INCIDENT HANDLING PROCEDURES SUMMARY
November 17, 1994
Dale Drew, Manager, InternetMCI Security
MCI Telecommunications Corporation

Approved By: Robert Hagens, Senior Manager, MCI Telecommunications, Inc.
Date: _____________________

MCI Proprietary

CONTENTS
1. Log File Monitoring System (MILS System)
1.1 Incident Detection and Notification
1.1.1 Collection
1.1.2 Department Notification
1.1.3 Escalation
1.2 Incident Investigation
1.2.1 Incident Documentation
1.2.2 Incident Investigation
1.2.3 Incident Closure
2. Party Notification
2.1 NOC Notification
2.2 Interconnect Notification (JTC)
2.3 Customer Notification
3. Intelligence Information
4. Tiger Team Procedures
4.1 Internal Tiger Team Tests
4.2 External Tiger Team Tests
4.3 Internal System Audits
Revision History
PGP Plan and Documentation

This locally controlled operating procedure is associated with Major Process "InternetMCI Security" in the MCI InternetMCI Quality Manual.

Distribution: Phill Gross, Robert Hagens, Dale Drew, Monique Benoit, JTC Members (names on file)

Date last revised: November 1, 1994, 11:30 am

Report Name: Security Policies and Procedures / Incident Handling
Report Number: iMCISE:SECPOL:1101:94:DRAFT
Report Date: 11/1/94
Report Format: Summary
Report Classification: Distribution Unlimited
Report Distribution: On File
Report Refers to: MILS Incident Handling Policy, Incident Handling Procedures, TABBS manual, Checklist Guide

It is the policy of the InternetMCI Security Department to investigate all internal and customer reports of security-related incidents, and all detected suspicious or unusual traffic behavior on the network(s). When implementing this policy, the InternetMCI Security Department (IMSD) follows established procedures to conduct security investigations and cooperates fully with customers and law enforcement officials to prosecute offenders.

1. LOG FILE MONITORING (MILS SYSTEM)

1.1 Incident Detection and Notification

1.1.1 Collection
The MILS agents collect log and traffic data from network elements and scan them for unusual or suspicious activity. When such activity is identified, MILS gathers as much information on the incident as it can and forwards it to the on-call Security Engineer. Where available, MILS will also provide profile information on the session anomaly. Depending on the severity of the incident and/or the escalation time elapsed, MILS may take action on the incident itself to protect network elements.

1.1.2 Department Notification
When a Log Agent Program (LAP) identifies unusual activity, it will report that activity by sending a text message to the "security" email account and to the department pager.

1.1.3 Escalation
Should the incident not be responded to within the threshold time, an escalation page will be sent to the department manager.

1.2 Incident Investigation

1.2.1 Incident Documentation
MILS will automatically open an Incident Case (IC, i.e. a trouble ticket) for proper documentation. The IC must be closed or updated within the threshold time, or automated escalation procedures will initiate. Completed incidents are PGP signed with the Security Engineer's key, encrypted with the Department key, and stored on-line.

1.2.2 Incident Investigation
Follow the Party Notification section (Section 2) where appropriate. Follow the MILS Incident Handling Policy for specific MILS incident alerts.

1.2.3 Incident Closure
At closure of the incident, the Security Engineer must sign the Incident Case document with their PGP key, encrypt it with the department PGP key, and save it into the review MILS folder. All incidents in the review folder will be reviewed by the department manager, commented on where appropriate, and filed into the appropriate MILS category folders.

2. PARTY NOTIFICATION

2.1 NOC Notification
Should a MILS Incident involve the compromise or attack of NOC monitoring systems, the NOC Manager and NOC staff will be paged immediately by the on-call Security Engineer and/or the Security Department Manager, and the security department will take immediate action. Should a MILS Incident be non-critical, a follow-up email will be sent to the specific NOC employee, NOC staff and/or NOC Manager, as appropriate. All FYI-level MILS Incidents will be recorded by MILS as profile information and will not involve notification to the NOC. Where appropriate, PGP-encrypted mail will be sent to NOC staff members to gather information on, or give notice of, security incidents.

Security will require from the NOCs an up-to-date list of personnel and contact numbers at all times, as well as a shift schedule showing when NOC management personnel are available.

2.2 Interconnect Notification (JTC)
Should a MILS Incident involve an attack on a Network Provider that is directly (or indirectly) connected to the MCI network(s), the Network Provider (the JTC member) will be contacted immediately by the best method available (pager, PGP-encrypted email, etc.). Full disclosure of the incident will be provided to the JTC member; Incident Case documents and MILS raw data that detail information not pertaining to that JTC member will not be made available. Should the incident involve intelligence information pertaining to a specific JTC member, that information will be provided to that JTC member via PGP-encrypted email (see Section 3 of the Incident Handling Procedures and Section 2 of the TABBS manual). Incident or intelligence information that involves a customer's CPE on another network provider will be provided to that customer, the customer's provider, and to the CERT organization.
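The PGP handling that Sections 1.2.1 and 1.2.3 require for a closed Incident Case (signed with the Security Engineer's own key, then encrypted with the Department key) and that Sections 2.1 and 2.2 rely on for PGP-encrypted notices to NOC staff and JTC members, shown as an added example in Go. It is not part of the original procedure and does not use PGP: in place of PGP 2.6's RSA and IDEA it uses the Go standard library's Ed25519 signatures, X25519 key agreement and AES-GCM, and the key derivation (SHA-256 over a label, the shared secret and both public keys) is an assumption made for this illustration. The sample case text and the IC-0001 identifier are constructed. What it demonstrates is the key separation the procedure depends on: the engineer's signing key proves who closed the case, the department key rather than the engineer's is what the reviewing manager needs to read it, and the signature is only checked after the case has been decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sealed is a completed Incident Case as stored: the engineer's signature is
// inside the ciphertext, so only the department key reveals who signed what.
type Sealed struct {
	EphemeralPub []byte // one-time X25519 public key used for this case
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM over signature || document
}

// deriveKey is a simplified KDF assumed for this example (not PGP's scheme):
// SHA-256 over a label, the shared secret and both public keys.
func deriveKey(shared, ephPub, deptPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("incident-case-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(deptPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the Security Engineer's closure step: sign with the engineer's
// Ed25519 key, then encrypt signature||document to the department X25519 key.
func Seal(doc []byte, engineerPriv ed25519.PrivateKey, deptPub *ecdh.PublicKey) (*Sealed, error) {
	sig := ed25519.Sign(engineerPriv, doc)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(deptPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, deptPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), doc...)
	return &Sealed{ephPub, nonce, gcm.Seal(nil, nonce, plain, ephPub)}, nil
}

// Open is the reviewing manager's step: decrypt with the department private
// key, then verify the engineer's signature. Either failure rejects the case.
func Open(s *Sealed, deptPriv *ecdh.PrivateKey, engineerPub ed25519.PublicKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(s.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := deptPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, s.EphemeralPub, deptPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, s.EphemeralPub)
	if err != nil {
		return nil, errors.New("decryption failed: wrong department key or tampered case")
	}
	n := ed25519.SignatureSize
	if len(plain) < n || !ed25519.Verify(engineerPub, plain[n:], plain[:n]) {
		return nil, errors.New("signature does not verify: not a case signed by this engineer")
	}
	return plain[n:], nil
}

func main() {
	engPub, engPriv, _ := ed25519.GenerateKey(rand.Reader)
	deptPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sealed, _ := Seal([]byte("IC-0001: constructed sample case"), engPriv, deptPriv.PublicKey())
	doc, err := Open(sealed, deptPriv, engPub)
	fmt.Printf("%q %v\n", doc, err)
}
```

Open rejects a case sealed to a different department key, a case signed by someone other than the named engineer, and any bit flip in the ciphertext. One caveat that applies to PGP as much as to this code: a plain sign-then-encrypt signature covers only the document, so a holder of the department key could re-encrypt the engineer's signed case to a third party and it would still verify as the engineer's. For cases that only ever go into the department's own review folder this is acceptable; if signed material is forwarded to JTC members, put the intended recipient inside the signed text.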
2.3 Customer Notification
Should a MILS Incident (or intelligence information) involve an attack on an MCI network customer's host or network, the customer will be notified immediately, via the fastest method possible (i.e. pager, email, etc.). The MCI Account Rep will also be contacted and briefed at all stages of the Incident, and the MCI PSO organization will be contacted as well. Incident checklists will be provided to the customer to assist them with the installation of programs (commercial and public domain), policies, and general security handling procedures, in an attempt to identify and counter the attack (refer to the Checklist Guide for additional details).

Should a MILS Incident (or intelligence information) involve possible information on the security of an MCI network customer host or network, the customer will be notified via a non-priority email message or telephone call.

3. INTELLIGENCE INFORMATION
The InternetMCI Security Department will freely exchange any intelligence information it gathers that may affect its customers, employees, NOCs, networks, or interconnects. This information will be provided either to specific parties, encrypted, or to the group list (jtc) as a whole. Information gathered from the TABBS program, law enforcement, "hacker" programs, other security contacts, etc. will be included in this information exchange program.

4. TIGER TEAM PROCEDURES

4.1 Internal Tiger Team Tests
A security incident will be scheduled once a month to test the policies and procedures that pertain to the Incident Handling Policy. This Tiger Team test will concentrate on the ability of the MILS program to identify a possible security breach of the network element(s) by an internal user (i.e. a valid internal user, or an internal user account that has been compromised), and the ability of the Security Department to react to that Incident.

Testing schedules will be known only to the Department Manager and, when such assistance is needed, to the appropriate third parties (i.e. NOCs, IPDEV Team, etc.). A summary of the Incident will be provided to the JTC containing the following information:

Incident Type:
Start time of Incident:
Time detected by MILS:
Time MILS sent notification:
Time MILS escalated:
Time On-call responded to MILS:
Time Incident was cleared by On-call to MILS:
Time Incident Case was closed (stop time):
Recommendations for improvement of the MILS agent or Incident Handling Policy.

4.2 External Tiger Team Tests
A security incident will be scheduled once a month to test the policies and procedures that pertain to the Incident Handling Policy. This Tiger Team test will concentrate on the ability of the MILS program to identify a possible security breach of the network element(s) from an external source (i.e. a network intruder attempting to scan or break into internal systems, or the network elements of network customers), and the ability of the Security Department to react to that Incident.

Testing schedules will be known only to the Department Manager and, when such assistance is needed, to the appropriate third parties (i.e. NOCs, IPDEV Team, etc.). A summary of the Incident, containing the same fields as the internal test summary in Section 4.1 (incident type, start time, time detected by MILS, time MILS sent notification, time MILS escalated, time On-call responded, time cleared by On-call, time the Incident Case was closed, and recommendations for improvement of the MILS agent or Incident Handling Policy), will be provided to the JTC.

4.3 Internal System Audits
Twice a month, all internal systems will automatically be subjected to an exposure analysis. The exposure analysis will test the internal systems for bugs, patch installations, sensitive file modification, backdoors, etc.
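The "sensitive file modification" and "backdoor" items of the exposure analysis lend themselves to a baseline-and-compare check of the kind Tripwire introduced: hash every file of interest, store the hashes somewhere an intruder on the audited host cannot reach, and rehash at each audit. The following is an added example in Go, not part of the original procedure or of the MILS system; the audited root, where the baseline is kept, and the file names used in its usage note are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a path relative to the audited root to the SHA-256 of its
// contents; keep it off-host or signed so an intruder cannot rewrite it too.
type Baseline map[string]string

// Finding is one difference between the baseline and the current state.
type Finding struct {
	Kind string // "added", "modified" or "removed"
	Path string
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// Snapshot hashes every regular file under root. Symlinks, devices and
// directories are skipped in this illustration (WalkDir does not follow links).
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p) // cannot fail for paths produced by walking root
		b[rel] = sum
		return nil
	})
	return b, err
}

// Compare reports "modified" (contents changed), "added" (not in the baseline,
// e.g. a planted .rhosts) and "removed" files, sorted so reports diff cleanly.
func Compare(base, now Baseline) []Finding {
	var out []Finding
	for p, sum := range now {
		old, ok := base[p]
		switch {
		case !ok:
			out = append(out, Finding{"added", p})
		case old != sum:
			out = append(out, Finding{"modified", p})
		}
	}
	for p := range base {
		if _, ok := now[p]; !ok {
			out = append(out, Finding{"removed", p})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].Path < out[j].Path
	})
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: exposure <root>   (prints a fresh baseline of root)")
		os.Exit(2)
	}
	b, err := Snapshot(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for p, sum := range b {
		fmt.Printf("%s  %s\n", sum, p)
	}
}
```

Take the baseline once after a known-good install or patch cycle and rehash at each twice-monthly audit: a replaced /bin/login shows up as "modified", a planted /etc/.rhosts as "added", an extra uid-0 line in /etc/passwd as "modified", and a deleted hosts.equiv or log file as "removed". Legitimate patch installations also appear as "modified", so the baseline has to be re-taken after each approved patch, and a content hash says nothing about a backdoor that lives only in a running process or in the kernel.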
Reports of the exposure analysis will be sent to the Security Department for analysis and corrective action.

REVISION HISTORY
This locally controlled operating procedure is associated with the Departmental Procedures in the ISO9000 InternetMCI Security Handbook.

Issue Number   Document      Item Added        Date
1.1            First Draft   Entire Document   11/1/94

PGP PLAN AND DOCUMENTATION
In order to exchange confidential information in a secure manner via email, we will be making use of PGP encryption (v2.6 or above). PGP makes use of public/private key exchanges, giving you the ability to exchange confidential information without the use of a common password or common secret.

PGP is being installed on all of the SUN systems, with a GUI interface to make the encryption and decryption process much more user friendly than it already is. An IBM version of PGP is also available, but the enhanced GUI is not ready as of yet.

Shortly, I will send information on how to make use of the PGP package, including how to generate public/private keys, and I would ask that, as soon as you receive this information, you follow the instructions so that we can start protecting confidential information.

In addition, a PGP key server is being set up to help everyone obtain public keys for other people (you need to know someone's public key before you can send them encrypted mail, along the lines of needing someone's telephone number before you can call them). The key server will hold keys for: InternetMCI employees, NOC employees (including the HNMC and SURAnet), JTC members, and Cisco.

Please let me know if you intend on using the Sun UNIX version or the IBM version. Should you have any questions, please let me know.

Regards,
Dale Drew
Manager, InternetMCI Security
703/715-7058

SECURITY CONTACTS
MCI
2100 Reston Parkway
Reston, VA 22091
Fax 703.715.7066

Name        Phone          Pager         PIN
Dale Drew   703.715.7058   1800SKYpage   5705844

Security Email
Dale Drew      ddrew@mci.net
General Info   security@mci.net
Email Page     beep-security@mci.net ??