Table 11.2 continued Types of Security Incidents ID No. Incident Name Incident Description 11 Insider Threat— Any type of unauthorized use of an Unauthorized Access account outside the account’s autho- rized levels of privilege for normal usage 12 Insider Threat— An unintentional security breach that Administrator Error occurs due to an administrative error (e.g., incorrect configuration) 13 Installation of Installation of software that is not Unlicensed Software approved or licensed by the agency (includes commercial software, custom code, freeware, and media) 14 IP Address Spoofing An attack where an unauthorized user gains access to a computer or a net- work by making it appear that a mes- sage or packet has come from a trusted machine by “spoofing” the IP address of that machine 15 Java or ActiveX Exploitation Any circumstance that creates exploita- tion of Java or ActiveX 16 MAC Address Spoofing An attack where an unauthorized user gains access to a computer or a net- work by making it appear that a mes- sage or packet has come from a trusted machine by “spoofing” the MAC address of the trusted machine 17 Malicious Code Indication of a computer virus, worm, or Trojan whether destructive, or harmless 18 Loss or Theft An indication that a computer, system, or media has been lost or stolen 19 Man-in-the-Middle Attack An attack where a malicious party intercepts and/or alters a legitimate communication between two friendly parties without the knowledge of the original sender or recipient www.syngress.com 178 Chapter 11 • Addressing Incident Response Continued 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 178 Table 11.2 continued Types of Security Incidents ID No. Incident Name Incident Description 20 Network Bandwidth Attack An unusual and unauthorized increase in network traffic (possibly induced by a user downloading excessive amounts of data, or using unauthorized tools that reserve large amounts of band- width) 21 Other Attacks All other circumstances in which a security incident occurs but cannot be identified by any other predefined category 22 Packet Sniffing / A circumstance where a malicious user Network Wiretap gathers, monitors, or analyzes data communications traveling between two or more systems 23 Reconnaissance Scans Indication of a network probe by an unauthorized user (possibly gathering information such as open ports, run- ning services, operating systems, or configuration information) 24 Security Attack Any circumstance where a system or network’s security support infrastruc- ture fails, and the data on that system or network is left open to security attacks (e.g., failure of a host- or net- work-based intrusion detection system) 25 Sensitive Compromise Any theft of sensitive resources (e.g., passwords; protected, classified, or restricted data; licensed applications or software; restricted applications, soft- ware or code) 26 Stolen or Misplaced A circumstance that results in stolen or Equipment misplaced agency hardware, equipment, or media 27 Unauthorized Web Surfing Web surfing by employees to untrusted and potentially dangerous or inappropriate Web sites www.syngress.com Addressing Incident Response • Chapter 11 179 Continued 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 179 Table 11.2 continued Types of Security Incidents ID No. Incident Name Incident Description 28 Unauthorized Access Any type of unauthorized use of a valid account by someone who is not an employee of the agency 29 Unauthorized Access and Any circumstance where an Modification of Access unauthorized user changes the Control Lists configurations of access control lists located on critical network infrastruc- ture such as routers or firewalls 30 User Data Breach Any type of circumstance that creates unauthorized loss, theft, alteration, or compromise of user data or private user information 31 Web Site Defacement Any activity that causes, or attempts to deface, or create unauthorized modifi- cation of internal or external agency Web sites Incident Response Plan Checklist Once your Incident Response Plan is finished, use this checklist to make sure you didn’t forget anything: ■ Does your plan accurately describe the systems it applies to? ■ Does your plan include a contact list of key personnel? ■ Does your plan include information on roles and responsibilities? ■ Does your plan include a diagram of the escalation framework? ■ Does your plan include how to contact the agency CSIRC? ■ Does your plan list the members of the CSIRT team? ■ Does your plan list the members of the CSIRC team? ■ Does your plan