[BreachExchange] Corporate Incident Response Planning

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 10 20:30:41 EDT 2017


http://www.herald.co.zw/corporate-incident-response-planning/

In the area of Information Security, an incident is an undesired occurrence
in an information system and/or a network that manifests as a threat to
computer or network security, because it threatens availability, integrity
and confidentiality. Such adverse events include, among others, theft or
loss of equipment that contains private or potentially sensitive
information, burglary, unauthorised disclosure of sensitive information, an
extensive virus or malware outbreak, attempts (failed or successful) to gain
unauthorised access to a system or its data, a compromised user account,
and a response to a phishing email.

In today's environment, organisations running information systems need to
be wary of threats and eventualities that lie dormant and one day manifest.
If an incident were to occur in an organisation, what steps are to be taken
to detect and correct the anomaly?

This is where incident response plans (IRPs) come in. An IRP is defined as
an organised approach to addressing and managing the aftermath of a
security breach or attack (incident).

The objective of an IRP is to contain the effect and extent of the damage
caused by the incident at minimum cost and in the least possible time, so
that the business can continue. It is important that, as an organisation,
you create an IRP. This is a risk management plan that defines controls
which reduce breaches of information systems and help mitigate the effects
of those breaches should they occur. You need to ensure that your
organisation has the ability to respond appropriately to such a breach,
hence the need to set up an incident response team. Incidents will occur
regularly in any enterprise environment, so decisions have to be made as to
how responses will be conducted, whether internally or outsourced.

The team will need to determine what needs to be responded to immediately
and what can be delayed. Management will define the scope and goals of the
incident response team in the incident response policy. Clearly structured
roles for all members of the team need to be laid out, so that it is known
who does what during an incident. Computer Emergency Response Teams (CERTs)
may assist systems administrators if need be. The plan comes in seven
simple steps: detection, response, mitigation, reporting, recovery,
remediation and reporting, and lessons learned.

The detection phase is the most important phase in the cycle: if you cannot
detect that something is going wrong, you cannot tell what is required to
fix it when something does go wrong, and as a result you will fail to
respond to it. The detection phase determines that an attack is taking
place or has just taken place, and what action, if any, is to be taken. In
the response phase, you learn more about what is happening and respond to
the incident accordingly. In the mitigation phase you need to stop the
incident.

For example, if a hacker has gained unauthorised access to your system and
is exfiltrating data from it, you will need to disconnect the hacker and
prevent them from removing your critical information from your system. The
reporting phase entails feedback to the relevant stakeholders within the
organisation as to what just happened and what action was taken to remedy
the situation. During the recovery phase you attempt to bring the systems
back online to their pre-incident status, where everything is working
properly and is secure again.

Remediation and reporting aims to protect data that may have been leaked,
and the individuals involved and/or affected. There may also be a need to
report to the relevant regulatory authorities, should the need exist or as
may be demanded by legislation. After the incident is over, there is a need
to look back and reflect on it. What are the lessons learned from the
incident? Take a look at how you responded to the incident, and also at how
the incident occurred, and see what could be improved for the future: for
example, installing a burglar alarm if an individual gained access by
breaking into your facility, or installing an intrusion detection system if
an individual gained remote access to your system.

Proper incident handling demands strict adherence to the IRP. Plans and
procedures for responding to particular situations need to be observed.
Focus should mainly be placed on typical attack vectors and vulnerabilities
where these are known and have a history in the organisation. Many
incidents are caused by insiders, through errors of omission or commission.
There is a need for continuous training and monitoring of staff to ensure
that breaches in their areas of responsibility are minimised.

When managing an incident, you need to determine whether the
confidentiality, integrity and availability of information were
compromised. In some cases, all three could have been affected. There is
therefore a need to prepare in advance to detect, triage, respond to and
recover from incidents.