Good day, dear Habrahabr!
I continue to publish articles from information security practices.
This time it will be about such an important component as security incidents. Handling incidents will take the lion's share of your time once the information security regime is in place (the documents have been adopted, the technical measures installed and configured, and the first training sessions held).
Incident Reporting
First of all, you need to receive information about the incident. This needs to be thought through at the stage of shaping the security policy and preparing the information security awareness presentations for employees.
Main sources of information:
1. Helpdesk. As a rule (and this is a good tradition), any faults, malfunctions or equipment failures are reported by phone or in writing to your IT service's helpdesk. Therefore, you need to "integrate" into the helpdesk business process in advance and specify the types of incidents for which a ticket is to be forwarded to the information security department.
2. Messages directly from users. Organize a single point of contact, as announced in the information security training for employees. At present, information security departments in organizations are usually small, often 1-2 people. So it is easy to appoint a person responsible for receiving incident reports; you do not even need to bother allocating a separate email address for an IS helpdesk.
3. Incidents discovered by security officers. Simple: no special arrangements are needed to organize this reporting channel.
4. Logs and alerting systems. Configure alerts in the antivirus console, IDS, DLP and other security systems. It is more convenient to use aggregators that also collect data from the logs of the programs and systems installed in your organization. Pay special attention to the points of contact with the external network and to the places where sensitive information is stored.
Categorize the incident
Although security incidents are many and varied, they are quite easy to divide into a few categories, which makes statistics easier to keep.
1. Disclosure of confidential or internal information, or the threat of such disclosure. For this you need, at a minimum, an up-to-date list of confidential information and a working system for labelling electronic and paper media. A good example: the document templates for almost every situation that sit on the organization's internal portal or internal file storage are, by default, stamped "For internal use only".
A little clarification on the threat of disclosure: in the previous post I described a situation where a document stamped "For internal use only" was posted in a shared hall adjoining another organization. Perhaps no disclosure actually occurred (it was posted after the end of the working day and noticed very quickly), but the threat of disclosure is obvious!
2. Unauthorized access. For this you must have a list of protected resources, that is, those holding any sensitive information of the organization, its clients or contractors. Moreover, it is desirable to include in this category not only penetration into the computer network, but also unauthorized access to premises.
3. Excess of authority. In principle you could merge this item with the previous one, but it is better to keep it separate; here is why. Unauthorized access covers persons who have no legitimate access at all to the organization's resources or premises: an external intruder with no legal way into your system. Excess of authority means unauthorized access to resources or premises by the organization's legitimate employees.
4. Virus attack. Here you need to understand the following: a single infection of an employee's computer should not trigger a formal investigation, since it can be put down to carelessness or the notorious human factor. If a significant percentage of the organization's computers are infected (judge this from the total number of machines, their distribution, segmentation, etc.), then a full-fledged security incident process must be launched, with a search for the sources and causes of the infection, and so on.
5. Compromised accounts. This item overlaps with item 3. In fact, an incident moves from category 3 to category 5 if, during the investigation, it turns out that the user at that moment physically could not have used their credentials.
Incident classification
Here you can go one of two ways: simple or complex.
The simple way: take the service level agreement of your IT service and tailor it to your needs.
The complex way: based on a risk analysis, select the groups of incidents and/or assets for which resolution, or elimination of the incident's causes, must be immediate.
The simple way works well in small organizations, where there is not much secret information and not a huge number of employees. But understand that the IT service's SLA is built on its own risks and incident statistics. It is quite possible that a paper jam in the printer on the CEO's desk will have a very high priority there, whereas for you the compromise of the corporate database administrator's password matters more.
Collect evidence of the incident
There is a special applied science, forensics, which deals with criminalistics in the field of computer crime. And there is a wonderful book by N. N. Fedotov, "Forensics: computer criminalistics". I will not describe the aspects of forensics in detail now; I will just highlight the 2 main points on preserving and presenting evidence that must be adhered to.
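An added example, not from the post or from Fedotov's book, of the second point below for computer media: a mirror image is taken, independently re-hashed, and a witnessed custody record is appended to a protocol file; the collector and witness names and the sample "USB stick" are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large image never has to fit in memory

def sha256_of(path: Path) -> str:
    """Hash a file chunk by chunk and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_medium(source: Path, image: Path, log: Path, collector: str, witness: str) -> dict:
    """Copy, re-hash the copy independently, append a witnessed custody record to `log`."""
    original_hash = sha256_of(source)  # reference value, taken before anything is copied
    shutil.copyfile(source, image)
    record = {"source": str(source), "image": str(image), "collector": collector,
              "witness": witness, "taken_utc": datetime.now(timezone.utc).isoformat(),
              "sha256_original": original_hash, "sha256_image": sha256_of(image)}
    record["verified"] = record["sha256_original"] == record["sha256_image"]
    with log.open("a", encoding="utf-8") as f:  # append-only protocol of actions
        f.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image does not match the original; it cannot serve as evidence")
    return record

def still_intact(image: Path, record: dict) -> bool:
    """Later check (e.g. before presenting evidence): does the image still match the record?"""
    return sha256_of(image) == record["sha256_image"]

def demo() -> tuple:
    """Image a constructed 'USB stick'; then show the check fail after a byte is altered."""
    work = Path(tempfile.mkdtemp())
    medium, image = work / "usb_stick.bin", work / "usb_stick.img"
    medium.write_bytes(b"constructed sample content of a seized USB stick\n" * 1000)
    rec = image_medium(medium, image, work / "custody.jsonl", "I. Ivanov (IS)", "P. Petrov (IT)")
    before = still_intact(image, rec)
    image.write_bytes(image.read_bytes() + b"\x00")  # simulate tampering after imaging
    return rec, before, still_intact(image, rec)
```

In practice the source medium should be attached read-only (hardware or software write blocker) before `image_medium` runs, so that the original itself stays unchanged.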
• For paper documents: the original is kept securely, with a record of who discovered the document, where and when it was discovered, and who witnessed the discovery. Any investigation must be able to show that the originals were not tampered with.
• For information on computer media: mirror images of any removable media, of information on hard drives or in memory must be taken to ensure availability. A record of all actions during the copying process must be kept, and the process must be witnessed. The original medium and the protocol (or, if that is impossible, at least one mirror image or copy) must be kept protected and intact.
After eliminating the incident
So, the incident has been settled, the consequences are eliminated, an internal investigation has been carried out.
But the work should not end there.
Further actions after the incident:
• reassessment of the risks that led to the incident
• preparation of a list of protective measures to minimize the identified risks in case the incident recurs
• updating the necessary policies, regulations, information security rules
• training of the organization's staff, including IT staff, to raise information security awareness
That is, take every possible action to minimize or neutralize the vulnerability that allowed the security threat to be realized and, as a result, the incident to occur.
Some tips
1. Keep an incident log recording the time of detection, the details of the employee who detected the incident, the incident category, the affected assets, the planned and actual time to resolve the incident, and the work done to resolve the incident and its consequences.
2. Record your actions. This is needed first of all for yourself, to optimize the incident resolution process.
3. Notify employees about the incident so that, first, they do not interfere with your investigation and, second, they do not use the affected assets during the investigation.
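As an added example that is not part of the post, here is how the "complex way" of classification, the incident log from tip 1 and the category 3 to 5 rule fit together in one small register; the asset groups, planned hours and the sample case are assumed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Category(Enum):            # the five categories from the post
    DISCLOSURE = 1               # confidential/internal info disclosed, or threatened
    UNAUTHORIZED_ACCESS = 2      # outsider with no legitimate access at all
    EXCESS_OF_AUTHORITY = 3      # legitimate employee going beyond their access
    VIRUS_ATTACK = 4
    COMPROMISED_ACCOUNT = 5

# "Complex way": asset groups chosen by risk analysis, with hours allowed for resolution.
# Group names and hours are assumed for illustration, not taken from the post.
PLANNED_HOURS = {"critical": 1, "sensitive": 8, "ordinary": 72}

@dataclass
class Incident:
    detected_at: datetime
    reported_by: str
    category: Category
    assets: list
    asset_group: str
    actions: list = field(default_factory=list)   # the "record your actions" log
    resolved_at: Optional[datetime] = None
    def planned_by(self) -> datetime:
        # planned resolution time follows from the asset group, not from IT's SLA
        return self.detected_at + timedelta(hours=PLANNED_HOURS[self.asset_group])
    def within_plan(self) -> Optional[bool]:
        # None while the incident is open; otherwise whether actual time met the plan
        return None if self.resolved_at is None else self.resolved_at <= self.planned_by()
    def record(self, when: datetime, who: str, what: str) -> None:
        self.actions.append(f"{when:%Y-%m-%d %H:%M} {who}: {what}")

def reclassify(inc: Incident, when: datetime, user_could_act: bool) -> Incident:
    # post's rule: category 3 becomes 5 when the investigation shows the user
    # physically could not have used their credentials at that moment
    if inc.category is Category.EXCESS_OF_AUTHORITY and not user_could_act:
        inc.category = Category.COMPROMISED_ACCOUNT
        inc.record(when, "IS", "recategorized 3 -> 5: user could not have acted")
    return inc

def demo() -> Incident:
    # constructed case: DB admin password used from a workstation while the admin was on leave
    t0 = datetime(2013, 5, 14, 9, 30)
    inc = Incident(t0, "helpdesk ticket (constructed)", Category.EXCESS_OF_AUTHORITY,
                   ["corporate DB"], "critical")
    inc.record(t0 + timedelta(minutes=5), "IS", "DB admin account used while admin on leave")
    reclassify(inc, t0 + timedelta(minutes=40), user_could_act=False)
    inc.resolved_at = t0 + timedelta(hours=2)   # password reset, sessions terminated
    return inc
```

`within_plan()` returning `False` for the constructed case is the kind of fact the post asks you to keep statistics on: a "critical" asset with a one-hour plan was actually closed in two.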