Friday, April 2, 2010

Journal Article One - Incident Response

In the article “Cost of IT security breaches jumps 97 percent” by Jennifer Kavur of Computerworld dated in Network World October 1, 2009, the impact could have been reduced by implementing the appropriate response. In 2009, IT security breaches at Canadian firms accounted for an average annual loss of $834,149, which was an increase of 97% from the year before. The majority of the increase in breaches happened in government organizations. Dr. Walid Hejazi, professor of business economics at the Rotman School of Management, said government "is a natural target" for security breaches. He believed the increase was attributed to downturn in the economy. Also contributing to the increase was that governments are custodians of confidential information and identity theft is a major target. Unauthorized access to information by employees was the fastest rising breach category, up by 112 per cent. Bots within an organization and financial fraud followed second and third, rising by 88 per cent. Theft of proprietary information rose by 75 per cent and laptop or mobile-device theft by 58 per cent.
Following the appropriate Incident Response to unauthorized access would have decreased the impact. The following processes should have been in place:

· Configure network-based and/or host-based IDPS software (such as file integrity checkers and log monitors) to identify and alert on attempts to gain unauthorized access.
· Use centralized log servers so pertinent information from hosts across the organization is stored in a single secured location.
· Establish procedures to be followed when all users of an application, system, trust domain, or organization should change their passwords because of a password compromise. The procedures should adhere to the organization’s password policy.
· Discuss unauthorized access incidents with system administrators so that they understand their roles in the incident handling process.
Appropriate responses to bots in order to reduce the impact should be implemented as follows:

· Monitor communication channels that may be used by an attacker. For example, many bots use IRC as their primary means of communication.
· Another example is that attackers may congregate on certain IRC channels to brag about their compromises and share information; however, incident handlers should treat any such information that they acquire only as a potential lead to be further investigated and verified, not as fact.
The following incident response actions can reduce the impact in theft of information:

· Responding to incidents systematically so that the appropriate steps are taken
· Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
· Using information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data
· Dealing properly with legal issues that may arise during incidents.
Appropriate incident responses to physical hardware theft can be reduced by initiating the following:
· Enhance physical security measures. If an unauthorized access incident involves a breach of physical security, additional containment strategies should be followed.
· If an outsider is suspected of gaining access to a server room, not only should the server room be secured more strongly, but also the physical security staff or law enforcement may need to search the facility to confirm that the intruder is not still present.
· Other security changes may be merited; if the attacker can breach security in one instance, other opportunities may present themselves.