Security Incident Handling Service

hostage possibility Handling Ser faultEXECUTIVE SUMMARY1 INTRODUCTIONExpect the unexpected. As soon as a crisis erupts, it should be immediately handled to reduce its potency impact on critical p arntage operations. such(prenominal)(prenominal) undesirable consequents occur unanticipated and when they do take for beam, damage or harm is the result. In about aspects of life, it is better to stop something disastrous happening than it is to weigh with it after it has happened and IT protective secrecy is no exception. If possible, pledge sequents should be dealt accordingly from occurring in the first place. Yet, it is unachievable to pr type protective cover beatnik possibilitys. When an contingency does happen, its impact needs to be brought down to adequate recommended take aim. tribute department department misfortune dis fly the coop come forthlines the actions to follow in an event that an electronic data system is compromised. An event is decl bed a n incident when the confidentiality, fair play or availability (CIA) elements of a system is compromised. Signifi pratt commodities such as education and knowledge essential be safeguarded at all costs. Communications inside an make-up and its interactions to its customer base are regarded as the life blood in this IT intensive lush paced knowledge domain. If an institution is inoperative for all period of conviction, it whitethorn cost millions in lost business or loss of reputation. Size of an organization does not matter. unforeseen down eon influences organizations of all sizes impacting revenue, customer satisfaction and boilersuit production. It is critical that they quickly recover from such downtime and restore operation and re-establish their presence to ensure survival. Consequently, many firms have accomplished the importance of committing up incident dis lean procedures. One of the drawbacks is that many organizations learn how to do to security incidents still after suffering from them. In the course of time, incidents often become much much costly. correct incident solvent should be an integral part of the general security constitution and risk palliation dodge. resultant intervention procedures that are in place in an organization improves to hold back the business continuity of critical operations. In todays competitive economy, a partnership fundamentt afford to cease critical business operations and remain idle for long period of time because of leave out of incident handing procedures. Thus, an organization needs to be swell uphead prepared for continuity or recovery of systems. This typically requires a considerable investment of time and m firmnessy with the aim of ensuring minimal losses in the event of a disruptive event. The boundaryinus of setting up incident manipulation procedures is to know exactly what to do when an incident breaks out. This means anticipating scenarios before they occur and maki ng hold decisions about them in advance. Those assessments typically demand consultation and senior focussing support, hence these people are needed earlier immediately after an incident has been confirmed. For example, just deciding who to tell when an incident occurs flowerpot be hard to determine. Management needs to provide input to respond quickly and this embarks into issues like after hours support and flux project/support roles. External support whitethorn to a fault be sought, resulting in additional cost, time and effort to select partners.1.1 PURPOSE OF THE DOCUMENTThis enumeration provides guidance to identify and record the nature and s parcel out of a computing device security incident intervention swear out. This news make-up discusses the functions that support the service, how those functions interrelate and the tools, procedures and roles postulate to utilize the service. It excessively concentrates on incident analysis. For example, we fanny make a c omparison between a dispatch that broke off in an apartment and a computer security incident that happened in an organization. Similarly as a fire surgical incision leave behind investigate a fire to know where it originated from, a Computer Security casualty Response aggroup (CSIRT) tries to figure out how the security incident occurred. both the fire department and CSIRT operate in the like approach. A fire department needs to get along with assorted fire departments on it deal depend on for additional support in peak times or to tackle a serious catastrophe. It must cooperate with opposite hint units to react promptly and provide police force enforcement. This entry get out discuss how CSIRTs interact with other organizations, such as the department that reported the security incident to it, other CSIRTs, law enforcement and the media. Both fire department and CSIRT need to correctly handle growing, some of which is sensitive and applicable to the individual hel d responsible for the crime. Information handling is considered to be an indispensable discussion subject in this paper. CSIRTs propose client confidentiality in the same manner that many emergency units do, safeguarding reporters and victims from man disclosure. CSIRT survival depends on handling confidential information appropriately, because if it cant be trusted, nobody give report to it, thus making it almost useless. CSIRTs have committed permanent rung as well as part-time, volunteer supply and reliable security capables to handle an unexpected security emergency. Its module is at the frontline in event of a crisis, CSIRT achievement depends on their interaction with the outside world and the image that they project by the way of performing their duties and the service quality that they provide. To attain such blue level of success, recruiting suitably competent staff seems to be a complicated process. People in charge of appointing CSIRT staff mistakenly look for uns uitable set of talent and ability in prospective utilisati whizes. For that reason, this paper discusses staffing and hiring concerns and actions to attempt that CSIRT staff offer reliable, pleasant and specialized service. new(prenominal) services besides the incident handling service, such as the supply of intrusion beneathcover shit on assistance and vulnerability handling are as well provided by CSIRT. The information in this paper is understandable in such a manner that is raw material to the reader to put it into operation to any type of CSIRT setting, from in-house police squad for a company to an international coordination center. This inventory is intended to present a valuable insertion to both(prenominal) recently created aggroups and living aggroups where thither is a miss of cl earlier defined or enter services, policies and procedures. This paper is more appropriate to use during the early stages when a company has leadd management support and fundi ng to set up a CSIRT, before the aggroup becomes operational. Moreover, this paper can be still a valuable reference document for already operational aggroups.1.2 INTENDED AUDIENCEThe ecumenical CSIRT community who whitethorn require a better knowledge of the radical and objectives of their existing police squads will benefit from this document. It alike