Information security is a critical concern for most enterprises today. While
in many cases a security breach may be limited to a virus attack or a website
defacement, a breach can have far more serious consequences: crippling
downtime-related losses or theft of proprietary information that damage a
company's reputation. An attack or breach could come from internal or external
sources, and while many articles have dealt with the sources of such attacks,
this report is aimed at advising enterprises on the incident response measures
that should follow a breach.
Threats from every side
A recent IS security survey by CII-PwC shows that 80% of businesses suffered
some kind of breach in 2001-02, up from 60% in the previous year. While virus
attacks accounted for the bulk of breaches, denial of service attacks were
also on the rise. Besides these, financial fraud, identity theft, spoofing,
corporate espionage, website defacement and insider abuse accounted for the
remaining attacks, and all were on the rise. Internal security breaches
accounted for 60% of all incidents.
OS-related vulnerabilities are among the single largest causes of IT security
breaches in India, largely in line with the global trend. However, the
proportion of primitive-level security breaches such as human error and
poorly-defined access controls seems to be significantly higher in India than
internationally. Swapan Johri, head (security) at HCL Comnet, says, "About
80% of all corporate intellectual property is in the digital form. This stands
exposed to a whole range of attacks, varying from insiders with malicious
intent, to terrorists, spies, joyrides, even predatory competition."
In most cases, breaches are determined through data damage, server logs or
being alerted by an employee.
Capt Felix Mohan, CEO of Delhi-based IT security firm Securesynergy, says,
"Breaches are detected by proactive and reactive methods. Proactive methods
are technical controls like intrusion detection systems, firewalls, file
integrity monitors and analysis of server logs. Reactive methods include
discovery of breach due to data loss or material damage, or when alerted by
colleagues, customers, or managed service providers."
Denial doesn’t help
Enterprises usually express denial or disbelief on discovering a breach for
the first time. Only when the severity of the situation becomes clear does a
gamut of emotions ensue: anger at the perpetrator, a sense of betrayal by the
security vendors who did not prevent it, and finally, sheer panic. By the
time a typical enterprise actually starts addressing the problem, precious time
has been lost, possibly worsening the situation.
The panic stems from the absence of an incident response plan that serves as
a guide when the system is breached. Most do not know whom to call for help,
when and how to communicate the problem to employees, customers and the media,
or how to get back online. To minimize the damage, an enterprise should have a
well-defined strategy in the form of a detailed and clearly-written incident
response plan. Preparing ahead removes the possibility of a switch to 'panic'
mode, apart from making the recovery process faster and smoother.
Quick-fix may not plug gaps
Most enterprises, when confronted with a website defacement, tend to take
down the site, fix it quickly, put it back up and hope that nobody noticed. But
a rushed fix can make matters worse. Many hackers build a backdoor into their
handiwork, allowing them to get back in easily and do more damage later. A
quick fix can also quash a company's ability to track down and prosecute the
perpetrator: in their haste to restore sites, companies trample and sometimes
entirely 'erase' the crime scene. The first step is assessing the extent of
the damage. Says Capt Mohan, "Few enterprises document forensics guidelines
that set out how to maintain evidence during an investigation from a legal
perspective, and provide technical procedures and standards that need to be
adopted for diagnosing breaches."
[Sidebar: Five Do's and Don't's. Only fragments of the sidebar survived
extraction: the Do's begin "Immediately", "All", "Contain", "Ensure" and
"Return"; each of the Don't's begins "Do". (Source: Bangalore [rest of
attribution truncated])]
Backups are essential
One technique for buying time to investigate without jeopardizing the
business is to maintain backups with frequently-updated copies of all website
pages. A company hit by a security breach can then run its site from the backup
servers while combing through evidence on the primary system. The cost of this
varies with the size and dynamics of the site, but for a larger site a backup
may well be worth it when you consider the value it offers. A company can
immediately bring up a clean copy of the site from the backup, examine the
damaged site to determine in detail what happened, and avoid a rushed fix.
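The "examine the damaged site" step above, and the file integrity monitoring Capt Mohan lists among proactive detection methods, both come down to the same check: compare the live web tree against the known-good backup and record exactly which files changed before anyone restores or touches them. The following is an added example written for this article, not code from the article or from any of the firms it quotes. It assumes both the clean backup and the live site are plain directory trees on local disk; the sample site and the simulated tampering (a rewritten index page, an unexpected new file, a deleted page) are constructed inside the script.

```python
"""Compare a live website tree against its clean backup and record evidence.

Added example; not from the article. Assumes the backup and the live site are
ordinary directory trees. The sample trees below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(clean: dict, live: dict) -> dict:
    """Classify differences between the clean backup and the live tree.

    modified: same path, different digest (defaced or altered page)
    added:    present only on the live tree (e.g. a file the attacker dropped)
    deleted:  present only in the backup
    """
    clean_paths, live_paths = set(clean), set(live)
    return {
        "modified": sorted(p for p in clean_paths & live_paths
                           if clean[p] != live[p]),
        "added": sorted(live_paths - clean_paths),
        "deleted": sorted(clean_paths - live_paths),
    }


def evidence_record(live_root: Path, diff: dict, live: dict) -> list:
    """Return (path, size, sha256) for every suspicious live file, so the
    damaged site is documented before it is cleaned up or restored."""
    records = []
    for rel in diff["modified"] + diff["added"]:
        p = live_root / rel
        records.append((rel, p.stat().st_size, live[rel]))
    return records


def make_sample_site(base: Path) -> tuple:
    """Constructed sample: a clean backup and a tampered live copy."""
    clean, live = base / "backup", base / "live"
    for root in (clean, live):
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "about.html").write_text("<p>About us</p>")
        (root / "css" / "site.css").write_text("body{margin:0}")
    # Simulated tampering, applied to the live tree only.
    (live / "index.html").write_text("<h1>Defaced</h1>")
    (live / "cgi").mkdir()
    (live / "cgi" / "x.php").write_text("<?php /* unexpected file */ ?>")
    (live / "about.html").unlink()
    return clean, live


def run_check() -> dict:
    """Build both manifests, diff them and attach the evidence records."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, live_root = make_sample_site(Path(tmp))
        diff = compare_manifests(build_manifest(clean_root),
                                 build_manifest(live_root))
        diff["evidence"] = evidence_record(live_root, diff,
                                           build_manifest(live_root))
        return diff


if __name__ == "__main__":
    result = run_check()
    for kind in ("modified", "added", "deleted"):
        print(f"{kind}: {result[kind]}")
    for rel, size, digest in result["evidence"]:
        print(f"{rel}  {size} bytes  sha256={digest}")
```

Run against a real site, the manifest of the clean backup would be generated when the backup is taken and stored off the web server, and the evidence list (paths, sizes, digests) would be written out and preserved before the clean copy is brought up, so the restore does not erase what the investigation needs.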
In-house IR team
Enterprises need an in-house incident response team of cross-functional
employees to handle breaches. Calling in the incident response team should be
at the top of the list of action items on a company's incident response plan.
This group should include executives and representatives from IS, the business
units, PR, legal, marketing and HR, all trained in how to respond in the event
of a breach.
Investment
Options | Benefits | Cost & Rating |
Install basic hardware and software: firewalls, anti-virus programs, passwords, etc | Basic protection. Despite a heavy initial investment, you can't ignore these | Cost: $$$ Security rating: ** |
Buy advanced HW and SW: encryption, authentication, digital certificates and signatures, keystroke loggers | These offer far more security than the basics, but you have to pay a heavy price for it | Cost: $$$ Security rating: *** |
Hire/reassign staff to create and enforce security policies | Helps secure everyday operations | Cost: $$ Security rating: *** |
Dedicate one staffer to ongoing maintenance of security systems | This is a low-cost, highly cost-effective way to improve security | Cost: $ Security rating: **** |
Improve IT security awareness through employee training | Low-cost and effective way to quickly improve security | Cost: $ Security rating: **** |
Regular virus and patch upgrades, firewall reconfiguration, security audits | Worth the cost, ensures critical updates don't get delayed/fall by the wayside | Cost: $$ Security rating: *** |
Regular security/penetration audit and assessment | Expensive but necessary. White Hat hackers will give reports/suggest improvement | Cost: $$$$ Security rating: *** |
Outsource entire process of security management | Expensive, but includes service guarantees that the enterprise will remain secure | Cost: $$$$ Security rating: **** |
Do not hesitate to report
The CSI/FBI 2002 Computer Crime and Security Survey in the US reveals that
only 34% of surveyed respondents reported a security breach to law enforcement
bodies, and 77% of the respondents simply patched holes and moved on with
business. Rohit Nand, senior security consultant at Bangalore Labs, opines:
"The percentage of organizations in India that would detect a security breach
and report the same to law enforcement would be far lower than that in the
West. This is due to factors like lower security awareness levels and budgets,
apart from the lack of a centralized IT security incident reporting body, like
FBI and CERT."
A company's IR plan should detail whether the authorities should be called,
in what circumstances, and by whom. For instance, when an employee receives a
threat via e-mail or trade secrets have been compromised, the authorities should
be informed fast. But where an employee is merely suspected of accessing
information that is off-limits, the matter may be best dealt with in-house.
On the whole, reporting cybercrimes and network attacks is the right thing to
do. Only by sharing information with law enforcement and industry groups will it
become easier to prosecute criminals, identify new security threats and prevent
future attacks.
Amit Sarkar in New Delhi