[BreachExchange] Breaches happen - the key is being prepared

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 25 20:32:51 EDT 2016


http://www.scmagazineuk.com/breaches-happen--the-key-is-being-prepared/article/527218/

The fallout of a substantial breach at Yahoo!, in which the names, email
addresses, passwords, telephone numbers and other details of more than half a
billion customers were compromised by hackers, is continuing to pile pressure
on the company. It highlights how long breaches can go undetected and the time
it can take an organisation to establish the scale of an incident and take
appropriate steps to remediate. How, when and whom does the organisation
notify on discovering the breach?

With the Office for National Statistics recently reporting that almost six
million fraud and cyber-crimes were committed last year in England and
Wales alone, breach incidents have become almost inevitable. Malware and
ransomware are staples of the mainstream press. That means organisations
need to be prepared for the worst. They need to invest not only in commonly
deployed detection solutions and defensive controls, but also in the
ability to take action as and when an attack is occurring. Immediate action
can limit a hacker's ability to access data, and also helps firms avoid
large fines, negative headlines and shareholder and customer discontent.

Recent data indicates that there has been little improvement in firms'
preparedness against breach incidents. This is despite a sharp increase in
spear-phishing attacks and internal threats. These can be difficult to
defend against, as they can often comprise external and internal abuse of
access to corporate data. Sometimes this abuse is intentional, often it is
completely unintentional.

As the scope for attacks continues to expand and cyber-criminals become
more sophisticated in their techniques, organisations are faced with new
risks. It is now virtually impossible to guarantee that data is ever immune
from a breach. Never has it been more important to have a well-planned,
comprehensive incident response procedure in place to minimise damage.

Despite bearing witness to the negative impact an attack can have on an
organisation, and being exposed to an almost constant stream of negative
headlines about high profile breaches, there are still several areas where
companies consistently fall short in their capabilities to respond to an
incident effectively.

As a starting point, all organisations must ensure that there is an
incident management process in place. Often, organisations have limited
guidelines describing how to declare and classify incidents, yet this
granularity is vital, as it will dictate the speed and scope of the
response. Depending on the type of attack, potential impact, and other
factors, response activities can vary immensely.

Organisations should also compile 'run books': routine procedures for system
administrators that set out how common incidents are to be handled in their
environments. For example, if an organisation is particularly exposed to DDoS
attacks, it is wise to develop a specific DDoS run book that explains the
steps the designated response team should follow, based on the tools and
capabilities available.

It is also important that the effectiveness of the response procedure is
carefully monitored and evaluated. Regular test scenarios are a crucial part
of this evaluation. By carrying out 'post-mortem' reviews, the response team
can identify and build upon the response activities that worked well, and
spot and remediate any processes in need of improvement.

As organisations expand and people's roles change, it is essential that
documentation of who is involved in incident response activities is updated
to reflect these changes. Time is a critical element of incident response: if
a firm cannot rapidly mobilise the right people, its ability to recover from a
breach is seriously hindered. Keeping contact details for third parties such
as the ISP, external incident response support and other providers up to date
is equally important.

To make appropriate decisions and identify impacted systems, comprehensive
and up-to-date information about the network must also be available. When
preparing technical documentation in readiness for incident response, it is
necessary to include DNS information, IP ranges and host names, as well as
the ingress and egress points between networks. On top of this, the software
and operating system names, versions and patch levels, plus user and computer
roles, should also be included. This "known good" information will assist in
the recovery from the breach.
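The "known good" documentation described above is only useful if it can be compared against what responders actually see during an incident. The following is an added example, not code from the SC Magazine article or from Risk Based Security: it holds a small constructed baseline inventory (hostnames, IP ranges, OS, version, patch level, role and expected listening ports, all invented for illustration) and diffs a constructed incident-time snapshot against it, reporting unknown hosts, hosts that have disappeared, configuration drift and unexpected open ports. The record layout and the `example.test` hostnames are assumptions, not anything the article specifies.

```python
"""Diff an incident-response "known good" inventory against a current snapshot.

Added example for this post; not code from the article or its publisher.
All hostnames, addresses and versions below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class HostRecord:
    """One line of the asset documentation the article recommends keeping."""
    hostname: str
    ip: str
    os: str
    version: str
    patch_level: str  # date of the last applied patch baseline (assumed format)
    role: str
    ports: frozenset = field(default_factory=frozenset)  # expected listening TCP ports


# Constructed "known good" baseline (the documented state before the incident).
DOCUMENTED_RANGES = ["10.0.0.0/22"]
KNOWN_GOOD: Dict[str, HostRecord] = {
    "web01.example.test": HostRecord("web01.example.test", "10.0.1.10", "Ubuntu",
                                     "16.04", "2016-10-01", "web", frozenset({22, 443})),
    "db01.example.test": HostRecord("db01.example.test", "10.0.2.20", "RHEL",
                                    "7.2", "2016-09-15", "database", frozenset({22, 5432})),
    "dc01.example.test": HostRecord("dc01.example.test", "10.0.0.5", "Windows Server",
                                    "2012 R2", "2016-10-11", "domain-controller",
                                    frozenset({53, 88, 389, 445})),
}

# Constructed snapshot as a responder might collect it during an incident:
# web01 has an older patch level than documented and an extra listener,
# dc01 did not answer, and two hosts appear that were never documented.
OBSERVED: Dict[str, HostRecord] = {
    "web01.example.test": HostRecord("web01.example.test", "10.0.1.10", "Ubuntu",
                                     "16.04", "2016-08-01", "web", frozenset({22, 443, 4444})),
    "db01.example.test": HostRecord("db01.example.test", "10.0.2.20", "RHEL",
                                    "7.2", "2016-09-15", "database", frozenset({22, 5432})),
    "build07.example.test": HostRecord("build07.example.test", "10.0.1.77", "Debian",
                                       "8", "unknown", "unknown", frozenset({22, 8080})),
    "vpn-test.example.test": HostRecord("vpn-test.example.test", "192.168.50.9", "Debian",
                                        "8", "unknown", "unknown", frozenset({22})),
}


def ip_outside_ranges(ip: str, ranges: Iterable[str]) -> bool:
    """True when `ip` falls in none of the documented network ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(r) for r in ranges)


def compare_inventory(baseline: Dict[str, HostRecord],
                      observed: Dict[str, HostRecord],
                      ranges: Iterable[str] = DOCUMENTED_RANGES) -> Dict[str, List[str]]:
    """Return findings grouped by type, each as a human-readable line.

    Ordering is deterministic (sorted by hostname) so output can be diffed
    between two runs of the same collection.
    """
    ranges = list(ranges)
    findings: Dict[str, List[str]] = {
        "unknown_hosts": [], "missing_hosts": [], "drift": [], "unexpected_ports": []}
    for name, cur in sorted(observed.items()):
        base = baseline.get(name)
        if base is None:
            line = f"{name} ({cur.ip}) has no baseline record"
            if ip_outside_ranges(cur.ip, ranges):
                line += " and is outside documented IP ranges"
            findings["unknown_hosts"].append(line)
            continue
        # Attribute-by-attribute drift against the documented state.
        for attr in ("ip", "os", "version", "patch_level", "role"):
            b, c = getattr(base, attr), getattr(cur, attr)
            if b != c:
                findings["drift"].append(f"{name}: {attr} {b!r} -> {c!r}")
        extra = cur.ports - base.ports
        if extra:
            findings["unexpected_ports"].append(
                f"{name}: listening on {sorted(extra)} not in baseline")
    # Documented hosts that produced no snapshot: unreachable, renamed or removed.
    for name in sorted(set(baseline) - set(observed)):
        findings["missing_hosts"].append(
            f"{name} ({baseline[name].ip}) absent from snapshot")
    return findings


if __name__ == "__main__":
    for category, lines in compare_inventory(KNOWN_GOOD, OBSERVED).items():
        print(f"[{category}]")
        for line in lines:
            print("  " + line)
```

In practice the baseline would be exported from the CMDB or asset inventory and the snapshot from whatever collection tooling the response team already has; the point of the example is that the documentation has to exist in a machine-comparable form before the incident, or the comparison cannot be made when minutes matter.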

By adhering to the above guidelines an organisation can rest assured that
it is in the position to act quickly and efficiently should a
cyber-security incident take place and reduce the potential fallout that
follows these incidents. Only when a firm is fully prepared to respond to
incidents can it hope to effectively mitigate the potential impact.