3 SCOPE
This manual applies to all USDA agencies, programs, teams,
organizations, appointees, employees, contractors and other entities
responsible for USDA systems and data.
4 ABBREVIATIONS
ACIO CS Associate CIO
for Cyber Security
CIO Chief
Information Officer
CS Cyber
Security
DNS Domain
Name Server
DoS Denial
of Service
FBI
Federal Bureau of Investigation
FTP File
Transfer Protocol
I/D
Intrusion Detection
IDS
Intrusion Detection System
IP
Internet Protocol
IRT
Incident response team
ISP
Internet Service Provider
ISSO
Information Systems Security Officer
ISSP
Information Systems Security Program
ISSPM Information
Systems Security Program Manager
IT
Information Technology
OCIO Office of
the Chief Information Officer
OIG Office of
the Inspector General
POC Point of
Contact
OMB Office of
Management & Budget
SA System
Administrator
SOC Security
Operations Center
TSO
Telecommunications Service Organization
US-CERT United States
Computer Emergency Response Team
USDA United
States Department of Agriculture
5 DEFINITIONS
Adverse event – An event that indicates or produces
an actual or potential negative consequence to USDA IT systems. Included are: attempted or actual system
crashes, network packet floods, unauthorized use or disclosure, defacement of a
webpage, and execution of malicious code.
[USDA rates LOW and MEDIUM Intrusion Detection reports as undesirable
events. HIGH Intrusion Detection
reports are considered CS incidents.]
Documented and verified adverse events are incidents.
Adware – Any software application,
which displays advertising banners while running a program. Adware includes additional code that
delivers the ads, which can be viewed through pop-up windows or through a bar
that appears on the computer screen. It
usually includes code that tracks a user’s personal information and passes it
on to third parties without the user’s authorization or knowledge.
Botnet – A network of compromised
machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands
of systems that can be linked together), they pose a severe threat to the
Government’s IT infrastructure.
Breach - Any illegal penetration or unauthorized access to a computer
system that causes damage or has the potential to cause damage.
Chain of Custody - Protection of evidence by each responsible party to ensure
against loss, breakage, alteration or unauthorized handling. Protection also includes properly securing,
identifying, and dating evidence.
Compromise –The unauthorized disclosure, modification,
substitution, or use of sensitive information or the successful action to
invade system by getting around its security. A computer has been compromised,
for example, when a Trojan Horse has been installed.
Compromise of Integrity –Any unauthorized modification of information or data.
Cyber/Computer Security Incident – A violation or imminent threat of violation of
computer security policies, acceptable uses or standard computer security
policies. It is also any adverse event
whereby some aspect of a computer system is compromised as: loss of data
confidentiality; disruption of data integrity; disruption of availability, also
known as a denial of service.
Damage –The unauthorized deliberate or accidental physical or logical
modification, destruction or removal of information or data from an IT system.
Denial of Service (DoS) – An inability to use system resources due to unavailability; for
example, when an attacker has disabled a system, a network worm has saturated
network bandwidth, an IP address has been flooded with external messages or the
system manager and all other users become locked out of a system.
Event – Any observable or measurable occurrence in a system or
network. Events may include, but are
not limited to, a user connecting to a file share, a server receiving a request
for a Web page, a user sending electronic mail, and firewall blocking a
connection attempt.
Finding – An event or occurrence that may cause a violation or imminent
threat of violation of computer security policies, acceptable use policies, or
standard computer security practices.
Findings require agencies or OCIO CS analysis prior to becoming an
incident.
Firewall – A system that controls network traffic between two networks to
minimize unauthorized traffic or access. Firewalls can protect networks and
systems from exploitation of inherent vulnerabilities. Firewalls are frequently used to prevent
unauthorized Internet users from accessing private networks connected to the Internet.
Harm – To cause damage, injure or impair IT systems using electronic
methods, which can include intangible things such as identity theft.
Incident Closure or Closeout – The last phase of incident
handling
lifecycle during which the agency ISSPM submits the incident report to ACIO CS for review and
comment. Closeout is not final until
peer review has been completed and all questions regarding the incident are
answered satisfactorily.
Incident (Cyber Security) – A violation or imminent threat of violation of computer security
policies, acceptable use or standard computer security practices. It is also any adverse event whereby some
aspect of a computer system is compromised, such as loss of data
confidentiality, disruption of data integrity, disruption or denial of service.
