What is an Incident?
Incidents can be hard to recognize. They may best be described as unusual or unauthorized system or network activity. Activity that adversely impacts or effects normal operations; thereby, causing either monetary damage or loss of system integrity and confidence. The following is a short list of typical Incidents:
- unauthorized modification of a system either via an individual or via malicious software
- elevation of system privileges without authorization
- unauthorized use of a systems resources (storage, cpu, memory, processes, etc.)
- denial of service to a network
- programmatic manipulation of a system or network to attack a third party
How often do incidents occur?
Incidents occur every second of every day. Automated port scanners, worms, slammers and viruses are constantly probing systems throughout the Internet. But these automated scripts are not the real threat. They are normally just the precursor to a directed attack. One anecdotal example of how hostile the Internet is today, was performed at the San Diego Supercomputer Center in 1999. An off-the-shelf unpatched Redhat Linux 5.2 installation was placed on the Internet. After 8 hours it received its first scripted probe, after 21 days it had received over 20 hack attempts, after 40 days the system was completely compromised.
A stronger indicator of the current fight facing companies on the Internet are the statistics reported by CERT/CC of the University of Carnegie Mellon. The number of reported incidents has increased each year between 55 and 140 percent, and the latest data from CERT indicates that 2006 will be no different.
Internal incidents can be even more damaging then external attacks. The insider knows your systems, and has more time to plan and execute the attack. He knows your administrative and logical safeguards. Recent internal incidents which have resulted in significant financial loss or loss of customer confidence include:
- Employees used financial institution computers to obtain customer information and commit fraud using the customer information.
- An individual was charged with trafficking in passwords and similar information that would have permitted others to gain unauthorized access to his employer's computer network.
- Former employee of arrested on charges of hacking into company's computer and destroying data.
What Should I do?
Prevention and Planning
An excellent start is the development of a Computer Incident Response plan. The plan should supplement your Business Continuity Plan (BCP). It should include a general response plan with a designated incident leader. Team memebers with all of their contact information should be available to the leader. The companies BCP will be relied upon for other issues such as: media response, facilities management, disaster recovery, etc. If your company does not have an Incident Response plan, Information Risk Group has experience professionals who can aid your company with it's development.
Another preventative measure your company should consider is a security assessment.
An annual security assessment should be performed against your companies administrative, technical and physical safeguards. The assessment will enable your company to concentrate its limited budget on its information security weaknesses. Response
It is important that you do not panic when your systems are under attack. Active incidents are among the most technically stressful and challenging events your IT employees will ever face. They require experience and advanced knowledge to solve and prosecute. Minimally consider performing the following actions:
- Do not turn the system off, if you have to stop the attack because you are losing proprietary information then remove the cable from the machine.
- Document what is occurring on a separate system or on paper. Document the system and the individuals performing any valid interaction with the system.
- Observe the intruder by monitoring and recording events occurring on the network.
- Recall backup tapes in preparation to restore the system.
- Follow your incident response plan and if necessary ask for outside help.
If your company is not ready to react to this type of incident it is important that you contact an external vendor now. Information Risk Group LLC is prepared to provide you with the latest tools and techniques to verify, suspend and trace an incident against your systems. Let us help you mitigate your losses by providing the necessary expert services to resolve your crisis. When possible we will provide you with the necessary information to go to the authorities. Our emergency response team has worked with the FBI, the US Customs Service, and state authorities on various cases throughout the years and is available to offer our expertise in this area 24 hours a day.
Please contact us with any questions you may have on this subject or any other services Information Risk Group offers.
Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609
Information Risk Group offering information security and risk management services to companies throughout the Americas.