- Executing a Policy
- Security Incident Response
- Computer Security Incident Response Teams
- Preparing for Incident Response
- Management of Security by Teams
- Execution of an Incident Response
- Evaluation of a Security Incident
- Containing the Incident
- Eradicating the Incident
- Recovering From an Incident
- Article Series
- About the Author
- Ordering Sun Documents
- Accessing Sun Documentation Online
Management of Security by Teams
Because security teams typically have high profiles, attacks on their systems and networks can be expected. Intruders might retrieve critical information, such as past mission-critical intrusions; hence, the team's operational information and associated infrastructure are attractive targets. For example, a smart attacker could alter the parameters of an internal firewall that the organization's VCSIRT is using and allow certain destructive services to enter into the team's internal network. That is why, in addition to having their own security policies, security teams such as incident response teams must place great emphasis on guarding their own security by considering the following factors in the execution of their policies and procedures.
Teams should collect only what they are allowed and expected to collect, nothing more. A great deal of information gathering occurs while resolving issues during an incident. Teams should be careful not to violate the confidentiality of any individual or organization. Legal advice and guidance should be sought, as required or deemed necessary.
Teams should get what is needed when it is needed. For example, without timely information for analysis, teams cannot proceed and would need to stop at certain junctures of the incident response process. This can adversely impact the recovery of the affected constituent's business.
Teams should ensure that information stays the way it was intended. Inherent trust must be built between teams for the sake of information exchange and the integrity of the information, so that it remains untainted.
Teams should know where the information is from and who the possible owner is. This is not always easy to know, but the CSIRTs must make a serious attempt to identify and record sources and ownership of the information each time it is received.
Teams should ensure that only the intended recipients can use the information, and only as specified. As stressed in the first article, building trusting relationships between teams is extremely important. This, of course, results from continued contact and from developing and maintaining agreements with various national-level and international-level organizations and agencies. A large, multi-billion dollar enterprise can exert more pressure in establishing guidelines and specifications for information sharing and exchange than a smaller enterprise with a few million dollars in revenue. Intended recipients have a responsibility to process the information as specified and expected by the agreed-upon terms.
Teams should guarantee that the interests of persons and organizations are protected. Privacy laws are changing continuously in most of the progressive countries around the world. In addition, these laws differ from country to country. Certain information can be considered sensitive in one country, but not in another (for example, a country that is a member of the European Union versus the United States). Careful planning, along with professional guidance, is required when retrieving, storing, and transmitting such information.
Teams should guarantee that the due diligence requirements are fulfilled. There is an overriding, unwritten obligation to do the right thing for the benefit of all of the parties involved in servicing the incidents and the constituents. This means, for example, the use of required tools (such as encryption) with consideration towards export controls and regulations of the countries involved when information needs to cross national boundaries to reach another national-level CSIRT. In addition, although physical security needs attention, a CSIRT might not typically have full authority to implement all aspects of physical security because its parent organization usually has that authority. For instance, in the context of this article, a VCSIRT relies on the worldwide security team of the organization to possess such authority.