Not so long ago, towards the end of the last century, allocating a direct budget to IT security was considered radical, and a sophisticated incident response plan was far from most CIOs' minds. This year alone, IDC notes a New Zealand spend of $200 million, and Gartner reports an A$440 million spend across Australia, on IT security systems. With IT spending double the levels of 2003, a security incident response policy is now standard for most organisations.
Not everything is up to scratch, however. Karl Hartmore, head of operations at AusCERT, says businesses have varying levels of preparation and more firms need to develop a strategy, including who will do what should a serious incident occur.
In New Zealand, the government's Centre for Critical Infrastructure Protection (CCIP) works with AusCERT on a variety of security issues. In its 2006 IT Security Survey, the CCIP warns two-thirds of respondents have experienced virus threats, 60 per cent reported missing laptops, and more than half, abuse from insiders. "There are a number of technologies, including firewalls, intrusion detection and prevention systems, anti-virus and anti-spyware products, which will assist in developing a 'defence in depth' architecture. Also, the need to keep both operating systems and applications at the latest patch levels, cannot be understated," the CCIP reports.
The CCIP promotes a variety of ISO industry standards on the issue and advises organisations about security response with a range of papers on its website.
Getting down to the basics
Kerry Thompson, consultant, Open System Specialists, says there is a "notable lack of planning" for incident responses in New Zealand.
"Few organisations have any security incident response plan. Many lack the basics of a security policy or even accurate documentation of the IT systems that they rely on to operate their business," says Thompson, who also spoke on the subject at Brightstar's recent IT Security Summit in Auckland.
Thompson defines a security incident as "a violation of IT security policy, acceptable use policy or of standard procedures".
He lists malware attacks (viruses, worms, Trojan horses), denial of service attacks, intruders (both internal and external), and email issues such as scams, phishing and spam, plus operational incidents such as system failures and operator errors.
Prevention is naturally the best and cheapest option, since it avoids the downtime altogether, but prevention only comes through forward planning.
He cites a report by the Employers and Manufacturers Association which claims that in 2006, New Zealand businesses will lose $140 million to $240 million due to security incidents.
"Prepare for incidents," he admonishes. "Keep back-up and recovery processes current and test them. Be prepared for bare-metal recovery."
Organisations, he continues, need to look at detecting incidents as they occur, through the use of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Log file analysers, anti-virus detectors and firewalls will also help.
"Intrusion detection tools are generally good analysis tools, sometimes useful for tactical alerting. It is always good to have such tools in your toolkit."
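Thompson's point that log file analysers and IDS tools are good for analysis and sometimes for tactical alerting is easier to see with a concrete detector. The Python script below is an added example, not code from the article or from any of the organisations it quotes. It scans syslog-style sshd log lines for a burst of failed logins from one source address and escalates if that same source then logs in successfully, emitting an alert that carries the facts the assessment step needs (affected host, source, what happened). The sample log lines are constructed for this example, and the threshold (five failures within 60 seconds) is an illustrative assumption, not a value from the article.

```python
"""Added example: a small auth-log analyser for tactical alerting.

Scans syslog-style sshd lines for a burst of failed logins from one source
and escalates if that source later authenticates successfully. Threshold
and window values are illustrative assumptions, not from the article.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# The syslog prefix carries no year; only differences between timestamps are
# used, so a log spanning New Year would need extra handling (not done here).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
MSG_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

THRESHOLD = 5        # failures from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds raise an alert (assumed values)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    kind: str
    severity: str
    host: str
    src: str
    detail: str


def parse_line(line: str):
    """Return an Event for an sshd login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = MSG_RE.match(m["msg"])
    if not e:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return Event(ts, m["host"], e["outcome"], e["user"], e["src"])


def analyse(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window brute-force detector; returns alerts in log order."""
    recent_failures = defaultdict(deque)  # (host, src) -> recent failure timestamps
    flagged = set()                       # (host, src) pairs already alerted on
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an sshd login event (cron, other daemons, ...)
        key = (ev.host, ev.src)
        if ev.outcome == "Failed":
            q = recent_failures[key]
            q.append(ev.ts)
            # Drop failures that have fallen out of the window.
            while (ev.ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)  # one alert per source, not one per line
                alerts.append(Alert("brute_force", "medium", ev.host, ev.src,
                                    f"{len(q)} failed logins within {window}s"))
        elif key in flagged:
            # A success after a burst of failures suggests a guessed password:
            # this is the host to isolate first during assessment.
            alerts.append(Alert("login_after_brute_force", "high", ev.host, ev.src,
                                f"successful login as {ev.user} after failed attempts"))
    return alerts


# Constructed sample log (made up for this example, not real data).
SAMPLE_LOG = """\
Jun  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Jun  3 10:01:05 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Jun  3 10:01:07 web01 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)
Jun  3 10:01:09 web01 sshd[2205]: Failed password for root from 203.0.113.9 port 51124 ssh2
Jun  3 10:01:12 web01 sshd[2207]: Failed password for root from 203.0.113.9 port 51125 ssh2
Jun  3 10:01:14 web01 sshd[2209]: Failed password for invalid user test from 192.0.2.5 port 60010 ssh2
Jun  3 10:01:15 web01 sshd[2211]: Failed password for deploy from 203.0.113.9 port 51126 ssh2
Jun  3 10:01:20 web01 sshd[2213]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun  3 10:01:31 web01 sshd[2215]: Accepted password for deploy from 203.0.113.9 port 51127 ssh2
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.kind}: host={a.host} src={a.src} {a.detail}")
```

Run against the sample, the analyser raises a medium-severity alert on the fifth failure from 203.0.113.9 and a high-severity one when that address then logs in as deploy; the single failure from 192.0.2.5 and the key-based login from 198.51.100.7 produce nothing. Alerting once per (host, source) pair rather than per line keeps a noisy scanner from flooding the responder, which is the difference between an analysis tool and one that is usable for tactical alerting.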
As soon as an incident is detected, the situation must be assessed. IT managers need to establish the business impact, which systems are affected and whether they can be isolated, what it will take to resolve the situation and who has the right expertise to help, and they must document everything.
The SME's dilemma
For an SME, a typical incident team will be two people. One will be a technical leader to perform most remedial work; the other a back-up person reporting to management and recording the actions taken. In larger firms, others may be involved such as the IT manager/CIO, legal staff and even media relations.
"Always get help if you feel the situation is getting out of hand. For example, in one case, an incident involving malware dragged on for two weeks before someone was called in to diagnose the problem and resolve it within the hour," Thompson advises.
Teams should get equipment and software tools as required, such as new workstations and servers, IDS tools, AV tools and anti-spam tools.
"Preparation is the key to saving time here. It is always good to have an incident toolkit ready with software tools on a CD or USB stick," he continues.
A plan is needed and, while it need not necessarily be written down, it should at least be well communicated among staff. It should cover the basic steps: prioritising the affected systems and containing the problem, potentially by isolating those systems, so that no further damage occurs; then resolving the problem by rebuilding systems from scratch, loading back-up data and re-securing the affected systems.
These steps may be repeated as the resolution process continues, Thompson says. Throughout resolution, the team must also keep recording all actions, updating the estimated recovery time objective (RTO), and reporting to management and other interested parties.
"Keep other people in the organisation up-to-date with expected RTO times and any issues that are outstanding. Discretion needs to be applied here: Avoid public dissemination of sensitive information (such as what type of system failed) and be very cautious as to attributing blame," says Thompson.
Once the incident is resolved, the business can return to operation but only after systems have been tested.
"Identify and mitigate all vulnerabilities that were exploited. After return to operations, monitor the system closely to make sure all the systems are returned to normal. Report to management and other interested parties that the system has been restored," he further advises.
Preventing recurrence is now the most crucial area, and one that is often overlooked, particularly as many problems arise through a lack of preventive measures in the first place.
The causes must be reviewed, including technical controls, environmental factors, human factors, and management and budget constraints.
In reviewing the resolution, the questions to ask include whether the incident could have been detected earlier or resolved more quickly, whether more resources are needed, whether reporting was adequate, and whether rehearsals or better response plans would help.
A final report should then be made, kept short and to the point, covering one to two pages.
"Detail the incident causes, how it was detected, the handling process, and provide an executive summary. The key is to prevent reoccurrence," adds Thompson.
The state of play
Tony Lester, CIO of Land Information New Zealand, says incident response is a "critical component" of its IS framework, with well established response procedures and a Cyber Incident Response Team (CIRT).
"It directs our security personnel to verify an incident has occurred, protect and store the evidence, categorise the severity of the incident, repair damage or implement a contingency plan, and then report or document the incident, so we can learn from the experience," says Lester.
LINZ uses many tools: digital certificates for authenticating users, Citrix Secure Gateway for Landonline, firewalls, host- and network-based IDS for Landonline, internet traffic filtering, virtual private networks, patch and vulnerability management and back-up systems, with regular internal and external audits to test its security response.
The government agency is currently rolling out Telecom/Gen-i Safecom managed security services for perimeter security, including file transfer protocol (FTP), internet proxy access, email and remote access. LINZ operates a security committee of senior managers, responsible for security strategy and implementation. The CIRT handles incidents, monitors its own effectiveness and reports back to the committee.
Lester says good practices include having clear and simple preparations, incident response procedures, incident quantification procedures, staff training and continuous learning. "Don't reinvent the wheel - base your security procedures on internationally accepted standards and best practices."
At the Inland Revenue Department, CIO Ross Hughson says policies are in place for department staff and included in service level agreements with outsourcing partners.
Additionally, the department actively manages its technology environment, ensuring up-to-date security patches for desktop machines and network/internal security infrastructure.
Furthermore, all security advisories from the Government Communications Security Bureau (GCSB) are acted upon; regular security audits are undertaken by IRD's Risk and Assurance group and independent external organisations, says Hughson.
Hughson has overall accountability for incident response strategy but has delegated responsibility for it to his IT technical and operations manager.
The IRD claims it has never been targeted for a malicious attack, but says it has kept numerous intrusion attacks at bay. It uses intrusion detection tools (Snort), corporate firewalls (Cyberguard and Checkpoint Firewall) and virus and email scanning software (Gwava). The department is currently investigating the deployment of enhanced virus, email and internet content scanning software.
"A good IR strategy is risk-based and aligned with business security requirements. Consultation with business representatives when designing security solutions is essential to get the right balance against security and ease of doing business. It must also comply with government and industry-wide security standards," Hughson advises.
"Think security as part of the design, establish centralised security responsibility, build security awareness, adopt security standards, and establish capability and process for regular security audits."
Mark Ratcliffe, Telecom NZ chief operating officer technology and enterprises, confirms incident response is an integral part of the telco's IS security strategy, and is the responsibility of the GM of IS operations.
Ratcliffe declines to provide extensive detail of Telecom's security set-up but says it includes AV software, mail sweeps, firewalls and intrusion detection systems. Various policies exist to handle incidents and they are being redesigned as part of a Technology Support Operating Model.
"A good IR strategy is one that can respond to known attack types but is also flexible enough to allow us to manage new incident types. Whilst technology plays a part, committed people and good processes will ultimately deliver a good incident response," says Ratcliffe.
Otago University considers itself as vulnerable as any other organisation, with its use of open systems increasing its risk. Internet-based risks are the greatest, fuelled by a growing number of criminal elements using the net for fraud and the resulting growth in viruses, spam and botnets, says information security manager Mark Borrie.
"Our information security strategies are more often in response to emerging trends rather than specific incidents. For instance, the growing incidence of identity theft is leading us to review issues such as password management, patching and virus and spyware detection," says Borrie.
At healthAlliance, CIO Phil Brimacombe says his organisation is developing incident response plans and reviewing how these procedures rate against ISO 17799 and health sector standards.
Brimacombe, who has responsibility for security, backed by support from his IS operations team, says viruses, worms and patient privacy are his greatest concerns.
healthAlliance relies on Trend Micro antivirus, Checkpoint products, patches and best practice. "Like many others, we caught the Blaster worm, but with measures we had in place it was thankfully well contained. It was, however, a lesson in the need for proper IR procedures."
For those who feel managing security in-house is too much, outsourcing its management and bringing in the experts may pay off.
IBM security practice leader John Martin says IBM notes growing threats from criminal elements using phishing and other attempts to make money.
He stresses enterprises must now see security not as an expense, but as a business enabler. A robust system means the business is more resilient, while the competition may falter.
Martin says firms seek more unified approaches to security, consolidating firewalls, intrusion detection and other systems into one single appliance.
How people work internally or deal with partners is another issue. IBM, whose Kiwi clients include TVNZ, has certified teams operating globally looking for threats and warning their customers.
Last year, when the Zotob worm was predicted to cause havoc, IBM was able to warn its customers a week before Trend Micro released its patch.
He says IBM also helps firms develop their own incident response and other security policies.
"We can drill down and present customised services, post mortem analysis for incidents, prevent another murder and ensure it is not repeated."