targets individuals and organizations who are likely to join the CSIRT community in the secure future. It is precisely aimed at omnibuss and other personnel who take part in the process of setting up and leading a CSIRT or managing incident crisis. The listing may include main(prenominal) Information Officers, Chief Security Officers and Information Systems SecurityOfficersProject leaders and members in charge of creating the aggroupCSIRT managersCSIRT staffIT managers 1Higher management levels and all CSIRT staff can use this paper as a useful reference. This document can also be utilized by other individuals who work to gether with CSIRTs. This may include members of theCSIRT constituencylaw enforcement communitysystems and network administrator communityCSIRT lift organization or other departments within the parent organization such as legal, media or open relations, human resources, audits and risk management investigations and crisis management 22 MAIN CONTENTDefinition of Security IncidentThe Information Security Management Handbook defines an incident as any unexpected action that has an immediate or potential effect on the organization 3. Whenever the safety and stability of an information system is compromised, such instance can be referred to as a security incident. There are several contrasting definitions of security incidents one is A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices 4, another definition describes the security incident as any event that may threaten or compromise the security, op eration or integrity of computing resources 5. In other words, a security incident is a state of violation of security policy in an organization and the security of their information system. Security incident refers to a common term that encompasses any type of security breach regardless of location, the level of the threat or the magnitude of it. The usually known factors of security incidents are events and actions that expose one or more basic elements of information security confidentiality, integrity and availability (CIA) of information systems. An incident can be cause by authorized or illegitimate personnel, process, hardware or software. It can be an accident as well as a devicened malicious action.Handling security incidentsIn the course of a crisis, time runs ill-considered in terms of about what to do, who will do it or how it will get done, therefore it is vital to arrange for a response in advance. The better prepared you are for an incident, the more likely you a re to respond correctly. becoming set-up of an incident handling procedure can swear out to lessen impact of undesirable incidents. The objective of such procedure in place is to provide a framework for an orderly, mastermindd response by appropriate resources within the organization. It is in a companys own benefit that it establishes a Computer Security Response Capability, a process that provides centralized response and inform functions for security incidents. According to (Computer Security Incident Handling Guide, National Institute of Standards and Technology, March 2008), establishing an incident response potentiality should include the following actionsCreating an incident response policy planDeveloping procedures for performing incident handling and reporting, based on the incident response policySetting guidelines for communicating with outside parties regarding incidentsSelecting a team structure and staffing modelEstablishing relationships between the incident resp onse team and other groups,Determining what services the incident response team should provideStaffing and didactics the incident response teamThe Cyberthreat Response and Reporting Guidelines report, jointly approved by the FBI and US Secret receipts recommends that the better equipped a company is in the event of a security event, the better probability it has to reduce the impact of the crisis. This recommendation is actually one of the chief responsibilities of a CSIRT, to be well unionized to success liberaly cope with an incident when they happen and to help disallow incidents from occurring in the first place. As a starting point, the team should have a system plan for incident handling. This plan should be supported with documented policies and procedures. According to (State of the Practice of Computer Security Incident Response Teams, October 2003), the incident response plan identifies the mission and goals of the team, the team roles and responsibilities the services provided and policies, procedures, processes, and guidelines link up to incident handling. The incident response plan is not only intended for CSIRT employees, but also for community that they operate. From that viewpoint, both parties should be proficient about what to report, how to report it and to whom it should be reported. The plan should also describe the expected level of service that is reasonable. Staff who is accustomed with computer security incidents recognize the fact that these incidents vary in shape and size. Some are quite uncomplicated, easy to cope with and mitigate art object other are exceedingly severe and very complicated or can have harsh impact on IT systems and contract ripe authority to respond to effectively. In the event of a crisis, adhering to the plan in place will facilitate the organization to promptly isolate intermission cropping up on IT systems or networks as well as to assist to counteract to such events. It may alleviate potential ris k such as loss of company reputation, trust or fiscal location. For existing CSIRTs who dont have a robust plan, they can still manage with some basic guidelines. They can make use of their current incident handling procedures as a guideline, in the meantime they can revise their existing documentation. They can rely on those basic guidelines namely the plan to handle incidents, areas of responsibility, general and specific procedures. Other typical guidelines can include an incident response ticklist as well as procedures for what type of activity to report and how that information should be reported. A company needs to take into consideration several factors prior to planning an incident response capability. They includeintroducing a point of contact for reporting incidentspinpointing the aims and objectives of the teamdistinguishing and selecting the staff and necessary expertiseoffering direction for reporting and handling incident reportsallocating proper security awareness a nd incident response fostering for CSIRT stafflaunching and promoting specific incident handling and security policies and procedures for the CSIRTexposing lessons learned with other colleaguesdesigning a benchmark to monitor the effectiveness of the CSIRTdevising strategy to allow coordination between the CSIRT and informal and external partiesOrganizations or the team typically approve policies and record them. It is essential to know what these policies consist of and to ensure that they are properly carry throughable, enforceable in the workplace. Like the mission statement, senior management approves and enforces policies. The policies need to be openly uttered and well understood by each team member, good, management or