|Incident Handling at BMDO|
|Security Practices Subgroup|
|Ballistic Missile Defense Organization, US Department of Defense|
|1.7||Level of BSP|
|1.8||Security Processes or other Framework(s) Supported|
|Monitor System Activity (SPF 220.127.116.11.3) and Monitor the Performance and Functional Effectiveness of Security Safeguards (SSE CMM BP.08.04)|
|1.10||Points of Contact|
|Government BSP Owner:
Yes, post this contact information with the publicly accessible BSP.
Ballistic Missile Defense Organization
|2.0||What This BSP Does|
|The purpose of this BSP is
to address how to detect, handle, and recover from security incidents involving computer
hosts or networks.
The need for Incident Handling
It has been shown that a skilled intruder can extract specific data from an archive, manipulate it to solve a problem, and commit the changes back in to the archive, all from the local or remote terminal undetected. It is this ability to manipulate data that makes proving a computer attack so difficult.
To combat computer attacks clear and effective incident handling techniques and methods must be employed. The must critical part of this methodology is documentation of all the circumstances surrounding the incident. With the details documented if the intrusion to see the light of day in a courtroom, its reasonable that the defense will do everything in its power to cast the shadow of uncertainty and unreliability over the prosecution. This shows why a clear and effective Incident Handling methodology must be in-place when law-enforcement is going the brought in.
|2.2||Requirements for this BSP|
|Department of Defense (DoD)
Chief Information Officer (CIO) Guidance and Policy Memorandum No. 6-8510 -
Department of Defense Information Assurance
E3.6.7. Incident Reporting and Response: In addition to protective measures designed into information systems and architectures, sites should have a structured ability to audit, detect, isolate, react and recover to intrusions, service disruptions, and incidents that threaten the security of DoD operations.
E18.104.22.168. Incident Reporting: All DoD organizations shall promptly report incidents via their appropriate chain of command. Types of incidents that will be reported include:
E22.214.171.124.1. Intrusion: Unauthorized access to an information system.
E126.96.36.199.2. Denial of Service Attacks: Actions which prevent any part of an automated information system from functioning in accordance with its intended purpose, to include any action which causes the unauthorized destruction, modification, or delay of service.
E188.8.131.52.3 Malicious Logic: Hardware, software, or firmware that is intentionally included in an information system for an unauthorized purpose, such as a virus or Trojan horse.
E184.108.40.206.4 Probe: In information operations, any attempt to gather information about an automated information system or its users online.
|Having the proper incident handling procedures was instrumental in the stopping of an intruder into one of the governments major testing facilities. Additionally, this methodology was used to successfully prosecute the intruder. This was due to proper documenting of the incident, the proper handling of the computer media, and the documentation.|
|3.0||What This BSP Is|
|3.1||Description of BSP|
|There are at least six identifiable stages of response to an INFOSEC incident. They include preparation, identification, containment, eradication, recovery and follow-up. Knowing about each stage facilitates responding more methodically (and thus efficiently), and also helps users understand the process of responding better so that they can deal with unexpected aspects of incidents they face. The six identifiable stages are detailed below. Refer to Figure 1, which outlines the procedures for responding to computer incidents.|
The resources needed to successful perform our incident handling function are as follows:
One of the major issues that must be determined
by an organization before an incident handling function can be activated is the definition
of incident. For the purposes of this BSP the following definition of an incident and
event is as follows:
Although no single one of these typical symptoms of security incidents is generally by itself conclusive, observing one or more of these symptoms should prompt you to investigate events more closely. You should in this vein work with other personnel at your organization that possess the appropriate technical and computer security knowledge to determine exactly what has occurred. Collective judgment is typically better than a single person's judgment when it comes to identifying incidents.
If a computer security incident is detected (excluding incidents involving classified information), it should immediately be reported to the appropriate NSO/ISSO. Each user should know how to contact the ISSO responsible for their information systems.
If the ISSO cannot be contacted, the incident should be reported to Network Security Officer (NSO) at 604-4113. Again, all users need to know the identity of their ISSO and NSO are and how to contact them.
If users cannot contact either their ISSO or NSO, they should call C directly to report the incident. The timing of reporting incidents depends upon whether or not the user knows how to resolve the security incident, as shown in Figure 3.
The ISSO has the responsibility to report incident information upwards to the CISSM and CIO in a timely fashion. Figure 4 shows a standard reporting chain. In addition, the ISSO should be prepared to advise the ISSM on immediate response decisions in the event of a serious breach of security, as in the case of an attacker gaining access via the Internet. If there is evidence of criminal activity, it is the CISSMs responsibility, in concert with the General Councel, to notify the Office Special Investigations. It may be advisable for the CISSM or Director DSC to contact OSI directly after advising DISA.
CAUTION: Do not disseminate information about incidents to any person, agency, or organization that is not in the above reporting chain.
The process of incident handling involves six stages:
The outputs from the incident handling function are as follows:
|3.2||Relationship to Other BSPs|
|This BSP is related to the Defense Information Systems Agencys (DISA) Information Assurance Vulnerability Alert (IAVA) and as additional BSPs are developed, additional relationships will be added.|
|4.0||How To Use This BSP|
|The implement an incident
handling program the following is needed:
|4.2||Implementation Resource Estimates|
|Personnel: Operating System Administrator or knowledge equivalent. Four people working full-time monitoring the intrusion detection system.|
|4.3||Performance Goals and Indicators (Metrics)|
|General Goal: The goal of information assurance program is to prevent or reduce the likelihood of computer system intrusions. But because no prevention measures are perfect, there also needs to be a strategy for handling incidents that includes preparation, detection, and response.|
intrusion detection system. Hardware and software needed for SHADOW
installation is as follows:
|Training materials include the following:|
|A||Executive Overview and Briefing|
|[Provide materials, briefings, etc. used to gain management buy-in.]|
|[List books, articles, or URLs to enhance understanding this BSP.]|
|[Identify contract vehicles and SOWs if services or materials were procured.]|
|[Define terms helpful to understanding this BSP.]|