The types of incidents are been classified into LOW, MEDIUM or HIGH levels
depending on the severity.
Incident Declaration – The phase of the incident handling lifecycle during which a
USDA incident number is assigned and the responsible USDA organization begins
its incident handling process. An
incident is declared by a USDA agency, staff office, or incident response team
(IRT) that is recognized and documented as being responsible for incident
handling.
Incident Handling - The comprehensive management process of receiving incident
indications and warnings from Intrusion Detection Systems (IDS), United States
Computer Emergency Response Team (US-CERT), law enforcement or Internet Service
Providers (ISP) that an incident has occurred.
It includes identifying the actual incident type, verifying the victim
or perpetrator’s responsible agency, alerting the agency. It also requires reporting, responding to,
mitigating and closing a USDA CS incident.
Incident Notification – This phase of the incident handling lifecycle involves the
formal transmission of declared incident information to the documented incident
handling or management personnel in the USDA organization that is experiencing
a CS incident.
Incident Oversight – The process of ongoing review and follow-up of incident status
by the USDA incident handling organizations, staff, or assignees to maintain
accurate USDA incident records on the number of incidents declared open, closed
or cancelled. USDA-wide incident
oversight is required for record keeping and review of close-out reports, as
well as compliance with FISMA.
Incident Preparation – This phase of the incident handling lifecycle involves
preparing reports and providing continuous status on the incident.
Incident Prevention – This phase of the incident handling lifecycle involves the
review of alerts, warnings and suspected events from various sources. In addition, it involves continuous system
monitoring and review of risk assessments for systems with high CS incident
rates.
Incident Reporting - This phase involves a formal acknowledgement by the USDA incident
handler that a CS incident has occurred and that notification of all personnel
responsible for responding to, acting upon, or resolving an incident have been
notified. The incident reporting
process includes notification of the ACIO CS, USDA Office of the Inspector
General (OIG) and US-CERT.
Incident Response – The process of acting upon known identified incidents.
The process includes analysis of how the incident occurred actions to
contain the incident, eradicate the cause of the incident, repair the damage,
and recover from the incident. This
phase includes collection and preparation of a lessons learned report and
assistance in the development of an incident report.
Incident Tracking – The process and requirement for USDA and its agencies to
maintain comprehensive records of all incidents from the time of declaration
through closure. USDA and its agencies
are required to track incidents and report the status of those incidents
periodically to OCIO and OIG.
Intrusion – An unauthorized, inappropriate or illegal activity by insiders
or outsiders that can be considered a penetration of a system.
Intruder - A person who is the perpetrator of a computer security
incident. Intruders are often referred
to as “hackers” or “crackers.” Hackers
are highly technical experts who penetrated computer systems; the term crackers
refers to the experts with the ability to “crack” computer systems and security
barriers. Most of the time “cracker” is
used to refer to more notorious intruders and computer criminals. An intruder is a vandal who may be operating
from within USDA or attacking from the outside of Department.
Level of Consequence - The impact an incident has on an organization. Impact includes: loss of data; the cost to a USDA agency or mission area; negative
consequences to the organization (e.g. damage to reputation); and the magnitude
of damage that must be corrected.
Malicious Code – Also known as “Malware” (malicious software), is a computer
code or program designed to deny, destroy, modify, or impede a system’s
configuration, programs, data files, or routines. Malicious code comes in several forms, including viruses and
worms.
Misuse - Unauthorized use of an
account, computer or network by an intruder or malicious user (or insider).
Need-to-Know - The necessity for access to, knowledge of, or possession of
classified or other sensitive information in order to carry out officially
sanctioned duties. Responsibility for
determining whether a person’s duties require possession or access to this
information rests upon the individual having current possession (or ownership)
of the information involved, and not upon the prospective recipient. This principle is applicable whether the
prospective recipient is an individual, a contractor, another Federal agency or
a foreign government.
Pharming – An exploit of the Domain Name Server (DNS) that tries to or
actually transforms the legitimate host name into another IP address. The “pharmer” sets up a website looking
similar to a legitimate site and harvests personal information from
unsuspecting users. Also known as “DNS
cache poisoning.”
Phishing – An exploit that imitates legitimate companies’ e-mails to
entice people to reveal sensitive or private information, or creates a replica
of an existing web page to fool a user into submitting personal, financial or
password data.
