Friday, December 4, 2009

Policy Oversights

When a situation occurs that has not been planned for, such as an intrusion into a computer system, the most pressing question one asks is "what next?" Unfortunately, there are millions of possible answers to that question. If a person has never had to deal with an intruder before, the intruder may get away simply because the trail goes stale, or because the "red tape" the administrator must deal with is too unbearable.

At the time of this writing, only about seven cases of computer crime are actually taken to resolution in court each year, which is shocking considering the overwhelming number of incidents that have been reported. This means that the emphasis of administrator responsibility is on keeping intruders out, because once they get in, one is unlikely to successfully recoup the losses.

Likewise, policy oversights don't necessarily involve an intruder. Simple "Acts of God" such as weather, fire, electrical damage, and hardware failures are also possible triggers for this category of vulnerability. A robust and complete policy for handling incidents should be committed to paper and approved by somebody with power of attorney within every company.

This document is not an example of how to write policy; instead it shows examples of where policy fails or can be overlooked. A professional policy writer should investigate each situation individually, and a risk assessment needs to be performed to determine the worth of the information at stake.

The complete security policy guidelines should cover the following (usually overlooked) areas:

• recovery of data

• recovery of failed hardware

• investigation of intruders

• investigation of when the company is accused of intruding on others

• prosecution of intruders

• prosecution of criminal employees

• reporting of intruders and criminal employees to the proper agencies

• physical security of the site

• electrical security of the site

• theft of equipment

• theft of software

Recovery of Data

There are volumes of text written about adequate data backups. Many systems require special actions to successfully protect information. Losing information on computer systems for periods in excess of 24 hours can seriously affect work flow in a company. Intruders who are particularly malicious may attempt to alter or destroy company information, which will require data recovery from backups. Keep in mind that only recovery from a backup taken before the intrusion gives any assurance that the data has not been tampered with. In many cases, a trojan horse program may be inserted into distributed source code, executables, or patches at a site to allow the hacker easy intrusion into other computers in the future.
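The tampering check this paragraph implies, as an added example that is not part of the original post: record a hash manifest of the distributed files from a known-clean (pre-intrusion) copy, then compare the current tree against it to find altered, added, or missing files before anything is redistributed. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash one file in chunks so large executables do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def compare_to_baseline(baseline, current):
    """Report what changed since the pre-intrusion baseline was recorded."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: a clean tree is baselined, then altered after the backup was taken."""
    clean = {"patches/fix-1.patch": b"--- a\n+++ b\n",
             "bin/tool": b"binary-placeholder",
             "src/main.c": b"int main(void) { return 0; }\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        baseline = build_manifest(root)  # what a pre-intrusion backup lets you reconstruct
        # Changes made after the baseline: a patch altered, a file added, a source file gone.
        with open(os.path.join(root, "patches/fix-1.patch"), "ab") as handle:
            handle.write(b"+unexpected extra line\n")
        with open(os.path.join(root, "bin/newtool"), "wb") as handle:
            handle.write(b"not in baseline")
        os.remove(os.path.join(root, "src/main.c"))
        return compare_to_baseline(baseline, build_manifest(root))
```

In practice the baseline manifest must itself be stored offline or on the backup media, since a manifest kept on the compromised host can be rewritten along with the files.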

Recovery of Failed Hardware

Hardware fails, for whatever reason. From the moment a computer is turned on, it slowly builds up mishandled energy in the form of heat, light, and other emissions, which is called entropy. The system will continue to "build entropy" until it finally fails. Policy needs to acknowledge that systems will fail regardless of how much effort is put into keeping them free of failures.

Furthermore, other things may cause hardware to fail, such as dropping, lightning, fire, water, physical abuse, and a thousand other destructive forces that occur unexpectedly. A good policy will either have a replacement part available or have a way to acquire a replacement rapidly enough to ensure there is no downtime.

Investigation of Intruders

Once an intruder enters your network, the incident should be investigated immediately. However, this may prove difficult if one doesn't know what the intruder is doing. Even at the time of this writing, tools for intrusion analysis do not exist with exceptional pinpointing certainty. However, there are "Intrusion Detection Systems" which aid with this, as well as many software packages that can look for signs of intrusion on a host. Having a plan to investigate these computers, and knowing which software packages are available, should be part of the plan to investigate intruders.

Investigation of when the Company is Accused of Intruding on Others

Sadly, this happens all the time. Despite careful screening of whom a company employs, there are always criminals and unscrupulous individuals who believe they can hide themselves among great numbers. Due to the rapid growth of information about computer crime, it isn't easy to determine who is responsible for such an action. The company needs to establish a policy on exactly how it handles these investigations, what is on a need-to-know basis, and what it can do to avoid lawsuits and reduce its liabilities.

Prosecution of Intruders

It may be easy to cause trouble for a computer hacker who can actually be traced and identified, but actually participating in a court proceeding involves a number of different elements. First of all, it will require someone in the company with power of attorney to be willing to press charges. Secondly, there will be witnesses, signed statements, presentation of evidence, and more. It is a long process that will probably cost the company thousands of dollars in man-hours to do properly. In many cases, it has been determined that it isn't worth the time and effort to prosecute. Policy needs to reflect the level of reaction the company wishes to take.

Prosecution of Criminal Employees

When an employee is found guilty of a crime against another company, one would hope that it would be a terminating offense. Information about the individual should be given to the proper investigative authorities but not leaked across the company or to other organizations. The fact that the individual did the work on their own, outside the company's scope, should be legal grounds for reducing liability, but having a policy in place will help support that.

Reporting of Intruders and Criminal Employees to the Proper Agencies

Because spreading information about a suspect within a company creates the possibility of a slander case, it is a good idea to know in advance which agency to report the problem to. In cases where an investigation is being done with the intent of sending a "cease and desist" message, CERT (Computer Emergency Response Team) will be glad to handle the case. However, they are not a law enforcement agency. For cases focused on criminal investigation, where court proceedings are a possibility, the proper investigative group needs to be contacted: the FBI or local special investigation agencies.

Physical Security of the Site

Physical security at the site is a common policy requirement, and usually the most abused one, so it needs to be enforced. Employee theft, unlocked doors, inadequate identification checking, improper disposal of sensitive information, and so forth can lead to all sorts of problems. A robust physical security policy needs to be written and enforceable at every site.

Electrical Security of the Site

In many cases electricity will actually cause the bulk of computer failures at a site. If information must not be lost, an uninterruptible power supply may be suggested. Likewise, large sites may use large conditioned electrical power sources. The bottom line is that computers don't function without electricity, and the value of the work needs to be weighed against the risk of power outages. A good policy protects computer assets from unstable electrical conditions.

Theft of Equipment

Equipment can be stolen for any number of reasons at any time. Good inventory practice can be used to determine what is missing and what is present. Items that are stolen can often be written off on taxes. Items should carry tags that identify them, and tracking of these items should be somebody's assigned task.

Theft of Software

Software is often much harder to prove stolen than hardware. A good policy protects software source code so that it cannot be taken in the first place. If the software is taken, a plan should be drafted for proving ownership. Software patents and copyrights are excellent ways of preventing other companies from prospering off of stolen source code.
