Cyber Incident Response Guide - Hawaii


The "Local Government Cyber Security: Cyber Incident Response Guide" appendix has been developed and distributed for educational and non-commercial purposes only. Copies and reproductions of this content, in whole or in part, may only be distributed, reproduced or transmitted for educational and non-commercial purposes.

Local Government Cyber Security: Cyber Incident Response Guide
A Non-Technical Guide
Essential for Elected Officials, Administrative Officials, Business Managers
Multi-State Information Sharing and Analysis Center (MS-ISAC)

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected officials, administrative officials and business managers. This appendix is one of many being produced in conjunction with the Guide to help those in local governments further their knowledge and awareness of cyber security. For more information, visit: http://www.msisac.org

INTRODUCTION

Has your system been compromised? How did it happen? What do you do?

Not knowing can be dangerous. This is a true story of how one local government organization learned this lesson. A town began experiencing repeated issues with printers and computers dropping off the network (the computers were used to connect to the statewide criminal justice and motor vehicle systems). A service provider was called in several times to re-connect the network hardware. After discovering illegal software on the computer, the local police were contacted. The Federal Bureau of Investigation was also contacted and by the next week the town's computers were confiscated for investigation. The service provider was able to track the intruder's footprint from the town to a nearby city in that state, to Canada, to the Netherlands, ending in Belgium. The intruder was a 14-year-old boy. The town's Internet service and network were being used for illegal Internet games. Local businesses' financial information was also accessible on the network.

Investigators determined the town lacked a firewall between its network and the Internet connection. In the end, the total expense of repair, upgrades, and training came to $74,000, in addition to business partners' data being compromised.

At some point you will experience an information security incident that jeopardizes your computer security. Someone with malicious intent may seek to gain access to your organization's confidential documents, or may attempt to alter, delete, or prevent your organization from using its data.

As the elected official, administrative official or business manager, you must be aware of incidents that occur. It is imperative for an organization to be able to recognize a security incident. Fast and efficient responses lead to quicker recoveries, minimize the level of damage, and help prevent future incidents. All end users should be familiar with the symptoms that may indicate an incident and should know what to do.

PURPOSE

The purpose of this guide is to help you identify information security incidents and establish best practices for handling them. The guide provides a recommended step-by-step process for responding to incidents and for developing an incident response team. It is intended to complement your organization's existing incident response policy, or to serve as a template if you do not yet have one. It describes how to recover from an incident in a timely and secure manner and minimize the impact on your organization and your business partners.

It is important for an organization to establish an incident response policy specifying the necessary courses of action for dealing with an incident. The policy is a tool used to provide insight, guidance, and handling procedures. It specifies how to identify, respond to, and report an incident. A model policy is attached as an appendix. As previously mentioned in the Local Government Cyber Security: Getting Started Guide (available at www.msisac.org/localgov/), a single contact person should be designated as responsible for cyber security, ensuring proper policies and procedures are in place and followed.

Establishing a Response Team

A critical step in effective incident response is establishing an Incident Response Team. The goal of the team is to quickly and appropriately handle an incident. The team members should have the authority to make decisions and execute the response plan. The team consists of the roles described below, which may be filled by individuals in your organization and by contractors. Smaller teams may consist of only a few people assuming multiple roles. Similar to fire districts employing mutual aid, this may be an opportunity for smaller organizations to enter into trusted partnerships with neighboring organizations to share the roles and responsibilities. Each team member's role and responsibility for responding to incidents should be specifically defined.

Roles and Responsibilities

An incident response team usually consists of at least an elected official (or designee), an incident response manager, technical support staff, and a legal contact. These positions may be supplemented by other staff and contractors as warranted.

Responsible Elected Official (or designee): The person who is accountable for the organization's operations, with the following responsibilities:
- overseeing the entire response process
- managing the overall response activities for all security incidents
- decision-making regarding which courses of action will be taken
- determining when it is appropriate to share information outside the organization

Incident Response Manager (IRM): The person who has overall responsibility for ensuring the implementation, enhancement, monitoring and enforcement of security policies and procedures. This person may be the organization's designated Information Security Officer. This person should understand incident handling, be familiar with the organization's network and systems, and is responsible for the following:
- serving as the initial point of contact
- notifying and briefing management and the Responsible Elected Official as appropriate
- assessing the situation and assisting in fixing the problem
- providing options and recommendations to management on how to respond
- coordinating activities and communicating within the incident response team
- developing and maintaining all documentation relating to the incident

Technical Support Staff: usually consists of IT staff and other members of the organization, with the following responsibilities:
- assessing the situation and providing recommendations to the IRM
- assisting the IRM in gathering information
- helping the IRM in response and remediation
- providing any other support to the IRM as needed

Legal Contact: The municipal attorney/general counsel/equivalent, who provides advice as appropriate.

Training and Exercise

The IRM is responsible for implementing the incident response policy and procedures. This individual should work with management to ensure all users are trained in their response role. Continuous awareness training and monitoring are important for strong computer security. Response drills are a good tool for testing the plan.

Overview: Incident Handling

Below are five elements of successful incident handling and the individuals responsible for taking each action. Depending on the structure of your organization, multiple individuals may be involved in performing them:
- Identify the problem (all end users)
- Assess whether this is a security incident (IRM)
- Respond to the incident (Technical Support Staff)
- Report in accordance with the incident response plan (Technical Support Staff and IRM)
- Review the overall effectiveness of the response procedures (Responsible Elected Official, IRM, and Technical Support Staff)

IDENTIFY

The first step is to identify whether or not you have a problem. Any user who notices signs of anomalous activity should contact the IRM, who will work with the organization's technical support staff. A cyber security incident is any adverse event that threatens the confidentiality, integrity or availability of your organization's information resources.

Possible causes of cyber incidents include the following:
- attempts to gain unauthorized access to a system or its data
- unwanted disruption or denial of service (DoS)
- unauthorized access to critical computers, servers, routers, firewalls, etc.
- changes to system hardware or software without approval
- virus or worm infection, spyware, malware
- loss of or inconsistent electrical power

Symptoms

Signs that a computer has been compromised may include the following:
- abnormal response time or non-responsiveness
- unexplained account lockouts
- passwords not working
- website homepage won't open or has unexplained changes/content
- programs not running properly
- unexpected programs running
- lack of disk space or memory
- bounced-back e-mails
- inability to connect to the network
- constant or increasing crashes
- abnormal hard drive activity
- connections to unfamiliar sites
- browser settings changed
- extra toolbars that cannot be deleted

This list is not comprehensive, but is intended to raise your awareness of potential signs. If you are unsure about a possible incident, treat the signs as a security incident and notify the IRM, who will work with the organization's technical support staff.

ASSESS

The next step is to determine whether the anomalous activity is an actual security incident. The IRM will assess the situation. Members of the Technical Support Staff may be called on to assist in the initial assessment.

Questions the response team needs to address include: What are the symptoms? What may be the cause? What is being impacted? How widespread is it? What part of the system or network is impacted? Could this impact your business partners?

Gather Information

The IRM should document all relevant information in a logbook. The following types of information should be documented:
- organization's name
- characteristics of the incident
- date and time the incident was detected
- list of symptoms noticed
- scope of impact
  - how widespread
  - number of users impacted
  - number of machines affected
- nature of the incident
  - denial of service
  - malicious code
  - scans
  - unauthorized access
  - other

It is recommended that forms be readily available to document this information. The information can be used for future reference, information sharing, and incident reporting, and should be kept in one location (such as a logbook).

RESPOND

Once it is determined that your organization has a cyber security incident, the process for responding has several steps and may involve several people, as the Technical Support Staff responds under the direction of the IRM. It is important to be familiar with these procedures.

Briefing of Officials

Management should be notified immediately when a significant incident is detected. Briefing is a critical step in response, providing management with an assessment of the situation to help determine the necessary courses of action. As more information becomes available throughout the response process, additional briefings should take place, which will help management determine whether it is necessary to take additional steps, su…

REVIEW

… appropriate? Was enough information obtained? Did the steps go well? How was the organization affected? Is the organization still vulnerable?

The team recommends the next steps, which may include information sharing or amending policies as appropriate. Management will determine what information will be shared and with whom.

APPENDIX

DEFINITIONS

The following defined terms are used in this guide:

Availability: The property of being operational, accessible, functional and usable upon demand by an authorized entity, e.g. a system or user.

Compromised: Sensitive information has been disclosed to persons who are not authorized to access it or have no need to know it.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Denial of Service (DoS): An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim of, or participating in, the DoS.

Firewalls: A security system that uses hardware and/or software mechanisms to prevent unauthorized users from accessing an organization's internal computer network.

Integrity: The property that data has not been altered or destroyed from its intended form or content in an unintentional or unauthorized manner.

ISP: Internet Service Provider; an organization that provides Internet access.

Routers: A device that forwards data packets between networks.

Unauthorized Access: Gaining access to any computer system or network without the express permission of the owner.

Virus: A self-replicating program that spreads by inserting copies of itself into other programs.

Vulnerability Scan: The process by which a computer or network is checked for security issues, missing patches or misconfigurations. The scan results are typically compiled into a report identifying each vulnerability along with remediation steps to correct the issue.

Worm: Self-replicating malware that, unlike a virus, needs no host program to infect and spreads automatically via e-mail, Internet relay chat or other network transport mechanisms.

INCIDENT LOG

Model Cyber Incident Response Policy

[Organization Name]

Purpose

This policy is established to clarify roles and responsibilities in the event of a cyber incident. The availability of cyber resources is critical to the operation of government, and a swift and complete response to any incident is necessary in order to maintain that availability and protect public and private information.

Responsible Elected Official

If the incident affects multiple departments, the [Town Supervisor]/[Mayor]/[Equivalent] shall be the Responsible Elected Official. If only one department is impacted, the elected official responsible for that department shall fill this role. The responsibilities of the elected official include, but are not limited to:
- receiving initial notification and status reports from the Incident Response Manager
- consulting with other elected officials on public notification, involvement of the municipal attorney and notification of law enforcement
- preparing and delivering press releases
- consulting with other elected officials and appropriate staff on priorities for response and recovery
- advising the Incident Response Manager on priorities

Incident Response Manager

The [organization name] designates that [the person filling the role of Incident Response Manager]/[actual name] has responsibility for preparing for and coordinating the response to a cyber incident. Responsibilities include, but are not limited to:
- training users to recognize and report suspected incidents
- developing and testing response plans
- being the point of contact should any employee or official believe an incident has occurred
- involving the identified technical support to address the incident
- notifying the appropriate elected officials that an incident has occurred, if significant
- advising elected officials regarding notification of law enforcement and the [government name] attorney, if appropriate
- providing information to the elected official[s] responsible for notifying the press and public
- coordinating the logging and documentation of the incident and the response to it
- making recommendations to reduce exposure to the same or similar incidents

Technical Support Staff

The [normal business providing Information Technology services]/[County/City/Town/Village Information Technology Department] shall provide technical support to the Incident Response Manager. Responsibilities include, but are not limited to:
- assessing the situation and providing corrective recommendations to the Incident Response Manager
- helping the Incident Response Manager make the initial response to incidents
- responding to the incident to contain and correct problems
- reporting to the Incident Response Manager on actions taken and progress
- participating in review of the incident and development of recommendations to reduce future exposure
- consulting with other elected officials on public notification, involvement of the municipal attorney, and notification of law enforcement
- assisting with preparation of press releases
- consulting with other elected officials and appropriate staff on priorities for response and recovery
- advising the Incident Response Manager on priorities

Legal Counsel

The [County/City/Town]/[Village] attorney shall provide advice as called upon.

RESOURCES

Resources provided by the National Cyber Security Division, U.S. Department of Homeland Security.

Key Organizations
- Department of Homeland Security, National Cyber Security Division, U.S. Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov
- Multi-State Information Sharing and Analysis Center: http://www.msisac.org
- Carnegie Mellon University/CERT Coordination Center: http://www.cert.org/csirts/
- Information Security and Privacy Advisory Board: http://csrc.nist.gov/ispab/
- National Institute of Standards and Technology, Computer Security Division: http://csrc.nist.gov/
- Forum of Incident Response and Security Teams (FIRST): http://www.first.org

Incident Response
- Defining Incident Management Processes: A Work in Progress (www.cert.org/archive/pdf/04tr015.pdf)
- CERT/CC, Avoiding the Trial-by-Fire Approach to Security Incidents (…ty_matters/1999/mar/security_matters.htm)
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response (…/nistpubs/800-86/SP800-86.pdf)
- National Information Assurance (IA) Approach to Incident Management (IM) (http://www.cnss.gov/Assets/pdf/CNSS-048-07.pdf)

Incident Reporting/Documentation
- NIST SP 800-61, Computer Security Incident Handling Guide (http://csrc.nist.gov/pu…/sp80061.pdf)
- NIST SP 800-92, Guide to Computer Security Log Management (…/SP800-92.pdf)
- Incident Management articles (in particular CNDSP accreditation) (…icles/best-practices/incident/223.html)
- CERT/CC, Incident Reporting Guidelines (http://www.cert.org/tech_tips/incident_reporting.html)

Incident Detection
- US-CERT, Common Sense Guide to Prevention and Detection of Insider Threats (http://www.us-cert.gov/reading_room/prevent_detect_insiderthreat0504.pdf)
- MS-ISAC/US-CERT, Current Malware Threats and Mitigation Strategies (http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf)
- CJCSM 6510.01 CH3: Defense-in-Depth – Information Assurance (IA) and Computer Network Defense (CND), 14 August 2006 (…jcs/cjcsm_6510_01_ch2_ch3.pdf)
- NCSD, Cyber Security Responses to Physical Security Breaches (http://www.us-cert.gov/reading_room/cssp_cyberresponse0712.pdf)

Incident Response Team
- CERT/CC, Action List for Developing a Computer Security Incident Response Team (http://www.cert.org/csirts/action_list.html)
- CERT/CC, Staffing Your Computer Security Incident Response Team – What Basic Skills Are Needed? (http://www.cert.org/csirts/csirt-staffing.html)
- CERT/CC, Creating a Computer Security Incident Response Team: A Process for Getting Started (http://www.cert.org/csirts/Creating-A-CSIRT.html)
- Handbook for Computer Security Incident Response Teams (CSIRTs), CMU/SEI-2003-HB-002 (…reports/03hb002.html)

User Awareness
- US-CERT, Protect Your Workplace Campaign (http://www.us-cert.gov/reading_room/distributable.html)
- OnGuardOnline, a consortium of the Department of Justice, Federal Trade Commission, Department of Homeland Security, US Postal Service, and Securities and Exchange Commission: www.onguardonline.gov
- StaySafeOnline: http://www.staysafeonline.info/

Incident Recovery
- US-CERT, Recovering from a Trojan Horse or Virus (http://www.us-cert.gov/reading_room/trojan-recovery.pdf)
- US-CERT, Computer Forensics (http://www.us-cert.gov/reading_room/forensics.pdf)
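The "Gather Information" step of the guide lists what an incident logbook entry must capture, and the RESPOND step says management is briefed immediately when an incident is significant. The Python below is an added example, not part of the MS-ISAC guide, showing one way to keep such an entry as a structured record that can be briefed and shared. The field names follow the guide's list; the escalation thresholds in is_significant(), the redaction applied in sharing_copy(), and the sample incident (organization name, dates, counts) are assumptions made here.

```python
"""Incident logbook entry with triage and a sharing-safe copy.

Added example, not part of the MS-ISAC guide. Field names follow the
guide's "Gather Information" list; the escalation thresholds in
is_significant() and the sample incident data are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
import json


class Nature(str, Enum):
    """Nature-of-incident categories listed in the guide."""
    DENIAL_OF_SERVICE = "denial of service"
    MALICIOUS_CODE = "malicious code"
    SCANS = "scans"
    UNAUTHORIZED_ACCESS = "unauthorized access"
    OTHER = "other"


@dataclass
class IncidentRecord:
    organization: str
    detected_at: datetime            # date and time the incident was detected (UTC)
    characteristics: str             # short description of the incident
    symptoms: list[str]              # symptoms noticed by end users or staff
    nature: Nature
    users_impacted: int
    machines_affected: int
    widespread: bool                 # more than one department or site affected
    partners_affected: bool          # could the incident reach business partners?
    actions: list[str] = field(default_factory=list)  # timestamped response log

    def log_action(self, entry: str, when: datetime | None = None) -> None:
        """Append a timestamped entry so the logbook records who did what, when."""
        when = when or datetime.now(timezone.utc)
        self.actions.append(f"{when.isoformat(timespec='seconds')} {entry}")


def is_significant(rec: IncidentRecord) -> bool:
    """Assumed escalation rule (the guide does not define 'significant'):
    anything widespread or reaching business partners is briefed at once,
    a scan on its own is not, and anything else escalates on size."""
    if rec.widespread or rec.partners_affected:
        return True
    if rec.nature is Nature.SCANS:
        return False
    return rec.machines_affected >= 5 or rec.users_impacted >= 10


def briefing(rec: IncidentRecord) -> str:
    """One-paragraph status for the Responsible Elected Official."""
    scope = f"{rec.users_impacted} users, {rec.machines_affected} machines"
    scope += ", multiple departments" if rec.widespread else ", single department"
    level = "SIGNIFICANT - brief officials now" if is_significant(rec) else "routine"
    return (f"[{level}] {rec.nature.value} detected "
            f"{rec.detected_at.strftime('%Y-%m-%d %H:%M UTC')}: "
            f"{rec.characteristics}. Scope: {scope}. "
            f"Business partners at risk: {'yes' if rec.partners_affected else 'no'}.")


def sharing_copy(rec: IncidentRecord, share_org_name: bool = False) -> dict:
    """JSON-ready copy for information sharing (e.g. with MS-ISAC) that
    withholds the organization name and the internal action log unless
    management has approved releasing them."""
    return {
        "organization": rec.organization if share_org_name else "[withheld]",
        "detected_at": rec.detected_at.isoformat(),
        "nature": rec.nature.value,
        "characteristics": rec.characteristics,
        "symptoms": list(rec.symptoms),
        "users_impacted": rec.users_impacted,
        "machines_affected": rec.machines_affected,
        "widespread": rec.widespread,
        "partners_affected": rec.partners_affected,
    }


def sample_incident() -> IncidentRecord:
    """Constructed sample data modelled on the guide's introduction (assumed values)."""
    rec = IncidentRecord(
        organization="Town of Example",          # assumed name
        detected_at=datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc),
        characteristics="printers and workstations repeatedly dropping off the network",
        symptoms=["inability to connect to the network", "unexpected programs running"],
        nature=Nature.UNAUTHORIZED_ACCESS,
        users_impacted=6,
        machines_affected=3,
        widespread=False,
        partners_affected=True,
    )
    rec.log_action("IRM notified by end user; technical support staff engaged",
                   when=datetime(2024, 3, 4, 14, 45, tzinfo=timezone.utc))
    return rec


if __name__ == "__main__":
    incident = sample_incident()
    print(briefing(incident))
    print(json.dumps(sharing_copy(incident), indent=2))
```

Running the block prints the briefing line and the JSON copy for the sample incident. The withheld organization name reflects the guide's point that management decides what is shared and with whom; pass share_org_name=True only once that decision has been made.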
