Managing & responding to IT incidents
A panel of experts assembled by SANS explain in an FAQ how to liaise with law enforcement officials (aka the police) on security incidents.
Mich Kabay has published a superb white paper synthesizing various pieces he has written previously on building an effective Computer Security Incident Response Team. Mich has also republished the contents of a training CD on incident response from US DoD’s Defense Information Systems Agency (DISA).
In Incident Response: A Strategic Guide to Handling System and Network Security Breaches (~$32 from Amazon), authors Eugene Schultz and Russell Shumway give us the benefit of their considerable experience in the field. Combining procedural, technical, legal and policy matters, the book is a useful guide to professional incident response processes and teams, plus forensic techniques and tools.
NIST Special Publication 800-61 offers 148 pages of sage advice on computer security incident handling, the full nine yards if you will.
The mother of all incident management teams is the Computer Emergency Response Team Coordination Center (CERT/CC), set up in the wake of the original Morris Worm. CERT commands enormous respect in the incident management community and remains the reference. Their mission is not to respond directly to individual incidents but to coordinate overall responses.
If you ever need advice or professional assistance to deal with serious information security incidents involving European organizations, ENISA maintains a useful inventory of European CERTs. Navigate through the map online, print it as a poster for your office or download the inventory as a PDF for the files. ENISA also offers a guide to setting up a Computer Security Incident Response Team.
Since January 2003, all 19 agencies included in a US House Government Reform Committee summary reported at least one breach.
The US Department of Justice maintains a chronology of ‘representative’ computer cases.
In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it’s already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims’ personal details compromised/exposed to fraud) at all sorts of organization. Thirdly, virtually all of the incidents have had to be publicly disclosed under California State Bill 1386 (presumably a similar level of privacy incidents occurs elsewhere, outside the remit of SB1386). Finally, the authors of the table have identified the ISO/IEC 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
A story about inadequate security practices by Pizza Hut graduated to a PR nightmare thanks to the local news media in New Zealand. The incident which sparked it involved a customer noticing that the delivery boy’s delivery note included her name, address, phone number, full credit card number, credit card expiry date and cardholder’s name - apart from the lack of CVV2 data, that’s game, set and match for identity thieves, potentially including Pizza Hut staff, delivery boys/girls, their relatives/friends and indeed anyone who finds a carelessly discarded delivery note. A consumer advice site that broke the story was given the run-around by Pizza Hut and fobbed off with an unhelpful response from their PR agency. Pizza Hut NZ is evidently planning to change its systems not to print the full credit card number ... by ‘March next year’ ... so, meanwhile, Pizza Hut NZ customers were well advised to pay in cash or find a pizza supplier that actually gives a hoot about their customers’ security.
Organizations often need to consider the thorny issue of disclosure after they have been hit by serious security incidents, assuming the incident is not already public knowledge. The benefits of fulfilling social responsibilities sometimes conflict with the threat of public embarrassment and reputational damage, at least for UK-based Internet gambling companies facing Denial of Service cyber extortion. This is a good topic to discuss with senior management before the Big One hits, when tempers are not frayed and rational decisions can be codified into policy statements.
A stolen GE laptop has compromised the personal data of up to 50,000 employees. GE claims the hotel room theft was a “random criminal act”. “GE said it was assessing its procedures to safeguard personal information. Despite no data encryption and using only a password, the company has ‘strict policies in place for laptop and data security,’ according to the spokesman.” [50,000 employee details on an unencrypted laptop?! No amount of desperate PR spin about strict policies can compensate for fundamental missing security controls.]
Surveys are an excellent way to read about real world threats and incidents. Benefit from other people’s misfortune! Examples include the PwC/DTI UK survey, CSI and FBI, CERT and CSO Magazine, KPMG and Ernst & Young.
Watchguard’s excellent VML exploit video is an object lesson in technical awareness presentations - professionally produced, clear and straightforward, and just over 4 minutes long.
Find out how Microsoft handles information security incidents. Microsoft advises: “The need for a consistent, straightforward approach to incident response and recovery cannot be understated; malware incidents tend to create a sense of urgency that is not conducive to instituting well thought out procedures that will remain effective and successful in the long term.”
Through the use of networks of hundreds or thousands of zombie PCs (compromised PCs on high-bandwidth/broadband connections) to exploit architectural ‘features’ of the Internet, Distributed Denial of Service (DDoS) attacks by extortionists on web-based businesses are all but impossible to prevent. Online gambling and other financial sites have mostly been targeted to date. Having already been DDoS’d a year before, WorldPay was hit again. An email to customers confirmed that their data are secure and contingency plans are in place (although in practice the site was evidently reduced to a crawl), but the attack can hardly enhance the bank’s reputation with its customers.
The SANS Internet Storm Center tracks and reports on Internet security incidents in real time. The daily diary entries make interesting reading - more than simply news items about the latest malware in circulation, the incident handlers give their analysis and sometimes tools to help identify or fix the issues that arise.
The Forum of Incident Response Teams (FIRST) is a club for over 170 incident response teams worldwide. As well as helping each other, members have prepared and published a range of system security configuration guides.
Information security incidents come in all shapes and sizes. This news story, for example, concerned allegations that source code had been stolen from an Indian software company. One hurdle to any investigation of the case is that the facility fell short on security, according to investigators. “It does not have a security policy, it has no log of the computer and network activity at the center, and passwords are known to all and sundry,” said technical consultant Vijay Mukhi. So much for preventive controls.
In Help! I think I’ve been hacked, author Tony Bradley discusses incident response processes for individuals whose PCs have been compromised, in particular by malware.
The Computer Incident Response Team’s desk reference guide is a manual describing the Federal Communications Commission’s incident response process.
A piece in CSO Magazine by Ubizen’s Director of Technology includes an excellent snippet of advice on ‘the one thing I should do after a breach’, namely disconnect the system from the network. Don’t shut it down, install additional software or try to investigate it, just unplug it. Pull the plug. Period.
Related NoticeBored links collections
Hacking, Bugs!, identity theft, information security management, IT Ops, IT fraud, malware, contingency planning, insider threats, risk management, compliance, physical IT security and security awareness.
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.