administrative. It will be a difficult task for the staff to appropriately draw and carry out their duties without a clear accord of the policy. In order to write a clear policy, it is best to avoid excessive jargon. Whenever possible, consult psyche who is not in security or IT to screen the policies. Rephrase the policies if not understood. Use very short sentences. A good policy is a short one. A security policy should be concise, well segregated between the management aspect (the policy) and the operational aspect (the procedures). Moreover, a policy must be both implementable and enforceable, or else it doesnt have any purpose. It is easier to implement a policy if it is well designed and relevant to the needs and goals of the CSIRT. Truly effective policies address received needs within a business, making the staff willing and even eager to implement them because they make operations smoother and give the business added reliability. authorize management should execute appropriate actions or steps to enforce a policy. Policies must be enforceable otherwise they are of little or no value. Usually when a policy ismplementable, it is normally also enforceable unless it contradicts itself. Concrete measures are needed to asses s the usage of the policy. Example An example of a contrasted policy is the security policy that ranks internal information security as priority number 1 but at the same time ensures coercive privacy for its staff the latter makes it hard or even impossible to enforce security in case of an insider threat. To successfully develop and implement security policies, top management needs to be twisting in and strongly support the project (Lam, 2005). A proposal with a report of external and internal requirements and a draft assessing budget can tardily persuade managers to support the development and implementation of a security project. Having management support and authorization can resolve money and time issues. These managers can divvy up the required budget and allow sufficient time for development and implementation. In addition, top management has baron to affect processes by requiring employees to participate (Kearns Sabherwal, 2006).How to Implement Security Policies Succ essfullyThe implementation phase probably is the hardest phase in the life cycle of developing and maintaining security policies. Many organizations fail in this phase. To effectively and expeditiously implementing security policies, teams first need to resolve many issues. Lack of strong management support (Fedor et al., 2003 Lam, 2005), lack of budget (Kearns Sabherwal, 2006 Martin, Pearson, Furumo, 2007), lack of implementation time ( baby buggy Cavanaugh, 1998), lack of strong leadership (Fedor et al., 2003), lack of awareness of benefits of implementing security policieswhy for (Hansche, Berti, Hare, 2004), or ineffective dialogue with users (Jackson, Chow, Leitch, 1997 Walker Cavanaugh, 1998) may cause problems. Resolving all of the supra issues can help in successfully implementing security policies.Computer Security Incident Response Team (CSIRT)A team is a focal factor of incident response plan, policy and procedure creation so that incident response is dealt effect ively, efficiently and consistently. The team should cooperate with other teams within the organization towards a central goal which encompasses the plan, policies and procedures. Outside parties such as law enforcement, the media and other incident response organizations can also be contacted. Computer Security Incident Response Team is regarded as the nerve center of an incident response plan. It is normally composed of a team manager, a management advisory get on with and other permanent and temporary team members. The temporary staff provides advice on technical, business, legal or administrative issues, depending on the nature and scope of the incident. The team assists the organization to identify and document the nature and scope of a computer security incident handling service. The team manager supervises labour of the team members, presents ongoing status information to the Chief Information Officer (CIO) and other senior management and requests assistance on expert advic e outside of IT department when needed. This role leader should be accustomed with computer security issues, the function of IT areas and staff, general company operations as well as the duty of other employees in the institution who may serve as resources for the CSIRT. Under challenging situations, the team manager must be able to coordinate teamwork with other staff and to deal properly with fate that necessitate discretion or confidentiality. The technical leaders role is to assess the characteristics and severity of an incident, propose recommendations on security control and recovery issues to the team manager and requests on additional technical resources if needed. This role should possess a loose understanding of operational and systems security. Other employees can join the team on a spontaneous basis and remain team members until closure of incident. Additional resources may be required to serve areas such as law enforcement, legal, audit, human resources, public relati ons, facilities management or IT technical specialties. The table below shows a list of members who should be included in the CSIRT and their roles in the team.Table 1 Team members in IRTSource table from page 4-2 of Incident Response Procedure for Account Compromise Version 1.2 2004 by Visa International at any rate their technical expertise, CSIRT staff distinctive quality is their motivation and talent to stick to procedures and to present a professional image to customers and other parties working together with them. In other works, it is more convenient to appoint staff with less technical expertise and excellent interpersonal and discourse skills and afterwards train them in a CSIRT-specific environment than vice versa. Communication of a team member who is a technical expert but has poor communication skills may brutally ruin the teams reputation while interactions that are dealt with competently will assist to improve the teams standing as a valued service provider. Posse ssing a broad range of interpersonal skills is square since team members are frequently in contact with each other and other parties such as law enforcement, legal, human resources. Thus, these professional interactions that CSIRT employees adopt will influence the reputation of the team and special concern to an individuals interpersonal skills matters. Some interpersonal skills, required for incident handling staff, are listed belowlogical design to formulate effective and suitable decisions in time of crisis or under pressure or unyielding time constraintseffective oral and written communication skills for interaction with other partiesdiscretion when dealing with the mediaaptitude to follow policies and proceduresenthusiasm to learn new things dispute to work under pressureteamworkreliability to maintain teams reputation and statusreadiness to accept ones own mistakesproblem solving skills to efficiently handle incidentstime management skills for high priority tasksApart from interpersonal skills, CSIRT staff should possess