Critical Incident Management

There are many classification and analysis practices in identifying and classifying threats. Threats may be classified in many ways. Start the risk assessment by thinking outside the organization and consider the origin threats as having either human or natural causes.

So it is with your enterprise; identify and examine the risks on the periphery and work your way inward, eventually reaching the center. When you are trying to classify threats and their probability of happening, you will need percentages to determine such things as frequency, and the degree to which they affect assets. Following is a list of a few common threats and some resources that can be contacted to collect relevant information. When contacting these resources, it is suggested that you collect information relative to the threats' frequency, location, and degree of severity measured in a relevant time period for your locale.

• Earthquake: Geology departments at local universities and the U.S. Geological Survey.

• Fire: National Fire Protection Association.

• Flood, tornado, hurricane, wind storm, snow, ice storm: National Oceanic and Atmospheric Administration and the National Weather Bureau.

• Criminal and hacker threats: Talking with the local chapter of the National Infrastructure Protection Center (NIPC), sponsored by the nearest field office of the FBI, you should be able to gain an idea of the latest criminal and system-attacker threats. Most FBI offices have a designated Special Agent as the NIPC coordinator whose job it is to see to the success of the local NIPC chapter. This is the most likely person to contact. More information can be obtained through the FBI Web site (http://www.fbi.gov).

Human threats, both internal and external to the organization, are the most unpredictable and potentially the most destructive. Human threats are more mobile, devious, and plentiful than natural threats. Imagine that one of your trusted system engineers becomes dispirited one day and resigns. If the engineer were malicious, can your imagination stretch far enough to conceive of the damage that could be done with knowledge of your operation? Another scenario of the "what-if" model is born.

The following categories are not intended to provide a comprehensive list of human-based attacks, but merely to serve as a reference. New attacks on technology emerge daily, as do their solutions. Here are a few examples of human-based threats:

• Unauthorized intrusions. These malicious acts may originate outside or inside the organization. They are characterized by gaining access to one or more systems. Often attackers install programs allowing reentry to the system. Usually the intruder has concealed his/her true identity and may be masquerading as a legitimate user by modifying data, perusing or stealing sensitive information, etc.

• Unauthorized program execution. This is not necessarily the same as the unauthorized intruder. Perpetrators compromise a host or a network service such as Domain Name System (DNS). Once compromised, intruders install and run scanning tools to locate other vulnerable systems while removing traces of their presence in the compromised system. From these compromised systems, intruders can launch intrusion attacks on remote systems, with tracing efforts stopping at the compromised systems. From a frequency perspective, it is likely that most outside network scans are launched from compromised systems with the intention of disguising the attacker's identity.

• Denial-of-service attacks and distributed denial-of-service attacks. These are attacks originating at sources inside and outside an organization with the purpose of destroying the organization's ability to conduct business. Examples of these threats are network flood attacks resulting in systems crashes.

• Privilege escalation. Privilege escalation means raising access privileges without authorization. Attackers, inside and outside, may not be able to gain privileges immediately when they enter a computer system; usually they attempt to escalate privileges by exploiting vulnerabilities either in applications or in the operating system. It is a common practice for intruders to exploit programming weaknesses in the Common Gateway Interface (CGI). CGI programs are commonly used to provide user interaction with Web pages. By manipulating the input information, it is possible in some CGI programming to gain root access to Web servers. With this privilege level, the attacker is free to deface the Web page, gain access to the host network, redirect shipments, and steal credit card or other sensitive information.

• Worm and virus attacks. Viruses are programs that are typically executed through opening e-mail attachments, sharing infected disks, or opening documents containing macros. Worms, on the other hand, are similar to viruses in that they are self-replicating, but they have the object of filling the victim-computer's hard drive.

• Back doors or remote control programs. These are methods employed by attackers to gain repeated access and control of their victim's systems. Often an e-mail attachment is sent to the intended target having the payload of a remote control program. It may be disguised as something very desirable to the victim.

  Experience Note

  Investigators have seen remote control programs disguised as antivirus program updates or photographs of famous personalities. Once installed, the program gives the attacker complete control over the victim's computer allowing the attacker to peruse files, install software, or send e-mail in the victim's name.

• Malicious programming. This is programming that has been installed with a date or event trigger. An example is the discontented programmer who had unauthorized access to the computer's payroll code. He modified the code so that if his name and Social Security number were not part of the payroll run, then the computer would delete the current payroll information. After several months, the employee was eventually dismissed for performance issues. When the payroll was run, the computer did not see his name and Social Security number, so it deleted the payroll data. This resulted in the business having to recover the payroll data from backup media, but it was still an unnecessary delay and expense.

There are also many legal threats that can have a very negative impact on a business' operation. If successful, these risks can be more devastating to the organization than the technological threats. Following are a few examples:

• Discrimination and a hostile work environment. E-mail is used everywhere in business operations. However, e-mail can also be misused, posing a very serious threat. Employees and persons outside the organization might recount offensive jokes or spread offensive stories and pornographic material. E-mail misuse can and will lead to a hostile work environment if viewed by someone that finds the e-mail offensive. Discrimination is defined as the prejudiced or prejudicial outlook, action, or treatment of an individual on the basis of age, gender, race, religion, national origin, or sexual orientation.

