Computer Security Incident Handling

Background

This document will supply guidance to be used before, during, and after a computer security incident occurs on a host, network, site, or multi-site environment. The operative philosophy in the event of a breach of computer security is to react according to a plan. This is true whether the breach is the result of an external intruder attack, unintentional damage, a student testing some new program to exploit a software vulnerability, or a disgruntled employee. Each of the possible types of events, such as those just listed, should be addressed in advance by adequate contingency plans.

Traditional computer security, while quite important in the overall site security plan, usually pays little attention to how to actually handle an attack once one occurs. The result is that when an attack is in progress, many decisions are made in haste and can be damaging to tracking down the source of the incident, collecting evidence to be used in prosecution efforts, preparing for the recovery of the system, and protecting the valuable data contained on the system.

One of the most important, but often overlooked, benefits of efficient incident handling is an economic one. Having both technical and managerial personnel respond to an incident requires considerable resources. Staff who are trained to handle incidents efficiently need less time when one occurs.

Because systems are connected to a worldwide network, most incidents are not restricted to a single site. Operating system vulnerabilities apply (in some cases) to several million systems, and many vulnerabilities are exploited within the network itself. It is therefore vital that all sites with involved parties be informed as soon as possible.

Another benefit is related to public relations. News about computer security incidents tends to be damaging to an organization's stature among peer institutions and current or potential students and clients. Efficient incident handling minimizes the potential for negative exposure.

A final benefit of efficient incident handling is related to legal issues. It is possible that in the near future organizations may be held responsible because one of their nodes was used to launch a network attack. In a similar vein, people who develop patches or workarounds may be sued if the patches or workarounds are ineffective, resulting in compromise of the systems, or if the patches or workarounds themselves damage systems. Knowing about operating system vulnerabilities and patterns of attacks, and then taking appropriate measures to counter these potential threats, is critical to avoiding possible legal problems.

What Constitutes a Security Incident?

A security incident can be defined as any event that exposes information resources to accidental or intentional disclosure, modification, destruction, or decreased service levels. Security incidents may include, but are not limited to:

  • Unauthorized access on a host machine
  • Unauthorized sniffing (akin to wiretapping) of the data network
  • Unsolicited bulk e-mail (spam) originating or passing through a VCU system
  • Denial of Service attacks
  • Unauthorized modification of web pages
  • Compromised desktop PCs (Back Orifice, Netbus, worms, virus and Trojan horse attacks, etc.)

The following guides should be used by technical staff as an aid in discovering intrusions and system compromises that constitute security incidents:

Reporting an Incident

In many instances the resolution to a problem is clear and can be handled at the departmental level. In these cases the Information Security Officer and VCUCERT do not necessarily need to be involved with the resolution phase. Minor incidents must still be reported in case the local symptoms are a part of a larger pattern of attack.

Suspected computing security incidents should be reported to the CERT team for handling. Please use these guidelines for reporting an incident:

  1. If the compromise/attack is critical, please report the incident immediately to Steve Werby, 828-1015 (smwerby@vcu.edu) or Jesse Crim, 827-1074 (jcrim@vcu.edu). In addition, please also complete this online form and report this serious incident to the Help Desk (see #2 below) so that the ticket can be tracked.
  2. To report other computer security incidents, please call the Help Desk at 828-2227 and ask that the security incident ticket be forwarded to the Computer Incident Response Team (Security Group). Please also submit a report via this online form.

Reports of incidents from outside the University typically will arrive via one of two mechanisms. There is an expectation that all e-mail servers will have an account to reach the host administrator, and many people will use this mechanism to report problems. Others may know to look up the Domain Name System (DNS) registration information for VCU.EDU.

All systems capable of receiving e-mail should have the administrative accounts POSTMASTER and ABUSE set up. The administrators of these accounts should be VCU employees familiar with the mechanism of reporting security incidents internal to VCU. The administrator of the primary VCU e-mail host should monitor POSTMASTER@VCU.EDU and ABUSE@VCU.EDU.

The primary and secondary contacts listed for DNS registration should be VCU employees familiar with the mechanism of reporting security incidents internal to VCU.

The Information Security Officer will ensure timely and reliable reporting of and response to security incidents. Reporting mechanisms may include a secure web page, e-mail, and voice. An on-going educational program for host administrators and help desk personnel should be established.

Revised 8/27/06

Six Primary Phases in Computer Incident Handling:

  1. Preparation: assignment and training of Computer Incident Handling Team
  2. Identification: gather event information to analyze and determine if an incident actually occurred
  3. Containment: prevent spread of problem
  4. Eradication: removal of artifacts of compromise/attack
  5. Recovery: restore impacted system(s) to production
  6. Lessons Learned: document events and improve response capabilities

Objectives for dealing with incidents include:

  • Discover how it happened.
  • Find out how to avoid further exploitation of the same vulnerability.
  • Avoid escalation and further incidents.
  • Assess the impact and damage of the incident.
  • Recover from the incident.
  • Update policies and procedures as needed.
  • Find out who did it (if appropriate and possible).
  • Take actions to prevent and/or deter the action from recurring.

Document the incident and preserve evidence where possible for reporting purposes and effective resolution of an incident.

Depending on the nature of the incident, there may be a conflict between analyzing the original source of a problem and restoring systems and services. Overall goals (such as maintaining the operation of critical systems) may supersede the goal of detailed analysis of an incident. The final decision will be made jointly between the Information Security Officer and the Manager or Director of the functional unit, but all involved parties must be aware that without analysis the same incident may happen again. If a mutually acceptable agreement cannot be reached, the decision will be escalated to the Chief Information Officer.


Security Incident Response Priorities:

Actions to be taken during an incident should be prioritized before an incident occurs. An incident may be so complex that it is impossible to respond to everything at once, so priorities are essential.

An important implication for defining priorities is that once human life issues have been addressed, it is generally more important to save data than to save system software and hardware. Although it is undesirable to have any damage or loss during an incident, systems can be replaced. However, the loss or compromise of data (especially classified or proprietary data) is usually not an acceptable outcome.

Another important concern is the effect on others, beyond the systems and networks where the incident occurs. Within the limits imposed by government regulations, it is always important to inform affected parties as soon as possible. Because of the legal implications, notification of affected parties should be built into planned procedures to avoid delays and uncertainty for administrators.

The following are the priorities:

  1. Protect human life and safety; human life always has precedence over all other considerations.
  2. Protect classified and/or sensitive data. Prevent exploitation of classified and/or sensitive systems, networks or sites. Inform affected classified and/or sensitive systems, networks or sites about penetrations, bearing in mind local, state and federal laws and regulations.
  3. Protect other data, including proprietary, scientific, managerial and other data, because loss of data is costly. Prevent exploitation of other systems, networks or sites and inform affected systems, networks or sites about successful penetrations.
  4. Prevent damage to systems (for example, loss or alteration of system files, damage to disk drives, etc.). Damage to systems can result in costly down time and recovery.
  5. Minimize disruption of computing resources (including processes). In many cases it is better to shut a system down or disconnect from a network than to risk damage to data or systems. Sites must evaluate the trade-off between shutting down and disconnecting, and staying up. The damage and scope of an incident may be so extensive that the VCUNet infrastructure is compromised and mandates a shutdown.

Rapid and effective responses to security incidents are vital to the continued well-being of the computing environment at VCU. The management of all units at VCU, especially those providing VCU CERT members, should make it a high priority to respond to security incidents above important projects and day-to-day tasks.

VCU CERT and Leadership

The Information Security Officer (ISO) is responsible for overall leadership and decision-making during a security incident. The ISO interprets policy and decides how to proceed when resolution is not clear. The ISO will also develop guidelines for reporting incidents to the Virginia Information Technology Agency, Carnegie Mellon CERT CC, SANS, or other pertinent bodies.

The ISO has assembled a VCU Computing Emergency Response Team (VCU CERT) capable of analyzing and responding to computing security threats. The members are trained in incident handling and computer forensics and have expertise in the various operating system platforms and in the network infrastructure. The team and the ISO together should develop technical contacts in all units in order to facilitate problem resolution.


Security Report Tracking:

The ISO will appoint one member of the VCU CERT to act as a single point of contact for each security incident. The designee should have the technical expertise to coordinate and implement a response to the incident. The designee has the authority to make appropriate contacts both inside and outside of VCU as necessary to gather information about the incident and implement a resolution. The designee is responsible for updating the event report documentation as fact finding and resolution progress. The ISO is responsible for verifying that the documentation is kept current.

Information recorded for each incident will include:

  • Date and nature of the incident's initiation.
  • Names of institutions involved.
  • Nature of the incident, including the nature of exploitation where applicable.
  • Date of incident's closure.
  • How the incident was resolved.
  • General nature of any disciplinary actions taken.
  • Type and nature of actions taken to end the incident or reduce future vulnerability to this type of exploitation.

Additional documentation may need to be archived as described in later sections.

Security Investigative Results:

Team members, bearing in mind the need to preserve all relevant logs, communications and other electronic evidence of an alleged security violation, will follow proper incident handling procedures to ensure that the evidence is handled correctly. Any hardcopy documents, fax communications or other evidence shall be secured under lock in a location designated by the Information Security Officer and a log established to preserve a chain of custody.

In the event of an incident that has legal consequences, it is important to establish contact with investigative agencies as soon as possible. The Information Security Officer will decide if law enforcement involvement is warranted. VCU Police should be the first law enforcement agency contacted.

It is vital to verify that any person who calls asking for information is a legitimate representative from the agency in question. Unfortunately, many well-intentioned people have unknowingly leaked sensitive details about incidents, allowed unauthorized people into their systems, etc., because a caller has masqueraded as a representative of a government agency.

Team members will confirm or disprove the existence of a bona fide security incident. Team members, after investigation and based on professional expertise, in consultation with other team members and other involved institutions, will recommend action to the involved parties to end the incident or reduce future vulnerability.

Team members will complete detailed report forms that each member has in his/her jump bag. These forms will be used throughout the incident cycle and during the Lessons Learned phase. The forms will then be stored along with other documentation pertaining to the incident.
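The preservation and chain-of-custody requirements above apply to electronic evidence as much as to hardcopy. The following is an added example, not part of the VCU policy or any VCU tool, of a minimal append-only custody log: each entry records who handled which evidence item, when, and the item's SHA-256 digest, so a later check can show whether the artifact changed while in custody. The incident identifier, custodian names, file names and the JSON-lines log format are assumptions chosen for illustration; the sample log line is constructed.

```python
"""Minimal chain-of-custody log for electronic evidence (added example).

Assumptions: evidence items are files on disk, one incident identifier
per case, and the log is a local JSON-lines file. Names such as
"INC-0001" and "analyst1" are illustrative placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large evidence images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only log; each line is one JSON entry describing a custody event."""

    def __init__(self, log_path):
        self.log_path = Path(log_path)

    def record(self, incident_id, evidence_path, custodian, action, note=""):
        """Append an entry for a custody action (e.g. collected, transferred, verified)."""
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "incident_id": incident_id,
            "evidence": str(evidence_path),
            "sha256": sha256_file(evidence_path),
            "custodian": custodian,
            "action": action,
            "note": note,
        }
        with open(self.log_path, "a", encoding="utf-8") as handle:
            handle.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        """Return all entries in the order they were written."""
        if not self.log_path.exists():
            return []
        with open(self.log_path, encoding="utf-8") as handle:
            return [json.loads(line) for line in handle if line.strip()]

    def verify(self, evidence_path):
        """Compare the file's current digest with the first digest recorded for it.

        Returns True if unchanged, False if it differs, None if never logged.
        """
        recorded = [e for e in self.entries() if e["evidence"] == str(evidence_path)]
        if not recorded:
            return None
        return sha256_file(evidence_path) == recorded[0]["sha256"]


def demo():
    """Walk through collection, transfer, verification and detection of tampering.

    Uses a temporary directory and a constructed sample log file so it runs offline.
    """
    with tempfile.TemporaryDirectory() as workdir:
        evidence = Path(workdir) / "auth.log"
        # Constructed sample evidence; 203.0.113.5 is a documentation-range address.
        evidence.write_text(
            "Jan 10 03:14:07 host sshd[123]: Failed password for root from 203.0.113.5\n"
        )
        log = CustodyLog(Path(workdir) / "custody.jsonl")
        log.record("INC-0001", evidence, "analyst1", "collected", "copied from host")
        log.record("INC-0001", evidence, "analyst2", "transferred")
        intact = log.verify(evidence)          # digest matches the collection record
        evidence.write_text("tampered\n")      # simulate an alteration while in custody
        after_tamper = log.verify(evidence)    # digest no longer matches
        return {
            "entries": len(log.entries()),
            "intact": intact,
            "after_tamper": after_tamper,
            "unknown": log.verify(Path(workdir) / "never-logged.bin"),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the log itself should be stored somewhere the custodians cannot silently rewrite it (for example, a write-once location or a signed copy held by the Information Security Officer), since a log that anyone can edit does not establish custody.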

Interim Security Safeguards

Team members may certify to the Information Security Officer that a present threat exists to other institutions or individuals. In such a case, the Information Security Officer will approve appropriate interim measures to safeguard the interests of affected institutions and inform the appropriate VCU manager of those actions.

When devising interim safeguards, as time permits, the Information Security Officer will consult the appropriate VCU manager(s) for appropriate interim measures.

Interim measures may include blocking a site's network traffic at the VCUNet router or switch port as well as confiscating a compromised device.


Public Relations

VCU CERT members and other individuals involved with resolving a security incident should not divulge information about any incident unless necessary to resolve an incident or warn others that their systems may have been compromised or are under attack. The Information Security Officer should create guidelines for reporting incidents to VITA, CERT CC, SANS, and other external security organizations. Requests for information from general users or the public should be referred to the Information Security Officer.

VCU General Counsel and the External Relations division should be involved as soon as possible after it is determined that a serious event is underway. A serious event is defined as one that is likely to result in significant negative publicity or liability for VCU. In general, there are many legal and practical issues, a few of which are:

  • Whether VCU is willing to risk negative publicity or exposure to cooperate with legal prosecution efforts.
  • Downstream liability: if another computer or system is damaged because the attack originated from or passed through a VCU system, VCU may be liable for damages incurred.
  • Distribution of information: if VCU distributes information about an attack in which another site or organization may be involved, or about a vulnerability in a product that may affect the ability to market that product, VCU may again be liable for any damages (including damage to reputation).


Other VCU CERT Duties

VCU CERT will monitor the Carnegie Mellon CERT CC web site, SANS Internet Storm Center and other authoritative resources to stay current on developing computing security issues and alerts. The VCU CERT will make recommendations to the Information Security Officer for modifications to VCU security policies, standards and recommendations. VCU CERT will also make recommendations for firewall configuration changes, intrusion detection monitoring, vulnerability probing, and other issues concerning computing security.
