Countering Security Threats

A firm foundation is required to develop satisfactory security protection, and that foundation is an organizational security policy that covers all the necessary contingencies.

Among those contingencies are procedures for installing applications, e-mail and Internet practices, IT user policies, password protection, downloading data considerations, and network monitoring. The policy must provide a plan for responding to security attacks, and that plan must be rehearsed through dry runs and other simulated methods.

The security policy must be accepted and acknowledged by each employee. This goal can be accomplished through a combination of briefings at the time of hiring; notices in the employee handbook; and frequent reminders through posters, e-mail, and Web sites.

Fighting back against security violators requires that an organizational policy be developed and implemented. The first step in any security plan is to instill an awareness of the vulnerability in all users of computer systems. Physical security is particularly important. Implementing technical security measures is wasted effort if anyone can walk into your facility or log onto your network. Equally vital is not throwing sensitive IT system data into the dumpster. 

If the organization does not employ security experts, bring in an outside consultant. Be prepared to respond to the consultant's recommendations. Even with the best of consultants, however, a security breach is inevitable. Accepting this reality, be prepared with a response to a security attack. Be sure to report the attack to the appropriate law enforcement agency.

When employees leave the organization, cancel their user IDs and passwords immediately. Passwords should be randomized to avoid the possibility of having a hacker guess them. All default passwords must be changed before applications are brought online.

Keep in mind that your system will eventually experience a security attack. Preparing ahead of time is the only way to minimize the damage that attack may cause to your IT systems and to your company's future. It is important that an overall risk assessment be performed on critical information assets. As a starting point, you should answer the following questions and take the steps necessary to eliminate weaknesses:

  • Does your organization have a written security policy?
  • Does the policy identify all individuals responsible for implementing that policy and what their duties are?
  • Does the policy identify the steps to be taken if there is a security breach?
  • Does the policy identify what information it is most important to protect?
  • Does the policy identify enforcement procedures that identify the penalties associated with a security breach?
  • Is the policy known by all individuals who have the responsibility for implementing that policy?
  • Has a security plan been developed based on the security policy?
  • Are only authorized individuals allowed to move and install computer equipment?
  • What password rules are enforced (e.g., length, alphanumeric combinations)?
  • Has your organization developed a computer security incident response capability (CSIRC)?
  • Have users and system administrators received training on how to carry out their respective responsibilities when an incident occurs?
  • Does your organization maintain a knowledge base of past incidents and “lessons learned” for future use?
  • Does your organization have written system maintenance policies and procedures?
  • Are maintenance records kept to indicate what was done, when, and by whom?
  • Is sensitive and/or critical information clearly defined and labeled?
  • Are employees trained on proper labeling procedures for hard copies, electronic files, e-mail attachments, diskettes, backup tapes and disks, etc.?
  • Does your organization have a policy and procedures for sanitizing and disposing of sensitive material on floppy disks, CDs, etc.?
  • Is there an orientation course on good security practices for new employees?
  • Is there a formal information security training program within your organization?
  • Are new employees required to receive security awareness training within a specified number of days after hiring?
  • Are employees required to get updated security training at regular intervals?

Reporting A Computer Crime

If your systems are hacked or intruded upon by an unauthorized party, you should call your local FBI office or contact the National Infrastructure Protection Center (NIPC) Watch Operations Center at 1-888-585-9078. In the event that you experience a crime against your computer systems, the FBI and the NIPC recommend that you:

  • Respond quickly. Contact Law Enforcement. Traces are often impossible if too much time is wasted before alerting law enforcement or your own incident response team.
  • If unsure of what actions to take, DO NOT stop system processes or tamper with files. This may destroy traces of intrusion.
  • Follow organizational policies and procedures. (Your organization should have a computer incident response capability and plan in place.)
  • Use the telephone to communicate. (Attackers may be capable of monitoring e-mail traffic.)
  • Contact the incident response team for your organization. (Quick technical expertise is crucial in preventing further damage and protecting potential evidence.)
  • Establish points of contact with general counsel, emergency response staff, and law enforcement. (Pre-established contacts will help in a quick response effort.)
  • Make copies of files an intruder may have altered or left. If you have the technical expertise to copy files, this action will assist investigators in determining when and how the intrusion may have occurred.
  • Identify a primary point of contact to handle potential evidence. Establish chain-of-custody of evidence. (Potential hardware and software evidence that is not properly controlled may lose its value.)
  • DO NOT contact the suspected perpetrator.
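As an added example (not part of the original article), the following Python script implements the two evidence-handling steps above: it copies a possibly altered file into an evidence store, verifies the copy by SHA-256 hash, makes it read-only, and appends a chain-of-custody record that can be re-verified later. The file names, handler name and sample file content are constructed for the demonstration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_evidence(src, evidence_dir, handler, log_path):
    """Copy a possibly altered file into the evidence store, verify the copy by
    hash, make it read-only, and append a chain-of-custody record to the log."""
    os.makedirs(evidence_dir, exist_ok=True)
    original_hash = sha256_of(src)
    dst = os.path.join(evidence_dir, os.path.basename(src))
    shutil.copy2(src, dst)  # copy2 also preserves the original's timestamps
    if sha256_of(dst) != original_hash:  # a copy that does not match is worthless as evidence
        os.remove(dst)
        raise IOError("evidence copy does not match original: %s" % src)
    os.chmod(dst, 0o444)  # read-only, so the preserved copy is not edited by accident
    record = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "handler": handler,  # who took custody, for the chain-of-custody trail
        "source": os.path.abspath(src),
        "evidence_copy": os.path.abspath(dst),
        "sha256": original_hash,
    }
    with open(log_path, "a") as log:  # one JSON record per line, append-only
        log.write(json.dumps(record) + "\n")
    return record

def verify_custody_log(log_path):
    """Re-hash every preserved copy; returns [(copy path, still intact)]."""
    results = []
    for line in open(log_path):
        rec = json.loads(line)
        path = rec["evidence_copy"]
        results.append((path, os.path.isfile(path) and sha256_of(path) == rec["sha256"]))
    return results

def demo():
    # Constructed sample: a fake altered file preserved into a temporary evidence store.
    work = tempfile.mkdtemp()
    suspect = os.path.join(work, "altered.log")
    open(suspect, "w").write("constructed sample content, not a real system file\n")
    log = os.path.join(work, "custody.jsonl")
    rec = preserve_evidence(suspect, os.path.join(work, "evidence"), "J. Doe (IR lead)", log)
    return rec, verify_custody_log(log)
```

Running verify_custody_log again later (or after handing the store to investigators) shows whether any preserved copy has changed since collection.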

Information to Help Investigators

Compile as much information and data as possible about the incident. Information that law enforcement investigators will find helpful includes:

  • Date, time, and duration of incident.
  • The name, title, telephone number, fax number, and e-mail of the point of contact for law enforcement as well as the name of your organization, address, city, state, zip code, and country.
  • The physical locations of computer systems and/or networks that have been compromised.
  • Whether the systems are managed in-house or by a contractor.
  • Whether the affected systems or networks are critical to the organization's mission.

If it is a part of the critical infrastructure, which sector was affected:

  • Banking and finance.
  • Emergency services.
  • Gas or oil storage and delivery.
  • Government operations.
  • Power.
  • Transportation.
  • Telecommunications.
  • Water supply systems.

The nature of the problem, which could include intrusion, system impairment, denial of resources, unauthorized root access, web site defacement, compromise of system integrity, theft, or damage.

Whether the problem has been experienced before, along with:

  • The suspected method of intrusion or attack, which could include a virus, exploited vulnerability, denial of service, distributed denial of service, trapdoor, or Trojan horse.
  • The suspected perpetrators and the possible motivations of the attack, which could include an insider or disgruntled employee, former employee, or competitor.
  • If the suspect is an employee or former employee you should determine and report the type of system access that the employee has or had.
  • The apparent source (IP address) of the intrusion or attack, if known, and whether there is any evidence of spoofing.
  • What computer system (hardware, operating system, or applications software) was affected.
  • What security infrastructure was in place which could include an incident response team, encryption, firewall, secure remote access or authorization tools, intrusion detection system, security auditing tools, access control lists, or packet filtering.
  • If the intrusion or attack resulted in a loss or compromise of sensitive, classified or proprietary information.
  • If the intrusion or attack resulted in damage to systems or data.
  • What actions have been taken to mitigate the intrusion or attack, which could include disconnecting the system from the network, checking system binaries, backing up affected systems, or examining log files.
  • What agencies have been contacted which could include state or local police, CERT, or FedCIRC.
  • When your system was last modified or updated, and the name of the company or organization that did the work (address, phone number, point of contact information).

Information to Determine Damages or Loss

It is also necessary to determine a dollar value of damage, business loss, and cost to restore systems to normal operating conditions. The following information is helpful in determining dollar amounts.

  • In the event that repairs or recovery were performed by a contractor you should determine the charges incurred for services.
  • If in-house staff were involved in determining the extent of the damage, repairing systems or data, and restoring systems to normal operating conditions, you should determine the number of hours staff expended to accomplish these tasks and the hourly wages, benefits, and overhead associated with each employee involved in the recovery.
  • If business was disrupted in some way you should determine the number of transactions or sales that were actually disrupted and their dollar value.
  • If systems were impaired to the point that actual disrupted transactions or sales cannot be determined then you should determine the dollar value of transactions or sales that occur on a comparable day for the duration of the system outage.
  • If systems are used to produce goods, deliver services, or manage operations, determine the value of that disruption. (You may have had similar experiences if operations were disrupted because of inclement weather, fires, earthquakes, or other disruptive incidents.)
  • If systems were physically damaged you need to know what you paid to acquire and install the systems.
  • If systems were stolen you need to know what you paid to acquire and install the systems and the cost of actions taken to assure that information on the stolen systems cannot be used to access systems.
  • If intellectual property or trade secrets were stolen, then you need to determine the value of that property.
  • If intellectual property or trade secrets were used by a competitor or other party, then you need to determine the impact on your business.
