SecureWorks - On the Radar Newsletter - January 2009
Essentials Series: Security Information Management
In The Essentials Series: Security Information Management, readers will learn about the fundamental processes and technologies that support security information management (SIM) operations, as well as the business justification for SIM. This series includes an examination of different options for implementing SIM and evaluation criteria for selecting the best options for a particular organization.
Learn More about the Essentials Series
Security 101: Building a Computer Security Incident Response Plan
When a breach occurs, being well-prepared to respond can mean the difference between a minor event and a widespread incident. And with internet threats growing in number and sophistication, having a Computer Security Incident Response Plan (CSIRP) is more important now than it ever has been. A CSIRP provides invaluable guidance amidst the chaos and urgency of a security breach. Without a CSIRP in place, organizations find themselves wasting time and resources as they scramble to respond – leading to higher costs and more damaging incidents.
What is the purpose of a CSIRP?
A Computer Security Incident Response Plan provides structured guidance for mitigating a successful attack, whether by an outside assailant or a malicious insider, on your IT systems and data. Specifically, a CSIRP helps you:
- Determine what happened
- Determine how it happened
- Assess the impact/damage
- Contain the incident to prevent further damage
- Recover from the incident
- Prevent similar incidents in the future
- Identify the attacker (if possible)
- Document the incident
Preparing a CSIRP
For a CSIRP to be effective during a crisis, it must strike an appropriate balance between thoroughness and usability. It is not possible to anticipate every potential attack you could face in the future. Even if it were, the resulting lists of procedures would be so extensive that consulting them during a crisis would be too time-consuming to be useful. When developing your CSIRP, you want to build flexible guidelines for response and recovery that can be readily applied to any incident.
The first step towards developing a CSIRP that is both flexible and thorough is determining the set of priorities that will govern your response activities. For example, if your organization is a hospital, your first priority during a security incident is to prevent the loss of life, so actions that prevent the loss of life supersede all others. Establishing priorities aligns your response activities with what is best for your organization.
Once you have established your priorities, the next CSIRP development step is defining generic action plans for common incident situations that lay out high-level procedures for response and recovery based on those priorities. For example, upon receiving a report of abnormal host behavior, an initial action plan may be to first isolate the system and then review the available information from security controls (anti-virus, host intrusion prevention software, and network and host logs) to verify the abnormal behavior and determine whether there is an incident. Having action plans in place removes ambiguity about how to best follow priorities in a given situation.
A CSIRP also needs to define roles and responsibilities during an incident to eliminate potential confusion and delays during the response and recovery process. This means not only assigning responsibility for specific tasks but also granting appropriate levels of authority to those involved in response activities. Even with guidelines and priorities established, decisions will have to be made while responding to an incident. Select members of your CSIRP team need to have sufficient authorization to make those decisions and take action accordingly in a timely fashion. There also needs to be clear escalation paths to any individuals whose approval is needed prior to taking actions that will have a significant impact on the organization.
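The priority-driven action plan described above (isolate first, then corroborate the report against the available controls, with a named approver for actions whose impact touches the top priority) can be written down as a small runnable playbook. The following is an added example, not SecureWorks code: the priority list, system tags, role names, host names and log lines are all constructed for illustration.

```python
"""Priority-driven action plan for an 'abnormal host behaviour' report.

Added example, not SecureWorks code. It applies a fixed priority list to a
reported host, orders the isolate/review/declare steps accordingly, and
treats the report as a verified incident only when at least two independent
controls (anti-virus, HIPS, host logs) corroborate it. All log lines, host
names, system tags and role names are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Priorities in rank order, highest first (the hospital example from the text).
PRIORITIES = ("life_safety", "sensitive_data", "business_operations")

# Which priority each system tag maps to (hypothetical tags).
SYSTEM_PRIORITY = {
    "patient_monitoring": "life_safety",
    "ehr": "sensitive_data",
    "hr": "sensitive_data",
    "intranet_wiki": "business_operations",
}

# Who must approve a high-impact action at each priority (hypothetical roles).
APPROVER = {
    "life_safety": "clinical safety officer",
    "sensitive_data": "CISO",
    "business_operations": "incident commander",
}

# Constructed log excerpts from three independent controls.
AV_LOG = (
    "2009-01-12 09:13:02 host=WS-0142 action=quarantine threat=Trojan.Generic path=C:\\temp\\svc.exe\n"
    "2009-01-12 09:40:11 host=WS-0077 action=clean threat=Adware.Toolbar path=C:\\dl\\setup.exe\n"
)
HIPS_LOG = (
    "2009-01-12 09:13:01 host=WS-0142 rule=process_injection pid=2210 target=lsass.exe verdict=block\n"
)
HOST_LOG = (
    "2009-01-12 09:12:58 host=WS-0142 event=4688 new_process=C:\\temp\\svc.exe parent=outlook.exe\n"
    "2009-01-12 09:20:10 host=WS-0142 event=4624 logon_type=3 user=svc_backup src=10.0.5.9\n"
)
SOURCES = {"antivirus": AV_LOG, "hips": HIPS_LOG, "host": HOST_LOG}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.*)$")


@dataclass
class HostReport:
    host: str
    systems: tuple  # system tags the host supports, e.g. ("ehr",)


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def corroborate(host, sources):
    """Return {source_name: [events]} for every source that mentions the host."""
    found = {}
    for name, text in sources.items():
        hits = [e for e in parse_log(text) if e.get("host") == host]
        if hits:
            found[name] = hits
    return found


def top_priority(report):
    """Highest-ranked priority among the systems the reported host supports."""
    touched = {SYSTEM_PRIORITY.get(s, "business_operations") for s in report.systems}
    for p in PRIORITIES:
        if p in touched:
            return p
    return PRIORITIES[-1]


def plan_response(report, sources):
    """Apply the generic action plan: isolate, review, then declare or stand down."""
    priority = top_priority(report)
    steps, approver = [], None
    if priority == "life_safety":
        # Isolating a host behind a life-safety system is itself high-impact,
        # so the plan routes that decision to the designated approver first.
        approver = APPROVER[priority]
        steps.append(f"obtain approval from {approver} before isolating {report.host}")
    else:
        steps.append(f"isolate {report.host} from the network")
    evidence = corroborate(report.host, sources)
    steps.append("review anti-virus, HIPS and host-log evidence for the host")
    # One source alone may be a false positive; require two to agree.
    is_incident = len(evidence) >= 2
    if is_incident:
        steps.append("declare an incident and notify the CSIRP team")
    else:
        steps.append("no corroboration: record as a false alarm and return the host to service")
    return {"incident": is_incident, "priority": priority, "steps": steps,
            "approval_required_from": approver, "evidence_sources": sorted(evidence)}


if __name__ == "__main__":
    for r in (HostReport("WS-0142", ("ehr",)), HostReport("WS-0077", ("patient_monitoring",))):
        print(r.host, plan_response(r, SOURCES))
```

The second report (WS-0077) shows both decisions at once: the host sits behind a life-safety system, so isolation is held for approval, and since only one control mentions it the plan stands down rather than declaring an incident. Replacing the constructed log strings with real exports from your own controls is all that is needed to run the same triage on a live report.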
CSIRP Review and Testing
Once you have prepared your CSIRP, it needs to be reviewed and tested to see how it performs and identify areas in need of improvement. Periodic reviews should be performed on a regular basis afterwards to ensure it is up-to-date. Tabletop exercises where the CSIRP team is placed in theoretical incident situations and walks through response and recovery activities are a very good way to evaluate CSIRP performance and familiarize team members with their roles and responsibilities. You can also conduct war games where you execute a full incident scenario in a simulated environment complete with “bad actors” going up against your response team. This is a good way to test more mature CSIRP plans that have already been subject to numerous tabletop exercises and reviews.
You should also conduct a "lessons learned" session with CSIRP team members after you experience a real security incident, to take advantage of the opportunity to review CSIRP effectiveness. Were your priorities correct and properly aligned with your organization's goals? Were the action plans sufficient to minimize the incident's impact? Analyzing CSIRP performance after an incident will help you identify revisions that improve CSIRP effectiveness during future incidents.
Additional SecureWorks Resources for Computer Security Incident Response:
- Emergency Procedures: Best Practices for Incident Response Webcast
- Incident Response Services Overview
Vendor Management: Background Checks
The importance of a background check is often underestimated during the process of selecting a vendor or service provider. A low-cost, basic background check is simply not sufficient when protecting your most sensitive information. This article will detail the necessary due diligence and best practice tasks that should be performed during background checks for vendor, contractor and service provider personnel that may have access to your critical systems and data.
Comprehensive background checks allow you to identify personnel risks in advance so those that are unnecessary can be avoided. For example, a comprehensive background check on the consultant you're considering to test your network for vulnerabilities may reveal past convictions for hacking and identity theft. Is it worth the unnecessary risk to "hand him the keys to your kingdom" when another consultant with a clean history is available?
In terms of civil and criminal record searches, there are a handful of valuable searches.
- County Civil Record Search provides information regarding civil suits filed by or against the individual in the county of the state where the suit was filed. Civil records are filed by name.
- County Criminal Record Search provides felony and/or misdemeanor convictions and/or charges located at the county level.
- Federal Civil Record Search provides information regarding civil suits filed by or against the individual. The Federal Civil Record Search is conducted through the Federal District Court and may involve disputes greater than $75,000, suits filed between parties residing in different states or a subject in violation of Federal law.
- Federal Criminal Record Search is also conducted through a Federal District Court and may include federal offenses such as bank robbery, embezzlement, tax evasion, mail fraud, crimes occurring across state lines or crimes occurring on federal property.
- Federal Criminal National Record Search is very similar to the Federal Criminal Record Search, covering offenses in the same areas, but the individual's name is searched in all available online Federal District Courts. For those with common names, results are returned with a coinciding Social Security Number Trace and/or Address Locator.
- Statewide Criminal Record Search includes felony and/or misdemeanor charges or convictions where available in a State database, usually from State law enforcement or the Administrative Office of the Courts.
- Sex Offender Registry Search covers registered sex offenders in most states; results are filed by subject name.
- US Criminal Records Indicator Search is a database search of records including information from State Sex Offender Registries, multiple online county records, the Office of Foreign Assets Control, the Designated and Blocked Individuals List, and the Interpol Most Wanted list.
- World Check is a database of highly structured profiles on heightened risk individuals and entities such as terrorists, fraudsters, narcotics traffickers, shell banks, politically exposed persons, organized crime, sanctioned entities, and many other categories. World Check is constantly updated and is derived from hundreds of thousands of public sources.
Besides the in-depth civil, criminal and sex offender registry searches, there are other fundamental components to the background check package.
- Consumer Credit Report provides an individual's credit history including information such as places of employment or prior addresses, credit account types, terms, accounts past due, loan types, balances, public records, high credit, dates accounts were opened and closed, payment patterns, credit limits and modes of payment. Individuals in financial duress are more likely to use their access for illegitimate gains.
- Education Verification is another important element in which institutions are contacted where degrees were attempted or received. The report may also include dates of attendance, major or course of study, degrees received and dates of graduation.
- Employment Verification Report validates, through the employer's Human Resources Department, dates of employment, position, duties, eligibility for rehire, salary, attendance, and performance. In connection with Employment Verification, Professional Licenses and References can be checked as well.
- Professional License Verification can be done by contacting the applicable state or national licensing board or agency to verify information such as license type, license number, status, original issue date and disciplinary action.
- Professional References should be contacted and can provide information such as length of time the reference has known applicant, the applicant's weaknesses or developmental needs, recommendations, and other functions related to the applicant's performance.
- The Office of Foreign Assets Control provides information by the US Treasury Department, which administers and enforces economic and trade sanctions. These sanctions apply to targeted foreign countries and individuals, terrorism sponsoring organizations and international narcotics traffickers based on US foreign policy and national security goals as established by the Department of State.
- Social Security Number Trace and Address Locator Database is a key search that may provide information including name and name variations used by the individual, such as maiden, divorced or previous names, current and former addresses associated with that SSN as well as date of birth.
- Motor Vehicle Report by State verifies the driver's license number, status and state of issuance, and may provide information such as full name and physical description, as well as recent moving traffic violations and accidents.
When executing some of the above checks you may not be provided with all of the background information requested. For example, some companies have policies for reference checks that limit the information they are able to provide. Incorporating as many of the above checks as possible into your process helps to compensate if an individual check fails to provide adequate background information.
To protect your organization and your customers, extensive in-depth background checks should be performed for any individuals with potential access to your organization's critical data and systems. Not requiring sufficient background checks for your employees, vendors and service providers presents unnecessary risks that could lead to significant costs for your organization. The items listed above detail the elements a thorough background check should include.
SecureFacts:
Source: Counter Threat Unit℠