[BreachExchange] 6 Steps To Survive a Cyber Attack

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 28 19:44:43 EDT 2016


https://campustechnology.com/articles/2016/04/28/6-steps-to-survive-a-cyber-attack.aspx

Like corporations, universities and colleges have copious amounts of data
to protect. But campuses are not corporations. They're more like little
cities, providing an array of services and functions. "We have an enormous
range and variety of confidential information and that makes it very
challenging to secure," said Michael Corn, deputy CIO for Library and
Technology Services and CISO at Brandeis University.

IT must protect not just the identity of students, faculty and staff but
also the intellectual property and sensitive data generated by hours of
research. When a cyber-attack does occur, the incident response team needs
a plan that guides it through the crisis.

In 1998, the SANS Institute designed a high-level response plan comprising
six phases: preparation, identification, containment, eradication, recovery
and follow-up. Nearly 20 years later, these six phases are still the basis
for most incident response plans at campuses across the nation.

1) Preparation

During this phase, IT staff members are trained on how to secure a single
computer or an entire network that has been breached. In addition, all
users are given general awareness training, such as learning the difference
between a strong and weak password, knowing not to click on links in
e-mails from individuals they don't know and how to identify phishing
e-mails. To stay prepared, IT staff members examine computer logs and
follow the critical controls put in place to avoid an attack.

The preparation phase also considers those in the upper echelons of the
institution. "Is your management aware of the consequences, both financial
and legal, of data exposure?" said Randy Marchany, university IT security
officer at Virginia Tech and a SANS instructor who helped develop the SANS
response plan in 1998.

2) Identification

In the identification phase, IT personnel deploy systems that can detect a
breach rather than learning about it from outside the perimeter, often
after damage has been done. IT determines the type of intrusion detection
system it will run on the network and the network architecture it will
employ to detect an intruder trying to "brute force" into the network, said
Marchany. "What do you have to detect an attack?" he said.

At Brandeis, Corn employs a next-generation firewall protection system that
detects the workaday incoming scans common on a college campus. But its
real value, he noted, is in its ability to detect malicious outgoing
traffic that usually indicates a compromised machine.

As in the preparation phase, user training plays a significant role in
identifying attacks. "A user may say, 'I usually go to this website but
today it doesn't look right — and I remember when I watched that awareness
video it said if you think something is not right to let the IT people
know,'" said Marchany.

3) Containment

If IT personnel detect a successful attack, the incident response team must
determine the extent of the damage and answer some important questions,
like what percentage of the network is under attack and how many systems
have been compromised. "Is it an attack aimed specifically at the HR
database engine or is it an attack aimed at gaining password access to as
many machines as possible to use them to send spam?" said Marchany. Once
the team determines the extent of the attack, it can work to contain it.

The procedures a response team uses to work through the containment,
eradication and recovery phases depend on where the attack occurred and
the complexity of the school's network. Corn, for example, can quarantine
users on some parts of his network. If a computer is compromised, the user
is directed to a website telling him to call IT for further instructions.
"At the very large schools it's challenging to do that everywhere," said
Corn.

4) Eradication

Once the incident response team contains the attack, team members assess
the situation and determine the measures they will take to eradicate it.
The eradication phase ensures that the response team is aware of those
measures and acts upon them. But before team members can act, they must
determine if they have adequate backups, if they need to reinstall software
from scratch and if they can determine whether or not sensitive data was
modified.

5) Recovery

When someone from the response team gives the all clear, the recovery phase
kicks in. In this phase, IT personnel begin the task of restoring the
systems along with the data that have been compromised in the attack. The
goal is to get users back to normal operations, said Marchany.

6) Follow-up

Often overlooked by IT personnel, the follow-up phase is just as important
as the previous five phases. A member of the response team writes the
after-action report after looking at the previous five phases with a
critical eye and providing harsh criticism of both the plan and the team's
performance. The purpose is to determine which, if any, of the phases
failed and which ones succeeded. "Then you address the areas that were weak
and that failed and hopefully you've built a slightly stronger response
model for when the next incident happens," said Marchany.

Drilling Down

Corn considers the previous six phases a 30,000-foot view. The response
plan document determines what is considered an incident and, if one occurs,
dictates incident command and governance. No response plan is complete,
however, without a robust set of documents that provide granular detail — a
set of standard operating procedures (SOPs) — at a lower level. "We have a
process about what we do when we find a compromised computer and it's very
detailed. Our security engineers are going to look at X and they're going
to look at Y and document this and document that. But I'm not going to put
that in the high-level incident response plan," said Corn.

Detailed procedures such as these are part of his operation manual. He
encourages IT personnel to be judicious and cautious about how much detail
they write into their response plan. Response plans must be flexible enough
to withstand changes in both technology and staff. "Our operations manual
changes week-to-week, month-to-month and year-to-year as technology, people
and tools change," said Corn.

Between the high-level response plan and the lower-level SOPs, Corn
maintains a spreadsheet that he calls a "toolkit." This spreadsheet
contains contact information and templates. "(I use this) as a cheat sheet,
a checklist if we're dealing with something so I know I haven't forgotten
something," said Corn.

Look to the Experts

Many universities, especially large ones with mature security functions,
post their high-level response plans on their websites. A simple Google
search for "incident response plan site:.edu" will return countless plans.
IT professionals charged with creating a response plan don't need to start
from scratch. "Browse these plans, pick the parts that you like, the
structure that you like, the format that you like and that work at your
institution," said Corn.

Most response plans will include the six basic phases found in the SANS
outline. The difference is going to be that every institution has different
technologies in place and a different set of tools to accomplish each task
in the plan. "How you operationalize that plan has to be strongly informed
by what you know about your environment, what you know about your endpoint
and some of the intelligence you have about what's going on on your
network," said Corn.

Privacy vs. Security

When a security incident occurs, a chief privacy officer works from a
different response plan than a CISO, according to Sarah Morrow, chief
privacy officer at the University of New Mexico. "Privacy is not a subset
of security — they have two different missions and two different tracks
when it comes to breach response," she said.

When a breach occurs, IT wants to know who, what, when, where and how — and
the CISO wants to immediately start mitigation. Privacy, on the other hand,
has a mission and timeline established by regulation and prudence.
"Inevitably there is more than one plan in more than one place. For
privacy, it is more than electronic information systems," said Morrow.

Morrow is not only responsible for protecting the privacy of UNM's
students, faculty and staff, she must also protect the health records of
the patients at UNM's hospital.

The first step in Morrow's response plan is preparation. She ensures that
her contracts for third-party forensics, credit monitoring, letter printing
and the call center are in order. When a security incident does occur, she
must first determine if it's actually a breach. "'Breach' is used too
liberally," she said. "A machine can be compromised and there was nothing
on the machine except public information. You run into the possibility of
being responsible to respond to public or regulatory inquiry because you
used the term 'breach' when in fact it was only a security incident."

If the incident is a breach, Morrow pulls together her response committee,
which includes the CISO or security personnel, risk management people, the
CFO, a member of senior leadership, a member of general counsel and the
head of the unit with the compromised computer.

To get out ahead of the situation in the public's eye, she'll contact
public relations if the breach is significant enough. "You may want to put
it on your website or you may have public relations send it out to the
local radio and TV stations," said Morrow. "You want to get out in front of
these things. You don't want to look like you're trying to hide anything.
You want to be transparent."