What is your Incident Response quotient?
Felix Mohan, CEO - SecureSynergy
Posted on 12 Sep 2002
It is good to have a snare and a trigger, but without the trap it makes no sense. Incident detection is important, but incident response is more critical. You realise you are being hacked. What do you do? Press the panic button?
What are the most common forms of security breaches?
According to the CII-PwC Survey of 2002, 35% of the security breaches in Indian businesses were caused by attacks that exploited known operating system vulnerabilities. The other major causes of security breaches were poor access controls, abuse of valid user accounts and permissions, system misconfiguration and human error, external and internal denial-of-service attacks, exploitation of application vulnerabilities, and malicious code.
How are most security breaches usually detected?
Security breaches are detected by proactive and reactive methods. Proactive methods of discovery rely on technical controls: intrusion detection systems, firewalls, file integrity monitors, alarms and triggers, and analysis of server logs. Reactive methods include discovering the breach through data loss or material damage, or being alerted by colleagues, customers, or managed service providers.
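The file integrity monitor named above is the simplest of these proactive controls to understand, and the one most often missing. The script below is an added example, not code from the original article or from SecureSynergy: it baselines the SHA-256 hash, size and permission bits of every regular file under a directory, and later reports what was added, removed or modified against that baseline, which is the mechanism behind tools such as Tripwire. The demo tree and the "intruder" changes in demo() are constructed for illustration only.

```python
"""Minimal file integrity monitor: baseline a tree, then diff it later.

Added example, not code from the original article. The demo tree and the
intruder's changes in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root.

    The mode is recorded so that a permission change alone (for example a
    setuid bit added to an otherwise intact binary) is still reported.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are not hashed
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep it off the monitored host or on read-only
    media: an intruder with root can otherwise rewrite it to match his changes."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Paths that appeared, disappeared, or changed in hash, size or mode."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder who
    alters a binary, drops a hidden file and deletes a log to cover his tracks."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    for rel, content in {
        "bin/ls": b"original ls binary\n",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "log/auth.log": b"login from 10.0.0.5\n",
    }.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="fim-base-"), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # The intruder's changes.
    with open(os.path.join(root, "bin/ls"), "ab") as f:
        f.write(b"extra bytes appended by intruder\n")  # trojaned binary
    with open(os.path.join(root, "bin/.hidden"), "wb") as f:
        f.write(b"backdoor\n")                           # new file
    os.remove(os.path.join(root, "log/auth.log"))        # deleted log

    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, the baseline is taken immediately after a clean install and hardening, stored on read-only or offline media, and compared on a schedule; a baseline that lives on the same disk the intruder controls is worth little. Directories that legitimately change (logs, spools) are excluded or baselined separately so that real changes to /bin, /sbin and system configuration stand out.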
Are enterprises engaged in quick-fix solutions to the breach, or do they diagnose the cause and possibly engage in forensics of the breach before they apply the solution?
Most enterprises apply quick-fix solutions to the breach, for two important reasons:
(a) When a security breach occurs, the priorities of most enterprises are to resume normal business operations as soon as possible and to prevent similar incidents from occurring in future. Tracking down the perpetrator is a low priority. This is partly because top management regards security breaches as technical events rather than business events.
(b) Very few enterprises have documented computer forensics guidelines that set out how to preserve evidence during an investigation so that it remains usable in legal proceedings, and that specify the technical procedures and standards to be followed when diagnosing breaches.
However, as the financial impact of breaches continues to rise, more enterprises will take legal action against attackers. For this, response procedures will in future have to be expanded to include forensics and evidence-handling activities.
Approximately what percentage of breaches could be related to corporate espionage?
According to the CSI-FBI Survey 2002, 38% of US respondents reported corporate competitors as a likely source of attack. In India, about 7% of security breaches were attributed to competitors in the CII-PwC Survey 2002. However, as more and more Indian enterprises place their proprietary and other sensitive information on their networks, an increase in corporate espionage against Indian businesses can be expected, in line with global trends.
What are the top five things a company should do when it notices a breach?
After a breach has been detected or reported, the company should do the following:
(a) Immediately inform all parties who need to be made aware of the breach, as defined in the company's Incident Response Plan. These would include the company's incident response team, PR staff, affected users, management, and the system administrators of other connected sites.
(b) Capture and securely store all information about the compromised systems: the cause of the intrusion, system and network logs, network connections, running processes, logged-in users, open files, and so on. The volatile items (connections, processes, logged-in users, open files) exist only while the system is running, so they must be collected before any shutdown in step (c), and a record should be kept of who collected each item and when, so that it can later serve as evidence.
(c) Contain the incident to limit its extent and prevent the intruder from doing further damage. This may involve temporarily shutting down the system, disconnecting the compromised system from the network, disabling access to sensitive directories, files, services and accounts, and monitoring the network for further attacks.
(d) Ensure that the intruder has no covert means of access into the company's systems through backdoors or Trojans that he may have installed on the compromised systems. For this, reinstall the compromised systems, restore executable programs and binary files from the original distribution media, carry out a vulnerability analysis with a scanner such as CyberCop, and review the configuration of all protective and detection mechanisms installed on the system (IDS, firewall, Tripwire, access controls, etc.).
(e) Return the system to normal operation only after eliminating every means by which the intruder could regain access. If business requirements demand that the systems be brought online quickly, the residual risk needs to be managed and monitored. Once the system is restored, the company should implement the lessons learned and update its Incident Response Plan.
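Step (b) is the one most often done badly, because the data it names disappears the moment the machine is powered off or rebooted. The script below is an added example, not code from the article or from SecureSynergy: it runs the usual Linux state-gathering commands roughly in order of volatility (network state and processes first, as RFC 3227 recommends), writes each command's output to an evidence directory, and hashes every artifact into a manifest so that later tampering with the collected evidence can be detected. The command flags are Linux-specific, and the tool_dir parameter is an assumption of this example: it points at known-good copies of the tools (for instance mounted read-only from the distribution media), because a trojaned ps or netstat on the victim will hide the intruder's own processes and connections. The self_check() scenario is constructed for illustration.

```python
"""Volatile-state capture for a suspect host, with a hashed evidence manifest.

Added example, not code from the original article. The command list is the
usual Linux set; tool_dir and the self_check() scenario are assumptions of
this example.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

# Most volatile first (network state, processes, users, open files), then
# slower-changing system identity; compare the order of volatility in RFC 3227.
DEFAULT_COMMANDS = [
    ("network_connections", ["netstat", "-anp"]),
    ("processes", ["ps", "auxww"]),
    ("users_logged_in", ["w"]),
    ("open_files", ["lsof", "-n", "-P"]),
    ("interfaces", ["ip", "addr"]),
    ("arp_cache", ["arp", "-an"]),
    ("mounts", ["mount"]),
    ("kernel", ["uname", "-a"]),
]


def _now():
    return datetime.now(timezone.utc).isoformat()


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def collect_volatile(outdir, commands=DEFAULT_COMMANDS, tool_dir=None, timeout=60):
    """Run each command, save its output under outdir, write and return a manifest.

    tool_dir (assumed for this example) holds known-good copies of the tools so
    that binaries on the victim are never executed. A missing or hanging tool is
    recorded as an error and collection continues with the next command.
    """
    os.makedirs(outdir, exist_ok=True)
    manifest = {"collected_at": _now(), "artifacts": {}}
    for name, argv in commands:
        if tool_dir:
            argv = [os.path.join(tool_dir, argv[0])] + argv[1:]
        record = {"command": argv, "started": _now()}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            record["exit_status"] = proc.returncode
            body = proc.stdout + (b"\n--- stderr ---\n" + proc.stderr if proc.stderr else b"")
        except (FileNotFoundError, PermissionError) as exc:
            record["error"] = "%s: %s" % (type(exc).__name__, exc)
            body = record["error"].encode()
        except subprocess.TimeoutExpired:
            record["error"] = "timeout after %ss" % timeout
            body = record["error"].encode()
        record["finished"] = _now()
        header = "# command: %s\n# started: %s\n# finished: %s\n" % (
            " ".join(argv), record["started"], record["finished"])
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as f:
            f.write(header.encode() + body)
        record["file"] = os.path.basename(path)
        record["sha256"] = _sha256(path)  # hash taken immediately after writing
        manifest["artifacts"][name] = record
    with open(os.path.join(outdir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_evidence(outdir):
    """Re-hash every artifact against MANIFEST.json; return names that no longer match."""
    with open(os.path.join(outdir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    bad = []
    for name, rec in manifest["artifacts"].items():
        path = os.path.join(outdir, rec["file"])
        if not os.path.exists(path) or _sha256(path) != rec["sha256"]:
            bad.append(name)
    return sorted(bad)


def self_check():
    """Constructed scenario: one tool that exists, one that does not; then edit
    an artifact after collection and confirm verify_evidence() reports it."""
    outdir = tempfile.mkdtemp(prefix="ir-evidence-")
    commands = [
        ("python_echo", [sys.executable, "-c", "print('hello')"]),
        ("missing_tool", ["no-such-tool-for-this-example"]),
    ]
    manifest = collect_volatile(outdir, commands=commands)
    intact = verify_evidence(outdir)
    with open(os.path.join(outdir, "python_echo.txt"), "ab") as f:
        f.write(b"edited after collection\n")
    return manifest, intact, verify_evidence(outdir)


if __name__ == "__main__":
    evidence_dir = tempfile.mkdtemp(prefix="ir-evidence-")
    for name, rec in collect_volatile(evidence_dir)["artifacts"].items():
        print("%-20s %-12s %s" % (name, rec.get("exit_status", rec.get("error")), rec["sha256"][:16]))
    print("evidence directory:", evidence_dir)
```

Run it as root from the console, and point outdir at removable media or a mount from a remote host rather than at the compromised disk, so that collecting evidence does not overwrite deleted data you may later want to recover. Copy the manifest's hashes, the collector's name and the time into the written incident log; that record, together with verify_evidence(), is what lets you show later that the evidence has not changed since it was collected.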
What are the top five things a company should not do when it notices a breach?
(a) Do not press the panic button; follow the company's Incident Response Plan.
(b) Do not power a system down immediately upon discovery of an incident. This can destroy critical evidence: powering off wipes the system's volatile data (running processes, network connections, logged-in users, open files) before a forensic image of the system can be created.
(c) Do not bring the compromised system back online without a thorough vulnerability analysis and hardening of the system's protection and detection mechanisms, so that the perpetrator cannot re-enter. The hardening should also include a thorough sanitisation of the system to ensure that no backdoor or Trojan remains before it is brought up again. If the system cannot be left offline until hardening is complete, the company should consider having backup systems that can be brought online quickly.
(d) Do not ignore the incident, even if it seems insignificant and potentially harmless. Incidents should be escalated and dealt with as per the procedures set out in the Incident Response Plan.
(e) Do not implement a quick fix, since it can destroy the evidence on which the company's ability to track down and prosecute the intruder depends.