DeVry University
College of Engineering and Information Sciences
Alhambra, California
Proposal: Standard Operating Procedures for Security Breach
By
Thomas Christopher Go Ty
Submitted in Partial Fulfillment of the Course
Requirements for
Information Systems Security Planning and Audit
SEC440
Professor John Freund
August 10, 2014
Standard Operating Procedure for Security Breach
Experienced attackers will exploit even the simplest neglected practice to get their hands on a target.
Because of the risk of exploitation, and to prevent spamming that may lead to Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks on the email server, the organization is encouraged to abandon the previous practice of publishing the company’s general email address on its official Web site for inbound communications. The general email address is typically found on the Contact Us or About Us Web pages.
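To make the exposure concrete, the following Python script is an added example (not part of the original paper) that audits a contact page for addresses a harvesting spider could recover: plain-text addresses, mailto: links, HTML-entity-encoded addresses, and the "user [at] domain [dot] com" spelling. The two HTML pages and the example.com addresses are constructed for the example; the hardened page shows the alternative the paper recommends, a link to a contact mechanism with no address in the markup.

```python
import html
import re
from typing import List

# Constructed sample pages, assumed for this example (not from the original paper).
SAMPLE_CONTACT_PAGE = """
<html><body>
<h1>Contact Us</h1>
<p>General inquiries: info@example.com</p>
<p>Sales: <a href="mailto:sales@example.com?subject=Quote">Email sales</a></p>
<p>Support: support&#64;example&#46;com</p>
<p>Press: press [at] example [dot] com</p>
</body></html>
"""

# Hardened variant: the page offers a contact form and no address at all.
SAMPLE_HARDENED_PAGE = """
<html><body>
<h1>Contact Us</h1>
<p>Use the <a href="/contact-form">contact form</a> to reach the right team.</p>
</body></html>
"""

# Deliberately simple patterns: the goal is to find whatever a harvesting
# spider would also find, not to validate RFC 5322 syntax.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO_RE = re.compile(r'href\s*=\s*["\']mailto:([^"\'?]+)', re.IGNORECASE)
# "user [at] domain [dot] tld" spelling, which harvesters routinely normalise.
SPELLED_OUT_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\[(]\s*at\s*[\])]\s*([A-Za-z0-9.-]+)"
    r"\s*[\[(]\s*dot\s*[\])]\s*([A-Za-z]{2,})",
    re.IGNORECASE,
)


def find_exposed_addresses(page: str) -> List[str]:
    """Return every address on the page a harvester could recover (sorted, deduplicated)."""
    # Decode entities first: &#64; is '@' to a harvester just as it is to a browser.
    decoded = html.unescape(page)
    found = set()
    for target in MAILTO_RE.findall(decoded):
        found.add(target.strip().lower())
    for address in ADDRESS_RE.findall(decoded):
        found.add(address.lower())
    for user, domain, tld in SPELLED_OUT_RE.findall(decoded):
        found.add(f"{user}@{domain}.{tld}".lower())
    return sorted(found)


def page_is_harvest_safe(page: str) -> bool:
    """True when the page exposes no recoverable address."""
    return not find_exposed_addresses(page)


if __name__ == "__main__":
    for label, page in (("original", SAMPLE_CONTACT_PAGE), ("hardened", SAMPLE_HARDENED_PAGE)):
        print(label, find_exposed_addresses(page))
```

Run it against a copy of each public page before publishing; any address it reports is one a spider can collect as well.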
Email Proper Usage
Laying the email address out on a Web page exposes it to spider harvesting, also called email address harvesting. An alternative, a “Contact Us” button that opens a window with a list of email clients and providers, can reduce the spam received by the email server. Not all threats can be detected, even with an email filtering program and real-time email scanning in place. Setting the email filtering program too high risks valid email messages never reaching the recipient; setting the security too low results in large quantities of spam. It is recommended to set any security setting to its optimum level. Implementing optimum-level security may have some exceptions, especially when it comes to physical locations.
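The threshold trade-off described above is easiest to see by replaying candidate settings over a labelled sample. The following Python block is an added example, not part of the original paper: it applies a tiered policy (tag, quarantine, or reject by score) to a constructed set of scored messages and reports how many valid messages would be lost and how much spam would reach the inbox under an aggressive, a lenient, and a balanced setting. The scores, labels and threshold values are all assumed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScoredMessage:
    subject: str
    spam_score: float  # higher means more spam-like, as a scoring filter would report it
    is_spam: bool      # ground truth from a reviewed sample (constructed here)


# Constructed sample: a mix of valid mail and spam with overlapping scores.
SAMPLE_MESSAGES: List[ScoredMessage] = [
    ScoredMessage("Q3 invoice attached", 1.2, False),
    ScoredMessage("Team lunch Friday", 0.4, False),
    ScoredMessage("Your order has shipped", 3.8, False),
    ScoredMessage("Password reset request", 4.6, False),
    ScoredMessage("CHEAP PILLS!!!", 12.5, True),
    ScoredMessage("You have won a prize", 8.9, True),
    ScoredMessage("Re: your account", 5.4, True),
    ScoredMessage("Newsletter: weekly deals", 4.1, True),
]

# Assumed threshold sets (tag_at, quarantine_at, reject_at).
AGGRESSIVE = (2.0, 3.0, 4.0)
LENIENT = (8.0, 10.0, 12.0)
BALANCED = (4.0, 6.0, 10.0)


def classify(score: float, tag_at: float, quarantine_at: float, reject_at: float) -> str:
    """Map a score to the tiered action; reject is final, quarantine is recoverable, tag still delivers."""
    if score >= reject_at:
        return "reject"
    if score >= quarantine_at:
        return "quarantine"
    if score >= tag_at:
        return "tag"
    return "deliver"


def evaluate(messages: List[ScoredMessage], thresholds) -> Dict[str, int]:
    """Count the two costs the policy must balance: valid mail lost and spam reaching the inbox."""
    tag_at, quarantine_at, reject_at = thresholds
    result = {"valid_lost": 0, "valid_quarantined": 0, "spam_in_inbox": 0}
    for message in messages:
        action = classify(message.spam_score, tag_at, quarantine_at, reject_at)
        if not message.is_spam and action == "reject":
            result["valid_lost"] += 1          # recipient never sees a legitimate message
        elif not message.is_spam and action == "quarantine":
            result["valid_quarantined"] += 1   # recoverable, but needs someone to look
        elif message.is_spam and action in ("deliver", "tag"):
            result["spam_in_inbox"] += 1       # tagged spam still lands in the inbox
    return result


if __name__ == "__main__":
    for name, thresholds in (("aggressive", AGGRESSIVE), ("lenient", LENIENT), ("balanced", BALANCED)):
        print(name, evaluate(SAMPLE_MESSAGES, thresholds))
```

The aggressive setting loses a legitimate password-reset message outright, the lenient one lets three spam messages through, and the balanced tiers lose nothing while still tagging what slips past; which of these is "optimum" depends on how costly a lost valid message is for the organization compared with a tagged spam message.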
Physical Security
Some locations within the company’s premises store confidential data and information; these may include storage rooms for anything related to money and other financial information of clients, employees, shareholders, other stakeholders, and the organization itself. Theft can lead to fraudulent activities that expose the company to legal consequences such as lawsuits, fines from the United States government, and, most seriously, the company closing its doors.
Not well known to the general public is the information-gathering method called social engineering. Social engineering is mostly done by observing physical factors, such as employees who wear their I.D. cards while outside the company and leave documents in plain sight in public places and in vehicles. While many will argue that worrying about things and documents left in plain sight inside a vehicle is unjustified, law enforcement in the City of Boulder, State of Colorado, strongly advises everyone to “Never leave valuables in plain view, even if your car is locked. Put them in the trunk or otherwise out of sight.” (Colorado Police Department) The value of stolen vehicles is estimated to exceed $8,000,000,000.00.
Sample Policy Document
The following is a prototype of security policies concerning proper email usage and physical security.
---------------------------------- Sample Policy Document (beginning) --------------------------------
Securing communications and physical security
Objective
This text sets the policies on acceptable email use, securing physical locations, and responding to security breach incidents.
Purpose
The policies in this text provide guidance to avoid and reduce security breaches perpetrated by attackers who take advantage of lax email use and of employees’ situational awareness. In addition, to protect the Organization’s assets and reduce liabilities, this text also includes an incident response policy.
Audience
The policies outlined in this document apply to all entities working for the Organization.
Policy
1. Communications Use of E-Mail
a. Client or End-Users
The use of the Organization’s email will only be for business-related communications.
• Chain emails and other similar forms of spamming are prohibited.
• The email address field ‘BCC’ (blind carbon copy) will only be used as needed or necessary.
• Properly log out of the Organization’s Web mail when using a public computer; delete cookies and close the Web browser as a precaution.
• Always use a proper email signature for responses and forwarded emails.
• Avoid “rainbow” emails that use excessive font colors in the contents of the email itself.
b. Server End
• Non-active, dummy, and default email accounts will be disabled.
• Email filtering and real-time email scanning will be implemented.
• Software updates will be applied to the Web and email servers as soon as they become available from the software vendor.
c. Public Communications
Public communications include receiving emails from external entities inquiring about any service, product, or concern regarding the Organization.
2. Physical Security
Physical security policies are to be followed by all employees, including mobile workers.
• For all employees: Do not leave any documents lying around in plain sight in public places such as restaurants, airports, cafes, and hotels, or in vehicles.
• The use of notebook privacy screens or privacy filters is a must if any electronic documents need to be opened in public places.
• Do not leave unattended, under any circumstances, any bags (backpacks, suitcases, messenger bags, etc.) containing documents relating to the Organization or notebooks containing the Organization’s data.
• Do not post the Organization’s building layout on public forums.
• Employees must wear their identification cards (I.D. cards) issued by the Organization while at work.
• Employees are prohibited from wearing I.D. cards issued by the Organization outside of the workplace.
• All rooms that store sensitive and confidential information will be locked.
• Only authorized personnel are allowed to enter the server room and other restricted locations within the Organization’s premises.
• All guests and visitors are required to be escorted by authorized personnel and to wear a guest/visitor I.D. card visibly while on the premises.
Exception
No one is exempted from the policies outlined herein.
Enforcement
The policies in this text shall be strictly enforced. Failure to follow the policies outlined in this text will be subject to disciplinary actions that include, but are not limited to, the following.
• Employment suspension without pay
• Employment termination or separation
• Legal actions and suits
Definition of Terms
Organization – the business entity where the employee works, as distinct from its business owners and shareholders
End-user – the stakeholders of the Organization
External entities – individuals or groups not directly related to the company
Public forums – any place or location, physical or on the Web, that the public can freely access
Business owners, shareholders, stakeholders, employees – all entities working for the Organization
Revision History
References
Frei, Stephan, Silvestri, Ivo, Ollman, Gunter. Mail Non-Delivery Notice Attacks. Retrieved from http://www.techzoom.net/publications/mail-non-delivery-attack/index.en
National Institute of Standards and Technology (September 2012). Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
---------------------------------- Sample Policy Document (end) --------------------------------
Incident Response
When a disaster or an incident strikes, having an incident response plan reduces operational downtime compared to having none at all. Imagine what the world would be like if there were no firefighters to combat fires and no emergency medical technicians (EMTs) for ambulance services.
While each field has its own set of policies and response guidelines, they share the same goal: to respond to each succeeding incident better than the last. In the field of information security the goal is the same, but the specifics differ. The general idea is to perform an initial assessment, isolate, communicate, recover, reassess, and review.
The initial assessment shows the initial damage and gives an overview of the incident. This helps in executing an appropriate response instead of second-guessing, avoiding the loss of precious time and reducing costs for the organization. The longer the downtime, the higher the cost to the company. That is especially true for an environment like a call center that is contracted by service providers for its business. Long downtimes create friction between the two businesses and possibly a breach of contract and a lawsuit by the service provider against the call center management for not delivering as stated in the contract.
Isolating the problem prevents further damage on top of the damage already done to the company. The incident response team can then focus on the problem rather than “run around”. In addition to isolation, it is important to communicate with each member of the team and with other stakeholders within the company to avoid miscommunication and unnecessary actions. The recovery phase restores the information systems to a working and stable operating condition. The system can be restored from a backup (tape backups), or operations can be redirected to an existing system that is on standby. The latter is more costly to implement than tape backups. After operations are back to a stable condition, a reassessment of the damage and a review of the existing security policies and documents are done, revising the pre-existing policies and documents as needed.
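The six phases above are only useful if the team actually walks them in order and keeps the timestamps the later review needs. The following Python block is an added example, not part of the original paper: a small incident record that refuses out-of-order phases (for instance recovering before isolating), rejects timestamps that go backwards, measures downtime from detection to recovery (the cost driver the paper points to), and produces per-phase durations for the reassessment and review. The incident name, timestamps and notes are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Phase order as described in the paper's incident response section.
PHASES = ("initial_assessment", "isolate", "communicate", "recover", "reassess", "review")


class PhaseOrderError(ValueError):
    """Raised when a phase is recorded out of sequence."""


@dataclass
class IncidentRecord:
    name: str
    detected_at: datetime
    # (phase, timestamp, note) entries in the order they were completed
    timeline: List[Tuple[str, datetime, str]] = field(default_factory=list)

    def next_phase(self) -> Optional[str]:
        """The phase that must be completed next, or None once the incident is closed."""
        return PHASES[len(self.timeline)] if len(self.timeline) < len(PHASES) else None

    def can_advance(self, phase: str) -> bool:
        return self.next_phase() == phase

    def advance(self, phase: str, at: datetime, note: str) -> None:
        """Record completion of the next phase; enforce order and monotonic time."""
        expected = self.next_phase()
        if expected is None:
            raise PhaseOrderError(f"{self.name}: incident already closed")
        if phase != expected:
            raise PhaseOrderError(f"{self.name}: expected {expected!r}, got {phase!r}")
        last_time = self.timeline[-1][1] if self.timeline else self.detected_at
        if at < last_time:
            raise ValueError(f"{self.name}: timestamp for {phase!r} precedes previous entry")
        self.timeline.append((phase, at, note))

    def is_closed(self) -> bool:
        return self.next_phase() is None

    def downtime(self) -> Optional[timedelta]:
        """Detection to completed recovery; None until recovery is recorded."""
        for phase, at, _ in self.timeline:
            if phase == "recover":
                return at - self.detected_at
        return None

    def phase_durations(self) -> Dict[str, timedelta]:
        """How long each phase took, measured from the previous entry (or detection)."""
        durations: Dict[str, timedelta] = {}
        previous = self.detected_at
        for phase, at, _ in self.timeline:
            durations[phase] = at - previous
            previous = at
        return durations


def run_sample_incident() -> IncidentRecord:
    """Walk a constructed incident through all six phases (timestamps are assumed)."""
    record = IncidentRecord("mail-relay-abuse-demo", datetime(2014, 8, 10, 9, 0))
    record.advance("initial_assessment", datetime(2014, 8, 10, 9, 20), "outbound queue flooded with spam")
    record.advance("isolate", datetime(2014, 8, 10, 9, 45), "relay taken off the network")
    record.advance("communicate", datetime(2014, 8, 10, 10, 0), "team and service desk briefed")
    record.advance("recover", datetime(2014, 8, 10, 13, 30), "restored from last known-good backup")
    record.advance("reassess", datetime(2014, 8, 10, 15, 0), "no further abuse observed")
    record.advance("review", datetime(2014, 8, 11, 10, 0), "policy on default accounts revised")
    return record


if __name__ == "__main__":
    incident = run_sample_incident()
    print("downtime:", incident.downtime())
    for phase, spent in incident.phase_durations().items():
        print(f"{phase:20s} {spent}")
```

Because every completed phase carries a timestamp and a note, the same record doubles as the evidence for the review step: it shows where the hours went and which phase the next revision of the plan should shorten.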
Conclusion
Although no one-hundred-percent secure system exists, the risk and damage from security breaches can be reduced or avoided if proper actions are taken. Even the simplest practices neglected by the general public can be used by an experienced attacker against any company, group, or individual to reach the attacker’s goal. Proper behavior and proper use of company resources are the beginning of a more secure information system.
Works Cited
Safety for your Vehicle. Retrieved from https://bouldercolorado.gov/police/safety-for-your-vehicle
Frei, Stephan, Silvestri, Ivo, Ollman, Gunter. Mail Non-Delivery Notice Attacks. Retrieved from http://www.techzoom.net/publications/mail-non-delivery-attack/index.en
National Institute of Standards and Technology (September 2012). Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
TechNet. Responding to IT Security Incidents. Retrieved from http://technet.microsoft.com/en-us/library/cc700825.aspx#XSLTsection125121120120