inbox begins filling with spam.
• Throwaway addresses can be tailored for specific events. Consider a user that will attend a business meeting and knows they will be giving their email address to new associates. Prior to attending the meeting the user creates a tailored address named after the meeting itself, “meetingJanuary2004@isp.com”, and distributes it only to the members of this business. This technique can be used to communicate with new business associates until they have established their credibility. Should the user receive spam at this disposable address it will point directly to the group responsible.
• If operating a mail server, ensure that it is configured to allow only legitimate clients to send and receive email.
• If operating a web proxy server, ensure that it is configured to prevent unintended uses.
• System administrators should consider enabling the anti-spam features that are incorporated into many of the server software packages currently on the market.
• Be selective about how email addresses are distributed, and encourage individual end users to be similarly selective.
• Never list all the email addresses of an organisation on a single web page, and where possible do not list them as direct hyperlinks.

NISCC Technical Note 02/04 ‘Spam Mitigation Techniques’ - paragraph 61

[y] Unsolicited email which is generally used to advertise various products or services
[z] According to research firm Radicati Group in Palo Alto, Calif.,
4.8 Distributed Denial of Service Countermeasures

Key Documents:
NISCC Technical Note 06/02 ‘Response to Distributed Denial of Service (DDoS) Attacks’ [55]
‘Denial of service attacks, while still relatively rare, are a growing problem. In 2002, one in twenty businesses reported an attack. In 2004, the figure was nearer one in fifteen. Denial of service attacks were rarely isolated incidents. Most businesses affected were targeted many times.’
2004 DTI Information Security Breaches Survey

62. A Denial of Service (DoS) attack is designed to interrupt the availability of an organisation’s information systems by flooding them with unwanted traffic, resulting in network services being made unavailable. One of the commonest and most effective DoS attacks is the distributed denial of service attack (DDoS), which uses malware to exploit vulnerabilities in a number of zombie [aa] clients, enabling those clients to be used in a combined and co-ordinated attack on the victim.
63. More recently the number of zombie clients linked for an attack has reached tens and hundreds of thousands (BBC: ‘No end in sight to Mydoom virus’ [56]), proving that these ‘networks’ of attackers are immensely powerful.

64. Preventing your organisation’s network from being used as a platform from which to launch a DDoS attack is of equal importance to mitigating an attack itself. There may be legal repercussions from the victim of an attack to which you have (unwittingly) contributed. NISCC Technical Note 06/02 ‘Response to Distributed Denial of Service (DDoS) Attacks’ covers immediate and longer term remedial measures, and also countermeasures to prevent your organisation from becoming a DDoS handler or agent. The following countermeasures are particularly pertinent:

• Application of patches and upgrades
• Maintaining awareness of the latest vulnerabilities and exploits
• Deployment of firewalls to enforce your organisational security policy
• Deployment of intrusion detection systems to indicate breaches of your organisational security policy

NISCC Technical Note 06/02 ‘Response to Distributed Denial of Service (DDoS) Attacks’ - Paragraph 42

[aa] A compromised web site or client that is used as an attack launch point is known as a zombie.
5. Detection

5.1 Protective Monitoring

Key documents:
Memo 22 ‘Protective Monitoring’ [57] (GSI access required)
NISCC Technical Note 03/03 ‘Protective Monitoring – Introduction to Audit and Accounting Log Analysis’ [58]
GSi Code of Connection
Protective Monitoring on the new GSi [59] (GSI access required)
Technical Specification for detecting intruders and attempts at intrusion on managed IT systems (CSIA sponsored paper currently in draft)
65. Protective Monitoring (PM) is a term used to describe both accounting and audit. PM is an essential element of your network defence strategy. It is a process of recording network event information (accounting) and subsequently analysing it (auditing) and comparing it to the organisation’s security policy. If the policy is infringed, it should identify the management actions that may follow.
66. Memo 22 ‘Protective Monitoring’ is the key guidance document on this subject. It is consistent with the requirements and controls listed in BS7799 and is intended to inform the development of organisational PM policies rather than give details. A special interest group on PM has been formed, under the auspices of the IT Security Officers’ Forum, to review this Memo and provide further detailed guidance on how to achieve effective PM.
67. NISCC Technical Note 03/03 ‘Protective Monitoring – Introduction to Audit and Accounting Log Analysis’ provides advice on the sources of logs within a network, the definition of a common format for logs, attack patterns and their correlation. This technical note was produced during the development and piloting of a proof-of-concept log analysis capability and, though a year has elapsed since this note was published, it is a good starting point for implementing PM after a policy has been documented.
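Paragraphs 65 and 67 describe PM as two steps: record events in a common format (accounting), then analyse them against the security policy and known attack patterns (auditing). Section 4.7.2 lists analysis of firewall logs as a detective countermeasure for worms for the same reason. The following is an added example (not code from the NISCC notes) that does both steps over firewall log lines: it normalises each line into a record, reports outbound connections that the policy does not permit, and looks for the one-source-to-many-destinations pattern a worm or scanner leaves. The log line format, the internal address range, the permitted-port policy and every sample line are constructed for illustration; the regular expression is what you would change for your own firewall's format.

```python
"""Protective monitoring over firewall logs.

Added example, not code from the NISCC notes: it takes the accounting step
(firewall log lines normalised into a common record) and the audit step
(comparing them with the security policy and looking for an attack pattern)
described above, and covers the 'analysis of firewall logs' detective
countermeasure for worms in section 4.7.2.  The log format, the address
ranges, the policy and the sample lines are all constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed syslog-style line, loosely modelled on a packet-filter log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>ACCEPT|DENY) "
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
ALLOWED_OUTBOUND_PORTS = {25, 53, 80, 443}         # assumed policy: mail, DNS and web only


def parse_line(line: str, year: int = 2004) -> Optional[Dict]:
    """Accounting: normalise one log line into a record; None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def parse_log(text: str) -> List[Dict]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def policy_violations(records: List[Dict]) -> List[Tuple[str, str, int, str]]:
    """Audit: internal hosts trying to reach the Internet on ports the policy does not allow.

    A Trojan calling home or an IRC-controlled agent shows up here whether or
    not the firewall let the connection through.
    """
    found = []
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]) and r["dpt"] not in ALLOWED_OUTBOUND_PORTS:
            found.append((r["src"], r["dst"], r["dpt"], r["action"]))
    return found


def scan_sources(records: List[Dict], window_seconds: int = 60, threshold: int = 10) -> List[Tuple[str, int, int]]:
    """Attack pattern: one source touching many distinct destinations on one port within a window.

    That is the signature of a worm or scanner.  Returns (source, port, most
    distinct destinations seen in any single window) for each source over the threshold.
    """
    events = defaultdict(list)
    for r in records:
        events[(r["src"], r["dpt"])].append((r["ts"], r["dst"]))
    alerts = []
    for (src, dpt), hits in events.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= threshold:
            alerts.append((src, dpt, best))
    return alerts


# Constructed sample log: a worm-like host sweeping port 445, normal web traffic and an IRC call-out.
SAMPLE_LOG = "\n".join(
    [f"Oct 12 09:15:{i:02d} fw1 kernel: DENY IN=eth1 OUT=eth2 SRC=10.0.5.21 DST=10.0.6.{i} "
     f"PROTO=TCP SPT={40000 + i} DPT=445" for i in range(1, 13)]
    + ["Oct 12 09:15:30 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=203.0.113.7 PROTO=TCP SPT=3345 DPT=80",
       "Oct 12 09:16:02 fw1 kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=198.51.100.9 PROTO=TCP SPT=1187 DPT=6667",
       "Oct 12 09:16:05 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.50 DST=10.0.1.2 PROTO=TCP SPT=51000 DPT=25",
       "this line is not in the expected format and is skipped"]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for src, dst, dpt, action in policy_violations(recs):
        print(f"policy: {src} -> {dst}:{dpt} ({action}) not permitted outbound")
    for src, dpt, count in scan_sources(recs):
        print(f"scan: {src} reached {count} hosts on port {dpt} within 60s")
```

Note that the 445 sweep is internal-to-internal, so the policy check says nothing about it and only the pattern check catches it; the IRC connection is a single event, so only the policy check catches that. Two different audits over the same records is the point of recording them in one common format first.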
68. The ‘GSi Code of Connection’ and ‘Protective Monitoring on the new GSi’ documents explain to GSi connected organisations the level and detail of PM required on the ‘new’ GSi and compare these requirements to what was required for ‘legacy’ GSi connected networks.
69. The document ‘Technical specification for detecting intruders and attempts at intrusion on managed IT systems’ outlines the technical requirements that organisations should consider when deciding how to defend their networks. The document intends to give organisations guidance as to what technical requirements to include in a contract with their managed service provider or managed security service provider. However, this paper is not due to be completed until November 2004.
5.2 Intrusion Detection Systems

Key documents:
NISCC Technical Note 09/03 ‘Understanding Intrusion Detection Systems’ [60]
NISCC Technical Note 10/03 ‘Deployment Guidance for Intrusion Detection Systems’ [61]
70. An Intrusion Detection System (IDS) is a useful tool that can assist in the analysis of intrusion attempts [bb]. It is viewed as a second line of defence to other security devices deployed on an organisation’s information systems and may be thought of as a burglar alarm, its function being to detect intrusions. Some IDSs are also capable of taking pro-active security measures on discovery of intrusion attempts.
71. NISCC Technical Note 09/03 ‘Understanding Intrusion Detection Systems’ introduces the concept of IDSs and aims to increase the technical awareness of the reader, enabling them to determine what types of IDS would be most appropriate for their organisation’s network.
72. NISCC Technical Note 10/03 ‘Deployment Guidance for Intrusion Detection Systems’ supplements NISCC Technical Note 09/03. Its purpose is to assist organisations which are thinking about implementing, upgrading or procuring an IDS (be it self-managed or part of a managed service), and provides them with basic knowledge to be able to enter into discussions with vendors and managed service providers.
73.
The following diagram gives an example of where and what type of sensors can be placed on a
simple network. The accompanying table explains the reasoning behind each placement:
[bb] The CISSP Prep Guide – Krutz and Vines

Priority 1, host sensor: The high Internet threat, combined with the concern for public image, makes the Internet-facing servers the first priority. A network sensor could be deployed, but a host-based sensor is more likely to detect an attack carried in encrypted traffic such as HTTPS.

Priority 2, network sensor: To protect the remaining network, a network sensor is deployed to monitor all traffic entering the internal networks from the Internet.

Priority 3, network sensor: The only remaining connection out of the network is then monitored with a further network sensor. This sensor will not only identify incoming attacks but will also alert if the network is being used to attack the sister organisation.

Priority 4, host sensor: At this stage there may be no way of detecting internal activity. As the internal servers contain the most valuable information, host sensors are deployed to protect them. In many organisations the priority of internal servers may be even greater than that of Internet-facing servers.

Priority 5, network sensor: A network sensor is deployed to monitor traffic to and from the workstations. This is the lowest-cost way of protecting the workstations and may also detect attempts to launch attacks from them against other parts of the network.

Priority 6, host sensor: The workstations themselves are then protected with host sensors, offering a far greater level of security.

Priority 7, network sensor: This network sensor is almost redundant, as all traffic visible to it should already be seen by sensor 2 or sensor 5.

Priority 8, network sensor: The final sensor to be deployed is a network sensor outside the firewall. The organisation decided that it did not have the resources or skills required to monitor the alerts from this sensor constantly, but considered that it might be useful for identifying port scanning activity or problems such as DoS (although this information can generally be obtained by analysis of firewall logs).

Source: NISCC Technical Note 10/03 ‘Deployment Guidance for Intrusion Detection Systems’, paragraph 19.
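The placement reasoning in the table can be checked mechanically rather than by inspection. The following Python script is an added example; it is not part of this NISCC note or of Technical Note 10/03. It models a constructed topology loosely matching the segments the table mentions (Internet-facing servers, internal servers, workstations, a sister-organisation link, a firewall), a constructed list of attack flows, and the eight sensors in their priority order, then reports which flows remain unmonitored after each deployment step and which sensors only duplicate coverage already provided by earlier ones. Segment names, links, flows and the simplification that a network sensor cannot inspect encrypted traffic are all assumptions made for the example. With this topology sensor 7 comes out redundant and server-to-server traffic on the internal segment stays unmonitored until the host sensors of step 4 are deployed, which is the reasoning the table gives.

```python
# Added example (not from the NISCC note): a coverage check for an IDS sensor plan.
# Segments, links, flows and sensor locations are constructed for illustration.

# Constructed topology: undirected links between network segments.
LINKS = [
    ("internet", "firewall"),
    ("firewall", "dmz"),             # Internet-facing servers
    ("firewall", "core"),            # the way into the internal networks
    ("core", "internal_servers"),
    ("core", "core_services"),       # assumed: DNS, DHCP, print servers
    ("core", "ws_switch"),
    ("ws_switch", "workstations"),
    ("core", "sister_org"),          # link to the sister organisation
]

# Sensors in deployment priority order: (id, kind, location). A network
# sensor sits on a link; a host sensor runs on every host of a segment.
SENSORS = [
    (1, "host", "dmz"),
    (2, "network", ("firewall", "core")),
    (3, "network", ("core", "sister_org")),
    (4, "host", "internal_servers"),
    (5, "network", ("ws_switch", "workstations")),
    (6, "host", "workstations"),
    (7, "network", ("core", "ws_switch")),
    (8, "network", ("internet", "firewall")),   # outside the firewall
]

# Constructed attack flows: (name, source, destination, encrypted?). Equal source/destination = intra-segment.
FLOWS = [
    ("internet->dmz https", "internet", "dmz", True),
    ("internet->internal_servers", "internet", "internal_servers", False),
    ("internet->workstations", "internet", "workstations", False),
    ("internet->firewall scan", "internet", "firewall", False),
    ("workstations->internal_servers", "workstations", "internal_servers", False),
    ("workstations->core_services", "workstations", "core_services", False),
    ("workstations->sister_org", "workstations", "sister_org", False),
    ("sister_org->internal_servers", "sister_org", "internal_servers", False),
    ("internal_servers lateral", "internal_servers", "internal_servers", False),
    ("workstations lateral", "workstations", "workstations", False),
]

def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def find_path(adj, src, dst, visited=()):
    """Depth-first search; returns the segments from src to dst (unique in a tree) or None."""
    if src == dst:
        return [src]
    for nxt in sorted(adj.get(src, set()) - set(visited)):
        tail = find_path(adj, nxt, dst, visited + (src,))
        if tail:
            return [src] + tail
    return None

def observers(flow, sensors, adj):
    """Ids of the sensors able to detect an attack carried by this flow.
    Simplification (an assumption of this example): a network sensor sees a flow
    only if its link is on the path and the payload is not encrypted; a host
    sensor sees every flow that starts or ends on its segment."""
    _, src, dst, encrypted = flow
    nodes = find_path(adj, src, dst)
    if nodes is None:
        raise ValueError(f"no path from {src} to {dst}")
    links = {frozenset(pair) for pair in zip(nodes, nodes[1:])}
    seen = set()
    for sid, kind, where in sensors:
        if kind == "network" and not encrypted and frozenset(where) in links:
            seen.add(sid)
        elif kind == "host" and where in (src, dst):
            seen.add(sid)
    return seen

def uncovered_after(n, flows=FLOWS, sensors=SENSORS, links=LINKS):
    """Names of the flows no sensor sees once the first n sensors are deployed."""
    adj = build_adjacency(links)
    return [f[0] for f in flows if not observers(f, sensors[:n], adj)]

def redundancy_by_priority(flows=FLOWS, sensors=SENSORS, links=LINKS):
    """Map each sensor id to the earlier sensors already seeing every flow it sees ([] = adds coverage)."""
    adj = build_adjacency(links)
    report = {}
    for i, sensor in enumerate(sensors):
        covering = set()
        for flow in flows:
            if not observers(flow, [sensor], adj):
                continue
            others = observers(flow, sensors[:i], adj)
            if not others:           # nobody earlier sees it: new coverage
                covering = set()
                break
            covering |= others
        report[sensor[0]] = sorted(covering)
    return report

if __name__ == "__main__":
    print("unmonitored after each step:", [uncovered_after(n) for n in range(len(SENSORS) + 1)])
    print("redundant sensors:", {s: d for s, d in redundancy_by_priority().items() if d})
```

The verdict on any sensor is only as good as the list of flows you enumerate: sensor 5 stops looking redundant here only because a workstation-to-core-services flow is included, and sensor 8 only because a scan against the firewall itself is. That dependence is why the table hedges sensor 7 as "almost" redundant, and why the flow list should be drawn from the threat model rather than from whatever traffic happens to be easy to name.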
6. Incident Response

Key Documents:
Guidance for reporting electronic attack incidents to UNIRAS[62]
S(E)N 04/01 ‘Guidance on Security Incident Reporting’[63] (GSI access required)
Computer Security Incident Response Team Handbook[64]
74. Incident Response comprises that set of actions taken to deal with an incident when it occurs. These actions normally represent some form of intervention to negate or minimise the impact of the incident.[cc] Effective identification of incidents and incident reporting are essential components of a system’s risk management, governance and overall information assurance.
75. Having an incident response capability is increasingly viewed as an essential part of exercising ‘due care’: if an organisation were to experience a security breach and had no adequate response capability in place to contain the impact, it is arguable that the organisation has not fulfilled its responsibilities associated with ‘due care’.
76. The Computer Security Incident Response Team Handbook is an industry best practice guide to creating and running an Incident Response Team. NISCC will be running a number of workshops towards the end of 2004 to help Government organisations develop an incident response capability and identify what is needed to set up an incident response team.
77. UNIRAS (the UK Government Computer Security Incident Response Team), which is part of NISCC, has a 24/7 help line available to Government, List X companies and private sector CNI companies, and encourages these organisations to report incidents to UNIRAS immediately. The UNIRAS web site and S(E)N 04/01 ‘Guidance on Security Incident Reporting’ clarify what should be reported. Effective reporting enables UNIRAS to respond with help when needed, warn others and identify determined attacks across a number of targets within the community.
78. Reports to UNIRAS should be made in the first instance by telephone, or via the alternative contact details below:

Telephone: 0870 487 0748
Email: uniras@niscc.gov.uk
UK Government CERT, PO Box 832, London, SW1P 1BG
[cc] Incident Response: ‘A Strategic Guide to Handling System and Network Security Breaches’ (Schultz & Shumway)
Appendix A – Reference to other key documents and useful links
(Documents primarily applicable to the Government Community, such as the Manual of Protective Security or other Government Policy documents, are only available to GSI connected users.)

A. General Protective Security Guidance
The Manual of Protective Security[65] (GSI access required)

B. Where is Policy Published?
Cabinet Office Security Education Notices S(E)Ns[66] (GSI access required)
CESG Infosec Bookstore[67] (GSI access required)

C. NISCC Best Practice Guidelines
Border Gateway Protocol Filtering Guidelines[68]
Telecommunications Resilience[69]
NISCC Assurance Report for “The CNI Organisation” Generic Example, June 2004[70]
NISCC’s Information Exchanges – Example Membership Guidelines[71]

D. NISCC Technical Notes not referenced elsewhere in this document
NISCC Technical Note 02/03 ‘Understanding Common Criteria Evaluation’[72]
NISCC Technical Note 04/02 ‘The Security of 802.11 Wireless Networks’[73]
NISCC Technical Note 12/03 ‘Understanding the Security of ADSL’[74]
[1] http://www.niscc.gov.uk
[2] http://www.ogcbs.gov.uk/products/it_telecoms/gsi/GSI.pdf
[3] http://www.pwc.com/Extweb/ncsurvres.nsf/docid/845A49566045759E80256B9D003A4773
[4] http://www.pwc.com/Extweb/ncsurvres.nsf/docid/845A49566045759E80256B9D003A4773
[5] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo2.pdf (Access to the Government Secure Intranet is required to view this site)
[6] http://www.icaew.co.uk/index.cfm?AUB=TB2I_6242,MNXI_47896
[7] http://www.itgi.org/Template_ITGI.cfm?Section=ITGI&CONTENTID=6658&TEMPLATE=/ContentManagement/ContentDisplay.cfm
[8] http://www.bsi-global.com/Global/bs7799.xalter
[9] http://www.cesg.gsi.gov.uk/bookstore/docs/hmg/hmg1.pdf (Access to the Government Secure Intranet is required to view this site)
[10] http://www.cert.org/octave/
[11] http://www.cesg.gsi.gov.uk/bookstore/docs/hmg/hmg2.pdf (Access to the Government Secure Intranet is required to view this site)
[12] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo21.pdf (Access to the Government Secure Intranet is required to view this site)
[13] http://www.warp.gov.uk
[14] http://www.niscc.gov.uk/niscc/infoEx-en.html
[15] http://www.niscc.gov.uk/niscc/docs/re-20040601-00395.pdf?lang=en
[16] http://www.itsof.gsi.gov.uk/ (Access to the Government Secure Intranet is required to view this site)
[17] http://www.niscc.gov.uk/niscc/respToIncidents-en.html
[18] http://www.cabinetoffice.gov.uk/csia
[19] http://www.cesg.gsi.gov.uk/bookstore/docs/hmg/hmg3.pdf (Access to the Government Secure Intranet is required to view this site)
[20] http://www.cesg.gsi.gov.uk/bookstore/docs/hmg/sen043.pdf (Access to the Government Secure Intranet is required to view this site)
[21] http://www.ogcbuyingsolutions.gov.uk/products/it_telecoms/gsi/code_of_connection.pdf
[22] http://www.niscc.gov.uk/niscc/docs/re-20020301-00476.pdf?lang=en
[23] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo13.pdf (Access to the Government Secure Intranet is required to view this site)
[24] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/manm.pdf (Access to the Government Secure Intranet is required to view this site)
[25] http://nsa1.www.conxion.com/support/guides/sd-7.pdf
[26] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo24.pdf (Access to the Government Secure Intranet is required to view this site)
[27] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo26.pdf (Access to the Government Secure Intranet is required to view this site)
[28] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo27.pdf (Access to the Government Secure Intranet is required to view this site)
[29] http://www.cesg.gsi.gov.uk/bookstore/docs/hmg/sen991.pdf (Access to the Government Secure Intranet is required to view this site)
[30] http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=4&subMenu=4&displayPage=400
[31] http://www.niscc.gov.uk/niscc/docs/re-20040714-00589.pdf?lang=en
[32] http://www.niscc.gov.uk/niscc/docs/re-20031210-00731.pdf?lang=en
[33] http://www.niscc.gov.uk/niscc/docs/re-20030630-00724.pdf?lang=en
[34] http://www.niscc.gov.uk/niscc/docs/re-20030110-00721.pdf?lang=en
[35] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/manp.pdf (Access to the Government Secure Intranet is required to view this site)
[36] http://www.nsa.gov/snac/downloads_winnt.cfm?MenuID=scg10.3.1.1
[37] http://csrc.nist.gov/itsec/
[38] http://www.niscc.gov.uk/niscc/docs/re-20040325-00157.pdf?lang=en
[39] http://www.niscc.gov.uk/niscc/docs/re-20040325-00158.pdf?lang=en
[40] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/mann.pdf (Access to the Government Secure Intranet is required to view this site)
[41] http://www.niscc.gov.uk/niscc/docs/re-20021025-00481.pdf?lang=en
[42] http://www.niscc.gov.uk/niscc/docs/re-20030801-00726.pdf?lang=en
[43] http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf
[44] http://www.niscc.gov.uk/niscc/docs/re-20030801-00725.pdf?lang=en
[45] http://www.niscc.gov.uk/niscc/docs/re-20040319-00147.pdf?lang=en
[46] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo12.pdf (Access to the Government Secure Intranet is required to view this site)
[47] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo21.pdf (Access to the Government Secure Intranet is required to view this site)
[48] http://www.niscc.gov.uk/niscc/docs/re-20040216-00080.pdf?lang=en
[49] http://www.niscc.gov.uk/niscc/docs/re-20030911-00728.pdf?lang=en
[50] http://www.niscc.gov.uk/niscc/docs/re-20040618-00343.html?lang=en
[51] http://www.niscc.gov.uk/niscc/docs/re-20030805-00727.pdf?lang=en
[52] http://www.niscc.gov.uk/niscc/docs/re-20040227-00102.pdf?lang=en
[53] http://news.bbc.co.uk/1/hi/technology/3893363.stm
[54] http://www.vnunet.com/news/1152727
[55] http://www.niscc.gov.uk/niscc/docs/re-20021025-00481.pdf?lang=en
[56] http://news.bbc.co.uk/1/hi/technology/3451059.stm
[57] http://www.cesg.gsi.gov.uk/bookstore/docs/cesg/memo22.pdf (Access to the Government Secure Intranet is required to view this site)
[58] http://www.niscc.gov.uk/niscc/docs/re-20030324-00723.pdf?lang=en
[59] http://www.gsi.gov.uk/main/notices/coco/protective-monitoring-gsi-v1.1.PDF (Access to the Government Secure Intranet is required to view this site)
[60] http://www.niscc.gov.uk/niscc/docs/re-20031119-00729.pdf?lang=en
[61] http://www.niscc.gov.uk/niscc/docs/re-20031119-00730.pdf?lang=en
[62] http://www.niscc.gov.uk/niscc/reportIncident-en.html
[63] http://www.cesg.gsi.gov.uk/bookstore/docs/hmg/sen041.pdf (Access to the Government Secure Intranet is required to view this site)
[64] http://www.cert.org/archive/pdf/csirt-handbook.pdf
[65] http://www.security-matters.gsi.gov.uk/GSI/default.asp (Access to the Government Secure Intranet is required to view this site)
[66] http://www.security-matters.gsi.gov.uk/GSI/default.asp (Access to the Government Secure Intranet is required to view this site)
[67] http://www.cesg.gsi.gov.uk/bookstore/index.html (Access to the Government Secure Intranet is required to view this site)
[68] http://www.niscc.gov.uk/niscc/docs/re-20040401-00392.pdf?lang=en
[69] http://www.niscc.gov.uk/niscc/docs/re-20040501-00393.pdf?lang=en
[70] http://www.niscc.gov.uk/niscc/docs/re-20040601-00394.pdf?lang=en
[71] http://www.niscc.gov.uk/niscc/docs/re-20040601-00395.pdf?lang=en
[72] http://www.niscc.gov.uk/niscc/docs/re-20030121-00722.pdf?lang=en
[73] http://www.niscc.gov.uk/niscc/docs/re-20020814-00479.pdf?lang=en
[74] http://www.niscc.gov.uk/niscc/docs/re-20031218-00732.pdf?lang=en