Rootkit – A set of tools used by an attacker after gaining root-level
access to a host to conceal the attacker’s activities on the host and permit
the attacker to maintain root-level access to the host through covert means.
Spyware - Any technology that aids in gathering information about a person
or organization without their knowledge.
Sometimes this software is called a “spybot” or “tracking
software.” Spyware is put in someone’s
computer to secretly gather information about the user, agency or company and
relay it to advertisers, foreign governments, and other interested
parties. Spyware can be installed as
part of a virus, worm, or result from installation of a program. Spyware is often installed without the
user’s consent as a drive-by download, by clicking on some option of a
deceptive pop-up or webpage, adware or e-mail attachment.
Threat –A circumstance, condition, or event with the potential to cause
harm to personnel and/or network resources in the form of destruction,
disclosure, modification of data, DoS, and/or fraud, waste and abuse. The most common security threats are to
network systems. Network security
threats include impersonation, eavesdropping, DoS, packet replay/modification.
Trojan Horse – A
non-self-replicating program that seems to have a useful purpose, but in
reality has a different malicious purpose.
USDA Organization –
Any USDA agency, staff office, state and county offices, mission area, project
or working group responsible for purchasing, installing and managing IT
resources.
Virus – A small piece of
malicious code that attaches itself to another program. It does not run on its own, but executes
when the host program is run.
Worm – A type of malicious
code that acts as an independent program, and can usually replicate itself
without human interaction from one system to another.
CHAPTER 1 - PART 1
INCIDENT RESPONSE PROCEDURES
1 BACKGROUND
Networks and information technology (IT) resources are continually
vulnerable to illegal/malicious activity or exploitation by internal and
external sources. Cyber Security(CS)
incident handling is an important and required component of USDA’s CS
program. CS related threats can exploit
vulnerabilities in new or rapidly changing IT.
The most common security threats are those that travel through and to
networked systems. While it is
impossible to eliminate all CS incidents, proactive incident prevention is a
critical element of a mature incident management capability.
Preventative procedures such as patch management, firewalls, risk
and vulnerability assessments and mitigation can reduce incidents. Not all incidents can be prevented. A flexible and adaptable incident response
capability is a necessary part of managing network security threats. Damage to IT systems from a CS incident can
occur in a short period. It is
essential that all USDA organizations (agencies, staff offices, projects,
mission areas, and contractor managed locations) have procedures in place that
can be activated immediately. The
inability of any USDA organization to recognize and promptly report incidents
impacts and potentially compromises the information systems security program
(ISSP) efforts of other USDA organizations and their customers.
The
Federal Information Security Management Act (FISMA) of 2002 requires Federal
agencies to establish incident response and handling capabilities. The law also requires USDA to report
incidents to United
States Computer Emergency Response Team (US-CERT) (formerly FedCIRC)
in the Department of Homeland Security (DHS).
Each Federal agency is required to designate a primary and secondary
Point of Contact (POC) with US-CERT.
The USDA US-CERT POC is located in OCIO CS. Each USDA agency, mission area and staff office is required to
communicate with US-CERT through OCIO CS.
The
need for an incident handling capability within USDA organizations that crosses
agency boundaries has never been greater.
This need will continue as long as those who exploit IT exist. Standard reporting and uniform operating
procedures permit USDA and US-CERT to be better positioned for assessing risks,
addressing vulnerabilities, reducing overall costs and meeting the security
challenges of USDA’s information infrastructure.
2 POLICY
This chapter establishes the minimum policy and procedures for CS
incident handling in USDA. A
Department-wide incident handling and tracking capability will be supported and
maintained by OCIO CS. Each agency is
expected to establish, support and maintain their own internal policies,
procedures or team to support prompt, effective and efficient resolution of CS
incidents in accordance with the process outlined below. USDA organizations must acknowledge and
respond to all CS incidents in accordance with the timeframes in the procedures
below. A critical component of successful
incident handling is a comprehensive knowledge and inventory of all Internet
Protocol (IP) addresses that were delegated to agencies by Telecommunications
Service Organization (TSO). Each USDA
organization is also expected to control, allocate and maintain accurate
electronic records of all assigned IP addresses as required by DR 3300 and
assist with notification of emergency personnel. OCIO CS has documented its responsibilities and role to be the
POC to US-CERT. OCIO CS will be
responsible for notifying OIG and US-CERT of USDA incidents and their
closure. US-CERT will acknowledge
closure of incidents assigned their tracking number. All USDA organizations will ensure that all incident procedures
are followed and that incident reporting is accomplished by the ISSPM through
OCIO CS for all OCIO CS assigned incidents, even if they have their own
incident response team (IRT). ISSPMs
shall be responsible for certifying the accuracy of incident reports.
