Article, Varnostni Forum, March 2010 - Saša Aksentijević, court expert in informatics and telecommunications



< VI/MARCH 2010 > 11

WHAT TO DO IN CASE OF SECURITY BREACHES AND HOW TO PREVENT THEM?

Theme of the month: ENDPOINT SECURITY

SAŠA AKSENTIJEVIĆ

There are several typical cases in which corporate clients ask for forensic analysis of computer systems and analysis of front-end perimeter breaches, the most common ones being litigation and proceedings against current or former employees. In this article I will try to give some advice to those responsible for responding to security breaches on what to do in order to resolve the situation. It is important to underline what to do, and even more importantly, what NOT TO DO when responding to security incidents. In most cases, doing nothing is better than doing just anything, so I will start with a list of actions that should not be taken, and that are nevertheless prevalent in most organizations that do not have well established incident response procedures, or where the response is entrusted at random, either by hierarchy or by where the incident happens to land within the organization, with everyone trying to keep the hot potato out of their own lap.

Fig 1: five petals of ICT forensic investigation don'ts

1 Avoid emotional response
2 Do not confront suspects and avoid evidence contamination
3 Do not avoid authorities
4 Ensure consistent state of hardware
5 Do not conduct internal investigation without professionals

1. Approach the issue calmly and without panic, and avoid any form of written and electronic communication, including phone calls. In most cases, the damage is already done by the time the information about the security breach or incident has become apparent. Even though a quick response is of high importance, it is even more important to approach the issue calmly and in an analytical manner, avoiding an emotional response. If there is reasonable doubt that damage has been incurred to the company's resources, computer and network systems, or the company's image and reputation, or that the computer systems and information have been used in a way that is contrary to the business policy and strategy, or that local laws have been violated, it is important to discuss the hard facts in complete confidentiality with the highest decision levels within the organization while minimizing the number of involved people. The reasoning is simple: security and information breaches are often initiated by people who are either highly positioned within the organization or have direct hands-on knowledge of information system maintenance, therefore widening the number of people involved in inci-

Saša Aksentijević has spent his entire educational and professional life in the ICT area. He first worked for several years as an independent ICT consultant, the owner of a start-up company and a specialist for mass storage technologies. During the past seven years he has been working in one of the world's biggest multinational companies in the oil and gas sector, which performs offshore and onshore turnkey projects. He holds a B.Sc. in business informatics, a Master's degree in ICT Management and ICT Security, and an ISO 27001:2005 Lead Auditor certificate. On top of that, he works as a business strategy consultant specialized in safety at work and human resource management, and he is a certified ICT forensics court expert at the Commercial and Municipal Courts. He recently started his Ph.D. studies in business economy.


< VI/MARCH 2010 > 13

is to preserve the computer systems from any kind of change. If the computer system is turned off, leave it in that state, because turning it back on might erase important evidence. If the computer system is turned on, leave it turned on but do not use it until it is accessed by the forensic investigator, and ensure a constant power supply. In the case of peripheral equipment powered by batteries, like notebooks, mobile phones, landline phones or palmtops, the devices should not be used, but should be connected to an external power source to ensure that in the case of deep battery drainage the contained data does not get erased.

8. In most cases, it is safe and advisable to disconnect the affected computer or computer system from the computer and telephone network by physically removing network and telephone cables, in order to preserve the evidence and prevent remote access to the computers and distributed removal of evidence by the perpetrator.

9. Only after a joint decision of decision makers in the organization, those responsible for information systems, law enforcement and forensic investigators should the passwords and logins for system utilization be changed, and e-mail rights and other privileges be revoked from those who are suspects in the investigation, in the case of internal employee or internal third-party security breaches. This decision could signal to them that they are under investigation, so it should be made carefully, after broad consensus.

10. All identified evidence should be adequately stored under lock and key or in a safe, and the list of steps taken should be detailed, with signatures of those responsible for the different steps. It is also possible to include external authorities in this process to ensure evidence validity and integrity, such as public notaries, lawyers, forensic investigators, police officers and other trustworthy witnesses.
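One way to give the "detailed list of steps with signatures" from point 10 a technical backbone is a tamper-evident chain-of-custody log. The Python below is an added example, not part of the article or the author's practice; the evidence bytes, handler names and timestamps are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_entry(log: list, action: str, handler: str, evidence: bytes, timestamp: str) -> dict:
    """Append one custody step. The entry hash covers every field plus the previous
    entry's hash, so editing, removing or reordering a step later breaks the chain."""
    entry = {
        "seq": len(log) + 1,
        "timestamp": timestamp,          # ISO 8601, written by the handler
        "action": action,
        "handler": handler,              # the person who signs for this step
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log: list, evidence: bytes) -> bool:
    """True only if the chain is unbroken and every step refers to the same evidence item."""
    expected_evidence = sha256_hex(evidence)
    prev = GENESIS
    for seq, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != seq or entry["prev_hash"] != prev:
            return False  # an entry was removed, inserted or reordered
        if entry["evidence_sha256"] != expected_evidence:
            return False  # the evidence item no longer matches what was recorded
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False  # a recorded field was edited after the fact
        prev = entry["entry_hash"]
    return True


# Constructed sample: stands in for a disk image taken from a seized notebook.
EVIDENCE = b"constructed sample disk image bytes"


def build_sample_log() -> list:
    log = []
    add_entry(log, "seized and sealed in evidence bag", "First Handler", EVIDENCE, "2010-03-01T09:00:00+00:00")
    add_entry(log, "moved to safe, witnessed by notary", "Custodian", EVIDENCE, "2010-03-01T10:30:00+00:00")
    add_entry(log, "released to forensic investigator", "Custodian", EVIDENCE, "2010-03-02T08:15:00+00:00")
    return log
```

Dropping the newest entries leaves the remaining chain valid, so the latest entry hash should be countersigned by one of the external witnesses the article names; that is what makes the record independently checkable.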

11. Finally, the best advice to all corporate organizations, and even mid-sized organizations, is to have either umbrella frame agreements or at least established contacts with computer forensics experts or consultants, in order to ensure the right perimeter breach and incident response.

Technical and organizational measures that can be undertaken in order to prevent or mitigate the risk of perimeter breaches to any part of the ISMS can be either proactive or reactive. The forensic response described above is part of the reactive process, which not only re-establishes endangered services, but also manages the incurred damage and consequently discloses the perpetrator. However, in most cases, the key is in prevention, or proactive behavior. There are five basic groups of measures that can be implemented in advance in order to mitigate these risks:

1. Procedures of purchase and procurement of hardware equipment should be aligned with basic policies of internal and external perimeter security to ensure both service availability and data and system confidentiality and integrity.


2. Hardware and software systems that prevent misuse of peripheral, exposed equipment should be in place and aligned with real business needs. These systems should be implemented in order to ensure encryption and rights management on certain services and document classes, impose service denial or limitation for certain groups of users, set priorities, and use heuristics to identify possible breaches and unauthorized access attempts. These systems in fact rely heavily on the organizational component of the ISMS, and they are only as effective as the internally established ISMS. Therefore, investing in intrusion prevention software and hardware without investing in procedures and human resources can sometimes be an expenditure that is not justified by the results obtained, which should be a higher level of integral security of the system or the organization as a whole.

3. As already described, clear policies for ISMS implementation, detailed analysis of procedures and contingency procedures, communication channels and hardware resources, disaster recovery and business continuity, and a clear SLA with consultants who are specialists in security incident response are both basic and clear prerequisites for effective management of security breaches in the organization. These consultants typically offer incident management services on a technical level and are specialized in stopping any attack or mitigating damage already done.

4. Social engineering awareness is usually important for the organization, because along with the technical, organizational and forensic response, it is sometimes necessary to address the issues of social engineering within the organization that might have granted unauthorized access to those entering the security perimeter. Sometimes organizations want to identify a single culprit for a certain security incident, yet it is clear that multiple points of failure are often the cause of a security breach. Therefore, the goal of every organization should be prevention and not reactive behavior. The only way to mitigate social engineering risk is to educate those who are in charge of technical maintenance of information system components, and also to educate their users.


5. Alignment of incident response with the goals of the organization. Very often the risk of an information security or secure perimeter breach is simply accepted, even when it is very high, because organizations silently accept their exposure by trying to minimize the costs related to contracts, services, hardware and software that should be purchased or obtained to mitigate the real risk. It is up to every organization to carefully weigh the cost of possible data theft, corruption, deletion or security breach against yearly investments and costs related to mitigation measures and possible contracts with third parties for forensic and incident response, and even prevention. Most corporations still have relatively modest numbers of in-house authorized forensic staff, so they should be very careful not to fall into the trap of cost-cutting where it is not exactly advisable. It is a proven fact that the return on investment in ICT forensics is clearly qualitative and not quantitative; this is something that stakeholders usually do not value highly. It is even worse when ICT systems are not a part of the overall business strategy but merely support functions. In such scenarios, it is clear that there will be more security breaches, and also that the forensic and incident response will be difficult, delayed and maybe inadequate.