
After the Breach

DQI Bureau

Information security is a critical concern for most enterprises today. While in many cases the security breach may be limited to a virus attack or a website defacement, there are other and more serious implications of a breach–these can damage a company's reputation in the form of crippling downtime-related losses or theft of proprietary information. An attack or breach could be from internal or external sources, and while many articles have dealt with the source of such attacks, this report is aimed at advising enterprises on the incident response measures that should follow a breach.


Threats from every side

A recent IS security survey by CII-PwC shows that 80% of businesses suffered some kind of breach in 2001-02, up from 60% in the previous year. While virus attacks accounted for the bulk of breaches, denial of service attacks were also on the rise. Besides these, financial fraud, identity theft, spoofing, corporate espionage, website defacement and insider abuse accounted for the other attacks–and all were on the rise. Internal security breaches accounted for 60% of all incidents.

OS-related vulnerabilities are among the single-largest causes of IT security breaches in India–largely in line with the global trend. However, the proportion of primitive-level security breaches like human error and poorly-defined access controls seems to be significantly higher in India than internationally. Swapan Johri, head (security) at HCL Comnet says, "About 80% of all corporate intellectual property is in the digital form. This stands exposed to a whole range of attacks, varying from insiders with malicious intent, to terrorists, spies, joyrides, even predatory competition."

In most cases, breaches are discovered through data damage, server logs, or an alert from an employee.


Capt Felix Mohan, CEO of Delhi-based IT security firm Securesynergy, says, "Breaches are detected by proactive and reactive methods. Proactive methods are technical controls like intrusion detection systems, firewalls, file integrity monitors and analysis of server logs. Reactive methods include discovery of breach due to data loss or material damage, or when alerted by colleagues, customers, or managed service providers."
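The file integrity monitor Capt Mohan names among the proactive controls can be built from standard tools. The script below is an added example written for this article, not code from Securesynergy or any product it mentions; it assumes POSIX sh with find, sort, sed, grep, comm and coreutils sha256sum, and the function and file names are its own. A baseline of SHA-256 digests is taken while the system is known-good and kept where an intruder cannot rewrite it; a later check lists every file that was modified, added (a dropped backdoor, say) or removed.

```shell
#!/bin/sh
# Added example, not from the article or its sources: a minimal file-integrity
# monitor of the kind the article lists among proactive detection controls.
# It records a baseline of SHA-256 digests for every regular file under a
# directory and later compares the live tree against it, reporting files that
# were MODIFIED, ADDED or REMOVED since the baseline was taken.
# Assumes POSIX sh with find, sort, sed, grep, comm and sha256sum (coreutils).
# The function and file names here are this example's own choices.

paths_of() {
    # Strip the "<digest>  " prefix from digest lines (file argument or stdin),
    # leaving one path per line.
    sed 's/^[0-9a-f]*  //' "$@"
}

fim_baseline() {
    # Usage: fim_baseline <dir> > baseline.txt
    # Output is "<sha256>  <path>", sorted line-wise so comm(1) can diff it later.
    # Store the baseline off-host or on read-only media: a baseline the
    # intruder can rewrite detects nothing.
    find "$1" -type f -print | sort | while IFS= read -r f; do
        sha256sum "$f"
    done | sort
}

fim_check() {
    # Usage: fim_check <dir> <baseline.txt>
    # Prints one line per deviation; returns 1 if anything changed, 0 if clean.
    dir=$1; baseline=$2
    current=$(mktemp); report=$(mktemp)
    fim_baseline "$dir" > "$current"

    # Baseline lines missing from the current snapshot: the path was either
    # removed or its content changed (same path, different digest).
    comm -23 "$baseline" "$current" | paths_of |
    while IFS= read -r path; do
        if paths_of "$current" | grep -qxF -- "$path"; then
            echo "MODIFIED $path"
        else
            echo "REMOVED  $path"
        fi
    done >> "$report"

    # Current lines missing from the baseline whose path is also unknown to
    # the baseline: a new file, which after a breach may be a planted backdoor.
    comm -13 "$baseline" "$current" | paths_of |
    while IFS= read -r path; do
        paths_of "$baseline" | grep -qxF -- "$path" || echo "ADDED    $path"
    done >> "$report"

    cat "$report"
    if [ -s "$report" ]; then
        rm -f "$current" "$report"
        return 1
    fi
    rm -f "$current" "$report"
    return 0
}

# Usage:
#   sh fim.sh baseline /etc > /media/readonly/etc.baseline
#   sh fim.sh check /etc /media/readonly/etc.baseline
case "${1:-}" in
    baseline) fim_baseline "$2" ;;
    check)    fim_check "$2" "$3" ;;
esac
```

Run the check from a trusted copy of the tools (see the sidebar's point about read-only media) and from cron or a remote host, so that a compromised machine cannot simply stop reporting. The non-zero exit status is what an alerting job keys on.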

Denial doesn't help

Enterprises usually express denial or disbelief on determining a breach for the first time. Only when the severity of the situation becomes clear does a gamut of emotions ensue–anger at the perpetrator, betrayal by the security vendors who didn't prevent it from happening, and finally, sheer panic. By the time a typical enterprise actually starts addressing the problem, precious time has been lost, possibly worsening the situation.

The reason for the panic stems from the absence of an incident response plan that serves as a guide when the system is breached. Most do not know who to call for help, when and how to communicate the problem to employees, customers and the media, or how to get back online. To minimize the damage, an enterprise should have a well-defined strategy in the form of a detailed and clearly-written incident response plan. Preparing ahead kills the possibility of a switch to 'panic' mode, apart from making the recovery process faster and smoother.


Quick-fix may not plug gaps

Most enterprises, when confronted with a website defacement, tend to take down the site, fix it quickly, put it back up and hope that nobody noticed. But a rushed fix can make matters worse. Many hackers also build a backdoor into their handiwork, allowing them to easily get back in and do more damage later. Implementing a quick-fix solution, therefore, can quash a company's ability to track down and prosecute the perpetrator. In their haste to restore sites, companies trample and sometimes entirely 'erase' the crime scene. The first step is assessing the extent of the damage. Says Capt Mohan, "Few enterprises document forensics guidelines that set out how to maintain evidence during an investigation from a legal perspective, and provide technical procedures and standards that need to be adopted for diagnosing breaches."

Five Do's and Don'ts

The Do's

- Immediately inform all parties who need to be made aware of the breach, as defined in the company's Incident Response Plan, including the IR team, PR staff, affected users, management, system administrators of other connected sites, etc.

- All information about the compromised systems, including cause of intrusion, system and network logs, network connections, processes running, users logged in, open files etc. should be captured and securely stored. This can be done by creating an image of the disk, without any changes to the original data. Differences between the original system and the master copy count as a change to the data; therefore you must be able to account for the differences. If possible, without rebooting, make two byte-by-byte copies of the physical disk.

- Contain the incident to limit its extent and prevent the intruder from doing further damage. This would involve shutting down the system, disconnecting the system from the network, disabling access, and monitoring the network for further attacks.

- Ensure that the intruder has no covert means of access into the company's system through backdoors or Trojans that he may have installed. Reinstall compromised systems, restore programs and binary files from original media, carry out vulnerability analysis and review configurations of all protective and detection mechanisms–IDS, firewall, tripwire, access controls etc.

- Return the system to normal operation after eliminating all means by which the intruder may gain access. If business requirements require the systems to be brought online fast, the risk needs to be monitored. Once restored, the company should implement lessons learned and update its IR plan.

The Don'ts

An enterprise should avoid the following just after a breach:

- Do not panic. Execute the company IR plan.

- Do not power a system down immediately upon the discovery of an incident. This could destroy critical evidence. Powering off will destroy the volatile data of the system before a forensic image of the system can be created. Besides this, the attacker might have Trojan-ed the startup and shutdown scripts, and Plug-and-Play devices may alter the system configuration and wipe out temporary file systems. Rebooting is even worse, and should be avoided.

- Do not get the compromised system online without undertaking a thorough vulnerability analysis, and hardening of the system's protection and detection mechanisms to ensure that the perpetrator cannot re-enter. The hardening should include a thorough sanitisation of the system to ensure no backdoor or Trojan exists before getting the system up again.

- Do not ignore the incident, even if it may seem insignificant and potentially harmless. Incidents should be escalated and dealt with as per the procedures set out in the Incident Response plan.

- Do not start looking through files, as this could lead to loss of vital evidence such as time stamps. Any programs you use should be on read-only media (such as a CD-ROM or a write-protected floppy disk), and should be statically linked.

(Source: Bangalore Labs, SecureSynergy)
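The second Do and the second and fifth Don'ts in the sidebar describe one sequence of work: record volatile state before anything is powered off, take two byte-by-byte copies of the disk without rebooting, account for every difference between original and copy, and run only trusted tools. The script below is an added example written for this article, not code from Bangalore Labs or SecureSynergy. It assumes POSIX sh with dd, sha256sum and cmp, an evidence directory on media the intruder cannot reach (removable disk or remote share, never the compromised disk), and its own convention of a TRUSTED_BIN directory holding statically linked tools on read-only media; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not from the article or its sources: evidence acquisition in
# the order the sidebar prescribes. Volatile state (network connections,
# processes, logged-in users, open files) is recorded first because it is
# lost on power-off; the disk is then imaged twice, byte for byte, and each
# copy is hashed against the source so that any difference between original
# and master copy is accounted for in a chain-of-custody log.
# Assumes POSIX sh, dd and sha256sum. TRUSTED_BIN (this example's own
# convention) points at statically linked tools on read-only media.

log_step() {
    # Append a UTC-timestamped entry to the chain-of-custody log <logfile>.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"
}

run_if_present() {
    # Run a tool if it exists on this host; record its absence otherwise, so the
    # evidence file shows what was and was not collected.
    echo "### $*"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || true
    else
        echo "(not available on this host)"
    fi
}

capture_volatile() {
    # Usage: capture_volatile <outdir>
    # Most volatile first: connections and processes change by the second,
    # logged-in users and open files more slowly. Trusted tools are put ahead
    # of the system's own binaries, which the intruder may have Trojaned.
    out=$1; mkdir -p "$out"
    if [ -n "${TRUSTED_BIN:-}" ]; then PATH="$TRUSTED_BIN:$PATH"; export PATH; fi
    {
        echo "### captured $(date -u) on $(hostname 2>/dev/null || echo unknown-host)"
        run_if_present netstat -an
        run_if_present ss -anp
        run_if_present ps -ef
        run_if_present who
        run_if_present lsof -n
    } > "$out/volatile.txt"
    log_step "$out/custody.log" "volatile state saved to $out/volatile.txt"
}

image_disk() {
    # Usage: image_disk <device> <outdir>
    # Two independent byte-for-byte copies, each verified against the source
    # digest. bs=512 matches the sector size, so conv=noerror,sync replaces an
    # unreadable sector with 512 zero bytes instead of dropping a larger block;
    # the resulting hash mismatch is then a recorded finding, not silent loss.
    src=$1; out=$2; custody="$out/custody.log"
    mkdir -p "$out"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    log_step "$custody" "source $src sha256=$src_hash"
    for n in 1 2; do
        img="$out/image$n.dd"
        dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
        img_hash=$(sha256sum "$img" | cut -d' ' -f1)
        log_step "$custody" "copy $img sha256=$img_hash"
        if [ "$img_hash" != "$src_hash" ]; then
            log_step "$custody" "MISMATCH: $img differs from source; account for it before use"
            return 1
        fi
    done
    log_step "$custody" "both copies verified against source digest"
    return 0
}

# Usage: sh acquire.sh /dev/sdb /mnt/evidence   (run as root, without rebooting)
if [ $# -eq 2 ]; then
    capture_volatile "$2"
    image_disk "$1" "$2"
fi
```

One image becomes the master copy that is sealed and never touched; analysis (and any later "looking through files") happens on the second image, so the timestamps on the original disk are never disturbed. The custody log, with its hashes, is what lets the company later show a court or an insurer that the evidence was not altered.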

Backups are essential

One technique for buying time to investigate without jeopardizing the business is to maintain backup servers with frequently-updated copies of all website pages. A company hit by a security breach can then run its site from the backup servers while combing through evidence on the primary system. The cost would vary, depending on the size and dynamics of the site, but even for a larger site a backup may be worth it when you consider the value it offers. A company can immediately bring up a clean copy of the site from backup, examine the damaged site to determine in detail what happened, and avoid a rushed fix.


In-house IR team

Enterprises need an in-house incident response team consisting of cross-functional employees to handle cases of breaches. Calling in the incident response team should be at the top of the list of action items on a company's incident response plan. This group should have executives and representatives from IS, business units, plus PR, legal, marketing and HR departments, with training on how to respond in the event of a breach.

Investment on IT Security: Stretch Your Buck

Option: Install basic hardware and software: firewalls, anti-virus programs, passwords, etc
Benefits: Basic protection. Despite a heavy initial investment, you can't ignore these
Cost: $$$  Security rating: **

Option: Buy advanced HW and SW: encryption, authentication, digital certificates and signatures, keystroke loggers
Benefits: These offer far more security than the basics, but you have to pay a heavy price for it
Cost: $$$  Security rating: ***

Option: Hire/reassign staff to create and enforce security policies
Benefits: Helps secure everyday operations
Cost: $$  Security rating: ***

Option: Dedicate one staffer to ongoing maintenance of security systems
Benefits: This is a low-cost, highly cost-effective way to improve security
Cost: $  Security rating: ****

Option: Improve IT security awareness through employee training
Benefits: Low-cost and effective way to quickly improve security
Cost: $  Security rating: ****

Option: Regular virus and patch upgrades, firewall reconfiguration, security audits
Benefits: Worth the cost, ensures critical updates don't get delayed/fall by the wayside
Cost: $$  Security rating: ***

Option: Regular security/penetration audit and assessment
Benefits: Expensive but necessary. White Hat hackers will give reports/suggest improvement
Cost: $$$$  Security rating: ***

Option: Outsource entire process of security management
Benefits: Expensive, but includes service guarantees that the enterprise will remain secure
Cost: $$$$  Security rating: ****

Security rating: * May/may not be required; ** Needs careful evaluation; *** Important; **** Critical urgency

Cost: $ Inexpensive; $$ Consider spend; $$$ Heavy spend; $$$$ Top dollar, RoI study a must

Do not hesitate to report

The CSI/FBI 2002 Computer Crime and Security Survey in the US reveals that only 34% of surveyed respondents reported a security breach to law enforcement bodies. Also, 77% of the respondents patched holes and moved on with business. Rohit Nand, senior security consultant at Bangalore Labs, opines–"The percentage of organizations in India that would detect a security breach and report the same to law enforcement would be far lower than that in the West. This is due to factors like lower security awareness levels and budgets, apart from the lack of a centralized IT security incident reporting body, like FBI and CERT."

A company's IR plan should detail whether the authorities should be called, in what circumstances, and by whom. For one, when an employee receives a threat via e-mail or trade secrets have been compromised, the authorities should be informed fast. But in case of an employee being suspected of accessing information that's off-limits, it could be a matter best dealt with in-house.

On the whole, reporting cybercrimes and network attacks is the right thing to do. Only sharing information with law enforcement and industry groups will make it easier to prosecute criminals, identify new security threats and prevent future attacks.

Amit Sarkar in New Delhi