Policy Exception Requirements – There are no exceptions to the requirement
that all agencies report incidents.
However, USDA organizations that
cannot comply with this policy are required to document shortcomings as formal
policy exceptions. The CIO of the
agency/staff office/mission area will submit all policy exception requests
directly to the ACIO CS.
Exceptions to policy will be considered only in terms of implementation
timeframes; exceptions will not be granted to the requirement to conform to
this policy. USDA organizations cannot
wait until CS incidents occur or cannot be closed to request an exception to
policy requirements. Exceptions that
are approved will be interim in nature and will require that each agency report
this Granted Policy Exception (GPE) as a Plan of Action & Milestones (POA&M)
in their FISMA reporting, with a GPE notation, until full compliance is
achieved. Interim exceptions expire
with each fiscal year. Compliance
exceptions that require longer durations must be submitted to the USDA CIO for
approval and contain a convincing case for the extension with an updated
timeline for completion. Any
approved extensions must continue to be documented in the agency’s annual FISMA
report and quarterly POA&Ms. OCIO
CS will monitor all approved exceptions.
3 PROCEDURES
An incident is the act of violating an explicit or implied
security policy. The types of activity
that are widely recognized as being CS incidents are violations categorized as,
but are not limited to, attempts (either failed or successful) to gain
unauthorized access to a system or its data, unwanted disruption or denial of
service, the unauthorized use of a system for the processing or storage of
data, or changes to system hardware, firmware or software characteristics
without the owner’s knowledge, instructions, and approval. The level of consequence of an incident
refers to the relative impact it has on an organization. The types of impact include: loss of data; the loss or theft of
information, IT resources, revenue or confidence in a USDA agency or mission
area by the general public or customers; or a high level of damage that must be
corrected prior to system restoration.
a In USDA, CS incidents shall be declared for the following
reasons:
(1) Analysis of intrusion detection system (IDS) reports that are
rated as High: Internal, or High: External, and show system compromises in the
logs;
(2) Notification by US-CERT of a USDA IP or e-mail address being
the cause or victim of malicious or questionable activity;
(3) Alert, notification, or warning from other U. S. Government
agencies that USDA IP address(s) is the target or originator of malicious
activity;
(4) Notification by the USDA OIG of a complaint that requires CS
investigation or technical support;
(5) Complaints by an Internet Service Provider (ISP) that detail
specific, prohibited activities by a USDA host, IP address or e-mail address;
(6) Complaints by organizations and companies that exist to ensure
copyright protection. These include the
Business Software Alliance (BSA), Software & Information Industry
Association (SIIA), Recording Industry Association of America (RIAA), The
Motion Picture Association of America (MPAA), and companies that monitor the
Internet on behalf of movie, video, and music copyright holders;
(7) Floods of viruses, worms and Trojan Horses for which
anti-malicious code/anti-virus software is not available. In attacks such as Code Red, Nimda, Slammer,
and Blaster One, one USDA incident number will be assigned for the entire
process;
(8)
Complaints
from the public, or other employees that include specific examples or
references of inappropriate or illegal use by USDA employees, cooperators, partners or contractors
utilizing USDA IT; and
(9) A self-discovery by a USDA organization that meets the
definition of an incident (i.e., virus discoveries, criminal
actions, etc.)
Figure 1
b Cyber
Security Incidents are to be declared when they are serious and considered
major in nature. They are declared
based on the
assessment
of the gravity of the situation, sensitivity of information threatened or
compromised and the potential for harm to USDA. Outlined below are criteria for the high-level incidents or
medium and low events:
Figure 1
b CS incidents are to be declared when
they are serious and considered major in nature. They are declared based on the
assessment of the gravity of the situation,
sensitivity of information threatened or compromised and the potential for harm
to USDA.
Outlined below are criteria for the CS
incidents (High Level Events) or medium and low level events:
(1) Cyber Security (CS) incidents are High Level Events or
US-CERT Priority Level 1 and 2 disruptions that are the most serious and
considered ‘major’ in nature. Because
of the gravity of the situation and the high potential for harm to USDA, these
incidents should be handled immediately.
