Archive for the ‘Vulnerability Assessment’ Category

Incident Response (How Prepared Are We?)

July 24, 2007

Recently there seems to have been a rash of data breaches, and one of them in particular (SAIC warns of possible data breach) made me start to analyze incident response programs in detail. Just how prepared is an organization for a data breach, and how well are our Preparation and Identification phases documented and, more importantly, actually followed?

This breach was not a hacking incident, a loss of backup tapes, stolen or misplaced documents, or an accidental posting of sensitive information on the Internet. According to SAIC's own web site, it was a misconfigured FTP server that was not placed behind a firewall, against SAIC policy.

What worries me, and should worry other InfoSec personnel, is how prepared we are to detect an issue before it goes into a production environment. Here is how I see it: there should be a strong change management process in place that alerts InfoSec personnel to new systems going online, a strong SDLC, and a process that continuously scans your IP space for new systems placed online without InfoSec's knowledge (this can also be done passively with a tool like arpwatch, which reports every new MAC/IP pairing it sees on the wire). These principles should be applied to internal systems and teams, and built into any contract with a vendor the CU may have.
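As an added example (not part of the original post, and not SAIC's or any vendor's tooling), here is one way to tie the passive approach back to change management: a script that reads arpwatch's syslog output and checks every new MAC/IP pairing against the inventory that change management is supposed to keep current. The inventory, the change numbers and the sample log lines are constructed for this illustration; the line format is the one arpwatch writes (it drops leading zeros from MAC octets, which the script normalizes before comparing).

```python
import re

# Hypothetical inventory exported from the change-management system:
# IP -> (MAC address, description). Constructed data for this example.
KNOWN_HOSTS = {
    "192.168.10.5": ("00:0c:29:3a:1b:2c", "file server, change CR-1042"),
    "192.168.10.6": ("00:0c:29:44:9e:10", "intranet web, change CR-1050"),
}

# Constructed syslog lines in the format arpwatch writes (MAC octets without
# leading zeros). Not captured from a real sensor.
SAMPLE_ARPWATCH_LOG = """\
Jul 24 08:01:12 sensor arpwatch: new station 192.168.10.5 0:c:29:3a:1b:2c eth0
Jul 24 08:03:40 sensor arpwatch: new station 192.168.10.77 0:50:56:ab:cd:ef eth0
Jul 24 08:05:02 sensor arpwatch: changed ethernet address 192.168.10.6 0:c:29:44:9e:11 (0:c:29:44:9e:10) eth0
Jul 24 08:07:55 sensor arpwatch: flip flop 192.168.10.6 0:c:29:44:9e:10 (0:c:29:44:9e:11) eth0
"""

ARPWATCH_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<old_mac>[0-9a-fA-F:]+)\))?"
)


def normalize_mac(mac: str) -> str:
    """Pad each octet to two hex digits so '0:c:29:...' compares equal to '00:0c:29:...'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def review_arpwatch(log_text: str, inventory: dict) -> list:
    """Return (kind, ip, mac, detail) tuples for events an analyst should look at."""
    findings = []
    for line in log_text.splitlines():
        m = ARPWATCH_RE.search(line)
        if not m:
            continue
        event, ip = m.group("event"), m.group("ip")
        mac = normalize_mac(m.group("mac"))
        entry = inventory.get(ip)
        if event == "new station":
            if entry is None:
                # A host appeared on the wire that change management never heard of.
                findings.append(("UNKNOWN_HOST", ip, mac, "not in inventory"))
            elif entry[0].lower() != mac:
                # Right address, wrong hardware: a rebuilt box or someone squatting on the IP.
                findings.append(("MAC_MISMATCH", ip, mac, f"inventory lists {entry[0]}"))
        else:
            # The IP moved to another MAC, or keeps bouncing between two (flip flop):
            # a rebuild, a duplicate address, or ARP spoofing. All worth a ticket.
            old = normalize_mac(m.group("old_mac")) if m.group("old_mac") else "?"
            findings.append(("MAC_CHANGE", ip, mac, f"{event}, previously {old}"))
    return findings


if __name__ == "__main__":
    for finding in review_arpwatch(SAMPLE_ARPWATCH_LOG, KNOWN_HOSTS):
        print(*finding)
```

Run against the sample, the known file server produces nothing, 192.168.10.77 is flagged as a host nobody registered, and the two address changes on the intranet server are flagged so someone can confirm they match an approved change. Feeding the script from syslog in near real time is what turns arpwatch from a curiosity into a control.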

In the six-step incident handling process (as taught in the SANS SEC504 class), the first two phases, Preparation and Identification, are the most important.

Phase 1. Preparation speaks for itself: make sure you have a defined incident response program that covers most, if not all, of the types of incidents you could encounter. With all the data breach laws going into place and the different types of breaches happening, I would recommend you include all types of incidents. Here is a list of just a few.

  1. Lost or stolen backup tapes
  2. Member information lost or stolen in paper form
  3. Phishing incidents
  4. Configuration issues
  5. Improper disposal of member information in any form
  6. Web-based application attacks
  7. System or network based attacks
  8. Malware attacks or outbreaks

Phase 2. Identification is another key phase in this process; I cannot stress enough how important it is to the overall process. In January of this year TJX Companies Inc. announced that it had suffered a security breach that exposed 46.5 million card numbers, and it was determined that the intruder(s) had access to the system(s) for an estimated 18 months. That one breach alone shows how important the Identification phase is: the longer an intrusion goes unnoticed, the more data walks out the door. Here is a list of just a few items that can be done to aid in Identification.

  1. Log review
  2. Intrusion Detection/Prevention systems (host and network based)
    1. These should be placed on all networks and systems
  3. Proper auditing and controls in place
    1. This can be a daunting task if you really sit down and think about it
  4. Anti-Malware programs
  5. Email filtering
    1. Both for content and attachments
  6. Ingress and Egress filtering on the firewall
    1. Make sure you review the drops in the log, they can be very revealing
  7. Scan your systems
    1. Port and Vulnerability
    2. Internal and External
  8. Monitor and audit the change management process, make sure that all changes are following the procedure
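An added example of items 1 and 6 from the list above (review the logs, and in particular the firewall drops), written for this page rather than taken from the original post or from the SANS course. It parses iptables-style LOG lines and pulls out the two things drop logs reveal most reliably: an outside source walking many ports on one host, and an inside host being stopped by egress filtering. The log prefixes, addresses and ports are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed iptables LOG-target lines. The prefixes FW-DROP-IN: and FW-DROP-OUT:
# are assumed to be set with --log-prefix on the firewall's own drop rules; nothing
# here was captured from a real device.
SCANNER = "203.0.113.9"
SAMPLE_FW_LOG = "\n".join(
    # one external source sweeping 20 ports on the same host
    [f"Jul 24 02:10:{i:02d} fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC={SCANNER} "
     f"DST=192.0.2.10 PROTO=TCP SPT={41000 + i} DPT={port}"
     for i, port in enumerate(range(21, 41))]
    + [
        # background noise: a single SMB probe and a ping
        "Jul 24 02:11:30 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=445",
        "Jul 24 02:11:31 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0",
        # an internal workstation blocked by egress filtering while trying to reach IRC
        "Jul 24 02:15:33 fw kernel: FW-DROP-OUT: IN=eth1 OUT=eth0 SRC=10.20.0.45 DST=198.51.100.77 PROTO=TCP SPT=50012 DPT=6667",
    ]
)

FW_RE = re.compile(
    r"FW-DROP-(?P<direction>IN|OUT):.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_drops(log_text: str) -> list:
    """Turn raw LOG lines into dicts; lines without ports (ICMP) carry dpt=None."""
    return [m.groupdict() for m in map(FW_RE.search, log_text.splitlines()) if m]


def review_drops(events: list, scan_threshold: int = 10) -> list:
    """Flag inbound sources touching many distinct ports, and every internal host hitting egress rules."""
    inbound_ports = defaultdict(set)   # external src -> destination ports it probed
    egress = defaultdict(set)          # internal src -> (dst, proto, dpt) it was denied
    for e in events:
        if e["direction"] == "IN":
            if e["dpt"] is not None:
                inbound_ports[e["src"]].add(int(e["dpt"]))
        else:
            egress[e["src"]].add((e["dst"], e["proto"], e["dpt"] or "-"))
    findings = []
    for src, ports in sorted(inbound_ports.items()):
        if len(ports) >= scan_threshold:
            findings.append(("PORT_SCAN", src, len(ports)))
    for src, targets in sorted(egress.items()):
        # Egress drops are the revealing ones: a box on the inside that wants out to
        # something policy forbids is either misconfigured or already compromised.
        detail = ", ".join(f"{dst} {proto}/{dpt}" for dst, proto, dpt in sorted(targets))
        findings.append(("EGRESS_DROP", src, detail))
    return findings


if __name__ == "__main__":
    for finding in review_drops(parse_drops(SAMPLE_FW_LOG)):
        print(*finding)
```

The inbound scan is noise you will see every day; the single outbound drop from 10.20.0.45 is the line that should open an incident, because nothing on a workstation has a legitimate reason to talk to port 6667 on the Internet. That is why the egress drops, not just the ingress ones, have to be read.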

Web server log review

June 12, 2007

I have had numerous conversations with people about reviewing web server logs, and with that come many different ideas on what web server logs are for. For marketing staff it is of course web analytics; for network/system staff it is determining why the site is not displaying images; and for security people it is much more.

What do you review your web server logs for?
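One answer, as an added example that is not part of the original post: the things a security reviewer pulls out of the same combined-format access log that marketing and ops read for other reasons. The log lines below are constructed for this illustration, as is the list of scanner user-agent strings the script treats as suspicious; the checks (decode the URL before matching, look for traversal and quote-OR patterns in the request, count 404s per client) are generic and not taken from any particular product.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" format lines; not from a real server.
SCANNER_PROBES = ["/admin/", "/phpmyadmin/", "/cgi-bin/test-cgi", "/_vti_bin/", "/backup.zip", "/.htpasswd"]
SAMPLE_ACCESS_LOG = "\n".join(
    [
        '192.0.2.44 - - [12/Jun/2007:09:14:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [12/Jun/2007:09:14:05 -0500] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 404 290 "-" "Mozilla/4.0"',
        '198.51.100.7 - - [12/Jun/2007:09:14:06 -0500] "GET /login.asp?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 500 412 "-" "Mozilla/4.0"',
        '203.0.113.5 - - [12/Jun/2007:09:15:10 -0500] "GET /robots.txt HTTP/1.1" 200 64 "-" "Nikto/1.36"',
    ]
    + [
        f'203.0.113.5 - - [12/Jun/2007:09:15:{11 + i:02d} -0500] "GET {p} HTTP/1.1" 404 290 "-" "Nikto/1.36"'
        for i, p in enumerate(SCANNER_PROBES)
    ]
)

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
SQLI_RE = re.compile(r"'\s*(or|and|union)\b|union\s+select", re.IGNORECASE)
# Assumed list of scanner signatures for the example; extend from your own observations.
SCANNER_UA_RE = re.compile(r"nikto|nessus|sqlmap|nmap|w3af", re.IGNORECASE)


def review_access_log(log_text: str, notfound_threshold: int = 5) -> list:
    """Return (kind, client_ip, detail) tuples for requests a security reviewer wants to see."""
    findings = []
    notfound = Counter()      # 404s per client: a burst means someone guessing paths
    flagged_ua = set()        # report a scanner user-agent once per client, not per hit
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        ip, ua, status = m.group("ip"), m.group("ua"), int(m.group("status"))
        # Decode first, so %2e%2e/ and %27 cannot slip past the patterns below.
        path = unquote(m.group("path"))
        if TRAVERSAL_RE.search(path):
            findings.append(("TRAVERSAL", ip, path))
        if SQLI_RE.search(path):
            findings.append(("SQLI", ip, path))
        if SCANNER_UA_RE.search(ua) and ip not in flagged_ua:
            flagged_ua.add(ip)
            findings.append(("SCANNER_UA", ip, ua))
        if status == 404:
            notfound[ip] += 1
    for ip, n in notfound.items():
        if n >= notfound_threshold:
            findings.append(("NOTFOUND_BURST", ip, f"{n} responses with status 404"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_ACCESS_LOG):
        print(*finding)
```

Note the order of operations: matching on the raw request line would miss the encoded quote in the login request, and counting 404s without grouping by client would hide the scanner inside the day's ordinary broken links. Both the 404 threshold and the signature lists are starting points to tune against your own traffic.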

The Confusion (RA, VA, & PT)

May 16, 2007

Over the past few months I have heard a large number of people talking about Risk Assessment, Vulnerability Assessment, and Penetration Testing; however, each of them presents these topics differently.

What is a Risk Assessment versus a Vulnerability Assessment versus a Penetration Test?

Instead of posting what I think they mean, please add a comment as to what you think they are. In a couple of days I will summarize what readers thought and add in my thoughts.