• Defamation. Defamation is defined as oral or written false statements that wrongfully harm a person's reputation. Oral defamation is referenced as slander and written as libel. It should be noted that defamation laws differ from state to state. If an employee posts false information to a newsgroup or circulates e-mail causing harm to an individual or organization from the employee's workstation, both the organization and the employee may be held legally liable for the action.

• Harassment. This is unwanted behavior targeting a specific person or group of persons. Consider that an employee is the victim of unwanted, sexually harassing messages posted to the company's bulletin board.

• Privacy violations. This act discloses information intended to be private by its owner. Safeguarding confidential information is currently an object of legislation, making its unauthorized disclosure a serious unlawful act.

There are threats and vulnerabilities that can occur within an organization, regardless of management's intentions. Consider an Internet hosting facility with hundreds of servers in its communications center. The building is the size of a large warehouse and, having been recently constructed, has the latest and greatest innovations. The fire extinguishing equipment consists primarily of large tanks of inert argon gas. Its purpose is to flood a fire with the inert gas, displacing the oxygen and extinguishing the fire, thereby preserving equipment and data. This is a fine idea for preserving equipment and data; however, no one considered that there are people working in the communications center who will suffocate before they can reach an exit, due to the large size of the facility. This concept was subsequently analyzed in the "what-if" scenario. The extinguishing system was replaced with another that did not threaten the communications center employees.

Think of malicious employees who have an intimate knowledge of your business operation and are predisposed to do damage. No one is in a better position to commit acts of sabotage, if they are inclined.

The threat posed by employees and former employees surpasses the other threats.

• Vulnerabilities. Vulnerabilities are weaknesses in the organization that allow a threat to possibly trigger a loss. Vulnerabilities apply to specific threats and assets. Surveying employees who use and manage the organization's systems is a critical part of identifying vulnerabilities. Mapping assets, threats, vulner-abilities, and remedies is the risk team's task. Scheduling them together allows the analysis of their interrelationships. In mapping critical assets, threats and their frequency, vulnerabilities, safeguards and cost/benefits, examine carefully the safeguards area.

• Insurance. Insurance is not a consideration at the time of risk analysis. Insurance generally is a means to obtain money after the damage has already happened. While this is an excellent idea, money in the pocket will not immediately restore lost personnel, lost data, or lost facilities in time to continue critical functions. Acquiring critical assets takes time, and regardless of the amount of money, the longer an organization is without profitable operations, the less likely it is to remain in business. Consequently, insurance is an excellent item to have as part of your risk management practices in the long term, but the focus here is the idea of risk assessment and immediate business restoration procedures.

• Safeguards. Safeguards are expensive measures; consequently cost/benefit analysis is imperative. They cost money and deplete resources, but if designed and implemented correctly, they can save your critical assets. Do not spend more to protect an asset than its value to the organization. For example, an organization has a Web page used to provide advertising of its services, but almost all of its sales are derived from a well-developed reseller network. Realistically, the Web page contributes little to overall profits. However, in his responses to the risk team's questionnaire, the company's CIO thinks the Web page is very informative and critical to the organization. The Web server has been identified by the CIO as so critical to business operations that it rests behind its own firewall. Costs of the firewall and its related maintenance exceed the Web page's value. When the risk team performs their assessment, they nix the Web page as being superfluous. Of course, there is a requisite soothing session between the risk team leader and the CIO.

• CIA. There are several overriding factors in scheduling these interrelationships; CIA (confidentiality, integrity, and availability) are the relevant qualifiers along with fault tolerance in deciding asset priority. Exhibit 5 provides a proposed risk schedule where relationships between assets, threats, vulnerabilities, and safeguards are illustrated. Of course, this exhibit is intended as a representative model and should be customized to organizational needs. Frequently, teams are challenged by difficult decisions when a potentially lost asset severely affects operations in the long run, but in the short run its loss does not affect much. The risk team should make decisions of this nature supported by its executive sponsor. The goal is the resumption of profitable operations as soon as possible after a critical incident. Once this level of operation is achieved, longer-term considerations can be addressed.

  Exhibit 5: Risk Assessment Schedule

  Business Unit	Asset	Asset Replacement Value (SLE/ARO)	Rank (High, Med., Low Routine)	Threat and Frequency (1 to 10)	Vulnerabilities	Safeguard	Safeguard Annual Costs	Info.
  Human Resources	Payroll applications	SLE = $$$ ARO = percent	High	Unauthorized system access Attempted frequency = 10	Access	Firewall	$$$	None
  	Payroll data	SLE = $$$ ARO = percent	High	Unauthorized system access Attempted frequency = 10	Access	Firewall and partitioned subnets	$$$	None
  Sales	Client list	Irreplaceable	High	Corrupt data Frequency = 7	Data input and access	Employee access requests	$$	None
  Warehouse	Inventory listings	SLE = $$$ ARO = percent	High	Unable to track	Correct input	Field checking	$$	None