include a description of incident types? ■ Does your plan include guidance on severity levels? www.syngress.com 180 Chapter 11 • Addressing Incident Response 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 180 ■ Does your plan include information on agency security policies? ■ Does your plan include incident handling guidelines? ■ Does your plan include a section on information forensics? ■ Does your plan include a Security Incident Reporting Form? Security Incident Reporting Form Every incident response program should have an Incident Reporting Form to standardize and track the collection of security incident information.The Incident Reporting Form that applies to the information system undergoing C&A should be included at the end of your Incident Response Plan.The information contained on the Incident Reporting Form should be consistent with the information described in the Incident Response Plan. For example, if you include a section on the form that calls for a severity classification, be sure that severities are defined in the Incident Response Plan. A sample Incident Reporting Form is shown in Figure 11.2. Figure 11.2 Sample Security Incident Reporting Form SECURITY INCIDENT REPORTING FORM Incident Report Number: Date and Time: ______________________________________ Incident Response Manager:___________________________ Alternate POC:____________________ Name: ________________________________________________________________ Phone: ________________________ Fax:___________________________________ Pager: _____________________________________________________________ Incident Geographic Location: Building: _________________________Cubical/Room: _______________________ Incident Type, Name(s) and ID: Incident Type Identification Numbers (from list): Data: Classified Unclassified www.syngress.com Addressing Incident Response • Chapter 11 181 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 181 System Information: (Report operating system name, version, and patch level/Service Pack) Platform: Workstation Server Laptop Asset Identification Bar Code Number: ________________________ Networks and Domains Affected: Incident Summary: (Be specific. List dates and times. Include how incident was detected and resolved and describe what forensics tools and programs were used.) Incident Status: Open Closed Law Enforcement Contacted (List reasons if law enforcement was not contacted.) www.syngress.com 182 Chapter 11 • Addressing Incident Response 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 182 Summary An Incident Response Plan formally documents the agency’s strategy for responding to security breaches. By its very nature, a security incident is a time of crisis to some degree, and during this time, more so than any other time, you need to ensure that decisions being made are levelheaded and based on sound judgments.The best way to do this is to define clear procedures and protocols for responding to the crisis before the crisis ever hits and then to train employees about these procedures and protocols.This is why the Incident Response Plan is such a vital document. The Incident Response Plan should cover all foreseeable security events, and it should lay out the rules and triggers by which agency personnel are to take action in response to the event. Although it may be impossible to predict when and where a denial-of-service attack will strike, it is somewhat easier to determine what the appropriate response should be. If this response is docu- mented and agency employees are trained on the response, then cooler heads will prevail when and if the possibility of the attack ever becomes a reality. Additional Resources This section provides you with information about organizations involved with incident response. It also includes lists of books and other material related to incident response and forensics. Incident Response Organizations The organizations listed in Table 11.3 offer valuable information on computer security incidents, vulnerabilities, and response activities. Table 11.3 Incident Response Organizations Organization and Web site Description CERT Coordination Center A federally funded research and http://www.cert.org development center operated by Carnegie Mellon University www.syngress.com Addressing Incident Response • Chapter 11 183 Continued 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 183 Table 11.3 continued Incident Response Organizations Organization and Web site Description Common Vulnerabilities and Exposures A list of standardized names for http://cve.mitre.org vulnerabilities