The California Highway Patrol

Computer Crime Reporting - Summary of Incident Response Do's and Don'ts

DOs:

  1. Immediately isolate the affected system to prevent further intrusion, release of data, damage, etc.
  2. Use the telephone to communicate. Attackers may be capable of monitoring email traffic.
  3. Immediately notify the California State Warning Center at 916-657-8287 and provide the information that is specified in the Computer Security Incident Notification card (CHP 1041). This information is also provided in the last section of this document titled, "Computer Security Incident Notification."
  4. Activate all auditing software, if not already activated.
  5. Preserve all pertinent system logs, e.g., firewall, router, and intrusion detection system.
  6. Make backup copies of damaged or altered files, and keep these backups in a secure location.
  7. Identify where the affected system resides within the network topology.
  8. Identify all systems and agencies that connect to the affected system.
  9. Identify the programs and processes that operate on the affected system(s), the impact of the disruption, and the maximum allowable outage time.
  10. In the event the affected system is collected as evidence, make arrangements to provide for the continuity of services, i.e., prepare a redundant system and obtain data back-ups. To assist with your operational recovery of the affected system(s), pre-identify the associated IP address, MAC address, Switch Port location, ports and services required, physical location of system(s), the OS, OS version, patch history, safe shut down process, and system administrator or backup.
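Items 5 and 6 above ask that pertinent logs be preserved and that backup copies be kept in a secure location. The script below is an added example, not code or procedure from the CHP document: it copies each log into an evidence directory, hashes source and copy with SHA-256, writes a manifest, and can re-verify the copies later so that an altered file is detectable. The file names, the manifest layout, and the sample firewall and IDS lines (which use RFC 5737 documentation addresses) are constructed for illustration.

```python
"""Preserve pertinent logs (DOs 5 and 6): copy each file to a secure evidence
directory, hash source and copy with SHA-256, and write a manifest so the
copies can be re-verified later. Added example; it is not code or procedure
from the CHP document. File names, the manifest layout and the sample log
lines are constructed for illustration."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

CHUNK_SIZE = 1 << 20   # hash in 1 MiB pieces so large logs are not read into memory


def sha256_of(path):
    """Hex SHA-256 digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve_logs(sources, evidence_dir):
    """Copy each source log into evidence_dir and record its hash.
    Returns the manifest dict after writing it to evidence_dir/manifest.json."""
    evidence = Path(evidence_dir)
    evidence.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        copy = evidence / src.name
        shutil.copy2(src, copy)                     # copy2 keeps the original timestamps
        source_hash = sha256_of(src)
        if sha256_of(copy) != source_hash:          # the copy must match before we rely on it
            raise RuntimeError(f"copy of {src} does not match its source")
        stat = src.stat()
        entries.append({
            "original_path": str(src.resolve()),
            "preserved_name": src.name,
            "size_bytes": stat.st_size,
            "original_mtime": stat.st_mtime,
            "sha256": source_hash,
        })
    manifest = {"collected_at": time.time(), "entries": entries}
    (evidence / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_preserved(evidence_dir):
    """Re-hash every preserved copy against the manifest.
    Returns the names of files whose hash no longer matches (empty list = intact)."""
    evidence = Path(evidence_dir)
    manifest = json.loads((evidence / "manifest.json").read_text())
    return [e["preserved_name"] for e in manifest["entries"]
            if sha256_of(evidence / e["preserved_name"]) != e["sha256"]]


def demo():
    """Constructed sample: two small log files in a temporary directory."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    firewall = work / "firewall.log"
    firewall.write_text(                               # constructed lines; RFC 5737 test addresses
        "2024-03-01T02:14:07Z DENY tcp 203.0.113.9:51822 -> 10.20.1.5:445\n"
        "2024-03-01T02:14:09Z DENY tcp 203.0.113.9:51823 -> 10.20.1.5:139\n")
    ids = work / "ids.log"
    ids.write_text("2024-03-01T02:14:10Z ALERT smb-scan src=203.0.113.9 dst=10.20.1.5\n")
    evidence_dir = work / "evidence"
    manifest = preserve_logs([firewall, ids], evidence_dir)
    return {"evidence_dir": evidence_dir, "manifest": manifest,
            "intact": verify_preserved(evidence_dir)}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("tampered files:", result["intact"])
```

The manifest records the original path, size, timestamp and hash of every file at collection time; keeping the manifest itself on write-once media or in a separate location is what makes a later comparison meaningful. Sources sharing a file name would overwrite each other under this naming scheme, so in practice prefix copies with the host name.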

DON'Ts:

  1. Delete, move, or alter files on the affected systems.
  2. Contact the suspected perpetrator.
  3. Conduct a forensic analysis.

Other Considerations

  1. Collect information for each server, router, switch, and Data Service Unit (DSU) including:
    • IP address
    • Media Access Control (MAC) address
    • Switch Port location (switch name and port number)
    • Port assignment
    • Ports and services required
    • Statement that all other unneeded ports and services are closed and/or removed
    • Responsible system administrator and backup
    • Physical location of server
    • Physical security implemented
    • Emergency contact information (both technical and user management)
    • OS/Version/Patch history
    • Systems supported, impact of outage, and maximum allowable outage (MAO)
    • Shutdown script (if applicable)
    • Recovery process
  2. Identify all external connections, assess the need for the connections, the security risk to each connection, and any recommended safeguards or strategies.
  3. Provide an adequate security message and warning banner on your system.
  4. Implement a keystroke monitoring program.
  5. Determine whether personal information (as enumerated in SB 1386 / Civil Code Section 1798.29) resides on, or is transmitted through, the affected system.

Steps to Minimize Potential Liability

  1. Review physical and electronic access by employees and investigate abnormal activity in ALL computing environments.
  2. Review system administrators, field accounts, and special access rights for appropriate access levels.
  3. Ensure that systems are always backed up and the data is securely placed in an offsite location. Periodically conduct data restore tests.
  4. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored. In addition, schedule routine virus scans on servers and desktops.
  5. Remove sensitive information from websites.
  6. Limit the size and manage the type of email attachments that can be received (certain systems allow you to disable executable files).
  7. Keep the IT Operational Recovery Plan (ORP) and Business Continuity Plan (BCP) up-to-date, tested, and ready for implementation.
  8. Establish security accountability for any and all users at appropriate levels.
  9. Improve security on access to critical assets and facilities with technology environments.
  10. Remove unnecessary services on routers, ports, servers, and network devices.
  11. Trace or monitor the necessary services.
  12. Designate an Information Security Officer (ISO) who shall report to the Director of the department or designee. The ISO shall not report to the Chief Information Officer (CIO).
  13. Continuously educate management on the priority of security and the security risks associated with Information Technology.
  14. Install warning banners at the login process for access to all state systems and applications.
  15. Increase user awareness in security by continuously enhancing technology use policy such as "non-personal use of email."
  16. Verify that software updates and patches are continuously installed on a timely basis to operating systems and applications. Be wary of standard software installations. These installations often include services or features which you do not use and do not update.
  17. Ensure that current anti-virus protection software and upgrades are installed, operational, and monitored.
  18. Improve or remove user accounts with weak passwords, default or built-in passwords, old passwords, or no passwords. All accounts must have passwords and passwords should be complex and difficult to guess.
  19. Require use of passwords containing alpha-numeric-special character combinations. Passwords should expire after a set period of time and employ a password history to prevent repeated passwords.
  20. Determine whether you have a policy that cancels log-ins/passwords when employees leave your organization. If so, verify that the policy is enforced.
  21. Implement intrusion detection and provide monitoring on critical information systems, e.g., by maintaining system logs on write-once CDs.
  22. Restrict non-business use of e-mail.
  23. Review your remote access procedures and policies. Who is granted access? How is it monitored? If virtual private network (VPN) access is provided, have minimum security standards been established for the remote computer? How is this verified?
  24. Enforce state policy regarding Internet use (viruses such as Trojan Horses can be introduced by visiting websites).
  25. Restrict use of chat room software such as AOL Instant Messenger, IRC Chat, and ICQ Chat (viruses can be introduced by visiting chat rooms).
  26. Maintain a firewall between your system and any untrusted system (Internet connection).
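Items 18, 19 and 20 above describe password requirements (complexity, expiry after a set period, a history that blocks reuse) and cancelling log-ins when employees leave. The code below is an added example, not code or policy text from the CHP document, showing how those rules are enforced together against a salted password-hash history so that no plaintext password is ever kept. The numeric limits (12 characters, 90 days, 5 remembered passwords), the PBKDF2 work factor, the account class and the walk-through values are assumptions chosen for illustration.

```python
"""Password policy enforcement for items 18-20: complexity (letters, digits and
special characters), expiry after a set period, a history that blocks reuse,
and disabling accounts of departed users. Added example, not text or code from
the CHP document; the numeric limits and the PBKDF2 hashing are assumptions."""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 12                  # assumed policy values; tune to the local standard
MAX_AGE_SECONDS = 90 * 86400     # password must be changed every 90 days
HISTORY_DEPTH = 5                # number of previous passwords that cannot be reused
PBKDF2_ROUNDS = 100_000          # work factor for stored hashes


def complexity_problems(password):
    """Return the complexity rules a candidate password fails (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest; only this is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """One user account with a salted-hash password history (newest last)."""

    def __init__(self, username):
        self.username = username
        self.history = []        # entries: (salt, digest, set_at_epoch_seconds)
        self.disabled = False

    def set_password(self, candidate, now=None):
        """Apply complexity and reuse rules; store the new hash on success.
        Returns a list of violations (empty means the password was accepted)."""
        now = time.time() if now is None else now
        problems = complexity_problems(candidate)
        if problems:
            return problems
        for salt, digest, _ in self.history:            # current + HISTORY_DEPTH previous
            if hmac.compare_digest(_derive(candidate, salt), digest):
                return [f"matches one of the last {HISTORY_DEPTH} passwords"]
        salt = os.urandom(16)
        self.history.append((salt, _derive(candidate, salt), now))
        self.history = self.history[-(HISTORY_DEPTH + 1):]   # keep current + history
        return []

    def password_expired(self, now=None):
        now = time.time() if now is None else now
        return not self.history or now - self.history[-1][2] > MAX_AGE_SECONDS

    def disable(self):
        """Item 20: cancel the login when the employee leaves."""
        self.disabled = True

    def authenticate(self, password, now=None):
        """Return 'ok', 'disabled', 'bad-password' or 'expired'."""
        if self.disabled:
            return "disabled"
        if not self.history:
            return "bad-password"
        salt, digest, _ = self.history[-1]
        if not hmac.compare_digest(_derive(password, salt), digest):
            return "bad-password"
        return "expired" if self.password_expired(now) else "ok"


def demo():
    """Constructed walk-through with fixed timestamps so the outcome is deterministic."""
    t0 = 1_700_000_000
    acct = Account("jdoe")                                       # constructed user
    results = {}
    results["weak"] = acct.set_password("password", now=t0)      # fails complexity
    results["first"] = acct.set_password("Corr3ct-H0rse!Bat", now=t0)      # accepted
    results["reuse"] = acct.set_password("Corr3ct-H0rse!Bat", now=t0 + 1)  # blocked by history
    results["login"] = acct.authenticate("Corr3ct-H0rse!Bat", now=t0 + 86400)
    results["stale"] = acct.authenticate("Corr3ct-H0rse!Bat", now=t0 + MAX_AGE_SECONDS + 1)
    acct.disable()                                               # employee leaves
    results["after_leave"] = acct.authenticate("Corr3ct-H0rse!Bat", now=t0 + 86400)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:12s} {outcome}")
```

The reuse check compares the candidate against every stored salt and digest, so the cost grows with the history depth; that is acceptable for a change-password path but is why the history is capped. The `expired` result is only returned after the credential itself has been verified, so an unauthenticated caller learns nothing about the account's state beyond a generic failure, and a disabled account never authenticates regardless of the password supplied.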

Computer Crime Reporting for State Agencies