Information systems security incident - Essay Example

Concepts of Operations Project Information Systems Security Incident This paper defines CONOP for ‘B Concepts’. The mission of B-Concepts CIRT is: “To protect communications and promote standards that give us a unique advantage”. To fulfill this mission the operational framework for security of the software, hardware and data associated with information systems is defined based on ISO 17799. CONOP outlines the key players, their roles and responsibilities in the event of information security incident. The CONOP is defined to control the information & financial loss, for business continuity, security policy review and security awareness programme. The CIRT organization structure is detailed; roles and responsibilities of the team members are defined. CIRT acts on information & security logs to anticipate security threats and to resolve the security incidents. This paper describes the types of logs that are maintained at B-Concepts, the log management system and discusses the advantages of security logs. Three types of security logs are maintained at B-Concepts: Security process logs are records of the security procedure and security policy application. These logs are recorded in the normal condition. Security fault logs are recorded in absence of security policy and risk management strategy. Security breach logs are the records of security policy breach. Information Systems Security Incident The CONcept of OPerations on information security incident is based on the severity and impact of the incident. “An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices” (GRANCE, KENT & KIM, 2004). Security Framework “ISO 17799 refers to hundreds of best-practice information security control measures that organizations should consider to satisfy the stated control objectives” (ISO 17799, 2005). The standards propose that an organization must identify the information assets and make a risk assessment for these assets. The computer security incident response policies for B-Concepts are defined in the security policy document based on the function/business and infrastructure of the organization. Computer Incident Response Team (CIRT) CIRT structure can be based on any of the 3 models: 1. Central Incident Response Team – a single team to handle incidents throughout the organization. 2. Distributed Incident Response Team – multiple teams for handling incidents of particular logical or physical segments of the organization. 3. Coordinating Team – A team that provides guidance and advice to individuals or department wide teams. The CIRT team can be partially/fully outsourced or staffed with internal employees. B-Concepts CIRT1 Roles and responsibilities: All members of the CIRT are prepared to interact with media. One member of CIRT is nominated as POC for media and law enforcement. The members of CIRT are accessible to anyone who suspects or discovers a computer security incident that involves organization interest (GRANCE and et al., 2004). Fig 1. Incident Response Lifecycle (GRANCE and et al., 2004) The responsibilities of CIRT in the incident lifecycle are: Preparation requires acquiring tools & resources, for incident handling, making a jump-kit1 and risk assessment of systems and applications for incident prevention. Detection: incident categorization based on type2 and signs (precursor3 or incident4). Analysis is done by profiling5 and understanding the network systems behavior, studying the logs and security alerts. CIRT must create a centralized logging system & log policy, it must be able to correlate events, conduct research to gain information, collect data by packet sniffers and data filtering. CIRT is also responsible for the documentation of incident information, incident prioritization to determine the impact on affected resources and notification to the concerned authorities. Containment: physical isolation of the affected resource, freezing logs & documents for evidence. Eradication & Recovery: destroying the defaulter - attacker, malicious code, or other sources of problem. The system is recovered to normal state and security is hardened. Post incident activity is objective and subjective analysis of incident logs and CIRT activities to determine the cause of security failure & performance of the team. Levels of authority include: 1. Disconnection and confiscation of equipment, monitoring suspicious activity and reporting incidents. 2. Communication with organization ISP, the attacker ISP, vendor of vulnerable software, media, external experts and CIRT. 3. Discussion with organization public affair office, legal department and management to establish policies and procedures for information sharing and incident response. 