developed by the MITRE Corporation Forum of Incident Response and An organization that specializes in Security Teams computer security incident response http://www.first.org/ SANS Top 20 A security vulnerability list maintained http://www.sans.org/top20 by SANS and development with the FBI X-FORCE Alerts and Advisories Information on Internet threats and http://xforce.iss.net/xforce/alerts vulnerabilities operated by Internet Security Systems United States Department of A central DoD Web site offering Defense CERT current information on security http://www.cert.mil vulnerabilities and incidents United States Computer Emergency Coordinates defense and response Readiness Team against cyber attacks on the U.S. http://www.us-cert.gov/ infrastructure United States Department of Publishes threat information to Homeland Security the U.S. infrastructure http://www.dhs.gov/dhspublic/ Additional Resources The following books offer useful information on computer security incident response: Farmer, Dan and Wietse Venema. Forensic Discovery. Addison-Wesley, December 2004. ISBN: 020163497X. Jones, Keith J. Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, September 2005. ISBN: 0321240693. www.syngress.com 184 Chapter 11 • Addressing Incident Response 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 184 Kruse, Warren G. and Jay G. Heiser. Computer Forensics: Incident Response Essentials. Addison-Wesley, September 2001. ISBN: 0201707195. Lucas, Julie and Brian Moeller. The Effective Incident Response Team. Addison-Wesley, 2004. ISBN: 0201761750. Mandia, Kevin and Chris Prosise. Incident Response, Investigating Computer Crime. Osborne/McGraw Hill, 2001. ISBN: 0072131829. Northcutt, Stephen. Computer Security Incident Handling. SANS Institute, March 2003. ISBN: 0972427376. Schweitzer, Douglas. Incident Response, Computer Forensics Toolkit. Wiley, 2003. ISBN: 0764526367. Van Wyk, Kenneth R. and Richard Forno. Incident Response. O’Reilly & Associates, 2001. ISBN: 0596001304. Articles and Papers on Incident Response Various useful articles and papers on computer security incident response are listed here: Computer Security Incident Handling Guide. NIST Special Publication 800-61, January 2004 (http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf ). “Digital Evidence: Standards and Principles (Draft).” Forensic Science Communications,April 2000 (www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm). FCC Computer Security Incident Response Guide. United States Federal Communications Commission, December 2001 (http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident- Response-Guide.pdf ). Handbook for Computer Security Incident Response Teams (CSIRTS). The Software Engineering Institute,April 2003 (www.sei.cmu.edu/publications/documents/03.reports/03hb002.html). www.syngress.com Addressing Incident Response • Chapter 11 185 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 185 “Responding to Intrusions.” CERT Coordination Center (www.sei.cmu.edu/publications/documents/sims/sim006abstract.html). Taylor, Laura.“Incident Response Planning and Management.” Intranet Journal. Jupiter Media, January 28, 2002 (http://intranetjournal.com/articles/200201/se_01_28_02a.html). Taylor, Laura.“Old-school UNIX tools help track down hackers.” TechRepublic, June 19, 2002 (http://insight.zdnet.co.uk/hardware/servers/0,39020445,2123102,00 .htm). Taylor, Laura.“Read Your Firewall Logs.” ZDNet, July 5, 2001 (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,278 2699,00.html). “U.S. Department of Justice Search and Seizure Guidelines.” United States Department of Justice, November 10, 2005 (www.usdoj.gov/criminal/cybercrime/searching.html). Wotring, Brian “Host Integrity Monitoring.” SecurityFocus, March 31, 2004 (www.securityfocus.com/infocus/1771). Notes 1. Kent Kim Grance. Computer Security Incident Handling Guide. NIST Special Publication 800-61. National Institute of Standards and Technology, January 2004, p. D-2. www.syngress.com 186 Chapter 11 • Addressing Incident Response 409_Cert_Accred_11.qxd 11/2/06 5:48 PM Page 186 Performing the Security Tests and Evaluation “No law or ordinance is mightier than under- standing.” —Plato Topics in this chapter: ■ Types of Security Tests ■ Types of Security Controls ■ Testing Methodology and Tools ■ Who Should Perform the Tests? ■ Documenting the Tests ■ Analyzing the Tests and Their Results Chapter 12 187 409_Cert_Accred_12.qxd 11/2/06 5:44 PM Page 187 [...]... 