Home > Articles > Security > Software Security

Responding to Customer's Security Incidents--Part 3: Following Up After an Incident

  • Print
  • + Share This
The third in a five-part series, this article focuses on following up after an incident and presents the best practices that should be executed in the follow-up phase. These topics include acquiring incident data, resorting to legal actions when deemed necessary, and conducting post-incident activities such as taking inventory of the affected assets, assessing the damage, and capturing the lessons learned. This article is intended for advanced readers such as computer security managers, security policy developers, system administrators, and other related staff, who are responsible for the creation or operation of a computer security incident response policy and service.
Like this article? We recommend

The pressure of working and reacting in Internet time and protecting organizational or personal assets is constantly mounting on all of us. Adversaries are getting more sophisticated as the Internet is maturing. Both Nimda and CodeRed are recent examples of the advanced nature of threats combining software vulnerabilities and spreading of multiple vectors of infection. Security incidents have become widespread and difficult to contain in some situations. Yet, globally, enterprises working with various private and public security organizations, investigative agencies, IT vendors, governments, and academia must keep abreast of current incidents, plan for future incidents, cooperate in a concerted effort, and respond to incidents effectively.

The first article in this series discussed establishing a computer security incident response team (CSIRT) and a security policy. The second article discussed executing the policy. Security Incident Response (SIR) is the combination of resulting processes and actions an organization takes in responding to a security incident. It should be obvious that each and every security incident response program will contain unique elements that exist and make sense only for that organization. Before you read this third article, you should be familiar with the concepts described in the first two articles.

This third article focuses on following up after an incident. In this article, only the salient topics for best practices that can be executed in the follow-up phase are presented. These topics include acquiring incident data, resorting to legal actions when deemed necessary, and post-incident activities, such as taking inventory of the affected assets, assessing the damage, and capturing the lessons learned. The best practices presented in this article are generally preceded by a recovery phase and are only starting points for a more detailed analysis for building a policy with the associated processes and procedures.

This article is intended for computer security managers, security policy developers, system administrators, and other related staff, who are responsible for the creation or operation of a computer security incident response policy and service.

Understanding Key Points of the Follow-Up Phase

Why is follow-up so important to have an article dedicated to it? The follow-up, to a large extent, provides the closure on the incident by analyzing it, taking action against the cause of the incident, recording it in detail, and learning from it to improve the processes and procedures that are in place for the organization. Some unexpected or unusual questions might come up:

  • If the incident information was received sooner, would the outcome be different?

  • What would the staff do differently next time?

  • Did management (at the customer site or at the organization providing the service) prove to be part of the problem and/or part of the solution? If yes, how?

On the other hand, a simple people communication issue might surface in the follow-up phase. For instance, a few years ago, in response to a local incident, a European CSIRT contacted the U.S. National level CSIRT (CERT/CC) before contacting its own national CSIRT. This was a procedural or execution-level lapse due to miscommunication among the teams in the same country. In another instance, at the U.S. federally funded agency, CIAC (http://www.ciac.org/ctac/), failures were reported in noting telephone numbers and email addresses of those who reported an incident. This procedural gap was spotted and fixed in the follow-up phase meeting.

Social Sciences

From a broad perspective, the integration of social sciences into incident response is critical for forming, applying, and reusing the skills of a CSIRT. The human aspects of social sciences can make or break a case. They involve the victims, the workers at the affected customer's site, the executives, and the perpetrator(s).

Take, for example, insider attacks, which are not uncommon. There are three important aspects that a CSIRT and the geo-based security officer must remember about these attacks:

  • Everyone at the site is a suspect because the perpetrator is still part of the affected customer's enterprise.

  • An insider attack could cause stress to many employees.

  • The way the incident is processed will reflect on the reputation of the CSIRT and its parent organization and enterprise.

Peripheral Aspects

During the follow-up phase, several peripheral aspects that are beyond the security incident itself need attention. The investigators employed by the worldwide security team for an incident being handled by a virtual CSIRT (VCSIRT) must consider the possible media exposure, the customer's state of behavior, and reaction to the incident. In addition, attention must be paid to the visibility of the case within law enforcement, the interaction with external attorneys, such as those from the district attorney's office, and the interaction with the suspect's attorney. Lastly, the political aspects of the incident, particularly if it is a high-visibility case, cannot be ignored.

Documentation

Throughout the security incident response (SIR) follow-up phase, the responsible geo-based security officer must ensure that the answers to the following are properly captured in a document: what, when, who, why, and how. The documentation should include a chronology of events that can form a basis for prosecution, if needed, a postmortem analysis, and a lessons learned document so that security policies can be improved. The geo-based security officer should maintain this critical information for possible future use.

Incident Classes

Security incidents do not fall into a single, expected pattern. However, the analysis of an incident must address the scope of the incident very clearly. There are two general classes of incident analysis to consider:

  • Intra-incident analysis

  • Inter-incident analysis

The most common types of intra-incident analyses involve a specific incident. For instance, the analysis might involve items such as log files, artifacts left by the intruder (such as rootkits), software environments, and web-of-trust (that is, which person trusts which person, and which component trusts which component in a customer's infrastructure within an incident).

Inter-incident analysis involves relationships between incidents. This is aimed at finding symmetries between separate incidents that might indicate equivalent or related sources of intruder activity. For example, in the same week, if there are multiple attacks on the sites of an organization, it makes sense for the investigating VCSIRT to correlate log data from firewall and intrusion detection systems (IDSs) at these sites and to search for similarities between security events. A series of log entries qualifying as an event might contain several attack patterns.

Evidence

One general meaning of evidence that applies to security incident response is testimony—facts in support of something. The legal meaning that is more applicable in the context of this article is information given personally or drawn from documents, tending to establish fact. This explains what is required of the incident data if it needs to be used in a court of law. Without a doubt, security incident data that is gathered as evidence can make or break a case if a customer wants to prosecute the perpetrator. Note that there are options to prosecution. Throughout the investigation, vigilant collection of circumstantial evidence and use of a chain of custody is important. The evidence might be needed in a grand jury hearing or a trial, but remember that the definition of permissible evidence is not the same in every country.

Chain of Custody

The chain of custody is accomplished by having verifiable documentation indicating the sequence of individuals who have handled a piece of evidence and the sequence of locations where it was stored (including dates and times). For a proven chain of custody to occur, the evidence must be accounted for at all times, and the passage of evidence from one party to the next must be fully documented. If your organization has policy for preserving and proving chain of custody, ensure that your actions are in keeping with this policy. In reality, the concept of chain of custody in the context of a crime is well-known to law enforcement personnel, but not to field engineers or administrators of a VCSIRT or a servicing organization at the customer site. In addition, country-level laws differ for the handling of evidence. Thus, training of the legal implications of custody of the evidence collected during an incident must be provided to the worldwide security team. The aim of a carefully crafted chain of custody is not only to protect the evidence, but also to make it difficult for a defense attorney to find a weakness in the custody process.

Scope

FIGURE 1 shows the scope of activities during the follow-up phase. The acquisition, authentication, preservation, analysis, response plan determination, and post-incident activities occur in almost every case. Legal and investigative activities occur only in specific cases. The VCSIRTs or security officers involved should determine the need for legal and investigative activities, based on the requirements of the customer affected by the incident.

Figure 1FIGURE 1 Follow Up Activities

The following sections highlight the salient points of the various activities of the follow-up phase, as shown in FIGURE 1.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020