fundamental understanding of technology and issues on which they base their expertise. The following technical know-how is pivotal for CSIRT staffpublic data networks (telephone, ISDN, X.25, PBX, ATM, frame relay)the meshwork (aspects ranging from architecture and history to future and philosophy)network protocols (IP, ICMP, TCP, UDP)network infrastructure elements (router, DNS, mail server)network applications, services and cogitate protocols (SMTP, HTTP, HTTPS, FTP, TELNET, SSH, IMAP, POP3)basic security principlesrisks and threats to computers and networkssecurity vulnerabilities/weakness and related attacks (IP spoofing, Internet sniffers, denial of service attacks and computer viruses)network security issues (firewalls and virtual private networks)encryption technologies (TripleDES, AES, IDEA), digital signatures (RSA, DSA, DH), cryptographic hash algorithms (MD5, SHA-1)host system security issues, from both a user and system administration perspective (backups, patches) 6It is crucial that one division of the team possess a thorough understanding of the full range of technologies and issues used by the team. This contributes to expand and intensify the technical resource and capability of the team and train other team members through education and documentation. It also makes sure that the team can provide a full range of services. Besides an in-depth understanding of the technical skills listed above, the following specialist skills are requiredtechnical skills such as programming, administration of networking components (e.g. routers, switches) and computer systems (UNIX, Linux, Windows, etc)interpersonal skills such as human communication, experience in presenting at conferences or managing a groupwork organization skillsObviously, a team will be unable to employ individuals who possess all the necessary interpersonal and technical skills. But there are opportunities to address such deficiency in th ose skills, such as study of staff to develop and nurse such skills and support continuous progress.Hiring CSIRT StaffFor any staff vacancy, the hiring process to select the most talented applicant is a complicated task. Even a candidate who appears on the surface to possess the adept skill set might not be able to work within CSIRT setting. It is true when a crisis has been declared where the candidate may not be able to cope with the situation and inefficiently carry out their duties. Therefore, it is recommended to present the applicant to a hiring process, specifically designed to reveal the applicant strengths and weaknesses. Based upon the findings of the hiring process, the team will make up their mind to train the applicant in the specific skills that the candidate may require or decide not to employ the candidate. Compared to a regular hiring process, additional steps should be included in any CSIRT hiring process and they arepre- question document checkpre-interview tel ephone testinterviews that cover topics from technical abilities to interpersonal skillscandidate technical presentationreference checks, including criminal recordsThe complete hiring process should be devised to detect potential employees who possess appropriate interpersonal skills and technical skills. Such candidates can undergo further training to adopt more competence. Before occupation the applicant for a personal interview, the pre-interview document check and telephone screening determines in the first instance whether the candidate is an conceitl match for the selection process. At this stage, more information is gathered about the applicants broad level of interest in computer security and other more specific details on items covered in his or her resume. The telephone screening will give a good impression of the candidates oral communication skills. Before CSIRT staff puzzle to interview potential candidates, its better to decide in advance what bad-tempered issues ranging from technical issues and ethical issues to social skills are most likely to be discussed during the interview process and select which existing staff are most suitable to talk about those issues with the candidate. Thus separate topic areas are covered by each of the various interviewers, saving any extra of effort. Each interviewer will be in a position to review and consolidate feedback on the issues covered. some other strategy may be carried out where exchangeable topics may be discussed by other team members involved in the interview process to support on the candidates faculty about a particular topic and identify any weaknesses. To ensure proper recruitment, the applicant should have the opportunity to meet up with CSIRT team members through a lunch group meeting or at the candidates technical presentation. A candidate, required to give a technical presentation, offers CSIRT an opportunity to measure other technical and interpersonal skills of the candidate. It also gives an idea how much common sense the candidate has and whether the applicant will be able to cope under stressful situations. Other qualities such as boilers suit presentation skills, an eye for detail, technical accuracy and ability to answer questions on the fly are also taken into account. After an individual has been appointed, there is also an enormous task to make them adapt to CSIRT. The new staff will need to undergo training for some period of time to get used to the CSIRT working environment as well as specific policies and procedures for the team. Some new recruits may be given access to limited information until relevant certificates or clearances such as government or military clearances are obtained. Staff training is requisite in order to make the new recruits acquire the necessary skill level to take on their new responsibilities. Secondly, training is necessary to expand existing staff skills for personal career growth and overall team progress. Staff tra ining also helps overall CSIRT skill set updated with emerging technologies and intruder trends. When considering the overall training needs of the team, it is necessary to spot out the overall skills needed for each individual, as well as the common skill set required for the whole team. Obviously, new staff member should acquire immediate training in any deficient skills to perform effectively quickly. From a general viewpoint, the whole team should be assessed to determine any training that needs more attention to enlarge skill set exposure in the team. At the same time, this assessment focuses on an individuals skill set. Policies and procedures are a necessity and should be enforceable to support initial training of new team member and to guarantee ongoing training as policies and procedures get amended. Besides the interpersonal and technical skills discussed earlier, each team member should be trained in areas specific to the incident handling functions in a normal CSIRT work environment. Training should cover up the following issuesnew technical developmentsCSIRT team policies and proceduresincident analysis nutrition of incident recordsunderstanding and identifying intruder techniqueswork core distribution and organizational techniquesInitial training is conducted through on-the-job training. Since incident