11/2/06 5: 44 PM Page 208 Chapter 12 • Performing the Security Tests and Evaluation (ST&E) Hoagland, Greg and Gary McGraw Exploiting Software: How to Break Code Addison-Wesley, 2004 ISBN: 020178 659 58 Howard, Michael and David LeBlanc Writing Secure Code Microsoft Press, December 2002 ISBN: 07 356 17228 Long, Johnny et al Penetration Tester’s Open Source Toolkit Syngress Publishing, November 20 05 ISBN: 159 7490210... Media, May 2001 ISBN: 059 600 157 6 Splaine, Steve Testing Web Security Wiley, 2002 ISBN: 04712328 15 Viega, John and Matt Messier Secure Programming Cookbook O’Reilly Media, July 2003 ISBN: 059 6003943 Whittaker, J., H H.Thompson, and H.Thompson How to Break Software Security Addison-Wesley, May 2003 ISBN: 0321194330 Articles and Papers Related to Security Testing Various useful articles and papers that may... Sizes and Security Strengths by Federal Agencies.” NIST Special Publication 800 -57 Part 1 National Institute of Standards and Technology, 2006 (http://csrc.nist.gov/cryptval/) 2 “Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program.” National Institute of Standards and Technology Communications Security Establishment, March 28, 2003 Last Update: October 5, 2006... OMB Memorandum 99-18 and specifically prohibits the use of persistent “cookies” on Federal Web sites.3 ■ OMB Memorandum 99- 05, Instructions on complying with President’s Memorandum of May 14, 1998 ‘Privacy and Personal Information in Federal Records’, includes what actions agencies must take for compliance and requirements for agencies to track disclosure of private information.4 ■ OMB Memorandum 99-18,... Regulations, and Rights On May 22, 2006, after it was thought that private information of 26 million U.S Veterans was stolen on a USB flash drive, Clay Johnson III, the Acting Director of the OMB, issued an important memorandum on privacy to heads of departments and agencies.The memo can be viewed at www.whitehouse.gov/omb/memoranda/fy2006/m-06- 15. pdf The memorandum reminds heads of departments and agencies... books and articles to refer to for more information on security testing Books Related to Security Testing The following books offer useful information on testing the security of your systems: Doar, Matthews B Practical Development Environments O’Reilly Media, September 20 05 ISBN: 059 60079 65 Graff, Mark G and Kenneth van Wyk Secure Coding: Principles and Practices O’Reilly Media, June 2003 ISBN: 059 6002424... installed and correctly configured within the agency infrastructure Code and Memory Analyzers If your information system undergoing C&A uses code that is custom written and is not associated with any commercial off-the-shelf product, it is a good idea to scan your source code for coding gaffes and vulnerabilities Code and memory analyzers can help you uncover source code vulnerabilities and memory... well as network and operating system vulnerabilities Network and Application Scanners Once configured and set up, network scanners run automated scans of your systems and networks looking for well-known security vulnerabilities Nonintrusive network scanners do not try to exploit the vulnerabilities they find Intrusive network scanners find vulnerabilities and then try to exploit them, and therefore are... date of birth, and financial status are subject to exposure.The point of a Privacy Impact Assessment is to determine if systems, Web sites, and applications comply with all federal laws, regulations, and security policies.Threats to privacy and mitigating factors should also be noted in a PIA.The assets that store the data subject to privacy policy provisions and laws should be determined and understood... procedures and results are listed in Table 12.1.You’ll want to be sure to include the date and version number for every test you perform For each test performed, you’ll need to describe the expected results and the actual results If the actual results do not match the expected results, the test has failed www.syngress.com 409_Cert_Accred_12.qxd 11/2/06 5: 44 PM Page 1 95 Performing the Security Tests and Evaluation . 076 452 6367. Van Wyk, Kenneth R. and Richard Forno. Incident Response. O’Reilly & Associates, 2001. ISBN: 059 6001304. Articles and Papers on Incident Response Various useful articles and papers. 183 Continued 409_Cert_Accred_11.qxd 11/2/06 5: 48 PM Page 183 Table 11.3 continued Incident Response Organizations Organization and Web site Description Common Vulnerabilities and Exposures A list of standardized names. 0201761 750 . Mandia, Kevin and Chris Prosise. Incident Response, Investigating Computer Crime. Osborne/McGraw Hill, 2001. ISBN: 0072131829. Northcutt, Stephen. Computer Security Incident Handling.