Security Incidents

Simply put, things will go wrong. Information will be lost or abused. Storms will knock out the power and communications to your building. Employees, intentionally or unintentionally, will break your systems. Sensitive marketing, merger or product development information will find its way into the wrong hands. It is only a matter of time. You need to have a security incident response team (SIRT) in place to respond to these events. The challenge is creating a SIRT process that meets Rule #6 of the Seven Simple Rules: "Do we know if there is a problem, and do we know about it soon enough so that we can take appropriate action to minimize and contain the problem?" We need to have systems and procedures in place to detect when a problem or incident occurs, to communicate information about the breach to the appropriate security personnel and management, and to react to the event soon enough that the business can take appropriate action to minimize and contain the losses.

Keep in mind that security incidents cover a wide range of possibilities. Consider the ramifications of the following information security incidents:

  • Unencrypted backup tapes containing sensitive customer information are lost while being transported to an off-site storage site
  • An employee steals proprietary company information and uses it to set up a competing business
  • An employee shares their password with their manager
  • An employee downloads one of the following to their company computer:
    • Pornography
    • Unlicensed music
    • A copyrighted political cartoon (without permission)
    • A sexually explicit cartoon
    • White Supremacist literature
  • A clerk shares their password with their manager
  • A "script kiddie" runs an automated scan of your company Web site looking for vulnerabilities
  • A hacker hired by a foreign crime syndicate sends out "phishing" emails to your customers
  • A disgruntled manager leaks a sensitive internal email to the press
  • A member of the night cleaning crew rifles through an executive's trash basket and finds plans for a major acquisition

These events present very complex issues requiring support from experts in security technology, law enforcement, building security, human resources, criminal law and copyright law along with business management. This requires a "team" approach to security incidents that can quickly assemble the necessary resources and effectively focus them on limiting the damages. This SIRT process needs to address:

Detection: The first line of defense is automated systems that detect and report security breaches: intrusion detection systems, anti-virus monitors, audit logs, firewalls, fire/heat detectors, network capacity monitors, etc. The second line, and the most important, is people: people who can manage the automated systems and who are trained in security technology, common attack profiles, technology security policies, etc. More importantly, you need a broad base of employees who are trained in common social engineering techniques, who can identify malicious emails and other communications, and who are committed to maintaining a secure business environment.

Communication: People don't like to report problems, especially if it means additional work, if they are not sure whether it really is a problem, if it involves fellow workers, or if they are unsure of the consequences. Automated security systems love to report problems, to the point that the activity logs and warning messages become overwhelming. You need to find processes and systems that encourage workers to report incidents. Consider deploying a simple Web-based form along with a 7x24 hotline for reporting incidents. Train your BISOs to welcome any concerns from employees and to encourage employees to report incidents no matter how trivial they may appear. Also, when you deploy security systems, devote a significant amount of time to planning what events will be monitored and what specific events you will want to detect. Then build alert and monitoring routines that easily and concisely provide information on those specific events (i.e. they do not flood security administrators with useless information and "cry wolf" false alarms). Finally, designate a leadership team for security incidents. While most security incidents can be handled by a small group of experts, significant or enterprise incidents require close communication and coordination with multiple layers of management. There is nothing worse than an enterprise security incident conference call that begins with, "Who's in charge?" The next worst is a conference call led by a manager who has no experience or training in security incidents.

Containment: The best detection and communication systems in the world will be rendered useless if your security systems and SIRT team cannot respond quickly enough to prevent significant damage. Your monitoring systems may alert you that a virus is spreading on your corporate network, that hundreds of computers are sending out millions of messages that are bringing your network to a standstill, and that a simple virus .dat file update and a patch to the operating system on each of the computers will stop the spread of the virus and protect the computers in the future. But what if it will take days or even weeks to upgrade all of the computers, because you have no way of automatically installing the upgrades? You need to be prepared for security incidents. Make sure you have the ability to isolate portions of your network, or even shut down all network communications with the outside, so that you can confine the spread of any malicious code. Deploy operating systems and anti-virus software that allow you to automatically push security updates to all devices connected to the network. Most importantly, designate a team of security experts trained in computer forensics, security incidents and criminal investigations. Create a clear, documented process and make sure the team follows it.
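The Detection, Communication and Containment paragraphs above set one concrete goal for the automated side of a SIRT process: alert routines that report only the specific events you planned to watch, summarize them concisely instead of flooding administrators with one alarm per log line, suppress known "cry wolf" sources, and hand the containment team a list of which machines to isolate. The script below is an added illustration of that idea and is not part of the ISRMC text; the outbound-mail gateway log format, the thresholds, the window length, the relay allow-list and every host address in it are constructed assumptions. It takes the mass-mailing worm scenario from the Containment paragraph (hundreds of computers sending out millions of messages) and turns a noisy feed into a handful of actionable alerts.

```python
"""Concise alerting over a noisy monitoring feed.

Added example; not part of the ISRMC text. The log format, the outbound-mail
gateway feed, the thresholds and every address below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line layout: "<ISO-8601 time> src=<host ip> rcpt=<recipients on this message>"
LINE_FMT = "{ts} src={src} rcpt={rcpt}"

# Decisions made while planning what to monitor (tune to your own environment).
WINDOW = timedelta(seconds=60)   # sliding window length
THRESHOLD = 50                   # more messages than this per host per window is abnormal
KNOWN_RELAYS = {"10.1.0.5"}      # the real mail relay: high volume is expected, never alert on it


@dataclass
class Event:
    ts: datetime
    src: str
    rcpt: int


@dataclass
class Alert:
    src: str
    messages: int        # total messages seen from this host
    recipients: int      # total recipients addressed
    first_seen: datetime
    last_seen: datetime


def build_sample_log():
    """Constructed gateway log: 40 ordinary desktops, the mail relay, two worm-infected hosts."""
    t0 = datetime(2009, 3, 2, 9, 0, 0)
    lines = []
    for i in range(40):                       # desktops: two messages each, seconds apart
        for k in range(2):
            ts = t0 + timedelta(seconds=3 * i + k)
            lines.append(LINE_FMT.format(ts=ts.isoformat(), src=f"10.1.4.{10 + i}", rcpt=1))
    for k in range(400):                      # relay: 400 messages in one minute, legitimately
        ts = t0 + timedelta(seconds=0.15 * k)
        lines.append(LINE_FMT.format(ts=ts.isoformat(), src="10.1.0.5", rcpt=5))
    for host in ("10.1.7.31", "10.1.7.88"):   # infected hosts: 200 messages each, 30 recipients apiece
        for k in range(200):
            ts = t0 + timedelta(seconds=0.3 * k)
            lines.append(LINE_FMT.format(ts=ts.isoformat(), src=host, rcpt=30))
    return lines


def parse_line(line):
    """Turn one log line into an Event (raises ValueError on a malformed line)."""
    ts, src, rcpt = line.split()
    return Event(datetime.fromisoformat(ts), src.split("=", 1)[1], int(rcpt.split("=", 1)[1]))


def detect_mass_mailers(lines, window=WINDOW, threshold=THRESHOLD, known=KNOWN_RELAYS):
    """Return one Alert per offending host, never one alert per log line.

    A host is flagged when more than `threshold` of its messages fall inside any
    `window`-long span. The alert carries totals and the time span, so the
    person on call sees the scale of the problem at a glance.
    """
    per_host = defaultdict(list)
    for ev in sorted((parse_line(line) for line in lines), key=lambda e: e.ts):
        per_host[ev.src].append(ev)

    alerts = []
    for src, evs in per_host.items():
        if src in known:
            continue                          # expected sender: suppress rather than cry wolf
        start, peak = 0, 0                    # sliding window over this host's timestamps
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append(Alert(src, len(evs), sum(e.rcpt for e in evs), evs[0].ts, evs[-1].ts))
    return sorted(alerts, key=lambda a: a.messages, reverse=True)


def isolation_candidates(alerts):
    """Hosts the containment step should cut off from the network. Data only; nothing is changed here."""
    return [a.src for a in alerts]


def format_summary(alerts, window=WINDOW, threshold=THRESHOLD):
    """One short line per host: the form a pager or a conference-call bridge can actually use."""
    if not alerts:
        return "no mass-mailing hosts detected"
    rows = [f"{a.src}: {a.messages} msgs to {a.recipients} rcpts "
            f"between {a.first_seen.time()} and {a.last_seen.time()}" for a in alerts]
    head = f"{len(alerts)} host(s) exceed {threshold} msgs/{int(window.total_seconds())}s"
    return head + "\n" + "\n".join(rows)


if __name__ == "__main__":
    found = detect_mass_mailers(build_sample_log())
    print(format_summary(found))
    print("isolate:", isolation_candidates(found))
```

Two design points carry the paragraphs' advice: the allow-list means the one machine that legitimately sends 400 messages a minute never pages anyone, and aggregation per host means 400 offending log lines become two alert lines plus a list the containment team can act on. Both knobs (the window, the threshold, the allow-list) are exactly the "what will we monitor and what do we want to detect" decisions the Communication paragraph says to make before deployment.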

Finally, treat all of this as a variation on business continuity planning processes. Test your plans, make sure you have contact numbers (home and cell numbers, personal email, home fax, etc.) for all critical players, and ensure everyone is familiar with the process. Once you have done all this, sit back and wait, because something will go bump in the night, often when you least expect it.

As BISO you need to ensure the employees in your business understand when to report suspicious incidents and how to communicate the issue. Your training and awareness program should acquaint employees with the vulnerabilities that typically threaten your business. They should be familiar with social engineering techniques and how to identify suspicious emails and other documents. You should develop strong lines of communication with the employees in your business. Employees should feel comfortable asking you questions about suspicious activities and know that you will treat their questions knowledgeably and with discretion.

The three biggest issues you will face are:

  • Is it really a security incident? You will seldom be confronted with a clear security incident. Typically you will be given insufficient, conflicting or wrong information. Even if the information is clear, you will often have to make significant assumptions and even run the risk of “stepping on people’s toes”. As you develop experience, you will learn that the majority of security concerns that are reported to you do not result in formal security incidents, but do not let that stop you. Any concern should be fully investigated until you are satisfied there is no threat or that you need to report it to SIRT.

    Time is of the essence. Do not defer investigating the issue. If you cannot resolve the situation quickly and there is a possibility that an incident has occurred, then report it anyway.
  • Who Ya’ Gonna Call? In those rare situations where there is clear evidence of a specific security incident with a serious or significant impact on the business, report the incident directly to SIRT and follow up with a call to Corporate. In less serious situations, or when you are not sure whether an incident has occurred, contact your Group Information Security Officer, BISO Coordinator or the Corporate Center IS Utility Head. Most importantly, when in doubt, file a SIRT report.
  • Don’t Try This at Home – Investigating a security incident is a time-consuming, complex process that requires extensive experience in investigative techniques, security technologies, and common vulnerabilities and threats. Do make sure you do a thorough job of accumulating the information necessary to report the incident to the appropriate levels of security management, but resist the temptation to play detective. Leave it to the professionals. There is nothing worse than incorrectly handling a significant security incident, especially when reputation, money and people’s careers are at stake.

When in doubt, follow one simple rule – if you are not sure if there is a security incident, report it.

For more detailed information on establishing a SIRT process, see:


©2009 ISRMC, LLC