Fast responders

No one likes to talk about it, but criminals are using the Internet to extort money from companies, particularly those whose survival depends on processing financial transactions online. First, a company notices that its servers are under attack and online transactions with the public are blocked. Then an e-mail arrives explaining that the attack will stop only if the company pays an extortion fee.

Such attacks are an example of the growing sophistication and targeted nature of computer security incidents that afflict some businesses and government agencies. Reporting and responding to such incidents demand significant attention and resources. Companies that are models for dealing with security vulnerabilities provide training to make their employees security-aware. But increasingly, they rely on the quick response of automated detection and remediation systems to protect information on their networks.

Security officials at some of the largest companies say incident reporting is still more of an art than a science. But security officials at three corporations -- AT&T, Booz Allen Hamilton and Northrop Grumman -- agreed to discuss a topic that others said they would rather not talk about. Several experts in the information security business also offered their advice on incident reporting. Those officials and other experts said their experience might be helpful to federal officials who must not only protect government information but also comply with the Federal Information Security Management Act.

FISMA requires federal agencies to report incident data to two agencies with different reporting needs: the Office of Management and Budget and the Homeland Security Department. That is a tall order for many agencies, said Kenneth Ammon, president of MCI NetSec Global Security Services, an MCI company.

"You have two different audiences that you're trying to please here, and you probably need two different approaches to satisfy the requirements," he said.

OMB, which monitors FISMA compliance, asks agencies to report the number and type of security incidents they had in the previous year. Critics say the requirement fails to recognize that some agencies detect thousands of security incidents because they have rigorous security monitoring programs, whereas other agencies do not.

"A department that isn't looking can say we have zero incidents to report, and a department that is looking has a lot," Ammon said.

Recognizing this problem, OMB worked with DHS this year to develop a more sophisticated security incident reporting template for agencies' 2005 FISMA reports, said Karen Evans, OMB's administrator of e-government and information technology. OMB will ask agencies to verify that they followed the new DHS guidelines when they report their latest security incident numbers.

Unlike OMB, DHS has always been interested in collecting real-time technical data that could provide an early warning of emerging threats to federal networks and information systems. Ammon said DHS could discover more threats by placing anomaly-detection devices on agencies' wide-area networks.

But because most agencies have resisted its efforts to put data-collection devices on their networks, DHS continues to have problems getting useful incident data.

Ammon said DHS should offer to subsidize agencies' purchase of such devices from a short list of approved vendors in exchange for access to the incident data from those devices. Most agencies would accept that approach, he said.

As for agencies' other concerns about nondisclosure, Ammon said, the Commerce Department has figured out how to protect and aggregate economic data from U.S. businesses, and DHS could do the same with agencies' security incident data.

Hit daily by hundreds of potential security incidents, federal agencies and large companies face a major challenge in identifying incidents that require further investigation, a process that security experts call a root-cause analysis.

"It's all about sifting through tons and tons of hay to find a few needles that might be in there," said Ed Amoroso, chief information security officer at AT&T.

AT&T collects security data from its corporate firewalls, intrusion-detection systems, servers, desktop computers and databases. "My security team monitors just about everything," Amoroso said. He added that the process has become much less arduous since AT&T added firewalls, intrusion-detection tools and antivirus protection at various Internet access points where AT&T's portion of the nationwide IP backbone connects with portions owned by MCI and other carriers.

Because problems are detected and filtered on the public Internet before they reach AT&T's corporate network, the daily workload of security incidents that his internal staff investigates is down to about 40, Amoroso said.

Amoroso said government agencies should demand the same kind of service. Instead, most struggle to secure their networks against threats from the Internet, he said. No agency would hesitate to ask the electric company for help with power spikes or other safety hazards, yet agencies do not ask the same of the telecommunications industry, he said, adding, "We're just saying we can help."

AT&T has packaged that help in a service it calls AT&T Internet Protect, but so far few large agencies have signed up. Buying managed security services from AT&T and other carriers might take some time to catch on, if it ever does, said Timothy McKnight, chief information security officer at Northrop Grumman. "There's a lot of value there, and I agree they should bring it to the table," he said. The greatest value of such services would most likely be for small and midsize agencies or businesses, he added.

As threats increase and new regulations require compliance, companies and agencies are adopting more structured approaches to security incident reporting. "Many regulations specifically say you need to have a methodology to identify an incident and procedures to handle it," said Tracy Hulver, senior director of product management at netForensics.

The regulations, however, are often vague about what those standard procedures should be, he said.

Agencies and companies need "a chain of command, an escalation process and some sort of corporate governance as to when [they need] to call the authorities," said Ron Gula, president and chief technical officer at Tenable Network Security.

John Pescatore, vice president of Internet security research at Gartner, said he often refers the firm's corporate clients to a computer security incident guide, called "Special Publication 800-61," published by the National Institute of Standards and Technology in 2004. He also recommends a guide developed by the Australian Computer Emergency Response Team.

After initially struggling to create definitions, such as determining what a security incident is, Booz Allen officials set up standardized procedures for identifying and responding to incidents. They based those procedures on a process framework called the IT Infrastructure Library, which originated in the United Kingdom.

Daniel Gasparro, a senior director of operations at Booz Allen, said the company's implementation of that framework ensures an appropriate incident management response to whatever hits the corporate network.

Using that framework, Booz Allen's IT staff contained a coordinated denial-of-service attack that recently targeted the company. "Those are the ones you always get concerned about," Gasparro said. But with a detailed response plan that included having certain scripts ready to run, the company prevented a major corporate network outage, he said.

At Northrop Grumman, information security officials made several recent procedural changes to improve security incident reporting. They set up a toll-free number and single-purpose e-mail address for reporting incidents. They created the Computer Security Incident Response Team of business managers, corporate communications officials and security experts, who follow a documented plan when they respond to security incidents.

"We can't have every executive calling the line and telling them what they want them to do," McKnight said. The team members train and practice their response as if they were conducting a fire drill, he said.

The focus on security incidents and the creation of security operations centers are fairly recent corporate activities. Unlike network operations centers, which have been around for a while and operate according to well-defined procedures, security operations centers are still maturing, Hulver said. Security center "operators are more apt to say, 'Gee, something weird is happening. Let me go dissect what's going on,'" he said. But because businesses and agencies often have both types of centers, he added, it is important that they have standard operating procedures for communicating and passing tasks to one another.

Effective sharing of security incident information has largely been an elusive goal for many companies, just as it has been for DHS. "Aggregation is a powerful thing," especially when aggregated data reveals patterns of activity, said Mike Caudill, incident manager of Cisco Systems' Product Security Incident Response Team. Sharing incident information "can help minimize the impact of an incident or put a stop to an incident."

But most companies have been reluctant to share incident information with other companies or the U.S. government. The private-sector information sharing and analysis centers set up to share security incident information within different industry sectors and with DHS have been failures, with one exception, Pescatore said. Because DHS does not share incident information with the centers, he said, "the benefit back to them does not exceed the risk they perceive in making that information available."

The one exception is the financial center, which is working, Pescatore said. But managed security providers have some of the most valuable collections of security incident data. Companies such as Counterpane Internet Security, VeriSign and Symantec manage thousands of firewalls for hundreds of corporate customers, he said.

With that managed security data, a company can learn, for example, whether it is the target of an attack or simply a random casualty of a mass attack. "That's a mechanism where we've seen information sharing work pretty well," Pescatore said. The danger of targeted or customized attacks is that the hackers will create a Trojan horse to harm a specific company, he said.
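As an added illustration of the aggregation point above (not code from the article or from any company it names), the Python sketch below works through events pooled from several managed-security customers and separates a signature that hits only one customer, a candidate targeted attack worth a root-cause look, from one that hits most customers, which marks that customer as a random casualty of a mass event. Customer names, signature labels and addresses are constructed sample values.

```python
from collections import defaultdict

# Constructed firewall/IDS events as a managed security provider might pool
# them across customers: (customer, attack signature, source address).
# Sample values for illustration only, not real telemetry.
EVENTS = [
    ("acme-bank", "SIG-WORM-SCAN", "10.0.0.1"),
    ("acme-bank", "SIG-WORM-SCAN", "10.0.0.2"),
    ("acme-bank", "SIG-CUSTOM-TROJAN", "192.0.2.10"),
    ("acme-bank", "SIG-CUSTOM-TROJAN", "192.0.2.10"),
    ("beta-retail", "SIG-WORM-SCAN", "10.0.0.3"),
    ("gamma-gov", "SIG-WORM-SCAN", "10.0.0.4"),
    ("delta-health", "SIG-WORM-SCAN", "10.0.0.5"),
    ("delta-health", "SIG-SQL-PROBE", "198.51.100.7"),
    ("gamma-gov", "SIG-SQL-PROBE", "198.51.100.7"),
]

# A signature seen at this fraction of all customers or more is treated as
# mass (untargeted) activity. The threshold is an assumption for the sketch.
MASS_FRACTION = 0.75


def classify(events, mass_fraction=MASS_FRACTION):
    """Map each signature to (label, sorted customers hit, event count).

    label is "targeted" when exactly one customer saw the signature,
    "mass" when at least mass_fraction of customers saw it, else "limited".
    """
    customers = {customer for customer, _, _ in events}
    hits = defaultdict(set)   # signature -> set of customers that saw it
    counts = defaultdict(int)  # signature -> total raw events
    for customer, sig, _src in events:
        hits[sig].add(customer)
        counts[sig] += 1

    result = {}
    for sig, hit in hits.items():
        spread = len(hit) / len(customers)
        if len(hit) == 1:
            label = "targeted"
        elif spread >= mass_fraction:
            label = "mass"
        else:
            label = "limited"
        result[sig] = (label, sorted(hit), counts[sig])
    return result


def needs_investigation(events, customer):
    """Signatures seen at `customer` that mass activity does not explain.

    This is the 'needles in the hay': raw events the pooled view cannot
    write off as background noise and that merit a root-cause analysis.
    """
    classes = classify(events)
    seen = {sig for c, sig, _ in events if c == customer}
    return sorted(sig for sig in seen if classes[sig][0] != "mass")


if __name__ == "__main__":
    for sig, (label, hit, n) in sorted(classify(EVENTS).items()):
        print(f"{sig:18} {label:9} customers={len(hit)} events={n}")
    for customer in sorted({c for c, _, _ in EVENTS}):
        print(customer, "->", needs_investigation(EVENTS, customer))
```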

Security companies usually don't respond by writing an antivirus signature if a virus attacks a single company, Pescatore said, adding that "the rise of targeted attacks has poked big holes in a lot of companies' intrusion-detection strategies."

Corporate security officials say companies and agencies should spend what they can afford to automate their security incident reporting. Security reporting works best "if data is being collected from everywhere in real time," Amoroso said. "What industry and AT&T are trying to do is automate as much as possible because the social process and the human interaction around [incident reporting] will always be very imperfect."

Having real-time incident-detection capabilities also produces a desired social response, Amoroso said.

"If you have powerful tools that are collecting data and you're very successful at detecting even minor changes in the infrastructure, people are going to be very careful," he said, adding that they will think twice about attempting to sabotage a corporate network.

How to handle incidents without getting burned

The government has given up counting computer security incidents and attacks on the nation's Internet infrastructure. The Homeland Security Department's U.S. Computer Emergency Readiness Team (US-CERT), which coordinates nationwide defenses and responses to cyberattacks, no longer tallies security incidents because there are too many of them. Instead, it merely reports on information security vulnerabilities as they appear.

But most individual agencies still count security incidents. By law, they are supposed to report such occurrences internally, to US-CERT and, if warranted, to law enforcement authorities and the news media.

Several information security analysts say the National Institute of Standards and Technology offers some of the best guidance on reporting and handling security incidents, and they recommend NIST guidelines to their public- and private-sector clients.

From "Special Publication 800-61: Computer Security Incident Handling Guide," here are some tips from the security experts at NIST:

  • Create a policy that defines incidents, establishes an organizational structure for responding to them, and outlines roles and responsibilities.
  • Establish procedures for sharing incident information with US-CERT and, when necessary, law enforcement authorities and the news media. Solicit the assistance of public affairs staff members and legal advisers.
  • Practice handling large-scale incidents on a regular basis through exercises and simulations. Because such incidents are rare, response teams need practice if they are to handle real events effectively.
  • Be prepared by having incident-handling tools ready before they are needed. A preparedness kit should include lists of contacts and phone numbers, encryption software, network diagrams and inventories, backup devices, forensic software, and security patches.

-- Florence Olsen
