Wednesday, June 11, 2008

Handle security incidents in seven steps

The possibility of encountering a security incident grows each day. Don't wait until you're in the middle of a crisis before you begin to develop a rational plan for handling an attack. Being prepared for an incident is essential to the survival of your network and its resources. Incident handling begins with planning and establishing policies and procedures.

Developing a response plan for each type of security incident is crucial to restoring normal operation. Here are the most common incident categories:

  • Elevation of privileges: A user or guest gains rights beyond those assigned, such as administrator or root access.
  • Data alteration: Unauthorized users make changes to files.
  • Data theft: Unauthorized users remove data from the system.
  • Denial of service (DoS): Intruders launch an attack that denies legitimate access to the system.

An event can sometimes span multiple categories. For example, Web site defacement involves elevation of privileges and data alteration.

An essential action plan

Different events require different responses. However, you should follow these seven steps for every incident.

Step 1: Log everything.
Your documentation doesn't have to be fancy. It can be a Word document with screen shots or notes on a blackboard, as long as each entry records the time, who did what, and what was observed. The goal is to capture detailed information without destroying or contaminating potential evidence. Before you take further action, verify that you actually have an incident and not a false alarm.

Step 2: Make appropriate calls.
Depending on the severity of the incident, the first call might be to your service provider, or it might be to an internal legal department to start a chain of custody for evidence. For each type of incident, develop a flow chart detailing whom to contact.

Step 3: Contain the incident.
Concentrate on limiting the extent of the damage to your network. Determine whether the incident is still in progress and whether you should keep monitoring it to gather evidence or take action to stop the activity immediately.

Step 4: Identify the point(s) of failure.
Discover how the incident occurred, and determine what you should do to ensure the same event doesn't recur.

Step 5: Solve the problem, and repair the damage.
Implement the solution you've determined is necessary to ensure that the security event doesn't happen again. This might be as simple as applying an operating system patch or adding a new rule to a firewall or router.

After you've plugged the security hole, repair any damage caused by the incident.

Step 6: Increase monitoring.
After restoring a compromised system to operation, continue to monitor for backdoors and repeat attempts. Make sure you've removed the cause of the incident, and ensure that the system is functioning normally.

Step 7: Learn from the incident.
A successful attack invites the attacker to return. Discover exactly what occurred, how it occurred, and what's necessary to ensure it doesn't happen again.
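One way to keep the record Step 1 asks for tamper-evident, and to give legal the chain of custody Step 2 calls for, shown as an added example that is not code from the original post: a small Python journal in which every entry carries a UTC timestamp, the handler, the step it belongs to and the SHA-256 of the previous entry, so that any later edit, deletion or reordering of an entry breaks the chain, and in which evidence files are fingerprinted at the moment they are collected so a changed file is detected. The incident ID, the handler name, the notes and the sample capture file are constructed for illustration and are not taken from the article.

```python
"""Tamper-evident incident journal with evidence fingerprinting (added example)."""
import hashlib
import json
import os
from datetime import datetime, timezone

# The four incident categories named in the article.
CATEGORIES = {"elevation_of_privilege", "data_alteration", "data_theft", "denial_of_service"}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large captures or disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class IncidentJournal:
    GENESIS = "0" * 64  # "previous digest" of the first entry

    def __init__(self, incident_id, categories):
        unknown = set(categories) - CATEGORIES
        if unknown:
            raise ValueError(f"unknown categories: {sorted(unknown)}")
        self.incident_id = incident_id
        self.categories = sorted(categories)
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON (sorted keys) so an entry always hashes the same way.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, step, handler, note, evidence=None):
        """Append an entry for one of the seven steps; evidence files are hashed on collection."""
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "step": step,
            "handler": handler,
            "note": note,
            "evidence": {os.path.basename(p): sha256_file(p) for p in (evidence or [])},
            "prev": prev,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_seq); ok is False if any entry was altered, removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, None

    def evidence_changed(self, path):
        """True if the file no longer matches the hash recorded when it was collected."""
        name = os.path.basename(path)
        for e in self.entries:
            if name in e["evidence"]:
                return sha256_file(path) != e["evidence"][name]
        raise KeyError(name)


def demo():
    """Walk the journal through a constructed incident and return the integrity checks."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cap = os.path.join(d, "web01.pcap")  # constructed stand-in for a packet capture
        with open(cap, "wb") as f:
            f.write(b"constructed sample capture bytes\n")
        j = IncidentJournal("INC-2008-0611", {"elevation_of_privilege", "data_alteration"})
        j.record(1, "oncall", "Defaced index.html noticed; capture taken before touching host", [cap])
        j.record(2, "oncall", "Legal paged to open chain of custody; provider ticket opened")
        j.record(3, "oncall", "Attacker source range blocked at the border router")
        results["intact"] = j.verify()[0]
        results["evidence_intact"] = not j.evidence_changed(cap)
        # Simulate tampering with the evidence file and with the journal itself.
        with open(cap, "ab") as f:
            f.write(b"x")
        results["evidence_tampered"] = j.evidence_changed(cap)
        j.entries[1]["note"] = "nothing happened"
        results["journal_ok_after_edit"], results["first_bad"] = j.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping the journal on a separate, write-protected host (or printing and signing the digests at the end of each shift) is what turns this from a convenience into evidence; the hash chain shows that nothing was changed, but only if the last digest was recorded somewhere the attacker could not reach.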
