Recently in Incident Management Category



Incident response is generally defined as actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs. The goal is to reduce the impact to a level that is acceptable; senior management must define what acceptable impact levels are. Incidents must be closed and affected systems, applications and databases must be restored within the Acceptable Interruption Window (AIW) for the type of incident that has occurred. Any incident (e.g., a data security breach) that threatens to quickly escalate out of control causing massive financial loss will almost certainly have a much lower AIW than one (e.g., when a single user workstation is infected with spyware) that is less likely to spread quickly with far less financial loss.

Incident response has become an increasingly critical function in organizations over the years for several reasons:

• Incidents have become increasingly complex and costly. Consider, for example, the Aurora attacks that started late last year. So much sensitive and valuable information was stolen (almost certainly by the Chinese) that estimating the extent of financial loss that corporations suffered became virtually impossible.
• There are three main types of controls: preventative, detective and reactive. Preventative controls are in theory best because they can keep incidents from occurring in the first place. But the attack surface has grown phenomenally over the last few years, and it continues to do so, to the point that preventative controls now leave far more residual risk than ever before. Information security professionals are realizing that more detective and reactive controls are needed if there is to be any chance of reducing security risk to an acceptable level. Incident response is the major type of reactive control.
• Incident response has become a critical part of organizations' due care posture. For example, ISO/IEC 27001 and 27002 list incident response as one of the critical requirements for effective information security practices.
• Legal and regulatory considerations also dictate that organizations have effective incident response capabilities. For example, incident response-related requirements can be found in both NERC/FERC and FISMA.

Unfortunately, under the "heat of battle," the probability of incident response team members making mistakes increases substantially. Mistakes during the incident response process are potentially extremely disruptive and costly, and should be avoided to the maximum extent possible. I have chosen 18 mistakes that I believe are to be avoided at all costs. They are:

• Neglecting to establish an incident response effort in the first place. This is the worst of all possible mistakes. There will be no policy or procedures to guide the incident response process; much of what is done will be ad hoc. Incident response will invariably be inefficient, uncoordinated, incomplete, plagued with errors, and unduly costly.

• Lack of a well-defined charter. An incident response effort needs a charter, which is in many ways a type of "license to operate." Without a charter, the responsibilities of an incident response team will not be spelled out, the scope of the team's effort will not be defined, the amount and boundaries of the team's authority will be ambiguous, and the constituency and/or stakeholders and their interests will not be delineated. Accordingly, the chances for success will be minuscule.

• Failure to set up a management infrastructure for incident response. Management is particularly critical in the incident response arena, where pandemonium usually prevails. If no management infrastructure has been established, management roles are unlikely to be sufficiently specified (if at all) and lines of authority are likely to be unclear. Where incident response sits in the organization chart will in all likelihood also be ambiguous, as will who is in charge at any given moment. The result is likely to be a continual state of confusion during incident response operations.

• Neglecting to acquire necessary forensic and incident response hardware and software in advance. Incident response staff members need to be highly proactive in anticipating their hardware and software needs. Standard procurement procedures and obtaining forensic and incident response hardware and software quickly in emergencies do not go hand-in-hand. On-the-spot decisions concerning requirements and the products that best meet these requirements are seldom adequate.

• Failing to interface with the intrusion detection capability. Many organizations have separate intrusion detection and incident response capabilities. There may be some advantages in bifurcating these functions, but doing so is likely to produce silos in which incident response staff are not promptly informed about incidents that occur and do not receive sufficient information about each incident. If intrusion detection and incident response are two separate functions, one or more response staff must continually be "in the loop" regarding intrusion detection processes. Critical tasks in these processes include documenting all relevant data and occurrences, separating real symptoms of an incident from pseudosymptoms, gauging the size and impact of each incident, establishing priorities and following them, dealing with forensics considerations right from the start of each incident, and preserving the integrity and availability of the systems used in intrusion detection and the data that they produce.

• Not taking advantage of Security Information and Event Management (SIEM) technology to identify incidents in real time. For reasons I honestly do not understand, many organizations have still not implemented SIEM technology. Members of their technical staff instead tediously comb through volumes of audit log output and a plethora of alerts and warnings produced by intrusion detection and intrusion prevention systems. Consequently, organizations without SIEMs are not only wasting money (because of the amount of labor required) but, more importantly, are too often taking much too long to identify incidents. By the time they finally identify incidents, the incidents are likely to have escalated to the point that a myriad of systems, applications, pieces of personally identifiable data, and more have been compromised, resulting in a far higher financial cost than if the incidents had been promptly detected. The event correlation capability that certain SIEM products provide can lead to much easier and quicker detection of incidents that occur.

I'll cover the rest of the most costly mistakes in incident response in part two of this series. Stay tuned.


Not so long ago, I remember that talking about information security management raised a lot of eyebrows; it was something of a black art, kind of like UNIX administration.
But in today's world, cyber security has received enough attention from the White House, Congress, the military and law enforcement, not only in the U.S. but across the globe, that discussing the need for cyber security and information security management in the public and private sectors is no longer considered a foreign topic or a dark art. Risk management and information security management are now an interwoven fabric within IT frameworks such as COBIT and ITIL.

At the NJTC meeting yesterday at the Forsgate Country Club, we had a diverse set of parties interested in our solutions to support their Information Security Management Program, from audit and financial executives to IT management. Our solutions provide a means to help IT and data owners identify the threats and risks to their business processes in these times of round-the-clock international electronic business transactions. Situational awareness of today's highly complex, distributed IT service environments is no longer simply a nice-to-have but a necessity for the survival of digital business transactions against a world of distributed botnets and pre-zero-day vulnerabilities.

I would like to thank the NJTC for giving us the ability to reach out to so many different businesses operating across the State of New Jersey, and those who stopped by simply to hear what our solutions have to offer their business services.



In the article below, Microsoft reviews the Waledac botnet takedown and mentions a number of botnet shutdowns that have recently taken place. The article also mentions sudosecure.net, a Waledac tracking site.

The article goes on to talk about Operation 49, a botnet takedown task force and an "innovative application of a tried and true legal strategy":

"On February 22, in response to a complaint filed by Microsoft ("Microsoft Corporation v. John Does 1-27, et. al.", Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot."

"This legal and industry operation against Waledac is the first of its kind, but it won't be the last"


Microsoft Technet on the Waledac takedown



Developing an Information Security Privacy Schedule for Service Provider Transactions by David Navetta.

This article points out the need for customers to develop Information Security and Privacy Schedules as part of their service provider agreements. As more and more of our information technology and information security moves to outsourced technologies, customers need to be aware that not only are they still responsible for the privacy and security of their data, but they may also be taking on the risks that come with relying on the service provider's information security environment.


"The Customer should think of the Service Provider's security as an extension of their own internal security." IT services and information security management must take responsibility for how the trust relationships with their service providers are handled and how those relationships may impact the business should the service provider be compromised or suffer a breach.

In David Navetta's closing statement, he mentions the impact of incidents, not the initial impact of the exploitation of an exposure but the after-effects concerning liability and reputational damage. "First, it is not unusual for a security incident to yield "consequential damages" in addition to "direct damages," including loss of profits, lost customers, attorney fees, breach notice costs and other similar costs. If the overall contract contains a consequential damages disclaimer, the Customer should endeavor to get an exception for consequential damages arising out of a security incident and/or breach of the Schedule."

The credibility and reliability of your information security program is now an integral part of the stability and reputation of the business, along with how well you maintain the trust relationships with your business partners and service providers, which are now part of your extended business and control environment. The days of IT involving a few core services are gone; they have been replaced by data moving in and out of the environment for outside processing and storage, site-to-site VPNs, international privacy and security laws covering internal and external data, and the rise of "cyber insurance". David's article covers a wide variety of suggestions for what can be included in the Security/Privacy Schedule in contractual agreements with service providers.



According to IT World Canada:
A Microsoft-employed forum moderator had other advice. "For the people who installed [the update but] cannot start the computer normally, it is better to wait for the next stability and reliability update," said Arthur Li on Feb. 1. "Since there are thousands of different hardware and software configurations, it is hard for Microsoft to test the updates on all the different hardware and software configurations."

Microsoft Support


If there is one thing that makes everyone nervous, it is the instability of new operating systems being deployed in the enterprise. With IE already having control issues, there is a concern that the OS will also have stability problems.



netForensics will be at HP Universe in Hamburg, Germany this week.

From December 16th through the 18th at HP Universe 2009 we will be showing how our Information Security Management tools integrate with HP uCMDB and HP Operations Center Management. IT enterprise frameworks, including the OGC's ITIL v3 and ISACA's COBIT 4.1, call for Information Security Management, Change Management, and Service Asset and Configuration Management processes to be implemented across the ITIL Service Lifecycle: Service Strategy, Service Design, Service Transition and Service Operation.

nFX SimOne allows Information Security Management and Operations Management to be closely aligned throughout the Service Lifecycle. By integrating HP uCMDB, HP Operations Manager (OVO) and Information Security Management (SIEM) tools, organizations get a common view of the relationships between hosts, host resources and applications, together with an automatic change history. This gives organizations a common view of the Service Design and its control environment, allowing Information Security Management to create effective event correlation scenarios based on the enterprise framework and business processes, and so providing effective event management and incident management.

HP UNIVERSE HAMBURG GERMANY 2009


The National Interest online's article by Richard Clarke outlines the difficulties countries face in protecting their economies from disruption of the data processing that controls the nation's power grid, fuel supply, food supply chains, and so on, or the ability of private commerce to do business.

Although the article concentrates on the United States economy, it is a worldwide concern that the electronic infrastructure controlling the physical and logical stability of nations is fragile and vulnerable, and that our systems are complex, perhaps overly so.

There is real concern between nations that having the superiority to disable another nation's ability to conduct commerce, or to defend its control of the infrastructure that supplies services to its citizens, in times of political or resource conflict is far too much of an advantage. And then there is, as Richard Clarke points out, the "whodunit" piece.

Although I don't necessarily think this is limited to cyber warfare; certainly in conventional warfare, groups have tried, through covert activities, to blame conflicts on others not involved in order to escalate hostility between factions already at odds with each other.


As with the denial of service attacks in July: was it really who we thought it was, or was it someone else trying to make it look that way? It is often not the most recent notification or alert that lets you work through an incident, but the ability to perform historical correlation on transactions that were allowed through trusted environments.

The other point, although usually not discussed, is: where are all the electronics made? Who makes all the components inside the equipment?

Richard Clarke -
"The major differences between cyber war and conventional war--one that makes the battlefield more perilous--is what cyber warriors call "the attribution problem." Put more simply, it is a matter of whodunit. In cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source."

"The "critical infrastructure" of the transportation, finance, energy and communications sectors are owned and operated by nongovernmental entities, corporations that have proven highly resistant to regulation. The Federal Energy Regulatory Commission (FERC) issued new cybersecurity guidelines to U.S. power companies in January 2008, requiring greater separation of the operations systems from the public Internet."

Richard Clarke was special adviser to the president for cybersecurity in the George W. Bush administration. He is now chairman of Good Harbor Consulting. His book Cyber War, coauthored with Robert Knake, will be published by HarperCollins in the spring.


National Interest Article on War from Cyber Space


On 11/2/2009 Microsoft published its Security Intelligence Report.

Microsoft reports that Windows XP users experienced significantly more security violations than Windows Vista users, and that Conficker infection is the top threat in enterprise environments but not even in the top 10 in home computing environments.

From its statistical data, Microsoft points out that the types of threats differ by country: the U.S. and UK show a high presence of Win32/Alureon and Win32/Vundo, some EU countries saw Win32/Wintrim as most active, China saw Win32/BaiuSobar and Win32/Frethog, and in Brazil it is Win32/Bancos.
Client-side and server-side polymorphic viruses seem to account for a large share of the miscellaneous virus variants. A polymorphic virus can mutate its structure to avoid detection by antivirus programs, usually by changing a variable or variables in its code without changing its overall algorithm.

There is a lot of interesting data published in this report, which is about 232 pages long, including information about organizations that are actively involved in mitigating exploits.


Microsoft Security Intelligence Report

References:
Conficker Working Group


This document covers the People's Liberation Army's conceptual framework for delivering "integrated network electronic warfare". This includes space and satellite warfare and EMP attacks. The document also points out that the U.S. military's NIPRNET is a high-priority target. The article mentions that organizations are still not doing enough to use analysis tools like SIEM products. While the article cites that SIEM products may rely on signature-based detection, nFX One products correlate events beyond IDS/IPS signature events, drawing on a number of disparate operating systems, NetFlow data, and other host and network security devices to alert on abnormal behavior, and provide built-in incident response management workflow and integration with ITIL uCMDB processes.

The document provides a graphic on the "Timeline of Significant Chinese Related Cyber Events 1999-Present, including pointers to the very public GhostNet cyber espionage events as well as information on the National University of Defense Technology (NUDT)."


Reference:
US-China Economic and Security Review Commission Report on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
National University of Defense Technology


Punishment of the Innocent


It is amazing and rather disturbing that a US federal judge has recently ordered Google to lock a Gmail user out of his own account despite the fact that he has done nothing wrong.

It seems that a bank accidentally sent this user a file containing sensitive information. They asked the user to destroy it without reading it, but didn't receive an answer. At that point the bank sought legal action.

Again, I am left with questions and thoughts:

- How did this happen? Did someone intend to send this sensitive file via email to a different address and simply mistyped? If so, was the sender not aware of the inherent risks in sending unencrypted email?

- Does the bank have a policy regarding sending unencrypted sensitive information over the Internet using an insecure protocol like SMTP? If so, do they have any tools to enforce it?

- How did the bank discover this mistake? Did the sender realize his or her mistake and inform the compliance / security group, or was some automated detection system in place?

- What legal responsibility does the innocent email recipient have? Sure the data is sensitive, but it was freely given to him. Can't he do what he pleases with it (short of committing crime, such as theft)?

- As much as I would like to see the prevention of information leakage, I am still disturbed by the legal precedent set here. What if they send it to a corporate email system next time? Does the government have similar authority to disrupt the business of a private organization by forcing a shut down of their Internet connection?

The onus of correcting this problem should fall 100% on the bank. They should have to compensate the affected customers. They should have to compensate the email recipient for any harm they cause him. And most importantly, they should learn their lesson and prevent this type of leak from happening again.
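The questions above about a policy on sending sensitive data over SMTP, and whether any tool enforces it, describe an outbound content check that a mail gateway can apply before a message leaves. The following is an added example written for this page, not code from the original post, from the bank involved, or from any product; the message, the internal domain list, and the two detectors (Luhn-validated card numbers and SSN-shaped identifiers) are constructed assumptions standing in for whatever a real policy defines as sensitive. The check parses the outgoing message, scans every text part, masks what it finds so the log itself does not leak the data, and blocks only when sensitive content is headed to an external recipient.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed internal domain(s): mail staying inside them is not treated as a leak.
INTERNAL_DOMAINS = {"examplebank.test"}

# Constructed detectors. A real policy would carry more patterns (account numbers,
# customer identifiers) and would be tuned against the organization's own data.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed outbound message (not the bank's real message): a text/plain mail
# from an internal sender to an external webmail address, containing a test card
# number and a placeholder SSN.
SAMPLE_MESSAGE = """\
From: ops@examplebank.test
To: customer@gmail.test
Subject: account export
Content-Type: text/plain

Attached is the export you asked for.
Card 4111 1111 1111 1111, SSN 123-45-6789, account 00012345.
"""


def luhn_ok(number):
    """Luhn checksum: filters out most random 13-16 digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, masked value) pairs; only the last four characters survive masking."""
    findings = []
    for m in CARD_RE.finditer(text):
        raw = re.sub(r"\D", "", m.group())
        if luhn_ok(raw):
            findings.append(("card", "*" * (len(raw) - 4) + raw[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def message_text(msg):
    """Concatenate every text/* part so attachments with text bodies are scanned too."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_outbound(raw):
    """Policy decision for one outbound message: BLOCK, ALLOW_INTERNAL or ALLOW."""
    msg = message_from_string(raw)
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    findings = find_sensitive(message_text(msg))
    if findings and external:
        decision = "BLOCK"          # sensitive content leaving the organization in clear text
    elif findings:
        decision = "ALLOW_INTERNAL" # sensitive, but every recipient is internal
    else:
        decision = "ALLOW"
    return {"decision": decision, "external": external, "findings": findings}


if __name__ == "__main__":
    result = check_outbound(SAMPLE_MESSAGE)
    print(result["decision"], "external recipients:", result["external"])
    for kind, masked in result["findings"]:
        print(" ", kind, masked)
```

The same check answers the post's later question about a mistyped address: the decision is driven by the recipient domain, so a message that would be fine internally is stopped when the address resolves outside the organization. Masking in the findings matters because the gateway's own log is read by people who should not be a second copy of the leak.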


© 2010 netForensics, Inc