USDA CS incidents include events, activities, and violations such
as: possible life threatening activity,
compromise of critical systems or information, root compromise, child
pornography, pornographic trafficking, music/unauthorized software trafficking,
any violation of law or agency specific policies or statute. Any activities that are not normally
reported to US-CERT but are reported to OIG, Human Resources or law enforcement
are defined as CS incidents and will be assigned an incident tracking number
(ITN). These incidents will be handled
using an accelerated and principals only/limited distribution CS incident
response. If criminal proceedings are
initiated, the USDA incident handler may not have a need-to- know further
details.
Agency ISSPMs who have suspected or confirmed incidents in this
category are to immediately report the severity and coordinate the incident
response with the ACIO for CS or designate.
If the incident remains open for more than 15 days, ACIO CS will send
the agency CIO a one-time notification of open incident(s). Each USDA organization’s CIO will respond
with corrective actions; a POA&M will also be initiated until incident(s)
are closed.
CS incidents include:
- Suspected
computer or network break-In (of a USDA computer or by USDA computer);
- USDA
website defacements or compromises, including failure to take the
website offline or deregister the URL when the website is no longer
used or supported by USDA;
- Successful
DoS attacks by USDA computers or against USDA computers;
- Computer
Virus/Worms/Trojan Horses for which anti-virus software updates are not
available or their deployment will be delayed (depending on impact to
Agency/Department);
- Detection
of malware, including viruses, worms, Trojan Horses or spyware, caused
by employees who have declined to bring laptops into the office for
upgrades;
- Connection
of non-Government computers and servers to the USDA network without
authorization or in violation of security policies;
- Unauthorized
use of a system for processing or storing non-USDA or prohibited data
or information on USDA IT resources, including the establishment and
operation of a private or personal business;
- Changes
to system hardware, firmware or software without the system owner’s
authorization;
·
Property destruction related
to a CS incident (exceeding $100,000);
- Personal
theft related to a CS incident (exceeding $100,000);
- Electronic
file transfer (EFT) exploitation/manipulation or engaging in Phishing
or Pharming;
- Installation,
use or sharing of Peer-To-Peer Software;
- Activity
including unauthorized or illegal serving out, downloading or sale of
copyright material;
- Child
pornography;
- Pornography;
- On-Line
gambling;
- Attempts
to circumvent access to any USDA blocked Web Sites such as pornography,
gambling and hate crimes;
- Download,
use or sharing of copyright protection music or unauthorized software;
- Misuse
of Government property, facilities or services including accepting
payment or services to provide access to or use of USDA IT resources in
excess of one’s authority, such as forwarding spam, engaging in
unofficial/unauthorized chat, non-USDA e-mail and instant messaging
services; and
- Any
violation of law.
Other
types of incidents are categorized as adverse CS events and shall not be
declared CS incidents unless there is a confirmed compromise of sensitive
information, a threat to USDA IT resources or subsequent escalation to a CS
Incident.
(2) Medium level Cyber Security (CS) events are potentially
serious and should be handled the same day the event occurs or notification of
the event is made to USDA organization (normally in two to four hours of the
event). These events can be reported to
the agency ISSPM by OCIO CS (when detected in USDA/OCIO), the helpdesk, system
administrator (SA) or incident handler(s) or incident response team
(CSIRT).
These include:
·
Adverse action resulting in
employee termination
in which the Government computer is neither the tool or target of
the action;
- US-CERT
priority level 3 activity;
- IDS
reports that define activity as medium;
- Unauthorized
use of a system for processing or storing USDA data;
·
Property destruction related
to a CS incident (less than $100,000);
- Personal
theft related to a CS incident (less than $100,000);
- Misuse
of Government property, facilities and services;
·
Unconfirmed
computer virus/worms (depending on impact to Agency/Department and if the
infection is the result of a security policy violation); and
·
Undocumented
or unapproved vulnerability scans.
(3) Low level Cyber Security (CS) events are the least
severe and should be investigated within three working days after the event
occurs. These events can be reported to
the agency ISSPM by OCIO CS (when detected in USDA), the helpdesk, SA or
incident handler or incident response team (IRT).
Low level CS events include:
·
Loss or compromise of a personal password;