handling profession is different in work nature from other professions, there is no formal educational path for CSIRT staff and limited documentation in the literature. Most printed materiSecurity Incident Handling ServiceSecurity Incident Handling ServiceEXECUTIVE SUMMARY1 INTRODUCTIONExpect the unexpected. As soon as a crisis erupts, it should be immediately handled to reduce its potential impact on critical business operations. Such undesirable incidents occur unanticipated and when they do take place, damage or harm is the result. In most aspects of life, it is better to stop something disastrous happening than it is to deal with it after it h as happened and IT security is no exception. If possible, security incidents should be dealt accordingly from occurring in the first place. Yet, it is unachievable to prevent security incidents. When an incident does happen, its impact needs to be brought down to adequate recommended level. Security incident handling outlines the actions to follow in an event that an electronic information system is compromised. An event is declared an incident when the confidentiality, integrity or availability (CIA) elements of a system is compromised. Significant commodities such as information and knowledge must be safeguarded at all costs. Communications within an organization and its interactions to its customer base are regarded as the life blood in this IT intensive fast paced world. If an organization is inoperative for any period of time, it may cost millions in lost business or loss of reputation. Size of an organization does not matter. Unexpected downtime influences organizations of all sizes impacting revenue, customer satisfaction and overall production. It is vital that they quickly recover from such downtime and restore operation and re-establish their presence to ensure survival. Consequently, many firms have realized the importance of setting up incident handling procedures. One of the drawbacks is that many organizations learn how to respond to security incidents only after suffering from them. In the course of time, incidents often become much more costly. Proper incident response should be an integral part of the overall security policy and risk mitigation strategy. Incident handling procedures that are in place in an organization improves to maintain the business continuity of critical operations. In todays competitive economy, a company cant afford to cease critical business operations and remain idle for long period of time because of lack of incident handing procedures. Thus, an organization needs to be well prepared for continuity or recovery of syst ems. This typically requires a considerable investment of time and money with the aim of ensuring minimal losses in the event of a disruptive event. The goal of setting up incident handling procedures is to know exactly what to do when an incident breaks out. This means anticipating scenarios before they occur and making appropriate decisions about them in advance. Those assessments typically demand consultation and senior management support, hence these people are needed early immediately after an incident has been confirmed. For example, just deciding who to tell when an incident occurs can be hard to determine. Management needs to provide input to respond quickly and this embarks into issues like after hours support and mixed project/support roles. External support may also be sought, resulting in additional cost, time and effort to select partners.1.1 PURPOSE OF THE DOCUMENTThis document provides guidance to identify and record the nature and scope of a computer security inciden t handling service. This paper discusses the functions that support the service, how those functions interrelate and the tools, procedures and roles necessary to implement the service. It also concentrates on incident analysis. For example, we can make a comparison between a fire that broke off in an apartment and a computer security incident that happened in an organization. Similarly as a fire department will investigate a fire to know where it originated from, a Computer Security Incident Response Team (CSIRT) tries to figure out how the security incident occurred. Both the fire department and CSIRT operate in the same approach. A fire department needs to get along with other fire departments on it can depend on for additional support in peak times or to tackle a serious catastrophe. It must cooperate with other emergency units to react promptly and provide law enforcement. This document will discuss how CSIRTs interact with other organizations, such as the department that report ed the security incident to it, other CSIRTs, law enforcement and the media. Both fire department and CSIRT need to properly handle information, some of which is sensitive and relevant to the individual held responsible for the crime. Information handling is considered to be an indispensable discussion subject in this paper. CSIRTs propose client confidentiality in the same manner that many emergency units do, safeguarding reporters and victims from public disclosure. CSIRT survival depends on handling confidential information appropriately, because if it cant be trusted, nobody will report to it, thus making it almost useless. CSIRTs have committed permanent staff as well as part-time, volunteer staff and reliable security experts to handle an unexpected security emergency. Its staff is at the frontline in event of a crisis, CSIRT achievement depends on their interaction with the outside world and the image that they project by the way of performing their duties and the service qua lity that they provide. To attain such high level of success, recruiting suitably competent staff seems to be a complicated process. People in charge of appointing CSIRT staff mistakenly look for unsuitable set of talent and ability in prospective employees. For that reason, this paper discusses staffing and hiring concerns and actions to guarantee that CSIRT staff offer reliable, pleasant and specialized service. Other services besides the incident handling service, such as the supply of intrusion detection assistance and vulnerability handling are also provided by CSIRT. The information in this paper is understandable in such a manner that is basic to the reader to put it into operation to any type of CSIRT setting, from in-house team for a company to an international coordination center. This document is intended to present a valuable foundation to both recently created teams and existing teams where there is a lack of clearly defined or documented services, policies and procedur es. This paper is more appropriate to use during the early stages when a company has acquired management support and funding to set up a CSIRT, before the team becomes operational. Moreover, this paper can be still a valuable reference document for already operational teams.1.2 INTENDED AUDIENCEThe general CSIRT community who may require a better knowledge of the composition and objectives of their existing teams will benefit from this document. It also targets individuals and organizations who are likely to join the CSIRT community in the near future. It is precisely aimed at managers and other personnel