The Changing Nature of Incident Response: Part 5

I am sure that the so-called “crises” about which I have written in my last two blog postings pale in comparison to some that have occurred since. I have, for example, learned about insider attacks that have occurred in banks and other institutions that could have potentially severely disrupted the financial and operational status of the organizations in which these attacks occurred. Serving on an incident response team charged with responding to these incidents must in many ways have been the ultimate challenge.

At the same time, however, too many of the incident response teams created during the formative years of incident response efforts did not make adaptations necessary for the changing requirements of their constituencies. The Department of Energy’s (DOE) Computer Incident Advisory Capability (CIAC) is one of the best examples. Shortly after I left this program, powers-that-be decided that researching and writing bulletins that described vulnerabilities and how they could be remediated was no longer within this team’s charter. CIAC’s Web site simply started posting CERT/CC vulnerability bulletins with the top portion overwritten by CIAC. CIAC had for the most part abandoned researching and reporting vulnerabilities, services still very much needed by organizations. The security of CIAC servers started to become neglected, and incidents involving CIAC hosts started to become commonplace, a bad omen for a team formed for the purpose of security. CIAC also increasingly lost its connection with much of its constituency, covering its lack of productivity with accounts of its involvement with organizations such as the Forum of Incident Response and Security Teams (FIRST) and bureaucratic activity. To its credit, CIAC’s Web site had up-to-date postings about Internet hoaxes, but then again, Internet hoaxes were and still are nowhere near the most critical security problem that organizations face. CIAC became almost completely non-productive, and had to resort to nasty politics to keep itself in business. In time, the DOE community quit turning to CIAC for help and advice, and powers-that-be within CIAC had to turn to dirty tricks such as fabricating “whistleblower” claims against the then DOE CIO to prevent the DOE from terminating its funding. Finally, and very much to its credit, DOE killed CIAC’s funding altogether.

The story of CIAC’s demise is not unique, either. Numerous well-intentioned teams that were formed in the late 1980s and early 1990s eventually fell by the wayside for various reasons, some but not all of which were similar to CIAC’s. The formation of the U.S. CERT is in many ways an admission of the failure of agency- and department-specific incident response teams. From what I have seen, U.S. CERT does not really provide much help when incidents occur, but at least this team produces vulnerability bulletins that help departments and agencies in their effort to eradicate vulnerabilities in their computing systems and networks.

Most of today’s highly significant incidents are data security breaches. Incident response teams must contain these as well as other incidents, but the nature of response teams’ activity in reaction to these incidents has had to change substantially to keep pace with the dynamic legal and regulatory environment with which organizations must deal and comply. So, for example, if a data security breach occurs, containing the breach is still extremely important, but containing the legal and other liabilities is just as, if not more, important. As such, coordinating with the entities within an organization charged with interfacing with the media and with notifying customers that their personally identifiable and/or financial information has been compromised is critical.

Security-related incidents are here to stay. As such, there will always be a need for incident response efforts. But these efforts must change with the times, and to a large degree the ability of these efforts to change with the times is one of the most critical indicators of their success.

–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.