RESPONSE: Discusses implementing an incident response strategy for the
response component of an institution's information security program.

INCIDENT RESPONSE
After implementing a defense strategy and monitoring for new attacks, hacker
activities, and unauthorized insider access, management should develop a response
strategy. The sophistication of an incident response plan will vary depending on the risks
inherent in each system deployed and the resources available to an institution. In
developing a response strategy or plan, management should consider the following:
- The plan should provide a platform from which an
institution can prepare for, address, and respond to intrusions or unauthorized activity.
The beginning point is to assess the systems at risk, as identified in the overall risk
assessment, and consider the potential types of security incidents.
- The plan should identify what constitutes a break-in or
system misuse, and incidents should be prioritized by the seriousness of the attack or
system misuse.
- Individuals should be appointed and empowered with the
latitude and authority to respond to an incident. The plan should include what the
appropriate responses may be for potential intrusions or system misuses.
- A recovery plan should be established, and in some cases,
an incident response team should be identified.
- The plan should include procedures to officially report
the incidents to senior management, the board of directors, legal counsel, and law
enforcement agents as appropriate.
Today's products not only can detect intrusions in real-time, but can
automatically respond to intrusions. Depending on the software, information systems
personnel can be notified on a real-time basis during an attack, rather than detecting the
attack afterward during a manual log review. Methods of notification can include e-mail,
pager, fax, audio alarm, or message displays on a computer monitor. Responses can include
shutting down the system, logging additional information, and disabling a user's
account (e.g., by disallowing a particular user account or Internet address). Access can
be disabled for a period sufficient for information systems personnel to review the attack
information or verify the user. Also, an institution can add warning banners to protected
systems, notifying users that they are accessing a protected computer system.
When determining an appropriate response, a distinction should be made between
incidents in which actual changes to a system are suspected (e.g., changing audit logs)
and incidents in which system misuse is suspected (e.g., unauthorized system access).
Attempts to actually change the system or data may warrant notifying a security officer,
who could reconfigure the identified weaknesses and/or communication paths. An appropriate
response to system misuse may include automatic log-off, warning messages, or notifying
the appropriate personnel.
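As an added example (not part of the guidance above), the following Python sketch applies the distinction just described: events that change the system or data are treated as the most serious class and routed to a security officer, while misuse events get a warning or automatic log-off plus a temporary lockout that lasts only long enough for staff to review. The event names, the 30-minute review window, and the escalation of repeated misuse by the same principal are constructed assumptions, not values from the guidance.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed event names; a real product would use its own alert taxonomy.
INTEGRITY_EVENTS = {"audit_log_modified", "config_file_changed"}
MISUSE_EVENTS = {"unauthorized_access", "login_failure_burst"}


@dataclass
class Decision:
    category: str   # "integrity_change", "misuse" or "unclassified"
    priority: int   # 1 = most serious, 3 = least serious
    actions: list   # automated responses to carry out
    notify: list    # who is informed


@dataclass
class Responder:
    # Assumed review window: access stays disabled only this long.
    review_window: timedelta = timedelta(minutes=30)
    lockouts: dict = field(default_factory=dict)      # principal -> unlock time
    misuse_count: dict = field(default_factory=dict)  # principal -> misuse events seen

    def is_locked(self, principal: str, now: datetime) -> bool:
        until = self.lockouts.get(principal)
        return until is not None and now < until

    def handle(self, event: dict, now: datetime) -> Decision:
        kind, who = event["type"], event["principal"]
        if kind in INTEGRITY_EVENTS:
            # Actual change to the system or data: no automated reconfiguration,
            # the security officer decides what to change.
            return Decision("integrity_change", 1,
                            ["log_additional_detail", "preserve_evidence"],
                            ["security_officer", "senior_management"])
        if kind in MISUSE_EVENTS:
            n = self.misuse_count[who] = self.misuse_count.get(who, 0) + 1
            # Disable access only for the period staff need to review or verify the user.
            self.lockouts[who] = now + self.review_window
            if n == 1:
                return Decision("misuse", 3, ["warning_message", "temporary_lockout"],
                                ["information_systems_staff"])
            # Repeated misuse by the same principal is treated as more serious.
            return Decision("misuse", 2, ["automatic_logoff", "temporary_lockout"],
                            ["information_systems_staff", "security_officer"])
        return Decision("unclassified", 3, ["log_additional_detail"],
                        ["information_systems_staff"])
```

Running `Responder().handle(...)` over a stream of alerts yields one `Decision` per event while `is_locked` answers whether a principal is still within its review window.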
Not only do attacks often go undetected; in many cases identified attacks are not
reported. Institutions should develop a plan to respond to unauthorized activities and
involve law enforcement when appropriate. Institutions should report suspected computer
crimes and computer intrusions on Suspicious Activity Reports (SARs) in accordance with
the guidelines outlined in Financial Institution Letter 124-97, "Suspicious Activity
Reporting," dated December 5, 1997.