Security Incident Management

This Course looks at where the security function fits within the organisational structure and the role the Information Security Officer plays in developing information security policies, standards, and procedures. It then explains the principles of information security governance, how to carry out a security audit, and the importance of stakeholder engagement in implementing the organisation’s information assurance program. Finally, it looks at the incident management process and the role digital forensics plays in it, before reviewing the legal framework within which information security operates.

Learning objectives

The objectives of this Course are to provide you with an understanding of:

  • Where the security function fits within the organisational structure
  • The role of the Information Security Officer
  • Developing information security policies, standards, and procedures
  • The principles of information security governance
  • How to carry out a security audit
  • Implementing an information assurance program and the importance of stakeholder engagement
  • The incident management process and the role of digital forensics
  • The legal information security framework
  • Information assurance standards and how they should be applied within an organisation

Intended audience

This Course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications. 


There are no specific prerequisites to study this Course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.


We welcome all feedback and suggestions - please contact us at if you are unsure about where to start or if you would like help getting started.


Welcome to this video on incident management.

No information security system is perfect; no matter how carefully a technical solution is developed, or how engaging an education programme is, security incidents happen. This might be in the form of a network attack by a hacker, a computer virus or simply from somebody not following the correct safety procedures.

The impact might be a confidentiality breach or perhaps a denial of service attack against the organization’s website. Whatever it is, it will cause disruption and possibly loss of business.

This video looks at how security incidents can be identified and the process to manage them so that business operations are restored efficiently, in a legal and ethical manner.

Within this we’ll look at how to plan and conduct digital forensics investigations and the steps required to ensure the organization learns from an incident and takes action to avoid the same thing happening again.

An incident is defined as anything that causes concern from a security perspective. This could be an unauthorised person on the premises, someone stealing data on a USB stick, a laptop being stolen from a secure computer room or anything else that might contravene security policy.

Before any incident happens, the organization should have an incident response plan and regular incident response drills should be carried out to ensure the procedures work efficiently. These drills are likely to identify process and technology issues that need to be addressed.

There are many ways to identify that an incident has occurred. For example, technical protective measures can alert the IT team to a virus infection: the enterprise antivirus system recognises the virus and begins the quarantine process on infected machines, and in parallel the antivirus server sends an alert to the security operations team, which initiates the incident management process.

These types of identification measures ensure the Information Security Manager can recognise that an incident has actually occurred.

The management process includes the following steps:

·        Reporting

·        Investigation

·        Corrective action – incident response

·        Assessment, and

·        Review

In other cases, notification of an issue might come from an external source. For example, a data leak might be reported in a national newspaper. In these cases, the incident management process begins at the investigation phase. If plans are already drawn up, it’s much easier to manage the response and limit the damage.

Let’s move on and look at each stage of the incident management process, starting with reporting.

The incident report should contain all the relevant information to investigate, assess and close the incident.

Typically, the form would be protectively marked as Company Confidential as it may well contain sensitive information relating to system vulnerabilities or sensitive personal information.

Specifically, the report should include:

·        All points of contact, including the investigative authority, the investigating officer, the information release officer and the security manager

·        A summary of exactly what the incident was and what impact it had on the organization – following the ‘who’, ‘what’, ‘where’, ‘when’ and ‘how’ principle

·        The notification process, listing every step that took place from the point the incident occurred to the point it was resolved

·        The technical details of the incident, including details of troubleshooting, the physical, hardware or software changes required and helpdesk ticket numbers if appropriate, and

·        Conclusions, including:

o   A root cause analysis

o   How the incident could have been prevented

o   The impact it had on the organization

o   The estimated costs and damages

o   How the incident could be prevented from re-occurring, and

o   What additional remedial work is being carried out to ensure the incident doesn’t happen again

The Incident Response Team, or IRT, is the pre-designated group who can investigate security incidents. An organization might have different IRTs who deal with different types of incidents, for example a facilities issue or an information security incident.

Incidents can be anything; a simple virus outbreak, a lost key to a secure cabinet, a terrorist attack, a flood or a power cut. To help them react to any size of incident, the IRT has emergency powers in certain circumstances providing them with the authority to take the necessary action to ensure systems and information are kept safe, and the right procedures are followed for legal investigations.

The IRT must follow proper forensic processes if the incident is likely to be the subject of legal proceedings.

All artefacts to be used by the Incident Response Team should be pre-defined and available for immediate use. Document proformas, in line with the top-level operational security policies and procedures, should be kept up to date. The IRT should be prepared for all eventualities and expect the unexpected. 

The security industry generally has a mature approach to handling computer security incidents. Once an incident has been identified, systems should be set up to notify that a response is required and then a process of containment, eradication, recovery and education should be followed.

Containment means making sure the problem can’t become worse. This might mean ringfencing systems, unplugging or disconnecting equipment, deleting data from hard disks, or issuing remote wipe commands to stolen laptops.

These measures should be predefined and designed to resolve the issue once it happens.

If necessary, the authorities should be notified. Many countries have a national organization known as a Computer Security Incident Response Team (CSIRT). CSIRTs are in communication with each other about the spread of infections and the emerging threats that cyberspace creates. They also provide organizations in the public and private sectors with advice and guidance on how to deal with computer security incidents.

Eradication is about removing the threat, for example by quarantining systems and running virus removal software.

The recovery stage focuses on resuming the service for those affected, through restoring data from backups, rebuilding systems, or maybe even failing over to a resilience site with limited capability to keep the organization running during an outage.

Finally, the incident should be documented, and a root cause analysis completed to enable the organization to learn from it. Every incident is an opportunity to learn and better respond in the future.

After the incident response stage comes the assessment stage.

A simple quantification process can be used to assess the effect an incident has had on an organization. Each aspect of the incident is assessed, and a score is allocated to it in relation to its business impact.

For example:

·        The scope rating relates to how much of the organization was affected. If the incident affected more than 50% of customers or systems, the score might be 4; if just one customer was affected, the score might be 0

·        The credibility rating relates to any negative PR or other consequences. The greater the consequences, the higher the score

·        The operations rating might be 0 for no work interference, through to interference with core functions of the organization scoring 4

·        The urgency rating relates to the timeframe over which the resolution was required. Resolution of the issue in a short space of time would warrant a low score, whereas an incident that was proliferating would warrant a high score, and

·        The priority rating: a score of 0 would be given if the priority to resolve the issue is very low, whereas an incident demanding an immediate and sustained effort using all available resources in the organization or IRT might score 4

After an incident has happened and the IRT has resolved the issue, a formal review should be conducted as the final step of the management phase. This should identify:

·        Who was responsible

·        What happened

·        Where it happened

·        Who was affected

·        What were the reasons for the incident, and

·        Over what timeframe the incident occurred

It should be a formal meeting with minutes and actions recorded. The meeting should formally review:

·        The processes and work instructions

·        The systems that were included in the incident

·        The overarching policies that determine the organization’s security posture, and

·        A root cause analysis to identify what went wrong

At the end of the meeting, corrective actions should be agreed and signed-off, with authority delegated to relevant individuals to implement a remediation programme.

We’ve seen the importance of the investigation stage and the robust approach for managing computer security incidents. However, with the proliferation and sophistication of cybercrime, there’s a much larger requirement to recover and investigate digital evidence from a computer or electronic crime scene. This branch of forensic science is known as digital forensics.

Digital evidence is defined as:


‘Any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi.’

Forensic science provides legal evidence, so it has a set of requirements for handling and extraction of evidence that must be rigorously adhered to. If the rules of handling evidence are not followed, the evidence can be deemed inadmissible and can often lead to the breakdown of a case.

The discipline of computer forensics involves:

·        Evidence acquisition

·        Evidence authentication, and

·        Evidence analysis

Digital evidence, such as a log file, is often transparently created by a computer’s operating system without the knowledge of the computer operator. It’s the job of the forensic investigator to find this evidence and ensure it’s handled, interpreted and presented correctly. Often, the forensic investigator will act as an expert witness in a court case.

In several countries including the US, UK and Ireland, law enforcement officers must apply to the courts for a legal search warrant specific to the case, the target of the investigation, the premises being searched, and the equipment suspected as being used in the crime.

In the UK, the Centre for the Protection of National Infrastructure (CPNI) provides security advice and guidance to organizations that form part of the UK’s national infrastructure, including electricity companies, water and gas agencies, emergency services, financial services, health services, and transport organizations that are considered critical to the economy of the country.

CPNI has released a technical note called ‘An Introduction to Forensics Readiness Planning’. This outlines a ten-step approach to forensic readiness planning, covering everything an organization should be aware of to ensure digital investigations proceed unhindered and have the maximum impact.

To quote from the CPNI document:

‘Forensic readiness is…the ability of an organization to maximise its potential to use digital evidence whilst minimising the costs of an investigation.’

Typically, external organizations are employed to undertake a forensic investigation. The discipline is varied, with organizations specialising in areas like computers and servers, mobile phones, networks, routers and switches, and web systems.

Two important concepts in digital forensics are chain of custody and evidence integrity.

Chain of custody, as the name implies, accounts for all aspects of the handling of evidence, from acquisition to presentation in court. Evidence integrity ensures that evidence has not been altered or corrupted.

Techniques for effectively handling evidence include:

·        Using write blockers, which are devices that allow acquisition or copying of information from a disk drive without accidentally damaging the source drive’s contents. They do this by allowing read commands to pass to the target disk drive whilst blocking write commands;

·        Physically and/or electronically sealing the evidence, for example, cryptographically signing the data. This ensures that evidence integrity is maintained, and the evidence can’t be altered. Hashes can also be used to show that data has not been modified;

·        Maintaining control of the evidence by the custodian signing, dating and sealing it. This shows who has current and previous control of the evidence and attests to the chain of custody during the whole process;

·        Keeping evidence in an evidence locker.
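The two concepts above, evidence integrity (hashing and signing) and chain of custody (a signed record of every hand-over), can be shown in a few lines of code. The example below is an added illustration and is not part of the course material or any named product: it records the SHA-256 of an acquired image, appends HMAC-signed custody entries that each link to the previous entry, and then verifies that neither the image nor the custody log has been altered. The evidence bytes, custodian names, timestamps and the custody officer's signing key are all constructed sample values.

```python
"""Evidence integrity and chain of custody (added example, not the course's own code).

Hashes an evidence image at acquisition, keeps a signed, linked custody log, and
later verifies both. All sample data below is constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: stands in for a disk image read through a write blocker.
EVIDENCE_IMAGE = b"NTFS boot sector ... (constructed sample evidence image)" * 64

# Constructed: a secret held by the Evidence Custody Officer. In practice it would
# sit in a key store or HSM, never on the same media as the evidence.
CUSTODY_KEY = b"constructed-custody-officer-secret"


def acquisition_hash(image: bytes) -> str:
    """SHA-256 of the evidence image, recorded once at acquisition time."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, recorded_hash: str) -> bool:
    """True only if the image still hashes to the value recorded at acquisition."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), recorded_hash)


def _sign(entry: dict, key: bytes) -> str:
    # Canonical JSON so the same entry always produces the same signature.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def add_custody_entry(chain: list, evidence_id: str, image_hash: str, custodian: str,
                      action: str, key: bytes, when: Optional[str] = None) -> dict:
    """Append a signed custody record that links to the previous entry's signature."""
    entry = {
        "evidence_id": evidence_id,
        "image_sha256": image_hash,
        "custodian": custodian,
        "action": action,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "previous_signature": chain[-1]["signature"] if chain else "",
    }
    entry["signature"] = _sign(entry, key)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> bool:
    """Every entry must carry a valid signature and link to its predecessor."""
    previous = ""
    for entry in chain:
        if entry["previous_signature"] != previous:
            return False  # an entry was removed or reordered
        unsigned = {k: v for k, v in entry.items() if k != "signature"}
        if not hmac.compare_digest(_sign(unsigned, key), entry["signature"]):
            return False  # an entry's content was changed after signing
        previous = entry["signature"]
    return True


def demo() -> dict:
    """Build a two-entry custody log, then show that tampering is detected."""
    recorded = acquisition_hash(EVIDENCE_IMAGE)
    chain: list = []
    add_custody_entry(chain, "EV-0001", recorded, "A. Examiner",
                      "acquired via write blocker", CUSTODY_KEY, "2024-01-01T09:00:00+00:00")
    add_custody_entry(chain, "EV-0001", recorded, "B. Custodian",
                      "sealed in evidence locker", CUSTODY_KEY, "2024-01-01T10:30:00+00:00")
    intact = verify_image(EVIDENCE_IMAGE, recorded) and verify_chain(chain, CUSTODY_KEY)

    # Simulate a single-byte change to the image and a retyped custody entry.
    tampered_image = EVIDENCE_IMAGE[:10] + b"X" + EVIDENCE_IMAGE[11:]
    tampered_chain = [dict(e) for e in chain]
    tampered_chain[1]["custodian"] = "Z. Unknown"
    return {
        "intact": intact,
        "tampered_image_detected": not verify_image(tampered_image, recorded),
        "tampered_log_detected": not verify_chain(tampered_chain, CUSTODY_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Each custody entry signs the previous entry's signature along with its own fields, so removing or reordering a hand-over breaks the chain just as surely as editing one; the image hash recorded at acquisition is carried in every entry so the custody log and the evidence it describes verify together.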

Accurate forensic examination of a computer disk can add an important dimension to an investigation.

If there’s evidence that a criminal offence has occurred, the authorities should be advised immediately. It’s common for large organizations to form relationships with digital forensic service providers and specialist computer crime units so that forensic examinations can be carried out almost immediately.

An expert witness is an individual who has special training or experience in a specific field and is permitted to state their opinion concerning those technical matters even though they were not present at the event. If someone needs to give evidence in court, it is important to check that they have the knowledge and skills to perform this activity.

A Forensic Readiness Plan, or FRP, ensures any incident response that requires the acquisition of digital evidence can be conducted effectively and efficiently. The plan must conform to the forensic readiness policy.

An FRP is an important part of a strategic incident response plan and allows for the proactive planning of digital investigations. This is done through the identification of scenarios, sources of admissible evidence, and related monitoring and collection processes.

The organization must have a plan in place outlining the following elements as a minimum:

·        The organization’s objectives for forensic readiness;

·        A clear statement of what the organization hopes to achieve after a security incident;

·        Responsibilities for the co-ordination of any response should the plan be called upon. The person should be identified by post rather than an individual name and their responsibilities must be documented;

·        Contact details of how and when pre-arranged external forensic support can be obtained, including the provision of post-incident support, for example, via expert witnesses;

·        How evidence will be stored safely and how its integrity will be retained;

·        The escalation process for incidents, including when to report events to senior management and law enforcement; and

·        Contact details of local law enforcement bodies for reporting an offence.

If the incident leads to criminal investigations, then it’s likely that law enforcement will be involved.

Extraction of evidence from a system should be conducted by expert forensics teams, where special handling procedures are used to ensure the evidence is not tampered with and is admissible in court.

The organization should have a single point of contact who can act as the Evidence Custody Officer. They will ensure that all digital evidence artefacts are properly handled, labelled and identified. The Chain of Custody is a vital element in managing evidence and will be required in court.

External organizations involved in investigations should sign a contract and an NDA. This will help protect their integrity and provide all relevant parties with legal cover should a breach of trust occur.

The NDA should also contain:

·        The standards required for information handling

·        How information should be transferred between the parties covered by the agreement, and

·        The review requirements and disclosures required of the third party during the investigations

Most countries that deal with crimes involving IT now have complex and prescriptive rules about how evidence should be extracted, analysed, handled, presented and proved to have retained its original integrity.

In the US these are the Federal Rules of Evidence, and in the UK they’re the Police and Criminal Evidence Act and the Civil Evidence Act.

The UK police force has also published the ACPO Good Practice Guide for Digital Evidence which details exactly how digital evidence should be handled and secured. This is supported by the ACPO Manager Guide for Good Practice and Advice Guide for Managers of e-Crime Investigation.

That’s the end of this video on incident management.

About the Author

Fred is a trainer and consultant specializing in cyber security.  His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics.  However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking.  From networking it was a natural progression to IT security and cyber security more generally.  As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.