To paraphrase a panelist at the Pondurance Spring Security Briefing, there are two types of businesses: those that know they’ve been hacked and those that have been hacked but don’t know it yet. Today more than ever before, having an efficient and practiced incident response plan is imperative for businesses of all sizes.
While security companies can take on a lot of the burden of setting up and maintaining this plan, preparing for and reacting well to a data breach requires everyone in your company or organization to take part in training and stay attentive to new threats. To quote the cult classic from 1995, Hackers: “You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai... the Keyboard Cowboys... and all those other people who have no idea what's going on are the cattle... Moooo.”
Well, break out your spurs because we have some work to do!
Creating an effective incident response plan involves organization and preparation around three key phases: prepare, execute, learn. Together these comprise what Ron Pelletier refers to as the Incident Response Life Cycle. For each phase, Ron offered questions to ask as well as tips on how to address the concerns those questions raise.
As you prepare your security plan, here are some questions to explore:
- Do I know where my sensitive data lives?
- Am I prepared to defend against attacks? What about phishing attacks?
- Is my helpdesk prepared to correlate attacks and recognize attack patterns?
- Does my retention schedule work against me? For example, am I holding onto emails for longer than I need to or should?
- What is my exposure through SSO (single sign-on) or reused passwords? If someone acquired my email login information, what else would they then have access to?
What to do
If any of these questions made you freak out about your risk, the following tips can help you address security concerns:
- Discourage use of email as a personal “database.” Sharing company account credentials via email and saving those emails for later use is one example of this.
- Evaluate your old files for unintended exposure (like your email “deleted” folder).
- Ensure your incident response team represents all parts of the organization and is properly trained. The faster a security breach or security flaw is detected, the sooner it can be dealt with and solved.
- Train your team on retention and disposition of data.
- Develop meaningful policies and procedures around all three of these phases.
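Several of the points above (retention schedules, email used as a personal “database,” forgotten messages in the “deleted” folder) come down to one question: what is sitting in old mail that should not be there? The following Python script is an added example, not code from the original post or from Pondurance. It parses a small constructed mailbox with the standard library `email` module and flags messages that either contain credential-like text or fall outside an assumed retention window. The folder names, message contents, retention period and credential patterns are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample mailbox: folder name -> raw RFC 822 messages. Not real mail.
SAMPLE_MAILBOX = {
    "Inbox": [
        "From: it@example.com\nTo: jo@example.com\n"
        "Date: Mon, 03 Jan 2022 09:15:00 +0000\nSubject: Quarterly numbers\n\n"
        "Attached are the Q4 figures.\n",
    ],
    "Deleted Items": [
        "From: ops@example.com\nTo: jo@example.com\n"
        "Date: Tue, 14 Mar 2017 11:02:00 +0000\nSubject: shared account\n\n"
        "The vendor portal login is svc-vendor\nPassword: Spring2017!\n",
        "From: jo@example.com\nTo: team@example.com\n"
        "Date: Wed, 05 Jan 2022 08:00:00 +0000\nSubject: api access\n\n"
        "Use api_key=AKXXXXXXXXXXXXXXXXXX for the test env\n",
    ],
}

# Assumed patterns for credential-like content; tune to your environment.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpass(word|wd)?\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(api[_-]?key|secret|token)\s*[:=]\s*\S+", re.I),
]


def _text_body(msg):
    """Collect the text/plain content of a parsed message (single or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload() for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def scan_mailbox(mailbox, retention_days, now):
    """Return findings for messages that hold credentials or exceed retention.

    Each finding records the folder, subject, sent date and the reasons it was
    flagged, so the owner can decide what to purge or rotate.
    """
    cutoff = now - timedelta(days=retention_days)
    findings = []
    for folder, raws in mailbox.items():
        for raw in raws:
            msg = message_from_string(raw)
            sent = parsedate_to_datetime(msg["Date"])
            body = _text_body(msg)
            reasons = []
            if any(p.search(body) for p in CREDENTIAL_PATTERNS):
                reasons.append("credential-like content")
            if sent < cutoff:
                reasons.append(f"older than {retention_days}-day retention")
            if reasons:
                findings.append({
                    "folder": folder,
                    "subject": msg["Subject"],
                    "date": sent.date().isoformat(),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    # Assumed policy: keep mail for one year; "now" is fixed so the run is repeatable.
    as_of = datetime(2022, 6, 1, tzinfo=timezone.utc)
    for f in scan_mailbox(SAMPLE_MAILBOX, 365, as_of):
        print(f"{f['folder']}: '{f['subject']}' ({f['date']}) -> {', '.join(f['reasons'])}")
```

Run against a real mailbox you would feed it exported messages (an mbox file parsed with `mailbox.mbox`, for instance) rather than the inline strings, and treat every credential hit as a rotation task, not just a deletion task: removing the email does not undo the fact that the secret travelled in clear text.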
The execute phase of the life cycle involves identification, containment, eradication and recovery. Things to consider:
- Do I have a workable and flexible risk assessment process? Do I have logs, and can I determine from them how long a password was compromised?
- Is my incident response timely and efficient?
- Do I know how my accounts are connected and can I prevent further exposure by limiting these connections?
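Two of these questions, how long a password was compromised and which connected accounts it exposes, can be answered mechanically if the logs and an account inventory exist. The following Python script is an added example, not code from the original post or from Pondurance. It reads constructed authentication log lines in an assumed `key=value` format, takes the first successful login from an IP address outside the user's known set as the start of the compromise window and the next password reset as its end, and then lists the services reachable with that identity from an assumed SSO map and a list of known password reuse. The log format, IP addresses, service names and inventory shape are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Assumed log line shape: "<ISO-8601 UTC> user=<u> ip=<ip> event=<e> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample authentication log (documentation-range IPs, not real data).
SAMPLE_AUTH_LOG = [
    "2022-05-01T07:55:03Z user=jo ip=198.51.100.10 event=login result=success",
    "2022-05-02T08:01:12Z user=jo ip=203.0.113.7 event=login result=failure",
    "2022-05-02T08:01:40Z user=jo ip=203.0.113.7 event=login result=success",
    "2022-05-03T12:30:00Z user=jo ip=203.0.113.7 event=login result=success",
    "2022-05-04T09:00:00Z user=jo ip=198.51.100.10 event=password_reset result=success",
    "2022-05-04T09:05:00Z user=jo ip=198.51.100.10 event=login result=success",
]

# Constructed inventory (assumed shape): what one identity unlocks.
SSO_MAP = {"jo": {"email", "hr-portal", "vpn"}}
KNOWN_REUSE = {"jo": {"vendor-portal"}}   # same password known to be reused here
KNOWN_IPS = {"jo": {"198.51.100.10"}}     # addresses the user normally logs in from


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return rec


def compromise_window(lines, user, known_ips):
    """Return (first suspicious successful login, credential reset time, suspicious IPs).

    The reset time stays None when no password reset follows the suspicious
    login, i.e. the exposure is still open.
    """
    first = reset = None
    suspicious = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != user or rec["result"] != "success":
            continue
        if rec["event"] == "login" and rec["ip"] not in known_ips:
            if first is None:
                first = rec["ts"]
            if rec["ip"] not in suspicious:
                suspicious.append(rec["ip"])
        elif rec["event"] == "password_reset" and first is not None and reset is None:
            reset = rec["ts"]
    return first, reset, suspicious


def exposure_report(lines, user, known_ips, sso_map, known_reuse):
    """Combine the compromise window with the accounts the identity unlocks."""
    first, reset, suspicious = compromise_window(lines, user, known_ips.get(user, set()))
    services = sorted(sso_map.get(user, set()) | known_reuse.get(user, set()))
    return {
        "user": user,
        "first_suspicious_login": first.strftime(TS_FMT) if first else None,
        "credential_reset": reset.strftime(TS_FMT) if reset else None,
        "seconds_exposed": int((reset - first).total_seconds()) if first and reset else None,
        "suspicious_ips": suspicious,
        "connected_services": services,
    }


if __name__ == "__main__":
    report = exposure_report(SAMPLE_AUTH_LOG, "jo", KNOWN_IPS, SSO_MAP, KNOWN_REUSE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `connected_services` list is the set of places where sessions and tokens need to be revoked and passwords changed in the same containment step; `seconds_exposed` bounds the period whose activity on each of those services should be reviewed. If the inventory that feeds `SSO_MAP` and `KNOWN_REUSE` does not exist, building it is the prepare-phase task this execute-phase check depends on.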
What to do
- Ensure you have a communication plan, so that everyone who needs to know about a security breach is in the loop as soon as a threat is detected. An effective incident response requires open communication and collaboration between many different teams (including legal, IT and customer service).
- Evaluate known threat actors and attack methods to help identify and contain the attack.
- Evaluate ‘mapped’ drives as well as public and private folders for potential exposure.
- Establish a timeframe for the incident, provide search terms for discovery analysis, and determine what constitutes a true exposure.
The final phase of the life cycle Pondurance presented, learn, means staying informed about security issues and regulations.
- Do I know my legal and regulatory obligations for reporting?
- Am I capable of aggregating and conforming discovery results?
- Have I pre-contracted the security and legal expertise I may need to investigate and report incidents?
What to do
- Test your plans often – at least once per year.
- Involve management in response plans and exercises, or be prepared for management to deviate and execute untested procedures at the time of an incident.
- Develop organizational clarity by classifying data and developing new policies to limit future exposure risk.
- Pre-arrange for services and expertise to limit “unknown” or surprise costs.
Share the wealth in lessons learned. Creating an internal wiki or adding to a preexisting one will help keep everyone informed and alert to the possibility of future security breaches.
This represents some of the highlights of security things to lasso – it's a pretty complex issue with things changing all the time. A good security setup is not a one-size-fits-all sort of deal and it’s essential that members from all areas of your organization are involved in the creation of a security plan that fits your size and unique needs. This is important, not only because it will make it easier to account for all sensitive data and potential hacker access points, but also because creating awareness around the importance of digital security and common security risks can significantly decrease the chance of a data breach.