CHAPTER 1 - PART 1

 INCIDENT RESPONSE PROCEDURES

 

 

1          BACKGROUND

 

Networks and information technology (IT) resources are continually vulnerable to illegal or malicious activity and to exploitation by internal and external sources.  Cyber Security (CS) incident handling is an important and required component of USDA's CS program.  CS related threats can exploit vulnerabilities in new or rapidly changing IT.  The most common security threats are those that travel through and to networked systems.  While it is impossible to eliminate all CS incidents, proactive incident prevention is a critical element of a mature incident management capability.

 

Preventative procedures such as patch management, firewalls, risk and vulnerability assessments and mitigation can reduce incidents.  Not all incidents can be prevented.  A flexible and adaptable incident response capability is a necessary part of managing network security threats.  Damage to IT systems from a CS incident can occur in a short period.   It is essential that all USDA organizations (agencies, staff offices, projects, mission areas, and contractor managed locations) have procedures in place that can be activated immediately.  The inability of any USDA organization to recognize and promptly report incidents impacts and potentially compromises the information systems security program (ISSP) efforts of other USDA organizations and their customers.  

 

The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish incident response and handling capabilities.  The law also requires USDA to report incidents to United States Computer Emergency Response Team (US-CERT) (formerly FedCIRC) in the Department of Homeland Security (DHS).  Each Federal agency is required to designate a primary and secondary Point of Contact (POC) with US-CERT.  The USDA US-CERT POC is located in OCIO CS.   Each USDA agency, mission area and staff office is required to communicate with US-CERT through OCIO CS. 

 

The need for an incident handling capability within USDA organizations that crosses agency boundaries has never been greater.  This need will continue as long as those who exploit IT exist.  Standard reporting and uniform operating procedures permit USDA and US-CERT to be better positioned for assessing risks, addressing vulnerabilities, reducing overall costs and meeting the security challenges of USDA’s information infrastructure.

 

 

2          POLICY

 

This chapter establishes the minimum policy and procedures for CS incident handling in USDA.  A Department-wide incident handling and tracking capability will be supported and maintained by OCIO CS.  Each agency is expected to establish, support and maintain their own internal policies, procedures or team to support prompt, effective and efficient resolution of CS incidents in accordance with the process outlined below.  USDA organizations must acknowledge and respond to all CS incidents in accordance with the timeframes in the procedures below.  A critical component of successful incident handling is a comprehensive knowledge and inventory of all Internet Protocol (IP) addresses that were delegated to agencies by Telecommunications Service Organization (TSO).  Each USDA organization is also expected to control, allocate and maintain accurate electronic records of all assigned IP addresses as required by DR 3300 and assist with notification of emergency personnel.   OCIO CS has documented its responsibilities and role to be the POC to US-CERT.  OCIO CS will be responsible for notifying OIG and US-CERT of USDA incidents and their closure.  US-CERT will acknowledge closure of incidents assigned their tracking number.  All USDA organizations will ensure that all incident procedures are followed and that incident reporting is accomplished by the ISSPM through OCIO CS for all OCIO CS assigned incidents, even if they have their own incident response team (IRT).  ISSPMs shall be responsible for certifying the accuracy of incident reports.

 

Policy Exception Requirements – There are no exceptions to the requirement that all agencies report incidents.  However, USDA organizations that cannot comply with this policy are required to document shortcomings as formal policy exceptions.  The CIO of the agency/staff office/mission area will submit all policy exception requests directly to the ACIO CS.  Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy.  USDA organizations cannot wait until CS incidents occur or cannot be closed to request an exception to policy requirements.  Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestones (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved.  Interim exceptions expire with each fiscal year.  Compliance exceptions that require longer durations must be submitted to the USDA CIO for approval and contain a convincing case for the extension with an updated timeline for completion.  Any approved extensions must continue to be documented in the agency’s annual FISMA report and quarterly POA&Ms.  OCIO CS will monitor all approved exceptions.

 

 

3          PROCEDURES

 

An incident is the act of violating an explicit or implied security policy.  The types of activity widely recognized as CS incidents include, but are not limited to, attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data, and changes to system hardware, firmware or software characteristics without the owner's knowledge, instructions and approval.  The level of consequence of an incident refers to the relative impact it has on an organization.  The types of impact include:  loss of data; the loss or theft of information, IT resources, revenue or confidence in a USDA agency or mission area by the general public or customers; or a high level of damage that must be corrected prior to system restoration.

 

a         In USDA, CS incidents shall be declared for the following reasons:

 

(1)       Analysis of intrusion detection system (IDS) reports that are rated as High: Internal, or High: External, and show system compromises in the logs;

(2)       Notification by US-CERT of a USDA IP or e-mail address being the cause or victim of malicious or questionable activity;

(3)       Alert, notification, or warning from other U.S. Government agencies that a USDA IP address is the target or originator of malicious activity;

(4)       Notification by the USDA OIG of a complaint that requires CS investigation or technical support;

(5)       Complaints by an Internet Service Provider (ISP) that detail specific, prohibited activities by a USDA host, IP address or e-mail address;

(6)       Complaints by organizations and companies that exist to ensure copyright protection.  These include the Business Software Alliance (BSA), Software & Information Industry Association (SIIA), Recording Industry Association of America (RIAA), The Motion Picture Association of America (MPAA), and companies that monitor the Internet on behalf of movie, video, and music copyright holders;

(7)       Floods of viruses, worms and Trojan Horses for which anti-malicious code/anti-virus software is not available.  In attacks such as Code Red, Nimda, Slammer, and Blaster, one USDA incident number will be assigned for the entire process;

(8)       Complaints from the public or other employees that include specific examples or references of inappropriate or illegal use by USDA employees, cooperators, partners or contractors utilizing USDA IT; and

(9)       A self-discovery by a USDA organization that meets the definition of an incident (i.e., virus discoveries, criminal actions, etc.).
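One practical consequence of the IP address inventory requirement in the Policy section above is that a notification naming a USDA IP address (reasons (2), (3) and (5) in the list) has to be routed to the organization that owns that address before the 48-hour finding window described later in this chapter can be met.  The following is an added Python example and is not part of the USDA directive; the allocation table, organization names and contact aliases are constructed placeholders, and the use of a longest-prefix match to resolve sub-delegated blocks is the example's own assumption about how the delegated records are organized.

```python
"""Route an externally reported IP address to the owning USDA organization.

Added example, not part of the original USDA directive. The allocation
table, organization names and contact aliases are constructed placeholders;
a real inventory would be the TSO-delegated records each organization is
required to maintain.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Union

# Constructed sample inventory: (network, organization, ISSPM contact).
# The nested pair is deliberate: 192.0.2.128/25 is sub-delegated to a
# different organization than the surrounding /24, so a naive first-match
# lookup would route alerts for that half of the block to the wrong ISSPM.
SAMPLE_INVENTORY = [
    ("192.0.2.0/24",     "AGENCY-A", "isspm-a@example.gov"),
    ("192.0.2.128/25",   "AGENCY-B", "isspm-b@example.gov"),
    ("198.51.100.0/24",  "AGENCY-C", "isspm-c@example.gov"),
    ("2001:db8:10::/48", "AGENCY-A", "isspm-a@example.gov"),
]

# Time a USDA organization has to return a finding before ACIO CS declares
# an incident (48 hours per the procedures in this chapter).
FINDING_DEADLINE = timedelta(hours=48)

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Allocation:
    network: Network
    organization: str
    contact: str


def load_inventory(rows):
    """Parse (cidr, org, contact) rows, rejecting malformed entries early."""
    allocations = []
    for cidr, org, contact in rows:
        # strict=True raises if host bits are set, e.g. "192.0.2.1/24",
        # which is the most common data-entry error in a hand-kept inventory.
        net = ipaddress.ip_network(cidr, strict=True)
        allocations.append(Allocation(net, org, contact))
    return allocations


def resolve_owner(ip_text: str, allocations) -> Optional[Allocation]:
    """Longest-prefix match: the most specific delegation wins."""
    ip = ipaddress.ip_address(ip_text.strip())
    best = None
    for alloc in allocations:
        if ip.version != alloc.network.version:
            continue
        if ip in alloc.network and (
            best is None or alloc.network.prefixlen > best.network.prefixlen
        ):
            best = alloc
    return best


def triage_notification(ip_text: str, received_at_iso: str, allocations) -> dict:
    """Build the routing record an incident handler needs for one alert.

    received_at_iso is the notification timestamp in ISO 8601 form; the
    returned finding_due is the same form, offset by FINDING_DEADLINE.
    """
    owner = resolve_owner(ip_text, allocations)
    if owner is None:
        # Inventory gap: the alert cannot be routed, so it cannot be answered
        # inside the finding window. Surface that explicitly rather than
        # silently defaulting to some catch-all organization.
        return {"ip": ip_text, "routable": False, "organization": None,
                "contact": None, "finding_due": None}
    received_at = datetime.fromisoformat(received_at_iso)
    return {
        "ip": ip_text,
        "routable": True,
        "organization": owner.organization,
        "contact": owner.contact,
        "finding_due": (received_at + FINDING_DEADLINE).isoformat(),
    }


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    for reported in ("192.0.2.10", "192.0.2.200", "203.0.113.7"):
        print(triage_notification(reported, "2024-01-01T09:00:00+00:00", inventory))
```

The unresolvable address is the case worth designing for: it is exactly the inventory gap the policy paragraph above is trying to eliminate, because an alert that cannot be routed to an ISSPM cannot produce a finding inside the 48-hour window and will be declared an incident by default.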

Figure 1

 

b         CS incidents are to be declared when they are serious and considered major in nature.  They are declared based on the assessment of the gravity of the situation, the sensitivity of the information threatened or compromised, and the potential for harm to USDA.  Outlined below are the criteria for CS incidents (High Level Events) and for medium and low level events:

 

(1)       Cyber Security (CS) incidents are High Level Events or US-CERT Priority Level 1 and 2 disruptions that are the most serious and considered 'major' in nature.  Because of the gravity of the situation and the high potential for harm to USDA, these incidents should be handled immediately.  USDA CS incidents include events, activities, and violations such as:  possible life-threatening activity, compromise of critical systems or information, root compromise, child pornography, pornographic trafficking, music or unauthorized software trafficking, and any violation of law, statute or agency-specific policy.  Activities that are not normally reported to US-CERT but are reported to OIG, Human Resources or law enforcement are also defined as CS incidents and will be assigned an incident tracking number (ITN).  These incidents will be handled using an accelerated, principals-only/limited-distribution CS incident response.  If criminal proceedings are initiated, the USDA incident handler may not have a need-to-know for further details.

 

Agency ISSPMs who have suspected or confirmed incidents in this category are to immediately report the severity and coordinate the incident response with the ACIO for CS or designate.  If the incident remains open for more than 15 days, ACIO CS will send the agency CIO a one-time notification of open incident(s).  Each USDA organization’s CIO will respond with corrective actions; a POA&M will also be initiated until incident(s) are closed.

 

CS incidents include:

        • Suspected computer or network break-in (of a USDA computer or by a USDA computer);
        • USDA website defacements or compromises, including failure to take the website offline or deregister the URL when the website is no longer used or supported by USDA;
        • Successful DoS attacks by USDA computers or against USDA computers;
        • Computer viruses/worms/Trojan Horses for which anti-virus software updates are not available or their deployment will be delayed (depending on impact to Agency/Department);
        • Detection of malware, including viruses, worms, Trojan Horses or spyware, caused by employees who have declined to bring laptops into the office for upgrades;
        • Connection of non-Government computers and servers to the USDA network without authorization or in violation of security policies;
        • Unauthorized use of a system for processing or storing non-USDA or prohibited data or information on USDA IT resources, including the establishment and operation of a private or personal business;
        • Changes to system hardware, firmware or software without the system owner's authorization;
        • Property destruction related to a CS incident (exceeding $100,000);
        • Personal theft related to a CS incident (exceeding $100,000);
        • Electronic file transfer (EFT) exploitation/manipulation or engaging in Phishing or Pharming;
        • Installation, use or sharing of Peer-To-Peer software;
        • Activity including unauthorized or illegal serving out, downloading or sale of copyrighted material;
        • Child pornography;
        • Pornography;
        • On-line gambling;
        • Attempts to circumvent access controls on any USDA-blocked web sites such as pornography, gambling and hate crimes;
        • Download, use or sharing of copyright-protected music or unauthorized software;
        • Misuse of Government property, facilities or services, including accepting payment or services to provide access to or use of USDA IT resources in excess of one's authority, such as forwarding spam, engaging in unofficial/unauthorized chat, non-USDA e-mail and instant messaging services; and
        • Any violation of law.

 

Other types of incidents are categorized as adverse CS events and shall not be declared CS incidents unless there is a confirmed compromise of sensitive information, a threat to USDA IT resources or subsequent escalation to a CS Incident.

 

(2)       Medium level Cyber Security (CS) events are potentially serious and should be handled the same day the event occurs or the USDA organization is notified of it (normally within two to four hours of the event).  These events can be reported to the agency ISSPM by OCIO CS (when detected in USDA/OCIO), the helpdesk, a system administrator (SA), incident handler(s) or the incident response team (CSIRT).

 

These include:

        • Adverse action resulting in employee termination in which the Government computer is neither the tool nor the target of the action;
        • US-CERT priority level 3 activity;
        • IDS reports that define activity as medium;
        • Unauthorized use of a system for processing or storing USDA data;
        • Property destruction related to a CS incident (less than $100,000);
        • Personal theft related to a CS incident (less than $100,000);
        • Misuse of Government property, facilities and services;
        • Unconfirmed computer virus/worms (depending on impact to Agency/Department and whether the infection is the result of a security policy violation); and
        • Undocumented or unapproved vulnerability scans.

 

(3)       Low level Cyber Security (CS) events are the least severe and should be investigated within three working days after the event occurs.  These events can be reported to the agency ISSPM by OCIO CS (when detected in USDA), the helpdesk, SA or incident handler or incident response team (IRT). 

 

Low level CS events include:

        • Loss or compromise of a personal password;
        • Suspected sharing of USDA accounts;
        • Minor misuse of Government property, facilities and services;
        • US-CERT Priority Level 4 Incident Reporting Guideline events;
        • Unsuccessful scans/probes (internal & external); and
        • Computer virus/worms (depending on impact to Agency/Department).

 

Agencies and staff offices shall not be required to report actions taken to mitigate adverse events unless requested or instructed to by ACIO CS.

 

c         Incident Handling Phases.  The incident handling process consists of seven phases that together form an effective response to an incident.  These phases are designed to ensure that no portion of the process is overlooked and that consistency in incident handling is maintained.  The steps in each phase are listed below:

 

                                   Figure 2

 

 

(1)              Incident Prevention – NIST Special Publication 800-61 reminds Federal agencies that keeping the number of incidents low is important to protect their business processes, mission and reputation.  If security controls are insufficient or security policies are not enforced, large numbers of incidents can occur, with overwhelming consequences for the agency and for USDA as an organization.  In addition, to prevent incidents, each agency and staff office must conduct and keep current risk assessments of its systems and applications.  These assessments should determine what risks, if any, the combinations of threats and vulnerabilities pose to those systems.

 

Incident Indications, Alerts & Warnings – OCIO CS will analyze suspected events, complaints and findings from a variety of sources and notify agencies of these occurrences.  These sources include: the IDS, US-CERT, other Federal agencies, Federal Trade Commission, OIG, ISP, internal audit or assessment, and private copyright protection organizations.   ACIO CS does not automatically declare those communications to be incidents.  When OCIO CS and/ or TSO cannot adequately or promptly determine the accuracy of the indications, alerts and warnings by providing their own findings they will defer to the USDA organization to make a finding.  When USDA organizations do not respond with a finding within 48 hours, ACIO CS will declare these to be a CS Incident. 

     

(2)              Incident Notification - Incident notification is a multi-stage process.  Suspected events, complaints and incidents can occur anytime during a 24-hour period.  For this reason, USDA has established an Incident Handling Program Manager in OCIO CS.  The Incident Handling Program Manager will ensure that USDA organizational personnel are provided with notification of suspected intrusions and receive and document the suspected incident regardless of the source.  Each USDA organization will ensure that OCIO CS has a current electronic list of Agency incident contacts in order to ensure that USDA organizations can be reached promptly to resolve incidents effectively.  This list will include the agency ISSPM, Deputy ISSPM and the CIO.  The ISSPM will be the individual who is responsible for the overall management and resolution of all suspected incidents in agencies and staff offices.

 

Each USDA organization will establish an internal IRT to handle incident data, determine the impact of the incident and act appropriately to limit the damage to the organization and restore normal services.  In OCIO, there is a coordinating team led by OCIO CS staff who act as the Incident Handling Program Manager.  This coordinating team can elect to activate the "Ad Hoc IRT" from all areas of USDA, as required, to assist USDA organizations in responding to major incidents that threaten department resources.  Outside resources often provide objectivity and can be helpful to an internal team under pressure to resolve the crisis.  The primary role of the coordinating team is to provide guidance and advice to the agency internal IRT without having authority over that team.  The agency ISSPM or Deputy ISSPM will notify the agency IRT when a suspected incident is reported by OCIO CS for response and action.  Agencies can respond to these incidents using a team already established for this purpose or assign individuals based on the action needed in an ad hoc fashion.  However, the designated team should be part of a centralized response by the agency to ensure that the process is consistent across the organization and that information is shared at all layers rapidly and effectively.

 

(3)              Incident Identification/Declaration – ACIO CS does not automatically declare findings to be incidents.  However, USDA organizations must respond within 48 hours or ACIO CS will declare an incident; ACIO CS needs a finding or status report in order to withhold that declaration.  When ACIO CS declares an incident, a USDA Incident Tracking Number (ITN) is assigned, by which the department tracks and responds to requests for information concerning the incident.  Agency internal IRTs may also assign their own internal number for tracking purposes.  However, all reports must reference the USDA and US-CERT tracking numbers for reporting purposes.  ACIO CS remains the departmental POC for all incidents and is responsible for providing notifications, status reports and close-out recommendations to US-CERT, OIG and other oversight authorities.  In addition, ACIO CS acts as the POC for notification of the CIO and responds to requests for status and to Secretarial inquiries.  OCIO, in coordination with the Office of Communication (OC), is responsible for all dealings with the media and public.  USDA agencies are to direct inquiries from these sources to OCIO for response and resolution.

 

During this phase an incident or incidents may be cancelled.  Cancellation occurs when investigations determine that no incident occurred, the IDS provided a “false positive”, or information related to the incident was incorrect.  A cancelled incident is the same as a closed incident.

 

(4)              Incident Preparation – Each USDA organization will develop their own incident handling procedures and notification trees.  Documentation and forms should be available at the outset of each formal incident or event that shall be updated at each stage of the incident and shall be finalized at incident/event conclusion.  The USDA CIO, through ACIO CS, will be kept abreast of the status of ongoing major incidents at regular intervals (as events change or progress is made) by the agency until resolution of the incident.

 

(5)              Incident Response – This phase includes the analysis of how the incident happened and how to handle the situation so that it is resolved quickly and does not recur.  Each USDA organization will develop internal response procedures that support the actions that must be taken in responding to incidents.  At a minimum, the internal procedures will include a reporting chain and require the involvement of organizational personnel and OCIO CS.  These procedures will also require the preservation of evidence, assessment, containment and recovery actions, damage determination, report documentation, lessons learned and the identification of corrective actions required by the agency security program managers and CIO.

 

There are three definitive sub-phases of this process: assessment and containment, recovery operations, and damage analysis.

 

Assessment and containment – This process begins as soon as suspicious activity is detected and personnel are designated to take immediate action to resolve the incident.  The IRT(s) must be empowered to take containment actions up to and including the immediate shutdown of the system to prevent further intrusion or damage to the agency system or to other department networks or resources.  The Department CIO also has the authority to issue a "Cease and Desist" order to bring a system down should the circumstances dictate or should the agency not respond to the incident in an expeditious manner (normally 12 hours).  Additionally, the department may issue a port or IP address block internally or externally.  This block will remain in place until the incident is officially closed by OCIO.  Reporting through the agency ISSPM to OCIO CS will occur simultaneously when accurate information is available, particularly in cases where the preliminary assessment indicates that significant damage to USDA resources may have occurred.  Unavailability of any official in the organizational reporting chain is not to delay the continuation of the incident notification or response process.

 

Recovery operations - Each USDA organization should prioritize those actions that support the smooth recovery of a compromised system(s).  In no case should a compromised system, web page or application be returned to normal operation without the approval of ACIO CS.  The ISSPM will request that OCIO CS permit the system(s), web page, or application to resume normal operation.  OCIO CS reserves the right to further scan the system to ensure that appropriate security is in place to protect the Department.   The agency may resume normal operation of the restored system, upon ACIO CS approval and the completion of the IT incident report.  The ACIO CS will have 1 working day to respond with the approval or disapproval to return the system to normal operation.  If a system is mission critical, the USDA organization can coordinate directly with the ACIO CS for a more immediate system restoration, on a case-by-case basis.   If the USDA organization does not receive a response within that time, they can return the system to normal operation provided that they feel adequate security protection is in place to prevent future incidents. 

 

Damage analysis - An analysis of all CS incidents is to be initiated immediately after assessment, containment and recovery actions are completed by each agency ISSPM.   The ISSPM will determine if the incident is confined to one agency or multiple agencies and if there is impact to organizations outside USDA.  The impact to each system will be analyzed to determine if the control of the system has been compromised.  All compromised systems will be disconnected from external communications as soon as possible, but not later than 12 hours from discovery of the incident.  Control of a system is lost when the intruder obtains control of the root or system accounts with administrative privileges.  A determination is to be made if log files have been erased or compromised.

 

The ISSPM will initiate the process of estimating the overall economic impact of the incident to the USDA organization and Department in coordination with the system owner/business manager.  At a minimum, the estimate will be quantified in terms of loss of system(s) availability, loss of response capability to customers, cost of equipment/software to repair, and hours of personnel associated with the repair or restoration of the system(s).  The damage assessment report will be reviewed and concurred on by the system owner/business manager prior to inclusion in the CS Incident report.  This information will then be updated in the CS Incident report.

 

(6)              Incident Reporting – involves formal documentation that a CS Incident occurred using the departmental formal reporting process established in this policy.  All USDA completed incident report documentation is to be reported to OCIO CS.  OCIO CS is responsible for incident reporting to the OIG, US-CERT, and law enforcement for any violation of law.  CS incidents are to be tracked and closed in accordance with the requirements of this policy.  However, CS incidents that involve violations of the law or investigation will be separately tracked as resolution may not occur for a protracted period of time.