Responding to Various Types of Incidents - Section 5

Date: 2011-09-21
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and some of the actions related to Intellectual Property were covered in the previous sections. This section covers the remaining actions related to Intellectual Property.
Type 8: Intellectual Property (Cont’d)
Special Action 16: Verify the authenticity and origin of the misused intellectual property
This will be fairly straightforward if you have identified your organization's IP through watermarks, content, or other mechanisms. It will be more challenging if you have not identified your IP or if a violator misuses portions of your IP within their own works.
There are numerous instances where violators have removed obvious copyright and trademark identifiers as well as removed the document's title in order to obscure its true owner. Thus, you may need to use multiple methods of authentication.
Special Action 17: Create a detected items log
This log will become the foundation of your evidence and may be necessary before you can receive assistance from lawyers or law enforcement. The log should include information such as IP type and locations such as a URL, filenames, timestamps, title, author, etc. When appropriate, include MD5 or SHA-1 signatures of the original and violated copies.
The Intellectual Property Incident Identification forms found at the end of the article provide detailed examples of what information to collect.
Special Action 18: Assess the economic damage caused by intellectual property misuse
This will be much easier to do if your organization has already identified the base values of its IP. A key factor in determining damage will be how many times the IP has been misused by the violator.
For example, assume that a company that sells books in electronic form over the Internet has discovered that one of their best selling books is now being distributed for free on a violator's site. The economic damage caused by the misused version being downloaded one thousand times will be greater than if it has been downloaded only twice.
Special Action 19: Carefully collect and store evidence
Monitor and understand the current standards and techniques for digital evidence collection. Determine whether your organization has the necessary internal expertise or needs outside assistance or training. Questioning the "purity" and originality of digital evidence is a popular tactic of defense attorneys.
Perform all digital evidence gathering and analysis on bit-by-bit duplicates of the originals. Be sure to thoroughly document your collection procedures — when data was collected, what was collected, how it was collected and by whom. Properly identify each step you take. For example, if a screen shot is taken of a website containing IP misuse, you can immediately take an MD5 signature of that shot. To help maintain authenticity, be sure to keep the image creation time and MD5 creation time as close as possible together. Additionally, utilize offline browsing tools to capture a suspect's site at a specific point in time and write all evidence to media that cannot be modified, such as CD-R.
If you make an error during the collection process, do not panic. Thoroughly document the error and go on. Most importantly, try not to repeat the error again!
If in doubt, consult with your legal staff and appropriate law enforcement agencies on the proper evidence collection procedures for specific incidents.
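The detected items log of Special Action 17 and the hash-at-capture-time practice of Special Action 19 can be combined in a small tool. The following is an added example, not code from the original article or from SANS: it records the fields the log should carry, hashes the original and the violated copy immediately on capture, and later re-verifies that a stored copy still matches the logged digests. The record format, field names and sample content are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


def hash_evidence(data: bytes) -> dict:
    """Digest captured evidence bytes. MD5 and SHA-1 are the algorithms the
    article names; SHA-256 is included because it is the current norm."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def log_entry(ip_type, url, filename, title, author, original, captured, collector):
    """Build one detected-items log record (hypothetical format) covering the
    original and the violated copy. Hashing happens in the same call as the
    timestamp so capture time and digest time stay close together."""
    now = datetime.now(timezone.utc).isoformat()
    orig_digests = hash_evidence(original)
    captured_digests = hash_evidence(captured)
    return {
        "ip_type": ip_type,
        "location": url,
        "filename": filename,
        "title": title,
        "author": author,
        "collected_at": now,
        "collected_by": collector,
        "original": orig_digests,
        "violated_copy": captured_digests,
        # An exact match means a verbatim copy; a mismatch hints at stripped
        # copyright notices or partial reuse that needs manual comparison.
        "identical_content": orig_digests["sha256"] == captured_digests["sha256"],
    }


def verify_entry(entry: dict, stored_copy: bytes) -> bool:
    """Re-hash an archived copy and confirm it still matches the logged digests."""
    return hash_evidence(stored_copy) == entry["violated_copy"]


# Constructed sample: the organization's own chapter and the copy found on a
# violator's site, where the copyright line has been removed.
ORIGINAL = b"Chapter 1 (c) Example Publishing. All rights reserved.\nIt was a dark night..."
CAPTURED = b"Chapter 1\nIt was a dark night..."

ENTRY = log_entry("copyright/e-book", "http://violator.example/ch1.txt", "ch1.txt",
                  "Example Novel", "J. Doe", ORIGINAL, CAPTURED, "analyst-01")

if __name__ == "__main__":
    print(json.dumps(ENTRY, indent=2))
```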
Special Action 20: Gather appropriate information about intellectual property misusers
Utilize public sources to gather information on the violating individual or organization. Public sources include search engines, the violator's own website or storefront, publications, and public information databases. Information that should be collected includes names, locations, domain names, IP addresses, and contact information including phone numbers, email addresses, personal websites, and physical and mailing addresses. Always behave ethically and comply with all relevant laws while collecting evidence on a violator.
Special Action 21: Determine when to activate response teams
Not every IP misuse incident justifies a full response. Most organizations do not have unlimited resources or time to respond to IP misuse. Know which "battles" to fight. Such decisions are best made based on a risk assessment that identifies which IP is most important to your organization.
Special Action 22: Identify domain and ISP intellectual property protections
A significant number of ISPs and domain owners have strict IP and acceptable use policies. You can use this to your advantage if one of their customers is misusing your IP. Identify the owner of the network where the violation is occurring. Then make contact with them and describe the misuse. Many of them will then require the violator to remove the misused IP or have their web site taken down.
Special Action 23: Document all communications
Keep a log of all correspondence, phone calls, meetings, etc. that occur during an IP misuse incident. This will help identify liabilities that may exist once the final damage assessment is done. For example, if your requests to an ISP go ignored for months and during that time 1,000 more downloads of your misused IP occur, then a court may find the ISP liable for damages. Also, the individuals listed in the logs, such as DMCA agents and foreign law enforcement officials, may become key allies in future incidents. Keeping accurate and detailed notes of your communications also allows for quick retrieval of important facts as the need arises.
Special Action 24: Identify how intellectual property was inappropriately disclosed or used
This can be challenging and will be significantly based on your understanding of your organization's IP management process. For example, if the misused IP is private to your organization (e.g. trade secrets), then an employee may have leaked it or some other form of economic espionage may have occurred. However, misuse could also be due to lax permissions on your organization's website which allowed unauthorized persons to use and disclose your IP. Detailed forensics of a violator's system will usually reveal the most useful information; such access, however, will likely only be obtainable via a search warrant enforced by appropriate law enforcement.
When possible, identify and audit the actions of all persons who have interacted with the misused IP. In general this is only possible in small organizations or in larger organizations where only a small number of persons have interacted with specific IP. In such organizations, this can be an effective way to identify how IP was misused.
Once the reason for the IP misuse is identified, take appropriate steps to reduce or eliminate it.
Special Action 25: Verify that intellectual property distribution mechanisms are functioning properly
Make sure that trusted third parties or resellers of your IP have not been compromised. For example, assume your organization is a producer of electronic books and it partners with only one online company to resell them. If you find your books are being misused, you should contact the partner company to make sure that they have not been compromised. They also may be able to match a violator's Internet Protocol address or email address to an entry in their download logs.
Special Action 26: Review and update detection schemes and intellectual property management process
Utilize the information gathered during the identification and containment phases of an incident and use it to update and improve your policies, procedures and controls. This will help in preventing and responding to future IP misuse.
Special Action 27: Regularly check previously exploited vulnerabilities
If an IP misuse incident was caused by the exploitation of a specific vulnerability, regularly check to make sure that the vulnerability remains secured. If the incident was due to a breakdown or inadequacy in your organization's IP management process, establish careful auditing of appropriate IP management events.
Special Action 28: Regularly check previous intellectual property misuse web sites
Once it has been verified that your misused IP has been removed from a web site, be sure that the violator does not simply place the IP in another location on the web site, rename it, or repost it later. Also, if a violator's ISP shuts down their website, the violator may immediately acquire a new site with a different ISP and continue to misuse your IP. Conduct regular electronic searches or use a commercial IP searching company to detect these "repeat" offenders.
Special Action 29: Keep the recovery team informed
A very significant IP misuse incident or repeated incidents over a long period of time may require an organization to recover its IP. A recovery team will likely be formed. This team will need to be kept well informed about all IP misuse incidents that could significantly impact the organization's image or profits.
Related Links:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003




Created: 18 Mordad 1393


