Responding to Various Types of Incidents - Section 2

IRCAR201107108
Date: 2011-07-12
 
In the “Computer Security Incident Handling in Six Phases” articles, we outlined actions that are applicable to a wide variety of computer security incidents. In these new articles, we define common types of incidents and suggest specific actions appropriate for dealing with each type. In these articles we will address Malicious Code Attacks, Probes and Network Mapping, Denial of Service, Inappropriate Usage, Espionage, Hoaxes, Unauthorized Access and Intellectual Property.
Malicious Code Attacks, Probes and Network Mapping, and Denial of Service were covered in the previous section. This section covers Inappropriate Usage.
 
Type 4: Inappropriate Usage
"Inappropriate usage" is the use of computer or network resources in a manner that violates an enterprise's policies or the law. Inappropriate usage ranges from theft of resources for personal gain or amusement to the use of resources to perpetrate crimes. By far the most common serious offense is the accessing, storing, or transmission of pornographic materials. Often, inappropriate usage investigations arise from an accusation that must be either proved or disproved by examination and analysis of the subject's work environment.
 
Special Action 4.1: Make certain your policy is sufficient for your investigation
Does it adequately inform the subjects of the investigation that they do not enjoy any assumption of privacy or personal ownership? Do the systems carry the necessary warning banners?
 
Special Action 4.2: Know the law
Make certain you know the laws for all jurisdictions. Since the investigation may involve multiple jurisdictions, the laws surrounding the examination of email and live transmissions can be quite difficult to ascertain quickly. Ignorance of federal and state wiretap laws does not constitute a viable legal defense. As the investigator, you are expected to know the laws relative to your profession. When in doubt, stop and consult your counsel.
 
Special Action 4.3: Consult with counsel
If any part of a request for information has directly or indirectly come from law enforcement, consult with your counsel. You may become an agent of the law enforcement agency and subject to additional laws restricting your ability to examine your enterprise's resources at will.
 
Special Action 4.4: Advise management of contingencies
Advise management at the outset that they may lose control of an investigation if the investigation reveals certain criminal activity. For example, if child pornography is uncovered, it must be reported and turned over to authorities. Authorities may elect to assume control of the investigation at that point.
 
Special Action 4.5: Analyze the risk of an investigation
Investigations carry many risks (privacy infringement claims, misinterpretation of investigative laws, errors of omission, intervention by authorities, etc.). If the only desire is to change behavior, and not to take an administrative action, there may be methods that are more efficient and present less risk than a resource intensive investigation.
 
Special Action 4.6: Establish legal protection
Since you do not know what will be uncovered, have the initiator of an investigation contact your enterprise's counsel before taking any action. One form of protection for you and your enterprise is the "Attorney Work Product" privilege. To maintain an attorney work product privilege, you must work on behalf of the attorney. Have the requests for investigative support come from the attorney to you, and return all information to the attorney alone.
 
Special Action 4.7: Keep the investigative team small, and maintain strict confidentiality
Inappropriate usage investigations present a risk of legal action. You are often dealing with accusations the subject may find embarrassing. Even if an individual is proven innocent of the accusations, rumors of an investigation can damage the individual's reputation and ability to function within the organization, as well as his standing in the community.
 
Special Action 4.8: Coordinate with physical security department
Failing to coordinate with your enterprise's physical security department when performing a subject work area investigation may inadvertently set off alarms or raise suspicions. Physical security may respond to what appears to be an unauthorized intrusion, possibly compromising the confidentiality of the investigation.
 
Special Action 4.9: Know your investigative team members
Make team assignments carefully. Some people become very distressed by some inappropriate materials (child pornography, death, torture and mutilation depictions). In non-law enforcement settings, many IT security members are computer or network specialists and may not be emotionally prepared to deal with these materials. Brief your team members on what to expect, and be ready to make assignment changes when requested or when you believe they're needed.
 
Special Action 4.10: Create a standardized presentation format
Inappropriate materials often create different emotions in the viewers. No two people seem to agree on how to define "obscenity".
Instead of presenting the materials directly, create a matrix that profiles the subject's involvement using a rating system (PG, R, X, XXX) versus activity (downloaded, stored, sent …). This provides management and human resources with a tool for consistent administration of inappropriate usage cases without the need to show the actual materials.
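The following is an added example of the presentation matrix described in Special Action 4.10; it is not code from the article or from SANS. It assumes the article's rating labels (PG, R, X, XXX) and the three activities it names (downloaded, stored, sent) as fixed vocabularies, keeps only a hypothetical case-file evidence reference per item (never the material itself), and rejects any label outside the vocabulary so that two examiners cannot produce incomparable matrices for management and human resources:

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Fixed vocabularies so every case is scored the same way. The labels are the
# ones the article uses as examples; extend them to match your own policy.
RATINGS = ("PG", "R", "X", "XXX")
ACTIVITIES = ("downloaded", "stored", "sent")


@dataclass(frozen=True)
class Finding:
    """One rated evidence item. Only an evidence reference is kept, never the material."""
    evidence_ref: str   # hypothetical case-file reference, e.g. "E-0001"
    rating: str
    activity: str


def build_matrix(findings: Iterable[Finding]) -> Dict[str, Dict[str, int]]:
    """Count findings per (rating, activity). Labels outside the vocabulary are an
    error rather than a silent extra row, which keeps cases comparable."""
    matrix = {r: {a: 0 for a in ACTIVITIES} for r in RATINGS}
    for f in findings:
        if f.rating not in RATINGS:
            raise ValueError(f"{f.evidence_ref}: unknown rating {f.rating!r}")
        if f.activity not in ACTIVITIES:
            raise ValueError(f"{f.evidence_ref}: unknown activity {f.activity!r}")
        matrix[f.rating][f.activity] += 1
    return matrix


def row_totals(matrix: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Total items per rating, the figure management usually asks for first."""
    return {r: sum(matrix[r].values()) for r in RATINGS}


def render_matrix(matrix: Dict[str, Dict[str, int]]) -> str:
    """Plain-text table for the case summary; contains counts only, no content."""
    width = max(len(a) for a in ACTIVITIES) + 2
    header = "rating".ljust(8) + "".join(a.rjust(width) for a in ACTIVITIES) + "total".rjust(width)
    lines: List[str] = [header]
    for r in RATINGS:
        cells = "".join(str(matrix[r][a]).rjust(width) for a in ACTIVITIES)
        lines.append(r.ljust(8) + cells + str(sum(matrix[r].values())).rjust(width))
    return "\n".join(lines)


# Constructed sample findings for one hypothetical case (not real data).
SAMPLE_FINDINGS = [
    Finding("E-0001", "R", "downloaded"),
    Finding("E-0002", "R", "stored"),
    Finding("E-0003", "X", "downloaded"),
    Finding("E-0004", "X", "stored"),
    Finding("E-0005", "X", "sent"),
    Finding("E-0006", "PG", "downloaded"),
]

if __name__ == "__main__":
    print(render_matrix(build_matrix(SAMPLE_FINDINGS)))
```

The matrix is built from the examiner's per-item ratings, so the rating decision is made once, by the examiner, and management sees only counts; the rendered table can go into the case file without any of the collected material leaving controlled storage.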
 
Special Action 4.11: Create and use a retention policy for inappropriate usage investigative case material
Use mandatory controlled storage for inappropriate materials collected in the course of an investigation, and destroy all copies as specified in the retention policy. Special care should be taken with materials considered to be contraband, such as child pornography. With any suspected contraband, follow the directions of your enterprise's counsel on an individual case basis.
 
References:
Computer Security Incident Handling: An Action Plan for Dealing with Intrusions, Cyber-Theft, and Other Security-Related Events, Version 2.3.1, Stephen Northcutt, SANS Institute, 2003
Created: 18 Mordad 1393