SEC440: Incident Response Plan
DeVry University
College of Engineering and Information Sciences
Alhambra, California
Proposal: Standard Operating Procedures for Security Breach
By
Thomas Christopher Go Ty
Submitted in Partial Fulfillment of the Course
Requirements for
Information Systems Security Planning and Audit
SEC440
Professor John Freund
August 10, 2014
Standard Operating Procedure for Security Breach
Experienced attackers will exploit even the simplest neglected practice to get their hands on a target.
Because a published address can be exploited and flooded with spam, which may in turn lead to Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks on the email server, the organization is encouraged to abandon the previous practice of publishing a company-wide general email address on its official Web site for inbound communications. Such addresses typically appear on the Contact Us or About Us Web pages.
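The following JavaScript is an added illustration of the alternative the proposal describes (a "Contact Us" control in place of a published address); it is not part of the original document. It keeps the mailbox address out of the static HTML that crawlers and address harvesters fetch, assembles it only when the button is clicked, and includes the check a site owner can run against served markup to confirm no address is exposed. The element id, the placeholder mailbox, and the use of a plain mailto: link instead of the original's "list of email clients and providers" window are all assumptions made for this example.

```javascript
// Added example (not from the original proposal): a "Contact Us" button that
// assembles the address at click time so it never appears in the served HTML.

// Address kept as separate parts; no "@" exists anywhere in the static page.
// Placeholder mailbox, constructed for this example.
const CONTACT_PARTS = { user: "info", domain: "example.com" };

// Markup as served to the browser: just a button, no address.
const STATIC_MARKUP = '<button id="contact-us" type="button">Contact Us</button>';

// The same page written the old way, with the address inline (the practice the
// proposal recommends moving away from). Constructed for comparison.
const INLINE_MARKUP =
  '<p>Email us at <a href="mailto:info@example.com">info@example.com</a></p>';

// Site-owner check: does the served HTML contain anything shaped like an address?
// Run this against your own pages before publishing them.
const ADDRESS_PATTERN = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function exposedAddresses(html) {
  return html.match(ADDRESS_PATTERN) || [];
}

// Builds the mailto: URL only when called, i.e. only after a real click.
function buildMailto(parts, subject) {
  const address = `${parts.user}@${parts.domain}`;
  const query = subject ? `?subject=${encodeURIComponent(subject)}` : "";
  return `mailto:${address}${query}`;
}

// Wires the click handler. Returns false when the button is not on the page,
// which also lets this file load outside a browser (e.g. under node) for testing.
function attachContactButton(doc, parts) {
  const button = doc.getElementById("contact-us");
  if (!button) return false;
  button.addEventListener("click", () => {
    doc.location.href = buildMailto(parts, "Website inquiry");
  });
  return true;
}

if (typeof document !== "undefined") {
  attachContactButton(document, CONTACT_PARTS);
}
```

This raises the cost for harvesters that only scrape static HTML; a crawler that executes page scripts can still recover the address, so the server-side filtering and scanning the proposal goes on to describe remain necessary.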
Email Proper Usage
Publishing an email address on a Web page exposes it to spider harvesting (email address harvesting). An alternative is a "Contact Us" button that opens a window offering a list of email clients and providers; this reduces the volume of spam received by the email server. Not every threat can be detected, even with an email filtering program and real-time email scanning in place. Setting the filtering program too high risks valid email messages never reaching the recipient, while setting it too low results in large quantities of spam being received. It is recommended to set every security setting to its optimum level. Implementing that optimum level may have some exceptions, especially when it comes to physical locations.
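As an added illustration of the filtering trade-off described above (not part of the original proposal), the JavaScript below scores a constructed mailbox with a deliberately naive rule set and counts, for several thresholds, how many valid messages would be blocked and how much spam would pass. The scoring rules, sender names, domains and messages are all constructed for this example; a real filtering product uses far richer signals, but the shape of the trade-off is the same.

```javascript
// Added example (not from the original proposal): how a spam-score threshold
// trades false positives (valid mail blocked) against false negatives (spam delivered).

// Toy scoring signals, constructed for the example.
const SPAM_WORDS = ["free", "winner", "urgent", "click here", "prize", "act now"];

function spamScore(msg) {
  const text = `${msg.subject} ${msg.body}`.toLowerCase();
  let score = 0;
  for (const w of SPAM_WORDS) if (text.includes(w)) score += 2;     // +2 per spammy phrase
  const subj = msg.subject;
  if (subj === subj.toUpperCase() && /[A-Z]/.test(subj)) score += 2; // all-caps subject
  score += (msg.body.match(/https?:\/\//g) || []).length;             // +1 per link
  if (msg.from.endsWith("@partner.example")) score -= 3;              // allow-listed partner
  return score;
}

// Constructed sample mailbox with ground-truth labels. Scores with the rules
// above: 0, 2, 12, 2, 7, 1, 2.
const MESSAGES = [
  { from: "client@example.com",       subject: "Invoice for March",            body: "Please find the invoice attached. Thanks.",                        isSpam: false },
  { from: "sales@partner.example",    subject: "URGENT: contract renewal due", body: "Act now to renew at https://partner.example/renew",               isSpam: false },
  { from: "noreply@lottery-spam.test", subject: "YOU ARE A WINNER",            body: "Click here to claim your free prize http://a.test http://b.test", isSpam: true  },
  { from: "hr@example.com",           subject: "Free parking this week",       body: "The lot on 5th is free for staff.",                               isSpam: false },
  { from: "deals@promo.test",         subject: "Act now",                      body: "Limited prize, click here https://promo.test",                    isSpam: true  },
  { from: "it@example.com",           subject: "Password reset reminder",      body: "Reset via https://intranet.example.com/reset before Friday.",     isSpam: false },
  { from: "ops@spam.test",            subject: "Urgent",                       body: "urgent urgent",                                                   isSpam: true  },
];

// Blocks every message whose score reaches the threshold and counts both
// kinds of mistake the proposal warns about.
function evaluateThreshold(messages, threshold) {
  let blockedValid = 0;
  let passedSpam = 0;
  for (const m of messages) {
    const blocked = spamScore(m) >= threshold;
    if (blocked && !m.isSpam) blockedValid++; // valid mail lost (setting "too high")
    if (!blocked && m.isSpam) passedSpam++;   // spam delivered (setting "too low")
  }
  return { blockedValid, passedSpam };
}

// Sweeps a list of thresholds so the two error counts can be compared side by side.
function sweepThresholds(messages, thresholds) {
  const result = {};
  for (const t of thresholds) result[t] = evaluateThreshold(messages, t);
  return result;
}

// Stand-alone run: threshold 2 blocks two valid messages, 10 lets two spam through,
// and 5 is the best compromise for this mailbox.
console.table(sweepThresholds(MESSAGES, [2, 5, 10]));
```

The point the table makes is that neither extreme is right: the "optimum" setting the proposal calls for is the threshold with the smallest combined cost of lost valid mail and delivered spam for the organization's actual traffic, which only measurement against a labelled sample can establish.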
Physical Security
Some locations within the company's premises store confidential data and information, including storage rooms for anything related to money and the financial information of clients, employees, shareholders, other stakeholders, and the organization itself. Theft can lead to fraudulent activity that exposes the company to legal consequences such as lawsuits, fines from the United States government, and, most seriously, the company closing its doors.
Not well known to the general public is the information-gathering method called social engineering. Social engineering is mostly done by observing physical factors, such as employees who wear their I.D. cards outside the company and leave documents in plain sight in public places and in vehicles. While many will argue that worrying about things and documents left in plain sight inside a vehicle is unjustified, the police department of the City of Boulder, Colorado strongly advises everyone to "Never leave valuables in plain view, even if your car is locked. Put them in the trunk or otherwise out of sight." (Colorado Police Department) The value of stolen vehicles is estimated to exceed $8,000,000,000.00.
Sample Policy Document
The following is a prototype of security policies concerning proper email usage
and physical security.
---------------------------------- Sample Policy Document (beginning) --------------------------------
Securing communications and physical security
Objective
This text sets the policies on acceptable email use, securing physical locations, and responding to security breach incidents.
Purpose
The policies in this text shall provide guidance to avoid and reduce security breaches perpetrated by attackers who take advantage of lax email use and lapses in employees' situational awareness. In addition, to protect the Organization's assets and reduce liabilities, this text also contains an incident response policy.
Audience
The policies outlined in this document apply to all entities working for the Organization.
Policy
1. Communications: Use of E-Mail
a. Client or End-Users
The Organization's email will be used only for business-related communications.
Chain emails and other similar forms of spamming are prohibited.
The 'BCC' (blind carbon copy) address field will be used only when necessary.
Properly log out of the Organization's Web mail when using a public computer; delete cookies and close the Web browser as a precaution.
Always use a proper email signature when replying to and forwarding emails.
Avoid "rainbow" emails, in which excessive font colors are used in the body of the email.
b. Server End
Non-active, dummy, and default email accounts will be disabled.
Email filtering and real-time email scanning will be implemented.
Software updates will be applied to the Web and email servers as soon as they become available from the software vendor.
c. Public Communications
Public communications include receiving emails from external entities inquiring about any service, product, or concern regarding the Organization.
2. Physical Security
Physical security policies are to be followed by all employees, including mobile workers.
For all employees: Do not leave any documents lying around in plain sight in public places such as restaurants, airports, cafes, and hotels, or in vehicles.
The use of a notebook privacy screen or privacy filter is mandatory when opening any electronic documents in public places.
Never leave unattended any bags (backpacks, suitcases, messenger bags, etc.) containing documents relating to the Organization and/or notebooks containing the Organization's data.
Do not post the Organization's building layout on public forums.
Employees must wear their identification cards (I.D. cards) issued by the Organization while at work.
Employees are prohibited from wearing I.D. cards issued by the Organization outside of the workplace.
All rooms that store sensitive and confidential information will be locked.
Only authorized personnel are allowed to enter the server room and other such locations within the Organization's premises.
All guests and visitors must be escorted by authorized personnel and must visibly wear a guest/visitor I.D. card while on the premises.
Exception
No one is exempted from the policies outlined herein.
Enforcement
The policies in this text shall be strictly enforced. Failure to follow them will be subject to disciplinary actions that may include, but are not limited to, the following.
Employment suspension without pay
Employment termination or separation
Legal actions and suits
Definition of Terms
Organization – the business entity where the employee works, distinct from the business owners and shareholders
End-user – the stakeholders of the Organization
External entities – individuals or groups not directly related to the company
Public forums – any place or location, physical or on the Web, that the public can freely access
Business owners, shareholders, stakeholders, employees – all entities working for the Organization
Revision History
References
Frei, Stephan, Silvestri, Ivo, Ollman, Gunter. Mail Non-Delivery Notice Attacks. Retrieved from http://www.techzoom.net/publications/mail-non-delivery-attack/index.en
National Institute of Standards and Technology (September 2012). Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
---------------------------------- Sample Policy Document (end) --------------------------------
Incident Response
When a disaster or an incident strikes, having an incident response plan reduces operational downtime compared to having none at all. Imagine what the world would be like if there were no firefighters to combat fires and no emergency medical technicians (EMTs) for ambulance services.
While each field has its own set of policies and response guidelines, they share the same goal: to respond to each succeeding incident better than the last. In the field of information security the goal is the same; only the specifics differ. The general sequence is initial assessment, isolation, communication, recovery, reassessment, and review.
The initial assessment shows the initial damage and gives an overview of the incident. This helps in executing an appropriate response instead of second-guessing, avoiding the loss of precious time and reducing costs for the organization. The longer the downtime, the higher the cost to the company. That is especially true in an environment such as a call center that contracts with service providers for its business. Long downtimes create friction between the two businesses and possibly a breach of contract and a lawsuit by the service provider against the call center management for failing to deliver as stated in the contract.
Isolating the problem prevents further damage beyond what has already been done to the company, and the incident response team can then focus on the problem rather than "run around". In addition to isolation, it is important to communicate with each member of the team and with other stakeholders within the company, avoiding miscommunication and unnecessary actions. The recovery phase restores the information systems to a working and stable operating condition. The system can be restored from a backup (tape backups), or operations can be redirected to an existing standby system; the latter is more costly to implement than tape backups. After operations are back to a stable condition, a reassessment of the damage and a review of the existing security policies and documents are performed, and the pre-existing policies and documents are revised as needed.
Conclusion
Although no one-hundred-percent secure system exists, the risk and damage from security breaches can be reduced or avoided if proper actions are taken. Even the simplest practices neglected by the general public can be used by an experienced attacker against any company, group, or individual to achieve the attacker's goal. Proper behavior and proper use of company resources are the beginning of a more secure information system.
Works Cited
Safety for your Vehicle. Retrieved from https://bouldercolorado.gov/police/safety-for-your-vehicle
Frei, Stephan, Silvestri, Ivo, Ollman, Gunter. Mail Non-Delivery Notice Attacks. Retrieved from http://www.techzoom.net/publications/mail-non-delivery-attack/index.en
National Institute of Standards and Technology (September 2012). Guide for Conducting Risk Assessments. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
TechNet. Responding to IT Security Incidents. Retrieved from http://technet.microsoft.com/en-us/library/cc700825.aspx#XSLTsection125121120120