who take part in the process of setting up and leading a CSIRT or managing incident crisis. The list may includeChief Information Officers, Chief Security Officers and Information Systems SecurityOfficersProject leaders and members in charge of creating the teamCSIRT managersCSIRT staffIT managers 1Higher management levels and all CSIRT staff can use this paper as a useful referenc e. This document can also be utilized by other individuals who work together with CSIRTs. This may include members of theCSIRT constituencylaw enforcement communitysystems and network administrator communityCSIRT parent organization or other departments within the parent organization such as legal, media or public relations, human resources, audits and risk management investigations and crisis management 22 MAIN CONTENTDefinition of Security IncidentThe Information Security Management Handbook defines an incident as any unexpected action that has an immediate or potential effect on the organization 3. Whenever the safety and stability of an information system is compromised, such instance can be referred to as a security incident. There are several different definitions of security incidents one is A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices 4, another definition describes the security i ncident as any event that may threaten or compromise the security, operation or integrity of computing resources 5. In other words, a security incident is a state of violation of security policy in an organization and the security of their information system. Security incident refers to a common term that encompasses any type of security breach regardless of location, the level of the threat or the magnitude of it. The commonly known factors of security incidents are events and actions that expose one or more basic elements of information security confidentiality, integrity and availability (CIA) of information systems. An incident can be caused by authorized or unauthorized personnel, process, hardware or software. It can be an accident as well as a plotted malicious action.Handling security incidentsIn the course of a crisis, time runs short in terms of about what to do, who will do it or how it will get done, therefore it is vital to arrange for a response in advance. The better prepared you are for an incident, the more likely you are to respond correctly. Proper set-up of an incident handling procedure can help to lessen impact of undesirable incidents. The objective of such procedure in place is to provide a framework for an orderly, coordinated response by appropriate resources within the organization. It is in a companys own benefit that it establishes a Computer Security Response Capability, a process that provides centralized response and reporting functions for security incidents. According to (Computer Security Incident Handling Guide, National Institute of Standards and Technology, March 2008), establishing an incident response capability should include the following actionsCreating an incident response policy planDeveloping procedures for performing incident handling and reporting, based on the incident response policySetting guidelines for communicating with outside parties regarding incidentsSelecting a team structure and staffing modelEstablis hing relationships between the incident response team and other groups,Determining what services the incident response team should provideStaffing and training the incident response teamThe Cyberthreat Response and Reporting Guidelines report, jointly approved by the FBI and US Secret Service recommends that the better equipped a company is in the event of a security event, the better probability it has to reduce the impact of the crisis. This recommendation is actually one of the chief responsibilities of a CSIRT, to be well organized to successfully cope with an incident when they happen and to help prevent incidents from occurring in the first place. As a starting point, the team should have a strategy plan for incident handling. This plan should be supported with documented policies and procedures. According to (State of the Practice of Computer Security Incident Response Teams, October 2003), the incident response plan identifies the mission and goals of the team, the team role s and responsibilities the services provided and policies, procedures, processes, and guidelines related to incident handling. The incident response plan is not only intended for CSIRT employees, but also for community that they serve. From that viewpoint, both parties should be proficient about what to report, how to report it and to whom it should be reported. The plan should also describe the expected level of service that is reasonable. Staff who is accustomed with computer security incidents recognize the fact that these incidents vary in shape and size. Some are quite uncomplicated, easy to cope with and mitigate while other are extremely severe and very complicated or can have harsh impact on IT systems and necessitate proper authority to respond to effectively. In the event of a crisis, adhering to the plan in place will facilitate the organization to promptly isolate disruption cropping up on IT systems or networks as well as to assist to counteract to such events. It may a lleviate potential risk such as loss of company reputation, trust or financial status. For existing CSIRTs who dont have a robust plan, they can still manage with some basic guidelines. They can make use of their current incident handling procedures as a guideline, in the meantime they can revise their existing documentation. They can rely on those basic guidelines namely the plan to handle incidents, areas of responsibility, general and specific procedures. Other typical guidelines can include an incident response checklist as well as procedures for what type of activity to report and how that information should be reported. A company needs to take into consideration several factors prior to planning an incident response capability. They includeintroducing a point of contact for reporting incidentspinpointing the aims and objectives of the teamdistinguishing and selecting the staff and necessary expertiseoffering direction for reporting and handling incident reportsallocating prope r security awareness and incident response training for CSIRT stafflaunching and promoting specific incident handling and security policies and procedures for the CSIRTexposing lessons learned with other colleaguesdesigning a benchmark to monitor the effectiveness of the CSIRTdevising strategy to allow coordination between the CSIRT and internal and external partiesOrganizations or the team typically approve policies and record them. It is crucial to know what these policies consist of and to ensure that they are properly implementable, enforceable in the workplace. Like the mission statement, senior management approves and enforces policies. The policies need to be openly expressed and well understood by each team member, technical, management or administrative. It will be a difficult task for the staff to appropriately execute and carry out their duties without a clear understanding of the policy. In order to write a clear policy, it is best to