The U.S. continuity-of-operations movement, intended to ensure that businesses, government offices and agencies at all levels, and non-government organizations as well can keep operating through a disruption, has changed significantly since 9/11, and seems likely to change even more in the foreseeable future.
Continuity-of-operations planning, which concentrates primarily on consequence management and recovery from all types of disaster, both natural and manmade, is not a new concept. However, prior to 9/11, the planning focused on reacting to localized disasters or failures – i.e., protecting the bricks-and-mortar aspects of operations. Since 9/11, the continuity of operations has become increasingly dependent upon technology, and it is this technology that now poses a major risk to operations, which in recent years have become more and more digitized. What were once legacy systems are now connected to the Internet, and cyberspace itself has become a hostile environment.
FBI, World Bank, and DHS (Department of Homeland Security) studies have all documented an exponential growth in cyber attacks in recent years. In 2002, FBI Director Robert Mueller said that fighting cyber crime had become his “Number One” priority. Additional evidence of the continuing growth in cyber crime was provided by the 2005 E-crime Watch Survey – carried out by the U.S. Secret Service and the Carnegie Mellon CERT Coordination Center – which reported that 68 percent of those responding to the survey had experienced at least one electronic security incident, and that the average number of electronic crimes or intrusions experienced by the organizations surveyed was 86 events. According to the same survey, “outsiders” – i.e., perpetrators who were not members of the organization(s) per se – had committed an estimated 80 percent of the electronic crimes reported.
The fact that so much espionage, sabotage, and other crimes now occur in the virtual world is clear evidence that today’s hackers possess an ever-growing ability to harness the technological capabilities of powerful and evolutionary malicious code. That ability permits the hackers to become “digital insiders” who, once inside a compromised system, can use these malicious pieces of code to act both autonomously and stealthily, frequently if not always escaping the notice of an organization’s security controls.
Responding to Cyber Security Incidents
In large part because of the documented growth in cyber crime, the ability of an organization to react both quickly and effectively to security incidents has become an increasingly essential component of an overall security plan. An organization’s continuity of operations depends on its ability to provide timely information to its staff in the form of electronic data. If that ability is crippled or compromised, the organization’s continuity of operations cannot be guaranteed.
An incident response plan (IRP) is the primary document most organizations use to establish how they will identify, respond to, correct, and recover from computer security incidents. Whatever the plan is called, though, all organizations of any size should have comprehensive IRPs in place, and should test them periodically. Moreover, all employees of an organization should be trained in the correct procedures to follow in the event of a computer incident. Following are some guidelines to follow in the development and promulgation of an effective incident response plan:
- The organization’s security, legal, and public relations departments all should participate in the development and implementation of the organization’s incident response policy.
- All incident-response agencies responsible for the security of an organization’s site should be contacted when a security incident has been confirmed (or is suspected). Among the more important of those agencies are the National Infrastructure Protection Center, the Computer Emergency Response Team, the European Computer Emergency Response Teams, the Electronic Crimes Taskforce, and the Forum of Incident Response and Security Teams.
- Out-of-band methods (phone calls, for example) should be used for communications once an incident has been detected or is suspected, to ensure that intruders do not intercept information they do not already have. Incident notification – the procedures for notifying the computer user population once an incident has been confirmed – is arguably the most important element of the IRP, because it identifies specific situations or conditions and spells out in detail how to respond to each of them. This section of the plan therefore clearly identifies those who must be notified in the event of an incident, provides the critical contact information required, and sets out the contact procedures to be followed.
A Flood of Information – Or a Trickle
During a natural or “physical” disaster – hurricanes, earthquakes, floods, and tornadoes, for example – a massive amount of information usually is provided to the general public through a variety of sources, including media reports and public statements by government agencies.
However, when a business or other organization experiences a cyber event, the information available to it is generally limited to whatever that organization or business has found out on its own. For that reason alone, effective proactive planning and timely responses are significantly improved when an organization is able to understand both the types of attacks that are possible, and how to defend against them.
Individual users also can greatly enhance the reaction of an organization to a cyber attack. Basically, if a computer is believed not to be operating normally, the individual user should immediately disconnect the computer from the Internet and from all wireless access points. Any or all of the following should be considered suspicious behavior: The computer is operating slowly; it will not allow the user to close a given window; the computer screen is blue; and/or the computer seems to be running multiple programs that were not previously running.
The next step should be to call the IT specialist, through a landline, to notify him or her of the suspected incident. If an IT specialist cannot be found, the individual user should not only follow the procedures spelled out in the organization’s IRP but also consider the following additional actions: (a) Isolate the virus scanner, then start a full scan on the C: drive; (b) Update all critical software patches; (c) Delete temporary files; and (d) Change his/her password and advise all other employees to do the same.
When a website or network has been compromised, one of the remediation techniques some organizations use is to restore from backup. But when an organization has no way to determine when the site was compromised, it cannot accurately determine when the last acceptable backup was collected. In these circumstances a “restore + patch” procedure might seem to be the logical move, but it might simply restore the backdoor Trojan or other malware to its previous state. In most organizations the backup systems already in place could regenerate yesterday’s threats if they are not properly audited and cleaned of malicious code. The most important point to remember is that effective incident response is the paramount consideration in the battle to clean and preserve classified data.
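The backup audit described above, as an added illustration that is not code from the original article: a chain of backup manifests (path to content hash) is walked newest-to-oldest to find the last backup that carries no flagged file, so that a “restore + patch” does not bring the backdoor back. The manifests, the known-bad hash and the rule that nothing executable belongs under an images directory are all constructed assumptions.

```python
"""Audit a chain of backup manifests before restoring from them.
Constructed example; the hashes below are placeholders, not real indicators."""
from typing import Dict, List, Optional, Tuple

Manifest = Dict[str, str]  # path -> content hash

# Constructed backup chain, oldest first. A web shell appears in the
# second snapshot and is carried forward by every later backup, so
# restoring the newest backup would restore the backdoor with it.
BACKUPS: List[Tuple[str, Manifest]] = [
    ("2005-03-01", {"/var/www/index.php": "aaa1", "/var/www/login.php": "bbb2"}),
    ("2005-03-02", {"/var/www/index.php": "aaa1", "/var/www/login.php": "bbb2",
                    "/var/www/images/.cache.php": "dead"}),
    ("2005-03-03", {"/var/www/index.php": "ccc3", "/var/www/login.php": "bbb2",
                    "/var/www/images/.cache.php": "dead"}),
]
KNOWN_BAD_HASHES = {"dead"}  # constructed placeholder for a real blocklist


def suspicious_files(manifest: Manifest) -> List[str]:
    """Flag a file by known-bad hash, or by an executable extension in a
    directory assumed to hold only static content (assumed site policy)."""
    flagged = []
    for path, digest in manifest.items():
        static_dir = "/images/" in path
        executable = path.endswith((".php", ".cgi", ".sh"))
        if digest in KNOWN_BAD_HASHES or (static_dir and executable):
            flagged.append(path)
    return sorted(flagged)


def last_clean_backup(backups: List[Tuple[str, Manifest]]) -> Optional[str]:
    """Newest backup with no flagged file, or None if every backup is tainted
    (then no backup is an acceptable restore point)."""
    for label, manifest in reversed(backups):
        if not suspicious_files(manifest):
            return label
    return None


def introduced_between(older: Manifest, newer: Manifest) -> List[str]:
    """Files added or changed between two snapshots: what a restore of
    `newer` would carry forward that `older` did not contain."""
    return sorted(p for p, h in newer.items() if older.get(p) != h)


if __name__ == "__main__":
    print("last clean backup:", last_clean_backup(BACKUPS))
    print("newest backup carries:", suspicious_files(BACKUPS[-1][1]))
```

Running the audit over the constructed chain selects the 2005-03-01 snapshot; if the chain started at 2005-03-02 no backup would qualify and rebuilding from known-good media would be the only option.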
If nothing else, the 9/11 terrorist attacks should have taught Americans not to underestimate the sophistication and resolve of this nation’s enemies – whose capacity to use technology against the United States is still growing. This is a grim fact of modern life that should be recognized, and acted upon, by all agencies and organizations charged with the creation and promulgation of timely and effective incident response plans.
http://www.nipc.gov (National Infrastructure Protection Center)
http://www.cert.org (Computer Emergency Response Team)
http://www.cert.dfn.de/eng/csir/europe/certs.html (European Computer Emergency Response Teams)
http://www.ectaskforce.org/Regional_Locations.htm (Electronic Crimes Taskforce)
http://www.first.org/team-info/FIRST (Forum of Incident Response and Security Teams)