4. Documentation of contacts, communications and logs for federal liabilities and evidentiary purposes. Organization & Structure: The following factors are considered for constituting the team: 24x7 availability of team members, full-time/part-time according to the organization requirement and budget, employee moral, quality of work and expertise6. The sensitivity of the information shared and the need to correlate logs with internal data are considered for hiring external expert. Security Measurement – CIRT Logs Security incident logs are the records of security events such as: security process, security fault or security breach. The types of incident logs that are generated are: 1. Security logs (e.g. intrusion detection & prevention, security device logs, audit logs), 2. OS logs (e.g. user account, error codes), 3. Application logs (e.g. FTP, HTTP, SMTP, malicious code) These logs can be categorized as security attack, fraud or inappropriate usage. The authenticity of the log source7 is important to determine the accuracy of log information. Information security performance metrics provide a means for the monitoring and reporting of agency implementation of security controls. They also help assess the effectiveness of these controls in appropriately protecting agency information resources in support of the agency’s mission (CHEW, CLAY, HASH, BARTOL & BROWN, 2006, page 17). Advantages of security incident logs are many. “Using information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data“(GRANCE and et al., 2004) 1. Security performance metrics is generated with routine log analysis. The vulnerable information assets are identified; policy violations or fraudulent activity by internal employees or external factors is checked. The information and security system operational problems are identified and fixed. 2. Based on security logs new security policies and controls are drafted and implemented. 3. In the event of security breach these logs are used for forensic analysis. 4. The security logs are useful in performing audits on organization security8 expenditure. This data is input to the management decision making process and the security awareness program. 5. Security logs are stored to comply with Federal legislation and regulations: FISMA, HIPAA, SOX, and GLBA. Security logs review: This process includes archiving old records and destroying records that are not needed. The logs are analyzed to prepare reports for the management. The security records are used for security incident anticipation and determine the organizations financial savings by security policy implementation e.g. user authentication attempt. Security Log Management The challenges are: 1. Generation of security logs from many sources with different log formats & size. 2. Protection of logs by filtering9, archiving, size limitation10 and safe storage. 3. Pro-active analysis of logs to avoid impending problems, e.g. catch the defaulter for login attempts before security breach. A 3-tier log management infrastructure is designed to meet these challenges. “A log management infrastructure consists of the hardware, software, networks, and media used to generate, transmit, store, analyze, and dispose of log data” (SOUPPAYA & KENT, 2006, page 23). Tier Activity to overcome challenges Log Generation 1. Implement organization policy for log collection, 2. Audits to confirm log standards and guidelines. Log consolidation & storage 1. Robust & secure log storage for confidentiality, integrity & availability of log data. 2. Filtering, aggregation, normalization and correlation of logs to reduce log data. Log Monitoring Training for log reduction, clearing, rotation11, log parsing, log archiving & log analysis. Table 1. Log Management Infrastructure The B-Concepts CIRT responds to security incident logs according to the organization security policy for the event. References: 1. Chew, Elizabeth., Clay, Alicia., Hash, Joan., Bartol, Nadya. & Brown, Anthony. (May 2006). Guide for developing Performance Metrics for Information Security. NIST. Retrieved September 24, 2006, from http://csrc.nist.gov/publications/drafts/draft-sp800-80-ipd.pdf 2. Grance, Tim., Kent, Karen. & Kim, Brian. (Jan 2004). Computer Security Incident Handling Guide. NIST. Retrieved September 26, 2006, from http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf 3. ISO 17799 / ISO 27002. (2005) The international standard Code of Practice for Information Security Management. Retrieved September 24, 2006, from http://www.iso27001security.com/ 4. Souppaya, Murugiah. & Kent, Karen. (April 2006). Guide to Computer Security Log Management. NIST. Retrieved September 24, 2006, from http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf Bibliography: 1. Hellman, Gretchen. (n.d.). From Logs to Logic. Information Systems Security. Retrieved September 27, 2006 from http://www.infosectoday.com/Articles/logstologic.htm 2. Kabay, M.E. (July, 2004). CIRT Management: Rapid Alerts. Network World. Retrieved September 27, 2006 from http://www.networkworld.com/newsletters/sec/2004/0712sec2.html Appendix A. Glossary CMS – Code Management System CSIR – Computer Security Incident Response DMS – Document Management System DMZ – Demilitarized Zone FISMA – Federal Information Security Management Act GLBA – Gramm Leach Bliley Act HIPAA – Health Insurance Portability and Accountability Act OS – Operating System PCB – Printed Circuit Board POC – Point of Contact SOX – Sarbanes Oxley Act Appendix B. B-Concepts CIRT The CIRT organization chart comprises of representatives from the given departments (Model 1). CIRT member is nominated as manager. Fig 2. CIRT Organization Chart The members provide CSIR support for: 1. System Administration – the external & internal security threats & incidents to the organization computer network. 2. Product release – the security incidents related to the under-development organization products. 3. Quality Assurance – the CMS/DMS & released products incidents 4. External Experts – formulating policies and assistance where internal expertise is lacking. Read More