May 4, 2008

Computer Security Incident Procedures

Depending on your organization's size and requirements, a computer security incident response team may be required or recommended. In any event, someone in your organization should be in charge of performing the security incident procedures. In addition, the personnel performing these procedures will require a certain level of authority, so the organization's management must support this effort.

If you have no security incident procedures, an analysis should be done of the types of security problems you are having. The following should be considered:

  • What types of incidents are occurring? Are they virus attacks, denial of service, hacked systems, user account compromise, or other attacks?
  • How much of your IT staff time is being spent dealing with each type of attack?
  • What is the damage in staff time and loss of productivity due to each type of attack?
  • What is the damage to data due to each type of attack and what is the cost of this?
  • What is the risk in damage to the organization due to compromised data or lost data due to each type of attack?
  • What is the overall risk to the survival of the organization due to each type of attack?

The answers to the above questions will help your organization decide how much effort should be put into defining the security response and how much should be spent on computer security measures in general.

Computer Security Incident Procedure Steps

There are three main actions that must occur during a security incident: intrusion detection, containment, and removal. The containment and removal processes are covered in the computer security incident procedure steps listed below, which are recommended by the SANS Institute and several government agencies. These steps are based on the SANS Institute's guide "Computer Security Incident Handling: Step-by-Step".

  1. Prepare - Create your policies, checklists, and procedures. Perform and test backups regularly in case data must later be restored. Post warning banners against intruders. When writing policies and procedures, consider outside organizations that may be affected if you have a security incident. Determine who handles the security incidents.
  2. Identify - Have methods in place to detect an incident and provide a trail of evidence. Determine if an incident really occurred and evaluate the evidence. Notify and coordinate the appropriate incident handling personnel, other appropriate personnel, and managers who may be affected.
  3. Contain - Assess the situation in such a way that the intruder does not know you are aware of their presence until you are ready to implement your response. Pull any critical data off the network that may yet be compromised. Take countermeasures, possibly pull the affected system(s) off the network, and change passwords.
  4. Eradicate - Remove malicious code or possibly re-install the system to be sure to remove all back doors or malicious code, and possibly restore from backups. Determine the cause of the incident, analyze the intrusion method and vulnerability, implement a protection technique to prevent further intrusion, improve defenses, and test for vulnerabilities.
  5. Recover - Validate the system, monitor for re-infection, restore operations when it is appropriate and the vulnerability has been removed.
  6. Lessons learned - Make recommendations to prevent a similar incident, create an incident report, and modify your computer security incident procedure if necessary.

Detection is a very important part of containing and removing an intruder. Your organization must have some mechanism in place to detect a security incident. Therefore, the following items are important to consider.

  • Your organization should have someone check your server status and logs on a regular basis.
  • You should consider some type of intrusion detection device on your servers depending on the importance of your data and cost of the intrusion detection device.
  • You should consider some type of intrusion detection device on your network (search for suspicious traffic) depending on the importance of your data transmitted and stored on your network with consideration for the cost of the intrusion detection device.

Incident Form Items

Several items that should be included in your computer security incident form include:

  • Incident date and time
  • Computer system(s) name and/or numbers affected
  • Affected system location(s)
  • Operating system(s) on the system affected
  • Type of system affected (workstation, mail server, file server, etc.)
  • Type of intrusion (data compromise, virus incident, denial of service attack, etc.)
  • How the intrusion was discovered
  • Effect of the intrusion
  • How the intrusion occurred
  • How the intrusion was removed
  • Steps taken to prevent the same type of intrusion again
  • Who was notified about the intrusion
  • Time spent handling the intrusion and cost of the intrusion to the organization
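
One way to turn the form items above into a record that can be checked for completeness and rolled up by intrusion type, which answers the earlier questions about which incidents occur and how much staff time and cost each type consumes. This is an added example, not part of the original post; the field names and the sample forms are assumptions constructed for illustration.

```python
from collections import defaultdict

# Field names are assumptions of this example, one per form item listed above.
REQUIRED_FIELDS = (
    "incident_time", "systems", "locations", "operating_systems",
    "system_type", "intrusion_type", "discovered_by", "effect",
    "how_occurred", "how_removed", "prevention_steps", "notified",
    "hours_spent", "cost",
)

# Constructed sample forms (not real incidents).
_BASE = {
    "incident_time": "2008-04-02T09:15", "systems": ["ws-014"],
    "locations": ["Accounting"], "operating_systems": ["Windows XP"],
    "system_type": "workstation", "intrusion_type": "virus incident",
    "discovered_by": "antivirus alert", "effect": "workstation offline",
    "how_occurred": "email attachment", "how_removed": "re-installed system",
    "prevention_steps": "attachment filtering", "notified": ["IT manager"],
    "hours_spent": 3, "cost": 240,
}
SAMPLE_FORMS = [
    _BASE,
    {**_BASE, "systems": ["ws-022"], "hours_spent": 2, "cost": 160},
    {**_BASE, "systems": ["mail-01"], "system_type": "mail server",
     "intrusion_type": "denial of service attack", "how_occurred": "",
     "hours_spent": 6.5, "cost": 900},
]

def missing_fields(record):
    """Return the form items that are absent or left empty in a record."""
    return [f for f in REQUIRED_FIELDS
            if f not in record or record[f] in ("", None, [])]

def summarize_by_type(records):
    """Total incidents, staff hours and cost per intrusion type; flag incomplete forms."""
    totals = defaultdict(lambda: {"incidents": 0, "hours": 0.0, "cost": 0.0})
    incomplete = {}  # record index -> list of form items still to be filled in
    for i, rec in enumerate(records):
        gaps = missing_fields(rec)
        if gaps:
            incomplete[i] = gaps
        bucket = totals[rec.get("intrusion_type") or "unclassified"]
        bucket["incidents"] += 1
        bucket["hours"] += float(rec.get("hours_spent") or 0)
        bucket["cost"] += float(rec.get("cost") or 0)
    return dict(totals), incomplete

if __name__ == "__main__":
    print(summarize_by_type(SAMPLE_FORMS))
```

Incomplete forms are still counted in the totals so the time and cost figures are not understated; the returned index of gaps shows which reports need follow-up.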
