Brevard County (Florida)
Administrative Procedures

7540.09 - DISTRICT IT INCIDENT RESPONSE PROCEDURE

The purpose of this procedure is to assign responsibility and provide procedures for handling computer security incidents. It contains the process steps for identifying, responding to, reporting, and resolving computer security incidents. An incident is defined as "the act of violating an explicit or implied security policy." The SANS definition is "an adverse event in an information system, and/or network, or the threat of the occurrence of such an event."

The Superintendent or designee is responsible for providing policy and procedural guidance for establishing, operating, and maintaining the Board's incident response procedure.

Identification and Reporting of Information Security Incidents

 A.ESF users and schools should inform the Helpdesk if they are receiving complaints about viruses, worms, spam, phishing emails, etc.

 B.The Helpdesk will then notify Network Ops and Systems and Security. Triage questions at this point: What is the normal daily volume of reported spam? Is it significantly higher today? Is the malware a high-threat worm? An SI-type Heat ticket for a "Security Incident" should be opened.

 C.Based on the number of complaints and the severity of the threat, Network Ops and Systems and Security will determine whether a District-wide notification needs to be issued.

 D.Depending on the type of malware targeting the District, Network Ops and Systems and Security will coordinate a response telling users and sites how to manage the incident.
  e.g., the District may choose notification only for low threats; for higher-level threats the District may need to issue notifications and also update District protection measures: AV signatures, firewall rules, Websense filtering, or immediate email blocking of the offending sites.

 E.On instructions from Network Ops and Systems and Security, the Helpdesk will send the notifications to schools, ESF, department secretaries, etc., as necessary to inform District users how to respond.
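The triage question in step B ("Is it up significantly today?") needs a baseline to compare against. The following is an added example, not part of the District procedure: it scores today's complaint count against the previous days' counts using the median and median absolute deviation (so that one earlier outbreak day does not inflate the baseline) and maps the result, together with the high-threat-worm question, onto the response options in step D. The ticket counts, thresholds and function names are assumptions made for illustration.

```python
"""Daily complaint-volume baseline for the Helpdesk / Network Ops triage step.

Added example, not part of the district procedure.  The ticket counts,
thresholds and helper names are all assumptions made for illustration.
"""
from statistics import median

# Constructed sample data: number of malware/spam/phishing complaints the
# Helpdesk received on each of the previous ten working days.  Day 7 (40)
# was an earlier outbreak and must not be allowed to hide today's spike.
HISTORY = [12, 15, 9, 14, 11, 13, 40, 10, 12, 14]


def robust_baseline(history):
    """Median and median absolute deviation (MAD) of prior daily counts.

    MAD is used instead of mean/standard deviation because a single past
    outbreak day would otherwise inflate the baseline and mask a new one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad


def classify_day(today, history, warn_k=3.0, high_k=6.0):
    """Score today's count against the baseline.

    Returns (level, score) where level is 'normal', 'elevated' or 'high'.
    The score is a robust z-score: how many MAD-based sigmas today's count
    sits above the median.  warn_k and high_k are assumed thresholds.
    """
    med, mad = robust_baseline(history)
    # 1.4826 * MAD estimates the standard deviation for normally distributed
    # data; fall back to 1.0 so a perfectly flat history still works.
    scale = 1.4826 * mad if mad > 0 else 1.0
    score = (today - med) / scale
    if score >= high_k:
        return "high", score
    if score >= warn_k:
        return "elevated", score
    return "normal", score


def triage(today, history, high_threat_worm=False):
    """Map the volume level (and the worm-type question) onto the procedure's
    response options: notification only, or notification plus updates to
    District protection measures (AV signatures, firewall rules, blocking)."""
    level, _ = classify_day(today, history)
    if high_threat_worm or level == "high":
        return "notify and update protections"
    if level == "elevated":
        return "notify only"
    return "no district-wide action"


if __name__ == "__main__":
    for today in (14, 20, 58):
        level, score = classify_day(today, HISTORY)
        print(f"today={today:3d}  score={score:5.1f}  level={level:8s}"
              f"  -> {triage(today, HISTORY)}")
```

With the sample history the baseline is a median of 12.5 and a MAD of 1.5; 14 complaints is normal, 20 is elevated, and 58 is high. A mean-based baseline would have been pulled up to 15 by the earlier outbreak day, which is why the robust statistics are used.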

Responding to Information Security Incidents

 A.Preparation
  The goals of the initial response are to:

  1.verify that an incident has truly occurred;

  2.determine whether a policy was violated (Board policies: http://www.neola.com/brevardco-fl/);

  3.determine what attacks were used to gain access and identify which systems and data the intruder accessed;

  4.determine what the intruder did after obtaining access.

 B.Identification

  1.Receive Alert and Review Finding
   Technology specialists are notified of a suspected security event. Begin by reviewing the details of the event. What type of alarm is it? Is only one system affected, or are multiple systems affected?

  2.Start Logbook
   The next step is to start a logbook. The logbook is used to document everything: all people interviewed, what happened, which systems were involved, what action was taken, what tools and commands were used, and what the results were.
   The first entry in the logbook should be an incident notification checklist:

   a.who is calling/paging;

   b.date/time;

   c.phone;

    d.nature of incident (virus, DoS, defacement, theft, unusual activity);

   e.when did the incident occur;

   f.how was the incident detected;

   g.who discovered the incident;

   h.when was the incident detected;

    i.what is the immediate and future impact on the client;

   j.is it a business critical machine;

    k.targeted computer(s):

     1)hostname;

     2)OS;

     3)IP address(es);

     4)location;

    l.attacking computer(s):

     1)IP address(es).

  3.Review Results of Existing Security Tools Output
   See details in technician handbook.

  4.Request Logs
   See details in technician handbook.
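The logbook in step 2 is the record everything later in the procedure (containment, eradication, lessons learned, Form 7540.09 F1) is reconstructed from, so it is worth keeping it structured rather than as free text. The following is an added example, not the District's own tooling: it refuses to open an incident until the notification checklist is complete, records each later action with who, what, command and result, and chains each entry to the previous one with a hash so that a later edit to the record is detectable. The chaining is an added practice beyond what the procedure requires; the field names and the sample incident are assumptions.

```python
"""Structured incident logbook for the Identification step.

Added example, not the district's own tooling.  Field names, the sample
incident and the hash chaining are assumptions: chaining each entry to the
previous one is an added practice that makes later alteration of the record
detectable; the procedure itself only requires that everything be recorded.
"""
import hashlib
import json
from datetime import datetime, timezone

# Fields from the procedure's incident notification checklist (names assumed).
CHECKLIST_FIELDS = (
    "reported_by", "phone", "nature", "occurred_at", "detected_how",
    "discovered_by", "detected_at", "impact", "business_critical",
    "targets", "attackers",
)
TARGET_FIELDS = ("hostname", "os", "ip", "location")


def missing_fields(checklist):
    """Names of checklist fields that are absent or empty (False is a value)."""
    missing = [f for f in CHECKLIST_FIELDS if checklist.get(f) in (None, "")]
    for t in checklist.get("targets") or []:
        missing += [f"targets.{f}" for f in TARGET_FIELDS if not t.get(f)]
    return missing


class Logbook:
    """Append-only record of an incident, one hash-chained entry per event."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, kind, data):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "kind": kind,
            "data": data,
            "prev": prev,          # link to the previous entry's hash
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def open_incident(self, checklist):
        """First entry: the notification checklist, which must be complete."""
        missing = missing_fields(checklist)
        if missing:
            raise ValueError("checklist incomplete: " + ", ".join(missing))
        return self._append("notification", checklist)

    def record(self, who, action, command=None, result=None):
        """Later entries: who did what, with which command, and the result."""
        return self._append("action", {"who": who, "action": action,
                                       "command": command, "result": result})

    def verify(self):
        """Recompute the chain.  Returns -1 if intact, otherwise the seq of
        the first entry whose content or link no longer matches."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return -1


# Constructed sample incident (every value invented for the example).
SAMPLE_CHECKLIST = {
    "reported_by": "school tech contact", "phone": "555-0100",
    "nature": "virus", "occurred_at": "2008-10-06T07:40",
    "detected_how": "AV alert on lab machine", "discovered_by": "lab teacher",
    "detected_at": "2008-10-06T08:05", "impact": "computer lab offline",
    "business_critical": False,
    "targets": [{"hostname": "lab-pc-12", "os": "Windows XP",
                 "ip": "10.20.30.12", "location": "Room 114"}],
    "attackers": [{"ip": "192.0.2.77"}],
}


def build_sample_logbook():
    book = Logbook()
    book.open_incident(SAMPLE_CHECKLIST)
    book.record("tech A", "isolated host", "unplugged network cable", "done")
    book.record("tech A", "collected AV log", "copied AV quarantine log", "3 detections")
    return book


if __name__ == "__main__":
    book = build_sample_logbook()
    print("chain intact:", book.verify() == -1)
    book.entries[1]["data"]["result"] = "skipped"   # simulate a later edit
    print("first altered entry:", book.verify())
```

Writing the entries out as JSON lines to a file kept outside the affected systems gives a record that can be handed to the information security analyst with the completed Form 7540.09 F1, and verify() shows whether anything in it changed after the fact.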

 C.Containment
  Once the issue is reported and identified, the technician specialist must isolate the threat (e.g., unplug the network cable, block the host at the router or with filters, move it to a quarantine VLAN on the network switch, or change administrative passwords). Prefer isolating at the network over powering the machine off, so that evidence in memory is preserved for later review. It may be that technician specialists only need to alert users to take a specific action or simply to be aware of a specific threat.

 D.Eradication
  If a worm is detected and identified, technician specialists may apply the proper eradication method (i.e., if worm X is in fact identified, there is likely a vendor removal solution). See http://www.mcafee.com/us/threat_center/default.asp and http://vil.nai.com/vil/default.aspx.
  Remove the malicious software by following the actions on McAfee's site for the suspected or identified malware, then verify that the applicable McAfee updates, operating system security patches, etc., are applied.

 E.Recovery
  Continue to monitor the situation, keeping in mind the actual identified threat. The Symantec and McAfee sites provide complete information on what a given piece of malware does and how to remove it. Make sure all affected users are aware of what happened and what to look for. (See http://www.mcafee.com/us/threat_center/default.asp and http://vil.nai.com/vil/default.aspx.)

 F.Lessons Learned
  After things calm down and all systems appear to be stable, technician specialists need to try to understand how the District became infected with this piece of malware* in the first place. Was it a user's lack of awareness (i.e., someone brought in an infected USB drive or laptop and connected it to the LAN)? Did someone open an unsolicited e-mail? Did someone browse to a risky web site? Was the District attacked from the outside? Was the attack or incident an internal event only? How could it have been prevented? Complete an Information Security Incident Response Form 7540.09 F1. The District information security analyst will perform periodic information security reviews and report issues to senior management.
  *Malware or malicious software is software designed to infiltrate or damage a computer system without the owner's informed consent.

Approved 4/10/07
Revised 10/08