The aim of this paper is to suggest various policies and procedures that organizations can formulate and implement in responding to information and computer security incidents. The paper focuses on the areas of dynamic vulnerability analysis, intrusion detection, and incident response. It considers the scenario of a $5 billion financial services firm named Greiblock Credit Union (GCU). The company is headquartered in Chicago but is widely represented throughout the Midwest by approximately 100 branch offices. The Chicago-based office has a centralized architecture, which facilitates the provision of fundamental technical services to all branch offices and corporate locations. The firm has become a major victim of increasingly frequent security incidents such as identity theft, hacking, and online fraud. The paper accomplishes this task in sections covering the areas mentioned above. The subtopics of each area include the purpose, scope, policy, enforcement, and metrics.
Incident Response and Investigation Considerations
Today, the use of the Internet has become a part of everyday life. Numerous organizations use the Internet and allied computer systems and networks to conduct a range of activities such as communication, online banking transactions, and information sharing, among others. Similarly, activities such as trade and communication have been eased as the Internet has transformed the world into a global village. In spite of these benefits, the Internet and advanced computer technologies are accompanied by numerous risks, which affect the computer networks and infrastructures of organizations connected to the Internet. The risks take the form of computer-related crimes and terrorist threats such as hacking, spoofing, identity theft, online scams and fraud, and cyber-stalking, among others (Gerber & Von Solms, 2005; Peltier, 2013). Organizations become victims of these incidents because they fail to plan counteraction strategies until they have already suffered an attack. Consequently, the response to information security incidents is delayed, and a common outcome of such delay is excessive cost (Carroll, 2014). The aim of this paper is to discuss the policies and procedures that organizations can formulate to address vulnerability analysis, intrusion, and incident response, using Greiblock Credit Union (GCU) as the case.
Addressing Information Technology Security Incidents
Various direct benefits can be accrued from responding to security incidents. For example, in this context, Greiblock Credit Union (GCU) stands to benefit greatly in its business operations when it can handle attacks quickly and cost-effectively. Similarly, it is likely to win the loyalty of its customers, as responding proactively to attacks shows that it takes information security seriously. To respond quickly to security incidents, the organization needs to minimize the number and severity of incidents. In addition, the business should define an incident response plan to aid in containing damage while reducing risk (Pieprzyk, Hardjono, & Seberry, 2013). These goals are facilitated by the policies and procedures for each relevant area, which are discussed below.
Policies and Procedures to Address Dynamic Vulnerability Analysis
The number of information technology and computer infrastructure vulnerabilities in organizations is increasing dramatically from day to day (Richardson, 2011). However, various models in use today allow vulnerability detection and analysis across the modules of a system. This section presents an approach to vulnerability analysis that integrates the advantages of penetration testing and dynamic analysis.
Today, the business network infrastructure is rapidly changing, with newer and updated services, servers, connections, and ports. Consequently, there is a continuous inflow of vulnerabilities and exploits associated with the endless evolution of the information technology infrastructure. Thus, organizations are required to conduct dynamic vulnerability assessments more frequently. These processes assist a vulnerable organization in defining, identifying, and classifying the vulnerabilities that are likely to affect its computer systems, networks, and infrastructure (Hsiao, Kerr, & Madnick, 2014). Dynamic vulnerability analysis is the most appropriate way for an organization to detect weaknesses in its information systems and computer facilities. Subsequently, the process assists in formulating the relevant countermeasures to address the identified vulnerabilities. In this context, Greiblock Credit Union (GCU) is a victim of the ever-increasing number of information security incidents. Therefore, dynamic vulnerability analysis is the initial step through which the organization can detect threats, their sources, and their likely impacts.
In trying to discover flaws in its systems, Greiblock Credit Union (GCU) will conduct a range of procedures to determine the extent of an exploit while deciding how to meet the desired outcomes. Policies and procedures around vulnerability analysis will range from defining the vulnerabilities and exploits to classifying them by their significance. Additionally, there will be a need to identify the resources available to sustain countermeasures and the threats linked to those resources. Eventually, the policies and procedures will lead to the formulation of an appropriate strategy to guide the neutralization and minimization of threats.
To make sound decisions on the security of its information and computer systems, Greiblock Credit Union (GCU) will take certain steps. The first is self-assessment. Here, the organization will seek to identify all unnoticed security vulnerabilities such as weak passwords, web-based personal email services, lack of end-user education, lack of sound security policies, and poor patch management, among others. The process is imperative as it will enhance the protection of networks, information, and computer infrastructure. In addition, the business will try to understand its processes better in an attempt to pinpoint susceptible applications. Further, the organization will seek to identify hidden data sources and determine which hardware is involved in the exploitation of vulnerabilities. Other procedures include mapping all network infrastructure and all controls in place. These will be coupled with vulnerability scans and the application of business and technology context to scanner results.
After a successful dynamic vulnerability assessment, the organization will adopt a systematic approach to policy implementation and compliance in several ways. First, there is the enactment of a security awareness program. Fundamentally, the key to compliance with a security policy is education. The organization will educate end users and other stakeholders on the essence of security. The process will help users understand the importance of security and its benefits in daily activities (Gerber & Von Solms, 2005; Von Solms & Von Solms, 2006). Second, there is effective communication of the policy. Once a security policy has been completed, Greiblock Credit Union (GCU) will communicate it formally to all stakeholders and clients to enhance compliance and enforcement. The final step is continuous monitoring. This process is important as it helps in the identification of new threats, new technologies, and changes in the operations of the organization. Ongoing monitoring coupled with constant review will keep the policy relevant.
Various basic parameters will be used to determine the effectiveness of vulnerability analysis. First, there is the access vector, which measures whether a vulnerability is exploited remotely or locally. The vulnerability score is higher the more remote the attacker can be from the information asset. Second, there is authentication, which measures the number of times an attacker has to authenticate to a system in order to exploit the vulnerability. Third, there is the confidentiality impact (Richardson, 2011), which measures the effect of a successfully exploited vulnerability on the confidentiality of data. Finally, there is the integrity impact, which measures the effect of a successfully exploited vulnerability on the integrity of data.
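The following is an added example, not part of the paper, showing how the four parameters just described can be turned into a prioritization score for the findings a vulnerability scan produces. The weights are assumptions chosen only to reproduce the ordering the text describes (remote scores higher than local, fewer authentications score higher, greater confidentiality or integrity impact scores higher); they are not an official scoring standard, and the `Finding` class and sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights (not a standard): larger means "easier for the attacker"
# or "worse for the organization", per the ordering the paper describes.
ACCESS_VECTOR = {"local": 0.4, "adjacent": 0.65, "remote": 1.0}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.7}
IMPACT = {"none": 0.0, "partial": 0.275, "complete": 0.66}


@dataclass(frozen=True)
class Finding:
    """One scanner result, labelled with the four parameters (hypothetical type)."""
    name: str
    access_vector: str   # local | adjacent | remote
    authentication: str  # multiple | single | none
    confidentiality: str  # none | partial | complete
    integrity: str       # none | partial | complete


def score(f: Finding) -> float:
    """Combine exploitability (how reachable) and impact (how damaging) into 0..10."""
    for table, value in ((ACCESS_VECTOR, f.access_vector),
                         (AUTHENTICATION, f.authentication),
                         (IMPACT, f.confidentiality), (IMPACT, f.integrity)):
        if value not in table:
            raise ValueError(f"unknown label {value!r} in finding {f.name!r}")
    exploitability = ACCESS_VECTOR[f.access_vector] * AUTHENTICATION[f.authentication]
    # Impacts combine so that losing both confidentiality and integrity is worse
    # than losing either alone, without exceeding 1.0.
    impact = 1 - (1 - IMPACT[f.confidentiality]) * (1 - IMPACT[f.integrity])
    return round(10 * (0.6 * impact + 0.4 * exploitability), 1)


def prioritize(findings):
    """Order findings so the remediation team works the highest score first."""
    return sorted(findings, key=score, reverse=True)


# Constructed sample findings for a branch-office file server.
SAMPLE_FINDINGS = [
    Finding("local privilege escalation", "local", "multiple", "partial", "none"),
    Finding("unauthenticated remote code execution", "remote", "none", "complete", "complete"),
    Finding("authenticated data disclosure", "remote", "single", "complete", "none"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{score(f):4.1f}  {f.name}")
```

Because the weights are explicit and small, the security team can adjust them to the business context the paper recommends applying to scanner results (for example, raising the integrity weight for systems that process transactions) without changing the ranking logic.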
Policies and Procedures to Address Intrusion
Frequently, an organization's computers and networks are subject to various security breaches, which include intrusions and misuse. As such, an organization such as Greiblock Credit Union needs to formulate policies and procedures to address intrusion.
An intrusion detection policy is implemented with the intention of protecting the integrity, privacy, and availability of data in an organization. In this context, Greiblock Credit Union (GCU) faces an increased risk of attack because of its widespread network infrastructure. Therefore, it is vital to develop an intrusion detection system to help protect its computers, communication infrastructure, and networks. The policies and procedures involve preemptive approaches to network security. They are used to identify all potential threats and assist in responding to them appropriately. These policies reflect the effectiveness of the various components of the security system and determine the appropriate time to activate a planned response to an intrusion incident.
Greiblock Credit Union's policies and procedures to address intrusion will cover its computers, networks, and other computer infrastructure. Additionally, the plans will encompass all relevant stakeholders such as contractors, employees, temporary personnel, and other agencies of the firm. All other users and administrators of the computer systems will have a role in the intrusion detection plans.
Greiblock Credit Union (GCU) seeks to detect all vulnerabilities and prevent their exploitation. It will accomplish this by monitoring, preventing, and identifying all forms of intrusion or misuse. The firm will develop a strategy for intrusion detection and prevention within the limits of the available resources. The key objective will be to provide robust intrusion detection and raise awareness of actions capable of causing intrusions. In addition, the plan will prepare the organization to respond effectively when an intrusion occurs.
The intrusion detection and prevention systems shall have appropriate controls set to respond to a perceived attack. The controls will be set from the perspective of continuing service to meet all business needs and objectives (Richardson, 2011). The intrusion detection and prevention capabilities shall include guidelines for monitoring and analyzing system logs, warnings, alerts, and audit logs. The firm will review its security audit logs and intrusion detection output on a daily basis.
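As an added example (not part of the paper, and not GCU's actual tooling) of the daily log review the section calls for, the script below parses a constructed sample of syslog-style sshd authentication lines and raises two kinds of alerts: a source address that produces a burst of failed logins within a time window, and a successful login from a source that had just failed repeatedly. The log lines, host names, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, fictional host names).
SAMPLE_LOG = """\
Mar 10 08:01:02 branch-fs1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:05 branch-fs1 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 08:01:07 branch-fs1 sshd[2205]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar 10 08:01:09 branch-fs1 sshd[2207]: Failed password for root from 203.0.113.7 port 51032 ssh2
Mar 10 08:01:12 branch-fs1 sshd[2209]: Failed password for root from 203.0.113.7 port 51033 ssh2
Mar 10 08:01:20 branch-fs1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar 10 08:15:44 branch-fs1 sshd[2300]: Failed password for jsmith from 192.0.2.15 port 40212 ssh2
Mar 10 08:15:50 branch-fs1 sshd[2302]: Accepted password for jsmith from 192.0.2.15 port 40213 ssh2
"""

# Matches the two sshd message forms used in the sample: "Failed password for ..."
# and "Accepted password for ...", with an optional "invalid user" marker.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn raw lines into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production reviewer would count unparsed lines, not drop them silently
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def review(events, threshold=5, window=timedelta(minutes=10)):
    """Return (alert_type, source_ip, host, failure_count) tuples in time order."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) == threshold:  # alert once when the burst crosses the line
                alerts.append(("brute-force", e["ip"], e["host"], len(recent)))
        elif len(recent) >= threshold:
            # A success right after a burst of failures deserves a human look.
            alerts.append(("success-after-failures", e["ip"], e["host"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in review(parse(SAMPLE_LOG)):
        print(alert)
```

The window and threshold are the tunable parts: a branch with a handful of administrators can use a low threshold, while a customer-facing service needs one that does not page the analyst for every mistyped password. Both alerts are inputs to the containment steps described in the incident response section, not automatic blocks.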
Measuring the effectiveness of policies and procedures against intrusion would not necessarily be tangible. Rather, the metrics would involve the frequency of awareness training and the extent to which best practices are implemented. The degree to which customers trust the organization would be an important indicator of effectiveness.
Policies and Procedures to Address Incident Response
Incident response plans are organized approaches to addressing and managing the aftermath of a security breach or attack.
An incident response plan defines what constitutes a security incident and outlines the phases of the response. It describes the assessment of the event, response strategies, and the documentation and preservation of evidence. In addition, an incident response plan outlines the areas of responsibility and establishes the procedures for handling various security incidents. It aims to handle incidents in a way that minimizes damage and reduces recovery cost and time.
Policies and procedures around an incident response plan will involve a series of activities carried out to a defined level. These include verification of the incident, maintenance and restoration of business continuity, reduction of the incident's impact, and prevention of future attacks (Von Solms & Von Solms, 2006). Additionally, incident response plans will entail improvement of security and of the response itself, prosecution of illegal activities, and keeping management informed of the situation and the response.
In developing the incident response plan, Greiblock Credit Union (GCU) will define all relevant roles and responsibilities. It will establish procedures that specify the actions to be taken during an incident, based on the type of event. The procedures will consider the extent of the threat and then determine whether the incident is ongoing or not.
The formulated incident response plan will be enforced through various means. First, there is containment. Here, the organization and its members will be required to take actions intended to prevent further intrusion or damage. The organization will disconnect all affected or otherwise vulnerable systems, change passwords to reduce unauthorized access, and block ports and bar specific IP addresses.
Second, the organization will implement strategies to prevent re-infection. To do so, the organization will first determine the cause of the intrusion. Common causes include email, inadequate training, and attacks through open ports. Once the cause has been accurately determined, re-infection can be prevented through firewalls, patching the affected system, and shutting down the infected system (Sherwood, 2005). Third, there is documentation. The organization should keep detailed documentation showing how an incident was discovered and how it occurred. Other useful pieces of information include the source of the attack, the response taken, and its validity. Finally, enforcement is also executed through evidence preservation. The organization should make and retain copies of logs, emails, and any other documentable communication. Along with that, lists of witnesses should be maintained to assist in further investigations.
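The evidence-preservation step above is illustrated by the following added example, which is not from the paper and not GCU's procedure. It copies the files an investigator wants to retain into an evidence directory, records a SHA-256 digest, size, collector and collection time for each copy in a manifest, makes the copies read-only, and later verifies that no copy has changed. The file contents, case identifier and collector name are constructed placeholders; a real deployment would also store the manifest somewhere the investigated systems cannot reach.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector, case_id):
    """Copy each source file, hash it, and write a manifest describing the copies."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        original_hash = sha256_of(src)
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        copy_hash = sha256_of(dest)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dest, 0o440)  # read-only for the evidence owner and group
        entries.append({
            "source": str(src), "copy": str(dest), "sha256": copy_hash,
            "size": dest.stat().st_size,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "entries": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir):
    """Re-hash every preserved copy; True means it still matches the manifest."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return {e["copy"]: sha256_of(Path(e["copy"])) == e["sha256"]
            for e in manifest["entries"]}


def demo():
    """Preserve two constructed files, verify, then alter a copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        log = tmp / "auth.log"
        log.write_text("Mar 10 08:01:02 branch-fs1 sshd[2201]: Failed password for root "
                       "from 203.0.113.7 port 51030 ssh2\n")  # constructed line
        mail = tmp / "phish.eml"
        mail.write_text("Subject: constructed sample message\n")
        evidence = tmp / "evidence"
        preserve([log, mail], evidence, collector="ir-analyst-placeholder",
                 case_id="CASE-ID-PLACEHOLDER")
        intact_before = all(verify(evidence).values())
        tampered = evidence / "auth.log"
        os.chmod(tampered, 0o640)       # simulate someone overriding the protection
        tampered.write_text("tampered\n")
        intact_after = verify(evidence)[str(tampered)]
        return intact_before, intact_after


if __name__ == "__main__":
    print(demo())  # (True, False): intact before tampering, detected afterwards
```

The manifest is what supports the documentation requirement in the same paragraph: it records who collected what and when, and the digests let a later reviewer, or a court, confirm that the retained copies are the ones originally collected.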
The effectiveness of the policies and procedures addressing incident response can be measured through various parameters. Often, this is done through a review of the responses and an update of the policies. The organization would consider whether an additional policy could have prevented an intrusion. Where an intrusion has been avoided, the responses and policies can be said to be effective. It would also be appropriate to consider whether ignored policies allowed an intrusion.
This paper has discussed various policies and procedures that organizations can use to address vulnerabilities and exploits in the areas of dynamic vulnerability analysis, intrusion detection, and incident response. The paper has noted that many organizations are falling prey to disruptive network intrusions and costly computer-related attacks as a result of being connected to the risky Internet. Many are no longer confident that their facilities are well protected by a static security system. The paper suggests that a quick and active reaction to the diverse forms of cyber security incidents is a critical strategy for minimizing the outcomes of such incidents. The effectiveness of the response to cyber security incidents depends on how well an organization's information technology department is prepared to respond. In formulating the policies and procedures to address incidents, organizations should have a clear purpose, scope, policy, enforcement, and metrics. These allow the organization to establish whether it is making progress in improving its information and computer security.