avoid excessive jargon. Whenever pos sible, consult someone who is not in security or IT to examine the policies. Rephrase the policies if not understood. Use very short sentences. A good policy is a short one. A security policy should be concise, well segregated between the management aspect (the policy) and the operational aspect (the procedures). Moreover, a policy must be both implementable and enforceable, or else it doesnt have any purpose. It is easier to implement a policy if it is well designed and relevant to the needs and goals of the CSIRT. Truly effective policies address genuine needs within a business, making the staff willing and even eager to implement them because they make operations smoother and give the business added reliability. Top management should execute appropriate actions or steps to enforce a policy. Policies must be enforceable otherwise they are of little or no value. Usually when a policy ismplementable, it is normally also enforceable unless it contradicts itself. Concrete measures are needed to assess the usage of the policy. Example An example of a contradictory policy is the security policy that ranks internal information security as priority number 1 but at the same time ensures absolute privacy for its staff the latter makes it hard or even impossible to enforce security in case of an insider threat. To successfully develop and implement security policies, top management needs to be involved in and strongly support the project (Lam, 2005). A proposal with a report of external and internal requirements and a draft assessing budget can easily persuade managers to support the development and implementation of a security project. Having management support and authorization can resolve money and time issues. These managers can allocate the required budget and allow sufficient time for development and implementation. In addition, top management has power to affect processes by requiring employees to participate (Kearns Sabherwal, 2006).How to Implement Security P olicies SuccessfullyThe implementation phase probably is the hardest phase in the life cycle of developing and maintaining security policies. Many organizations fail in this phase. To effectively and efficiently implementing security policies, teams first need to resolve many issues. Lack of strong management support (Fedor et al., 2003 Lam, 2005), lack of budget (Kearns Sabherwal, 2006 Martin, Pearson, Furumo, 2007), lack of implementation time (Walker Cavanaugh, 1998), lack of strong leadership (Fedor et al., 2003), lack of awareness of benefits of implementing security policieswhy for (Hansche, Berti, Hare, 2004), or ineffective communication with users (Jackson, Chow, Leitch, 1997 Walker Cavanaugh, 1998) may cause problems. Resolving all of the above issues can help in successfully implementing security policies.Computer Security Incident Response Team (CSIRT)A team is a focal component of incident response plan, policy and procedure creation so that incident response is d ealt effectively, efficiently and consistently. The team should cooperate with other teams within the organization towards a central goal which encompasses the plan, policies and procedures. Outside parties such as law enforcement, the media and other incident response organizations can also be contacted. Computer Security Incident Response Team is regarded as the nerve center of an incident response plan. It is normally composed of a team manager, a management advisory board and other permanent and temporary team members. The temporary staff provides advice on technical, business, legal or administrative issues, depending on the nature and scope of the incident. The team assists the organization to identify and document the nature and scope of a computer security incident handling service. The team manager supervises labour of the team members, presents ongoing status information to the Chief Information Officer (CIO) and other senior management and requests assistance on expert ad vice outside of IT department when needed. This role leader should be accustomed with computer security issues, the function of IT areas and staff, general company operations as well as the duty of other employees in the institution who may serve as resources for the CSIRT. Under challenging situations, the team manager must be able to coordinate teamwork with other staff and to deal properly with circumstances that necessitate discretion or confidentiality. The technical leaders role is to assess the characteristics and severity of an incident, propose recommendations on security control and recovery issues to the team manager and requests on additional technical resources if needed. This role should possess a broad understanding of operational and systems security. Other employees can join the team on a spontaneous basis and remain team members until closure of incident. Additional resources may be required to serve areas such as law enforcement, legal, audit, human resources, pub lic relations, facilities management or IT technical specialties. The table below shows a list of members who should be included in the CSIRT and their roles in the team.Table 1 Team members in IRTSource table from page 4-2 of Incident Response Procedure for Account Compromise Version 1.2 2004 by Visa International Besides their technical expertise, CSIRT staff distinctive quality is their motivation and talent to stick to procedures and to present a professional image to customers and other parties working together with them. In other works, it is more convenient to appoint staff with less technical expertise and excellent interpersonal and communication skills and subsequently train them in a CSIRT-specific environment than vice versa. Communication of a team member who is a technical expert but has poor communication skills may brutally ruin the teams reputation while interactions that are dealt with competently will assist to improve the teams standing as a valued service provid er. Possessing a broad range of interpersonal skills is significant since team members are frequently in contact with each other and other parties such as law enforcement, legal, human resources. Thus, these professional interactions that CSIRT employees adopt will influence the reputation of the team and special concern to an individuals interpersonal skills matters. Some interpersonal skills, required for incident handling staff, are listed belowlogical judgment to formulate effective and suitable decisions in time of crisis or under pressure or strict time constraintseffective oral and written communication skills for interaction with other partiesdiscretion when dealing with the mediaaptitude to follow policies and proceduresenthusiasm to learn new thingschallenge to work under pressureteamworkreliability to maintain teams reputation and statusreadiness to accept ones own mistakesproblem solving skills to efficiently handle incidentstime management skills for high priority tasks Apart from interpersonal skills, CSIRT staff should possess fundamental understanding of technology and issues on which they base their expertise. The following technical know-how is crucial for CSIRT staffpublic data networks (telephone, ISDN, X.25, PBX, ATM, frame relay)the Internet (aspects ranging from architecture and history to future and philosophy)network protocols (IP, ICMP, TCP, UDP)network infrastructure elements (router, DNS, mail server)network applications, services and related protocols (SMTP, HTTP, HTTPS, FTP, TELNET, SSH, IMAP, POP3)basic security principlesrisks and threats to computers and networkssecurity vulnerabilities/weakness and related attacks (IP spoofing, Internet sniffers, denial of service attacks and computer viruses)network security issues (firewalls and virtual private networks)encryption technologies (TripleDES, AES, IDEA), digital signatures (RSA, DSA, DH), cryptographic hash algorithms (MD5, SHA-1)host system security issues, from both a user and system administration perspective (backups, patches) 6It is crucial that one division of the team possess a thorough understanding of the full range of technologies and issues used by the team. This contributes to expand and intensify the technical resource and capability of the team and train other team members through education and documentation. It also makes sure that the team can provide a full range of services. Besides an in-depth understanding of the technical skills listed above, the following specialist skills are requiredtechnical skills such as programming, administration of networking components (e.g. routers, switches) and computer systems (UNIX, Linux, Windows, etc)interpersonal skills such as human communication, experience in presenting at conferences or managing a groupwork organization skillsObviously, a team will be unable to employ individuals who possess all the necessary interpersonal and technical skills. But there are opportunities to address such deficiency in those skills, such as training of staff to develop and retain such skills and support continuous progress.Hiring CSIRT StaffFor any staff vacancy, the hiring process to select the most talented applicant is a complicated task. Even a candidate who appears on the surface to possess the right skill set might not be able to work within CSIRT setting. It is true when a crisis has been declared where the candidate may not be able to cope with the situation and inefficiently carry out their duties. Therefore, it is recommended to present the applicant to a hiring process, specifically designed to reveal the applicant strengths and weaknesses. Based upon the findings of the hiring process, the team will make up their mind to train the applicant in the specific skills that the candidate may require or decide not to employ the candidate. Compared to a regular hiring process, additional steps should be included in any CSIRT hiring process and they arepre-interview document checkpre-interv iew telephone screeninginterviews that cover topics from technical abilities to interpersonal skillscandidate technical presentationreference checks, including criminal recordsThe complete hiring process should be devised to detect potential employees who possess appropriate interpersonal skills and technical skills. Such candidates can undergo further training to acquire more competence. Before calling the applicant for a personal interview, the pre-interview document check and telephone screening determines in the first instance whether the candidate is an ideal match for the selection process. At this stage, more information is gathered about the applicants broad level of interest in computer security and other more specific details on items covered in his or her resume. The telephone screening will give a good impression of the candidates oral communication skills. Before CSIRT staff begin to interview potential candidates, its better to decide in advance what particular issues ranging from technical issues and ethical issues to social skills are most likely to be discussed during the interview process and select which existing staff are most suitable to talk about those issues with the candidate. Thus separate topic areas are covered by each of the various interviewers, saving any duplication of effort. Each interviewer will be in a position to review and consolidate feedback on the issues covered. Another strategy may be carried out where similar topics may be discussed by other team members involved in the interview process to agree on the candidates faculty about a particular topic and identify any weaknesses. To ensure proper recruitment, the applicant should have the opportunity to meet up with CSIRT team members through a lunch meeting or at the candidates technical presentation. A candidate, required to give a technical presentation, offers CSIRT an opportunity to measure other technical and interpersonal skills of the candidate. It also gives an i dea how much common sense the candidate has and whether the applicant will be able to cope under stressful situations. Other qualities such as overall presentation skills, an eye for detail, technical accuracy and ability to answer questions on the fly are also taken into account. After an individual has been appointed, there is also an enormous task to make them adapt to CSIRT. The new staff will need to undergo training for some period of time to get used to the CSIRT working environment as well as specific policies and procedures for the team. Some new recruits may be given access to limited information until relevant certificates or clearances such as government or military clearances are obtained. Staff training is compulsory in order to make the new recruits acquire the necessary skill level to take on their new responsibilities. Secondly, training is necessary to expand existing staff skills for personal career growth and overall team progress. Staff training also helps overa ll CSIRT skill set updated with emerging technologies and intruder trends. When considering the overall training needs of the team, it is necessary to spot out the overall skills needed for each individual, as well as the common skill set required for the whole team. Obviously, new staff member should acquire immediate training in any deficient skills to perform effectively quickly. From a general viewpoint, the whole team should be assessed to determine any training that needs more attention to enlarge skill set exposure in the team. At the same time, this assessment focuses on an individuals skill set. Policies and procedures are a necessity and should be enforceable to support initial training of new team member and to guarantee ongoing training as policies and procedures get amended. Besides the interpersonal and technical skills discussed earlier, each team member should be trained in areas specific to the incident handling functions in a normal CSIRT work environment. Training should cover up the following issuesnew technical developmentsCSIRT team policies and proceduresincident analysismaintenance of incident recordsunderstanding and identifying intruder techniqueswork load distribution and organizational techniquesInitial training is conducted through on-the-job training. Since incident handling profession is different in work nature from other professions, there is no formal educational path for CSIRT staff and limited documentation in the literature. Most printed materi