
INCIDENT RESPONSE WORKFLOW FOR HANDLING SENSITIVE INFORMATION LEAKS


Academic year: 2022


INCIDENT RESPONSE WORKFLOW FOR HANDLING SENSITIVE INFORMATION LEAKS

BY

MOHD AZLAN BIN MOHD NOR

A dissertation submitted in partial fulfillment of the requirement for the degree of

Master of Protective Security Management

Kulliyyah of Information and Communication Technology

International Islamic University Malaysia

JANUARY 2020


ABSTRACT

Sensitive information, as a corporate asset, is valuable to an organization for the detection, prevention and mitigation of breaches. Information loss continues to be one of the major threats to organizations, and failing to handle sensitive information leaks is not acceptable for an organization. An inadequate workflow process is unable to mitigate and contain a sensitive information leak incident. The arrangement of activities in the workflow process is important to facilitate the whole incident response process, and the incident handlers who work on incident handling carry out the incident response to accomplish the objective of the incident workflow process. This study explored incident handlers' perspective on the workflow for handling sensitive information leak incidents. Data were collected through an incident scenario exercise and were analyzed with techniques that include categories, subcategories and a summary of the incident scenario responses. The incident handlers revealed that the incident workflows used in the organization have different objectives in accomplishing incident response. Some of the limitations identified include the detection and escalation processes of the workflow. The results suggest that a new workflow process needs to be established as a gatekeeper to coordinate the whole investigation and mitigation process; these workflow improvements have implications for the detection and escalation processes. Several recommendations are given on how to handle sensitive information leaks with the present incident workflows. The findings of this study are expected to strengthen the organization's procedures for handling sensitive information leak incidents.


ABSTRACT IN ARABIC

Sensitive information, as a corporate asset, is valuable to organizations for detecting, preventing and mitigating breaches. The loss of information remains one of the main threats to organizations. Failure to handle sensitive information is unacceptable to organizations. Inadequate workflow processes are unable to mitigate and contain sensitive information leak incidents. The arrangement of activities in workflow processes is important to facilitate the response process for all incidents. The incident handler is the one who works with incident response capabilities and incident handling to achieve the objective of the incident workflow processes. This study explored the incident handler's view of the workflow for handling sensitive information leak incidents. Data were collected through the use of an incident scenario. The data were analyzed with techniques that include categories, subcategories and a summary from the incident response scenario. The incident handlers revealed that the incident workflows used in organizations have a different objective for achieving incident response. Some limitations were identified, including the incident detection and escalation processes in the workflow. The results suggest that a new workflow process needs to be established as a gatekeeper to coordinate all investigation and mitigation processes. These improvements to the workflow have an implication for the detection and escalation processes. Several recommendations were given on how to handle sensitive information leaks associated with the current incident workflows. The findings of this study are expected to strengthen the procedures in organizations when handling sensitive information leak incidents.


APPROVAL PAGE

I certify that I have supervised and read this research and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the degree of Master of Protective Security Management.

...

Jamaludin Ibrahim Supervisor

I certify that I have read this research and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the degree of Master of Protective Security Management.

...

Nurul Nuha Abdul Molok Examiner

This dissertation was submitted to Centre for IT Advancement and is accepted as a fulfilment of the requirement for the degree of Master of Protective Security Management.

...

Normi Sham Awang Abu Bakar Head

Center for IT Advancement

This dissertation was submitted to the Kulliyyah of Information and Communication Technology and is accepted as a fulfilment of the requirement for the degree of Master of Protective Security Management.

...

Abdul Wahab Abdul Rahman Dean

Kulliyyah of Information and Communication Technology


DECLARATION

I hereby declare that this dissertation is the result of my own investigations, except where otherwise stated. I also declare that it has not been previously or concurrently submitted as a whole for any other degrees at IIUM or other institutions.

Mohd Azlan bin Mohd Nor

Signature ... Date ...


INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH

INCIDENT RESPONSE WORKFLOW FOR HANDLING SENSITIVE INFORMATION LEAKS

I declare that the copyright of this dissertation is jointly owned by the student and IIUM.

Copyright © 2019 Mohd Azlan bin Mohd Nor and International Islamic University Malaysia. All rights reserved.

No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission of the copyright holder except as provided below:

1. Any material contained in or derived from this unpublished research may be used by others in their writing with due acknowledgement.

2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purposes.

3. The IIUM library will have the right to make, store in a retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.

By signing this form, I acknowledge that I have read and understand the IIUM Intellectual Property Right and Commercialization policy.

Affirmed by Mohd Azlan bin Mohd Nor

Signature ... Date ...


ACKNOWLEDGEMENTS

Firstly, I wish to take this opportunity to say Syukur Alhamdullilah to Allah SWT for giving me the courage and patience in completing this research.

It is my greatest pleasure to dedicate this work to my dearest parents, family and friends, who granted me the gift of their unwavering belief in my ability to accomplish this goal; thank you for your support and patience. I owe my deepest gratitude to my wife Tengku Noor Hayati binti Abu Bakar and my children for providing me with inspiration and support throughout this journey, and this is also for my late mother Norijah binti Harun, Al Fatihah.

I wish to express my appreciation and thanks to those who provided their time, effort and support for this project especially to Jamaludin bin Ibrahim for being a very helpful and patient supervisor, for his valuable advice and guidance in helping me into finishing this research.

I would like to express my sincere gratitude to all the respondents, staff from all departments in CyberSecurity Malaysia, who spent their precious time and patience to join us in the incident response exercise. Their cooperation made my work easier in collecting and analyzing data. Without their honest contribution, it would have been impossible for me to complete this research.

Thank you all for making it possible.


TABLE OF CONTENTS

Abstract ... ii

Abstract In Arabic ... iii

Approval Page ... iv

Declaration ... v

Copyright Page ... vi

Acknowledgements ... vii

List of Tables ... x

List of Figures ... xi

List Of Abbreviations... xii

CHAPTER ONE : INTRODUCTION ... 1

1.1 Background Of The Study ... 1

1.2 Organization Background ... 2

1.3 Statement Of The Problem ... 3

1.4 Purpose Of The Study ... 4

1.5 Research Objectives... 4

1.6 Research Questions ... 5

1.7 Research Scope ... 5

1.8 Chapter Summary ... 5

CHAPTER TWO : LITERATURE REVIEW ... 6

2.1 Introduction... 6

2.2 Sensitive Information... 6

2.3 Incident ... 7

2.4 Incident Management ... 7

2.5 Workflow ... 7

2.6 Incident Response Team (IRT) ... 8

2.7 Computer Security Incident Response Team (CSIRT) ... 8

2.8 Response Team Formation ... 9

2.9 Incident Information Collection ... 9

2.10 Architecture For Incident Workflow ... 10

2.11 Architecture For Gatekeeper Incident Workflow ... 11

2.12 Incident Response Support Based On Seriousness Of Infection ... 12

2.13 Leibniz Supercomputing Centre Security Incident Response Workflow ... 13

2.14 National Disaster Management... 14

2.15 CyberSecurity Malaysia – DLP Workflow... 16

2.16 CyberSecurity Malaysia – CSIRT Workflow ... 19

2.17 CyberSecurity Malaysia – CYBER999 Workflow ... 21

2.18 Chapter Summary ... 22

CHAPTER THREE : RESEARCH METHODOLOGY ... 23

3.1 Introduction... 23

3.2 The Case Study Method... 23

3.3 Research Approach ... 24


3.3.1 The Workflows ... 25

3.3.2 Incident Handler ... 26

3.3.3 Data collection, processing, and analysis ... 27

3.3.4 Incident Scenario as Data Collection ... 28

3.4 Chapter Summary ... 29

CHAPTER FOUR : ANALYSIS AND FINDINGS ... 30

4.1. Introduction ... 30

4.2 Analysis ... 30

4.2.1 Research Question 1 ... 31

4.2.1.1 Summary ... 32

4.2.2 Research Question 2 ... 32

4.2.2.1 Summary ... 36

4.2.3 Research Question 3 ... 36

4.2.3.1 Summary ... 38

4.3 Findings ... 38

4.4 Chapter Summary ... 40

CHAPTER FIVE : DISCUSSION AND CONCLUSION ... 41

5.1. Introduction ... 41

5.2 Implications ... 42

5.3 Recommendations... 42

5.4 Future Research ... 43

5.5 Chapter Summary ... 43

REFERENCES ... 45

APPENDIX A: Incident Scenario Exercise ... 48


LIST OF TABLES

Table No. Page No.

4.1 The perspective of workflow sufficiency in handling sensitive information leaks incident 32

4.2 The perspective of enhancement required/recommended to the workflow 37


LIST OF FIGURES

Figure No. Page No.

2.1 The Incident Workflow Architecture 10

2.2 The Incident Workflow Gatekeeper Architecture 12

2.3 Transition among ISL Stages 13

2.4 LSC Security Incident Response Workflow 14

2.5 Data Leakage Protection Workflow 17

2.6 CSIRT Workflow 20

2.7 cyber999 Workflow 21

3.1 Data Collection Process 29


LIST OF ABBREVIATIONS

C-Level CEO, COO, CTO

CNII Critical National Information Infrastructure

CSIRT Computer Security Incident Response Team

Cyber999 Computer Security Incident Report

CyberDEF Cyber Detection, Eradication, Forensic

DDOS Distributed Denial of Service

DLP Data Leakage Protection

HoD Head of Department

IH Incident Handler

INSARAG International Search and Rescue Advisory Group

IRT Incident Response Team

ISL Infection Suspicious Level

IT Information Technology

KKMM Kementerian Komunikasi dan Multimedia Malaysia

LSC LEIBNIZ Supercomputing Center

MyCERT Computer Emergency Response Team

OCC Outreach and Corporate Communication

OSA Official Secret Act

OTP One Time Password

PKFZ Port Klang Free Zone

SPM Sijil Pelajaran Malaysia

SRA Strategic Research and Advisory

STCA Short Term Conflict Alert

STS Secure Technology Services

TDRM Total Risk in Disaster

W Workflow


CHAPTER ONE INTRODUCTION

1.1 BACKGROUND OF THE STUDY

Sensitive information leakage has become a major issue in social communication.

Sensitive information is defined as information that is protected against unwarranted disclosure (Ohm, 2014). Most of the time, sensitive information leaks occur in secrecy, so they cannot be traced closely while the information is being distributed across social communication platforms. The leaks may be caused by people who have the right to access the information, owing to a lack of control or a lack of strategies for distributing and sharing sensitive information.

An incident response workflow reacts to infringements of the information systems security process. It analyses the incident, contains it from spreading, eradicates its technical causes, and encourages the organization's recovery to normal business operations (Ahmad, Maynard, Shanks, 2015). This study investigates how an incident response workflow can be used to improve the process of handling sensitive information leaks. This is vital because an incident response workflow brings together a significant set of processes in order to address security failures.

In 2009, Malaysian Cabinet documents were leaked via the Internet. The documents were exposed on a website by a fugitive blogger, who posted digital copies of leaked information about the Port Klang Free Zone (PKFZ), including classified Cabinet papers. The files contained sensitive details, including the project cost and the political alliances involved. The case was classified under section 8 of the Official Secret Act (OSA).

In 2015, a report was made by a group of individuals who claimed that the Sijil Pelajaran Malaysia (SPM) examination questions for Mathematics papers 1 and 2 and Mathematic Tambahan had been leaked. The first leak was detected shortly after the Mathematics paper examination. The evidence showed that a copy of the questions had been exposed in an additional class the day before the actual examination.

Today sensitive information leaks happen anywhere. Studies show that they happen in commercial organizations and administrative institutions.

Present statistics show an alarming increase in information leaks, arising from threats such as insiders, sabotage and unintentional disclosure. These incidents are becoming more detrimental and will keep on evolving (Global Data Leakage Report, 2015).

The impact of such an incident has a profound, critical effect on the business process. The outcomes demonstrate that organizations have too little monitoring and too weak an incident response workflow. An inappropriate incident response process becomes an embarrassment and has a monetary impact on an organization. These are the challenges faced by organizations: they need to establish an incident response plan and find the best workflow for responding to these threats.

1.2 ORGANIZATION BACKGROUND

CyberSecurity Malaysia is the national cybersecurity specialist agency under the purview of Kementerian Komunikasi dan Multimedia Malaysia (KKMM). CyberSecurity Malaysia was established to provide specialised technical cyber security services to protect the public, the economy and government services. For the larger national objective, CyberSecurity Malaysia also plays an important role in preventing or minimising disruptions to both the Critical National Information Infrastructure (CNII) and industries.

1.3 STATEMENT OF THE PROBLEM

Leaks of sensitive information have become a serious issue faced by organizations and individuals. Each year we find news and reports on sensitive information leaks (Global Data Leakage Report, 2015). The matter is of passionate concern because it affects all parties. A few protection strategies have been applied, but the workflow process for protecting sensitive information proficiently and precisely still needs to be specified.

A good incident response workflow must work precisely to restore the service to normal operation as quickly as possible. This requires several activities for managing and controlling a breach so as to prevent the actual leak of sensitive information.

A workflow is an arrangement of procedures for incident response activities; every activity has its own function within a given scope. The workflow should be simple and easy to use, and should not be overly painful for any incident response team to follow. It should not suffer from an absence of communication and coordinated effort between business functions and resources. The workflow addresses the incident that occurred, the form of the evidence, the analysis output and the corrective action. It comprises the mitigation process, which mitigates the problem, and the eradication process, which completes the destruction of the incident. In addition, every incident response workflow should incorporate the sensitive information leak type of incident. At present there are many types of incident response workflows available for use in the event of a breach or degradation of service, and some people think they can be used for every type of incident.

The current practice does not address the ideal incident workflow process for handling sensitive information leaks. There are no sufficient workflows available for managing and handling sensitive information leaks; the available workflows are usually identified with preventing breaches involving malicious code, phishing, cyber harassment, email spam and DDoS attacks.

An effective incident response workflow for handling sensitive information leaks is required to deal with communication and coordination between mitigation activities. It requires a strategy that focuses on every mitigation activity. If the incident response workflow does not address an ideal workflow for sensitive information leaks, the team will be wasting time and effort, which jeopardizes the overall efficiency of the confidentiality, availability and integrity of the incident response workflow.

Investigating incident response workflows is the technique for identifying which workflows work sufficiently for the sensitive information leak type of incident. This study informs incident response teams about the limitations of the processes in their workflows.

1.4 PURPOSE OF THE STUDY

This research recommends a workflow process for use in incident response to sensitive information leaks. The study focuses on the process of developing an incident response workflow for sensitive information leaks.

1.5 RESEARCH OBJECTIVES

1. To investigate different types of incident workflow in handling sensitive information leaks.

2. To examine the effectiveness of incident workflow in handling sensitive information leaks.


3. To improve/enhance incident response workflow particularly in sensitive information leaks.

1.6 RESEARCH QUESTIONS

1. What are workflows being used for sensitive information leaks incident in CyberSecurity Malaysia?

2. Do the workflows work sufficiently in handling sensitive information leak incidents?

3. What enhancements are required or recommended to the workflow?

1.7 RESEARCH SCOPE

The scope and limitations of this research are:

1. The set of workflows that exist and are available for use by the incident response team.

2. The established communication and collaboration between process functions.

3. All the data and information gathered, such as process workflow diagrams, will be explored within the CyberSecurity Malaysia premises.

1.8 CHAPTER SUMMARY

Failing to execute the procedures in incident response activities is a major risk for an organization. The organization needs to adopt satisfactory procedures to moderate the problem. Executing incident response activities in a working workflow addresses the incident that occurred, the form of evidence, the analysis output and the corrective action.

Therefore, the incident handler is responsible for going through every process in the incident workflow, and their perspective on the limitations of the procedure needs to be explored and analyzed.

CHAPTER TWO LITERATURE REVIEW

2.1 INTRODUCTION

The work described in this chapter reviews the literature on the implemented processes by which organizations or groups of technical teams facilitate and collaborate in response to an unexpected event that introduces unusual behaviour into a routine process. This includes research on the process of handling sensitive information leak incidents in organizations. The work covers the people, communication and processes that take care of the events occurring during an incident related to sensitive information leaks, and it examines the workflows presently used to reinforce the process of handling such incidents. The goal of this literature review is to present and discuss findings from previous studies in the fields of information security, processes and activities pertinent to incident response.

2.2 SENSITIVE INFORMATION

Sensitive information is characterized as information that is secured against unwarranted disclosure. Access to sensitive information should be protected. Protection of sensitive information might be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations (Ohm, 2014). Sensitive information is available in the form of data, records, reports and written documents that are available to users for processing. However, sensitive information can be misused to compromise the privacy of information.

2.3 INCIDENT

An incident refers to a specific event or occasion that disturbs something, so that something unusual happens. If a small child screams in a prayer hall at a masjid, it is not that unusual, but if an adult does, that is called an incident. Incident types can take the form of forces of nature, man-made events, and political, economic, religious, educational, intellectual property and information technology incidents. Those occurrences need to be taken care of, and they require a suitable tool to be applied in the event of an incident. This needs decent management that is efficient and effective in dealing with the event, and resources that participate in incident management.

2.4 INCIDENT MANAGEMENT

Incident Management is a tool for marshalling pre-identified and pre-gathered assets to react to a crisis. It is especially valuable when resources from numerous organizations are required to oversee large incidents successfully (Perry, 2003). It is defined as the systematic, planned, and coordinated use of human, institutional, technology and technical resources to reduce the duration and impact of incidents (Farradyne, 2000). Incident Management forms a flexible structure for collecting assets and coordinating the response effort for overseeing incidents and disasters. It is capacity based rather than agency or business function based.

2.5 WORKFLOW

A workflow is an arrangement of activities in a business process; every activity performs a piece of functionality within a given scope. These activities are coordinated so that, on the whole, they accomplish a required business objective. It is about the practicalities of how to do things, including how best to utilize diverse sorts of activities for various business processes.

2.6 INCIDENT RESPONSE TEAM (IRT)

An Incident Response Team is a group of individuals who prepare for and react to negative impacts on the normal process, such as an unexpected outage of business operations or a natural disaster. IRTs are regularly developed in private and public service organizations. The team is generally made up of particular individuals assigned before an incident happens. People in an IRT are preferably trained and skilful in a specific scope to satisfy the roles required. They are people from the support helpdesk and other IT services, while incidents involving external parties may require support from HR, Legal or Corporate Services (Kulikova, Heil, Van Den Berg, 2013).

2.7 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

A CSIRT is an association of dedicated and capable cyber security specialists that prepares for and reacts to cyber security incidents. The association is in charge of receiving, reviewing, organizing and reacting to cyber security incidents and activities (Wara, Singh, 2015). One objective is to establish teams within organizations to offer rapid response to computer security incidents in order to mitigate risks before substantial damage occurs; the benefit of such teams is the capability to contain and repair damage from incidents and prevent future damage. Second, the role of a CSIRT is to coordinate and report computer security incident activities (including information sharing, such as alerts, advisories and warnings), to create trusted communication channels and to enhance computer security awareness and training programs within its constituency. Briefly, a CSIRT is a dedicated team responsible for providing aid to its constituency in determining the issues of cyber security incidents and what actions are required to remedy such circumstances.

A CSIRT is a critical security function in organizations, intended to manage incidents in a timely and cost-effective manner. It is argued that the practice of incident response frequently results in the improvement of strategic security processes such as policy development and risk assessment (Ahmad, Hadgkiss, Ruighaver, 2012). This is important, as many organizations, especially critical infrastructure organizations, need to maintain an incident response capability to address cyber security attacks (internal and external). For many organizations, the CSIRT is often seen as a "firefighting" rescuer, since its function is to respond to computer security incidents in order to minimize the effects of cyber-attacks. It also functions as the front line of security defense and the management of successful recovery.

2.8 RESPONSE TEAM FORMATION

As security incidents differ broadly in their seriousness, the structure of the incident response team should reflect the effect the incident has on the organization (Kulikova, Heil, Van Den Berg, 2013). Simple outbreaks, such as a network interface failure in a server, can be managed by a small group of IT support staff without further investigation, while an incident with a really serious effect on business operations requires more people to assist in mitigating the problem. They are a composition of people with different sets of skills: helpdesk, incident handler, security support and analyst.

2.9 INCIDENT INFORMATION COLLECTION

Gathering incident information from various sources is important in order to form valuable information for the incident handler. Discrepancies between the information stored in different places prevent it from providing actual meaning and use for the incident response workflow. Collaboration of information is the technique for collecting incident-related information from different sources. Thus, it allows the incident handler to gather the relevant evidence from incident data that are spread across a number of different sources (Belsis, Simitsis, Gritzalis, 2005).
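The collection technique described above, as an added example that is not code from the dissertation or from any CyberSecurity Malaysia system: fragments about the same incident arrive from several sources, are merged per incident in time order, and any field on which the sources disagree is recorded as a discrepancy for the handler instead of being silently overwritten. The record layout, the source names and the sample fragments are all constructed for this illustration.

```python
"""Collate incident evidence scattered across several sources into one record.

Added illustration of the evidence-collection idea in this section; it is not
code from the dissertation or from any CyberSecurity Malaysia system. The record
layout, the source names and the sample fragments are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass
class Evidence:
    source: str                 # system that produced the fragment (constructed name)
    incident_id: str            # identifier the source uses for the incident
    observed_at: datetime
    fields: Dict[str, str]


# Constructed sample: one leak seen by three systems (the helpdesk ticket carries
# a stale classification) plus an unrelated incident seen by one system.
SAMPLE_EVIDENCE = [
    Evidence("dlp_alert", "INC-0001", datetime(2019, 5, 2, 9, 14),
             {"user": "j.doe", "classification": "confidential", "channel": "email"}),
    Evidence("mail_gateway", "INC-0001", datetime(2019, 5, 2, 9, 15),
             {"user": "j.doe", "recipient_domain": "example.net", "channel": "email"}),
    Evidence("helpdesk_ticket", "INC-0001", datetime(2019, 5, 2, 11, 40),
             {"user": "j.doe", "classification": "internal"}),
    Evidence("dlp_alert", "INC-0002", datetime(2019, 5, 3, 8, 0),
             {"user": "a.lee", "classification": "secret", "channel": "usb"}),
]


@dataclass
class CollatedIncident:
    incident_id: str
    merged: Dict[str, str] = field(default_factory=dict)     # first-seen value per field
    origin: Dict[str, str] = field(default_factory=dict)     # field -> source of that value
    sources: List[str] = field(default_factory=list)         # in order of observation
    timeline: List[Tuple[datetime, str]] = field(default_factory=list)
    # field -> {source: value} for every field on which the sources disagree
    discrepancies: Dict[str, Dict[str, str]] = field(default_factory=dict)


def collate(evidence: List[Evidence]) -> Dict[str, CollatedIncident]:
    """Merge fragments per incident in time order.

    The earliest value of each field is kept, and every later value that
    differs is recorded as a discrepancy instead of silently overwriting it,
    so the handler sees where the sources disagree.
    """
    by_id: Dict[str, CollatedIncident] = {}
    for ev in sorted(evidence, key=lambda e: e.observed_at):
        inc = by_id.setdefault(ev.incident_id, CollatedIncident(ev.incident_id))
        inc.sources.append(ev.source)
        inc.timeline.append((ev.observed_at, ev.source))
        for key, value in ev.fields.items():
            if key not in inc.merged:
                inc.merged[key] = value
                inc.origin[key] = ev.source
            elif inc.merged[key] != value:
                conflict = inc.discrepancies.setdefault(
                    key, {inc.origin[key]: inc.merged[key]})
                conflict[ev.source] = value
    return by_id


def needs_reconciliation(collated: Dict[str, CollatedIncident]) -> List[str]:
    """Incident ids the handler must reconcile before relying on the record."""
    return sorted(i for i, inc in collated.items() if inc.discrepancies)


if __name__ == "__main__":
    result = collate(SAMPLE_EVIDENCE)
    for ident, inc in result.items():
        print(ident, inc.merged, "discrepancies:", inc.discrepancies)
    print("needs reconciliation:", needs_reconciliation(result))
```

Keeping the first-seen value rather than the last-seen one is a deliberate choice: the earliest source is usually the detecting system, and the later, conflicting value (here the helpdesk ticket's stale classification) is exactly the discrepancy the handler has to resolve rather than trust.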

2.10 ARCHITECTURE FOR INCIDENT WORKFLOW

Figure 2.1 shows one of the simple architectures for an incident workflow, used in Short Term Conflict Alert (STCA) (Johnson, 2015). In the principal stage, an incident is recognized either by an automated warning alert or by a manual report from the requester. The problem log process is implemented using PC-based systems, paper forms or phone calls.

Figure 2.1 The Incident Workflow Architecture. Source: (Johnson, 2015)

An incident response handler is then required to assemble evidence, including system logs, alerts and witness statements. These are then used to reconstruct the events leading up to the incident. The reconstruction of the incident supports a more definite result about the cause of the problems. From that point it is possible to identify the activities that are planned to lessen the probability of the incident. The discoveries are then reported to other stakeholders so that corrective action can be executed.

Stages B to E are characterised as 'forensic analyses within security management systems' (Gaithersburg, Maryland, 2006). In this process the incident handler performs forensic evidence gathering and reviews system audit trails to map out the events leading to an incident (Johnson, 2014). Stage G addresses the underlying causes of an incident, including the dissemination of corrective action to stakeholders.

2.11 ARCHITECTURE FOR GATEKEEPER INCIDENT WORKFLOW

Figure 2.2 illustrates a more elaborate architecture for reporting adverse events (Johnson, 2014). An incident is detected and forwarded to a supervisor acting as a gatekeeper, who receives the incident report after the security event. The supervisor or gatekeeper is responsible for gathering as much information or evidence pertaining to the incident as possible, and controls all incident response activities in the workflow, except for major risks, which are required to be forwarded to top management. The gatekeeper is also responsible for monitoring the implementation of corrective action.
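The two architectures just described (the staged workflow of Figure 2.1 and the gatekeeper variant of Figure 2.2) as one worked example. This is added code, not code from the dissertation or from Johnson's work: the stage names follow the text, while the 1..5 risk scale, the escalation threshold, the "alert"/"report" source labels and the sample incidents are constructed assumptions. Every transition is written to an audit trail, the gatekeeper refuses to reconstruct an incident without evidence, and only incidents at or above the assumed threshold are forwarded to top management.

```python
"""Gatekeeper-style incident workflow with an audit trail.

Added example for the incident-workflow and gatekeeper architectures described
in the text (Figures 2.1 and 2.2). It is not code from the dissertation or from
Johnson's work: the stage names follow the text, while the 1..5 risk scale, the
escalation threshold and the sample incidents are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Stage(Enum):
    DETECTED = "detected"              # automated alert or manual report
    LOGGED = "logged"                  # problem log: PC system, paper form or phone call
    EVIDENCE = "evidence_gathered"     # system logs, alerts, witness statements
    RECONSTRUCTED = "reconstructed"    # events leading to the incident mapped out
    ESCALATED = "escalated"            # major risk forwarded to top management
    CORRECTIVE = "corrective_action"   # corrective action disseminated to stakeholders
    MONITORING = "monitoring"          # gatekeeper monitors the implementation
    CLOSED = "closed"


MAJOR_RISK_THRESHOLD = 4   # assumed: risk is scored 1..5 and 4 or more is "major"


@dataclass
class Incident:
    ident: str
    source: str                       # "alert" (automated) or "report" (manual)
    risk: int                         # assumed 1..5 scale
    evidence: List[str] = field(default_factory=list)
    stage: Stage = Stage.DETECTED
    audit: List[str] = field(default_factory=list)

    def advance(self, stage: Stage, note: str) -> None:
        """Every transition is written to the audit trail before it takes effect."""
        self.audit.append(f"{self.stage.value} -> {stage.value}: {note}")
        self.stage = stage


class Gatekeeper:
    """Supervisor who receives every report, gathers the evidence, controls the
    response activities and forwards only major risks to top management."""

    def __init__(self, threshold: int = MAJOR_RISK_THRESHOLD) -> None:
        self.threshold = threshold
        self.escalated: List[str] = []

    def handle(self, inc: Incident, evidence: List[str]) -> Incident:
        if inc.source not in ("alert", "report"):
            raise ValueError("incident must come from an automated alert or a manual report")
        if inc.stage is not Stage.DETECTED:
            raise ValueError(f"{inc.ident} already entered the workflow")
        inc.advance(Stage.LOGGED, f"logged from {inc.source}")
        if not evidence:
            # no reconstruction without evidence: the gatekeeper must gather it first
            raise ValueError(f"{inc.ident}: no evidence gathered")
        inc.evidence.extend(evidence)
        inc.advance(Stage.EVIDENCE, f"{len(evidence)} item(s) collected")
        inc.advance(Stage.RECONSTRUCTED, "events leading to the incident mapped out")
        if inc.risk >= self.threshold:
            self.escalated.append(inc.ident)
            inc.advance(Stage.ESCALATED, f"risk {inc.risk} >= {self.threshold}")
        inc.advance(Stage.CORRECTIVE, "corrective action sent to stakeholders")
        inc.advance(Stage.MONITORING, "gatekeeper monitoring implementation")
        return inc

    def close(self, inc: Incident, implemented: bool) -> Incident:
        """An incident closes only after the corrective action is confirmed."""
        if inc.stage is not Stage.MONITORING:
            raise ValueError(f"{inc.ident} is not under implementation monitoring")
        if implemented:
            inc.advance(Stage.CLOSED, "corrective action confirmed implemented")
        return inc


if __name__ == "__main__":
    gk = Gatekeeper()
    minor = gk.handle(Incident("INC-1", "alert", risk=2), ["firewall log excerpt"])
    major = gk.handle(Incident("INC-2", "report", risk=5), ["witness statement", "DLP alert"])
    for inc in (minor, major):
        print(inc.ident, *inc.audit, sep="\n  ")
    print("escalated to top management:", gk.escalated)
```

The audit list is what makes the gatekeeper role reviewable afterwards: a reader of the trail can see whether an incident was escalated, what evidence count the reconstruction rested on, and that nothing was closed before implementation monitoring.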

Figure 2.2 The Incident Workflow Gatekeeper Architecture. Source: (Johnson, 2015)

2.12 INCIDENT RESPONSE SUPPORT BASED ON SERIOUSNESS OF INFECTION

The seriousness of an infection is defined as the "Infection Suspicious Level (ISL)", which represents the criticality of a suspected malware infection across several stages of the workflow. ISL is an indication of the value of the impact from an infected host. Figure 2.3 shows that there are four stages in the ISL workflow for inspecting an incident.

1) Monitoring

In the normal state, ISL monitors inbound and outbound communication based on the assigned policy.

2) Intensive Monitoring

ISL constantly monitors the suspected host.

3) Analysis

From stage 2, a detailed investigation is performed. All the evidence gathered is analysed in this stage.

4) Countermeasure

A countermeasure is decided, such as isolating the victim host.
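The four ISL stages above as an explicit state machine, added here as an example; it is not code from the dissertation or from the work it cites. The text names the stages but not the criteria that move a host between them, so the transition rules below (a policy violation lifts a host one stage, an analysis verdict either isolates the host or returns it to normal monitoring) and the sample events are assumptions made for the illustration.

```python
"""Infection Suspicious Level (ISL) stages as a per-host state machine.

Added example: not code from the dissertation. The stage names come from the
text; the transition rules and sample events are assumptions for illustration.
"""
from enum import IntEnum
from typing import Dict, List


class ISL(IntEnum):
    MONITORING = 1             # normal state: policy-based monitoring of all traffic
    INTENSIVE_MONITORING = 2   # the suspected host is watched constantly
    ANALYSIS = 3               # detailed investigation of the gathered evidence
    COUNTERMEASURE = 4         # decision taken, e.g. isolate the victim host


class IslTracker:
    """Tracks the ISL stage of every host and the evidence gathered about it."""

    def __init__(self) -> None:
        self.level: Dict[str, ISL] = {}
        self.evidence: Dict[str, List[str]] = {}
        self.isolated: List[str] = []

    def state(self, host: str) -> ISL:
        return self.level.get(host, ISL.MONITORING)

    def observe(self, host: str, event: str, policy_violation: bool) -> ISL:
        """Stages 1 and 2: record the event; a policy violation lifts the host one
        stage (assumed rule), but observation alone never moves it past Analysis."""
        lvl = self.state(host)
        self.evidence.setdefault(host, []).append(event)
        if policy_violation and lvl < ISL.ANALYSIS:
            lvl = ISL(lvl + 1)
        self.level[host] = lvl
        return lvl

    def analyse(self, host: str, infected: bool) -> ISL:
        """Stage 3: only a host under analysis can receive a verdict. An infected
        verdict is the stage 4 countermeasure (isolation, assumed here); a clean
        verdict returns the host to normal monitoring and discards the evidence."""
        if self.state(host) is not ISL.ANALYSIS:
            raise ValueError(f"{host} is not in the analysis stage")
        if infected:
            self.level[host] = ISL.COUNTERMEASURE
            self.isolated.append(host)
        else:
            self.level[host] = ISL.MONITORING
            self.evidence[host].clear()
        return self.level[host]


if __name__ == "__main__":
    # Constructed sample events for one host.
    tracker = IslTracker()
    for event, violation in [("dns lookup of known-bad domain", True),
                             ("ordinary web traffic", False),
                             ("periodic beacon to same domain", True)]:
        print(event, "->", tracker.observe("host-a", event, violation).name)
    print("verdict ->", tracker.analyse("host-a", infected=True).name)
    print("isolated:", tracker.isolated)
```

Making the stages an explicit state machine is what turns the figure into something checkable: the `analyse` guard means a countermeasure can only be recorded for a host that actually passed through intensive monitoring and analysis, which is the ordering the ISL workflow prescribes.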
