BankInfoSecurity.com - Information Security News, Regulations, & Education


Security Incident Investigations Within Banks - Part 2 of 2

April 24, 2006 - Omar A. Herrera Reyna, CISA, CISSP

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Read part 1 of this article

Preparing for security incident investigations

Preparation is the most important phase of security incident investigations since most of the requirements previously discussed can't be addressed at the time the investigation is being conducted.

Preparation must therefore address both these requirements (what the investigation must provide) and the needs of the investigation process itself (everything the process requires from other sources).

To increase speed, we need to perform as many tasks as possible before any investigation starts. These tasks include:

- Gathering contact information
- Preparing and testing investigation resources
- Automating investigation activities (software/hardware)
- Preparing all administrative work (forms with some pre-filled fields, negotiating access authorizations, establishing communication channels and contact information)
- Ensuring that needed information is available (e.g. infrastructure maps, resource allocation/location information)

Of the above, access to resource information might be one of the most critical and difficult requirements to fulfil. During an incident investigation, security personnel will need to know things like the physical location of a computer, its network information, the applications it runs and their function, the relationships between those applications and other systems, and contact information for the personnel responsible for these resources. Application information may be particularly complex to document and analyze: banks usually develop in-house applications to support customized services, and maintaining detailed documentation of each application and its relationships with other resources is neither easy nor cheap.


However, it is essential that this documentation be accurate and readily available to investigators. Locating a PC from its IP address can take up to a few hours if there is no inventory or logical allocation scheme in place, and having investigators waste time working out the relationships with other systems and applications during the investigation is far from optimal, especially when the rest of the incident response team is waiting for the results of this investigation before it can act.
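As an added illustration (not from the article), the kind of pre-built inventory lookup the preparation phase should make available: a logical allocation scheme maps subnets to sites, hosts carry their responsible contact and applications, and in-house application dependencies are resolved transitively so one IP address yields the full investigation context. All subnets, hosts, applications and addresses are constructed sample data.

```python
import ipaddress
from collections import deque

# Constructed sample inventory (a real bank would export this from its CMDB).
# Logical allocation scheme: each subnet is assigned to one site/floor.
SUBNETS = {
    "10.10.1.0/24": "HQ - 3rd floor - Treasury",
    "10.10.2.0/24": "HQ - 4th floor - Card operations",
    "10.20.0.0/16": "Data centre A",
}
# Hosts: responsible contact and the applications they run.
HOSTS = {
    "10.10.1.45": {"owner": "treasury-desk@example.test", "apps": ["FXDealCapture"]},
    "10.20.5.10": {"owner": "appops@example.test", "apps": ["CoreLedger"]},
}
# In-house applications: owning team and the systems each one depends on.
APPS = {
    "FXDealCapture": {"contact": "fx-dev@example.test", "deps": ["RiskEngine", "CoreLedger"]},
    "RiskEngine": {"contact": "risk-it@example.test", "deps": ["MarketDataFeed"]},
    "CoreLedger": {"contact": "ledger-team@example.test", "deps": ["OracleDB-01"]},
}

def site_for(ip):
    """Resolve an IP to its site via the allocation scheme (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(net), site) for net, site in SUBNETS.items()]
    matches = [(net, site) for net, site in matches if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def dependent_systems(apps):
    """Breadth-first walk so indirect dependencies are included, not just direct ones."""
    seen, queue = set(), deque(apps)
    while queue:
        for dep in APPS.get(queue.popleft(), {}).get("deps", []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return sorted(seen)

def investigation_context(ip):
    """Return what an investigator needs for one IP, or a clear 'not inventoried' marker."""
    site, host = site_for(ip), HOSTS.get(ip)
    if host is None:
        # Unknown host: still return the site so the physical search is narrowed.
        return {"ip": ip, "site": site, "inventoried": False}
    deps = dependent_systems(host["apps"])
    contacts = {host["owner"]} | {APPS[a]["contact"] for a in host["apps"] + deps if a in APPS}
    return {"ip": ip, "site": site, "inventoried": True, "apps": host["apps"],
            "depends_on": deps, "contacts": sorted(contacts)}
```

An address that is not inventoried still resolves to a site, which is the point of keeping the allocation scheme current even when host records lag behind.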

Regulations are also an issue for banks, since they can affect the scope of investigations and the way they are conducted. Some regulations require certain levels of the hierarchy to be notified immediately of certain (serious) incidents. Customers, third parties (e.g. under the PCI Data Security Standard) and law enforcement (e.g. under FTC/OCC regulations) might also need to be notified within a limited time frame under some circumstances. Other standards and regulations require evidence preservation for security incidents and proper training for the personnel conducting security incident investigations (e.g. ISO 17799, the Basel II Accord). Hence, the banks' lawyers have to be deeply involved at this stage.

The remaining requirements (reliability, accuracy, non-intrusiveness and completeness) can be met with proper system replacement procedures (e.g. connecting alternative backup systems while the affected system is taken down for investigation) and by implementing proper audit trails in key locations. Intrusion detection systems can provide useful information to a certain degree, but at the application level (and we have already mentioned the prevalence of custom-made applications within banks) secure audit trail systems must be integrated in the right places.
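As an added example (not from the article), one property that makes an application-level audit trail "secure" enough to serve as evidence: each record is chained to its predecessor with a keyed HMAC, so an edited, removed or reordered record is detected at verification time. The key, the event records and the field names are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed example: a tamper-evident application audit trail.  Each record
# carries an HMAC over its own content plus the previous record's tag, so an
# edited, removed or reordered record breaks every tag after it.
# In production the key would live in an HSM or on a separate log host.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32

def _tag(prev_tag, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, prev_tag + body, hashlib.sha256).hexdigest()

def append(trail, record):
    """Append one application event (a dict), chaining it to the last tag."""
    prev = bytes.fromhex(trail[-1]["tag"]) if trail else GENESIS
    trail.append({"record": record, "tag": _tag(prev, record)})
    return trail

def verify(trail):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        expected = _tag(prev, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = bytes.fromhex(expected)
    return True, None

def demo():
    """Build a three-event trail, then show an edit and a deletion being caught."""
    trail = []
    for rec in [
        {"seq": 1, "user": "teller07", "action": "view_account", "acct": "****4421"},
        {"seq": 2, "user": "teller07", "action": "transfer", "amount": "2500.00"},
        {"seq": 3, "user": "admin02", "action": "limit_override", "acct": "****4421"},
    ]:
        append(trail, rec)
    edited = json.loads(json.dumps(trail))        # deep copy
    edited[1]["record"]["amount"] = "25.00"       # a stored value is altered
    deleted = trail[:1] + trail[2:]               # the middle record is dropped
    # Note: dropping only the *last* record is not caught by the chain alone;
    # the latest tag must also be stored out of band (e.g. on the log server).
    return {"intact": verify(trail), "edited": verify(edited), "deleted": verify(deleted)}
```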

Regarding the identification phase of the incident response process, we know that the investigation needs at least a minimum of information about an incident (namely, that it probably exists, and a starting point for the investigation). Since other tasks within the incident response process might actually require the results of an incident investigation in order to proceed, we already know that the traditional sources of information for these tasks (e.g. intrusion detection systems and audit trails) won't be enough.

One of the most important sources of information for investigations is feedback from human beings. Due to the targeted nature of some types of attacks aimed at banks, many of them may go unnoticed by traditional security controls (e.g. external phishing attacks against customers, social engineering attacks targeting specific employees). Incorporating these individuals into the sensor network is therefore essential for effective detection of all types of security incidents.
