IT Focus Area: Security
February 19, 2016
Be the Hero: Prepare Your Organization for the Next Security Breach
You don’t need to look further than the latest news headlines to find countless stories about cyber threats. Bombarded with this information on a daily basis, companies often turn to emerging technology trends—the “shiny new thing”—for a solution. And why wouldn’t they? New technologies are not only eye-catching, they often provide companies with the opportunity for growth and maturity, while staying competitive in the world market.
But in addition to innovative technology, organizations should ensure they’re addressing the core of their security program, making sure it’s up-to-date and aligns with key business objectives. Cyber attacks often take advantage of basic security vulnerabilities, such as poor patch management, weak passwords, web-based personal email services, and a lack of end-user education and security policies.
When it comes to security, an organization must be prepared to be its own hero in times of crisis.
As companies’ IT and business strategies continue to evolve and take advantage of today’s digital disruption, the strategies of cyber attackers are evolving even faster. Lurking quietly outside the walls of an IT organization are the Darth Mauls and Count Dookus of the cyber world, ready to take advantage of an overlooked computer hazard that was left unattended.
Most organizations aren’t ready for them.
A recent report from the Ponemon Institute found that 75 percent of U.S. organizations are not prepared to respond to cyber security attacks.
On average, it takes companies a full month to resolve security incidents once they are identified. Many companies have an incident response (IR) program or plan in place, but are struggling to align it with current cyber-security concerns.
To protect the corporate brand, organizations must have an enterprise-recognized process for dealing with IT security hazards as they occur. The program for dealing with unwanted intrusions, malicious code infections, cyber theft and other security-related events should be a formal program with a rapid response capability and clear procedural execution that supports the foundational building blocks of a robust incident handling process.
Incident Handling and Response: A Blueprint for Saving the Day
At the most basic level, incident handling (IH) and incident response (IR) form a blueprint strategy for resolving the mishandling of a computer system and/or its associated networks. Mishandling may include intrusions, denial of service (DoS) attacks, cyber theft, malicious code deployment, or a host of new exposures that seem to materialize on a daily basis. Planning for incidents should not focus on a single internet-facing attack as the only point of entry. Instead, organizations should consider a larger scope, such as an unintentional user malware download, insider theft, breach of intellectual property or loss of corporate trade secrets, and similar events.
Preparation is Your Super Power
Being able to identify an incident is an important piece of your IH/IR strategy, but your organization must also be able to act swiftly and judiciously. A central tenet of IR and IH is preparation. It is critical to plan and implement proper policies, procedures, and protocols that support your IH and IR strategy. Take the time to clarify documented procedures so that when an incident does occur, the chance of omitting a step is reduced.
The National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2 is a good place to start when developing policies, procedures and process protocol. It is common practice for federal agencies, corporate and private organizations, and government contractors and utilities to rely on the NIST SP 800-61 Rev. 2 guidelines as pillars of internal IT security policy. It is critical to recognize, however, that each organization is unique. Every organization should define for themselves what constitutes an incident and clarify the different levels of incidents, as well as the varying response protocols associated with each incident level. Every company should also bear in mind that incident handling protocols and procedures must be compliant with the laws of the country of execution.
Six Stages of Incident Handling
There are six stages in IH/IR: preparation, identification, containment, eradication, recovery and lessons learned, often referenced by the acronym PICERL. These stages are well known and are taught and referenced in training classes through the SANS Institute and the Department of Energy. The following overview is a primer covering the essentials; additional detail can be gathered through IH or IR training to provide granular, actionable specifics that apply to an organization's own incident handling program.
Stage One - Preparation: The objective of this stage is to prepare the team to handle incidents before they occur.
Stage Two - Identification: The objective of this stage is to determine whether an incident has occurred.
Stage Three - Containment: The objectives of this stage include short-term containment, system backup and long-term containment.
Stage Four - Eradication: The objective of this stage is to purge the system of the assailants’ remnants on the machine including user accounts, malware, DLLs, EXEs, or any illegal influences.
Stage Five - Recovery: The objective of this stage is to introduce compromised systems back into production in a safe and secure fashion, comprehensive of system validations usually requiring business signoff.
Stage Six - Lessons Learned: The objective of this stage is to document what happened and improve or adjust incident handling capabilities.
For effective incident management, an organization's first need is a system: a series of repeatable steps and procedures. As an incident handling program matures, it is common to go through modifications, updates and procedural rewrites. Focus on consistently improving the program, building it to be learnable, teachable and duplicable (LTD), so that the process and the program are logical and easy for team members to follow.
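The six PICERL stages above and the "repeatable steps" point in this paragraph can be made concrete as a small incident-lifecycle tracker. The following Python is an added example written for this article, not code from the author or from NIST or SANS: it models the stage order, refuses to skip or rewind stages, requires documented notes for every stage, enforces the business sign-off the article says recovery usually needs, and measures identification-to-recovery time (the interval the article says averages a month). The incident identifier, severity label and timestamps are constructed sample data, and the helper names (Incident, attempt, resolution_days, lessons_learned_report) are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The six PICERL stages, in the order the article lists them.
STAGES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]


@dataclass
class StageRecord:
    stage: str
    entered_at: datetime
    notes: str          # what was done; a stage with no notes is undocumented


@dataclass
class Incident:
    incident_id: str    # hypothetical ticket id, constructed for this example
    severity: str       # the article leaves incident levels to each organization
    history: List[StageRecord] = field(default_factory=list)
    business_signoff: Optional[str] = None   # who approved return to production

    @property
    def current_stage(self) -> Optional[str]:
        return self.history[-1].stage if self.history else None

    def next_stage(self) -> Optional[str]:
        """The only stage the incident may move to next (None once closed)."""
        if self.current_stage is None:
            return STAGES[0]
        idx = STAGES.index(self.current_stage) + 1
        return STAGES[idx] if idx < len(STAGES) else None

    def record_signoff(self, approver: str) -> None:
        self.business_signoff = approver

    def advance(self, stage: str, notes: str, at: Optional[datetime] = None) -> None:
        """Enter `stage`; reject skips, rewinds, undocumented stages and unapproved recovery."""
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if stage != self.next_stage():
            raise ValueError(f"cannot enter {stage!r} from {self.current_stage!r}; "
                             f"next stage is {self.next_stage()!r}")
        if not notes.strip():
            raise ValueError(f"stage {stage!r} requires documented notes")
        if stage == "recovery" and self.business_signoff is None:
            raise ValueError("recovery requires business sign-off before "
                             "systems return to production")
        self.history.append(StageRecord(stage, at or datetime.now(timezone.utc), notes))


def attempt(incident: Incident, stage: str, notes: str,
            at: Optional[datetime] = None) -> Optional[str]:
    """Try a transition; return the rejection reason (None on success) for runbook tooling."""
    try:
        incident.advance(stage, notes, at)
        return None
    except ValueError as exc:
        return str(exc)


def stage_time(incident: Incident, stage: str) -> Optional[datetime]:
    for rec in incident.history:
        if rec.stage == stage:
            return rec.entered_at
    return None


def resolution_days(incident: Incident) -> Optional[float]:
    """Days from identification to recovery; None until both stages are reached."""
    start = stage_time(incident, "identification")
    end = stage_time(incident, "recovery")
    if start is None or end is None:
        return None
    return (end - start) / timedelta(days=1)


def lessons_learned_report(incident: Incident) -> dict:
    """Stage-six artifact: the full timeline with notes, resolution time and approver."""
    return {
        "incident_id": incident.incident_id,
        "severity": incident.severity,
        "timeline": [(r.stage, r.entered_at.isoformat(), r.notes) for r in incident.history],
        "resolution_days": resolution_days(incident),
        "business_signoff": incident.business_signoff,
    }


def run_example() -> Incident:
    """Walk a constructed malware incident through all six stages (sample data only)."""
    t0 = datetime(2016, 2, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-EXAMPLE-001", "medium")
    inc.advance("preparation", "IR roster and contact tree confirmed", t0)
    inc.advance("identification", "AV alert on workstation; malicious attachment confirmed",
                t0 + timedelta(hours=2))
    inc.advance("containment", "workstation isolated; disk image taken", t0 + timedelta(hours=4))
    inc.advance("eradication", "malware, persistence (service + DLL) and rogue account removed",
                t0 + timedelta(days=1))
    inc.record_signoff("business owner, finance")
    inc.advance("recovery", "rebuilt workstation validated and returned to user",
                t0 + timedelta(days=3, hours=2))
    inc.advance("lessons_learned", "attachment filtering gap found; policy updated",
                t0 + timedelta(days=5))
    return inc


if __name__ == "__main__":
    print(lessons_learned_report(run_example()))
```

The ordering check is deliberately strict: an organization that wants to allow a return from containment to identification (when scoping reveals more affected hosts) would add that as an explicit, documented transition rather than loosening the check, so the history still records every step the team took.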
As your incident handling and response program evolves, you may find the following sources helpful:
Computer Incident Response Guidebook (pub. #: 5239-19), 1996, US Navy Staff Office
Computer Security Incident Handling Guide (pub. #: 800-61), 2004, US NIST
The Incident Handlers Handbook (SANS Institute Reading Room), December 5th, 2011
Breaches Happen: Be Prepared - SANS Institute, Stephen Northcutt, October 2014
Remember, Choose Your Heroes Wisely
“Choose wisely, for while the true Grail will bring you life, the false Grail will take it from you.”
--The Grail Knight, “Indiana Jones and the Last Crusade”
This is your corporate castle you are defending after all. An enterprise-recognized process for dealing with IT security hazards as they occur is essential. The people, tools and defenses you choose to work with are up to you and your team.
Become the hero at your organization. Take the time to review your options and prepare a strategy that fits your unique circumstances—it could mean the difference between a triumphant recovery and an unmitigated disaster.