[BreachExchange] The Best & Worst Practices of Incident Response

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 2 10:30:33 EST 2018


http://resources.infosecinstitute.com/best-worst-practices-incident-response/

Incident response is often an afterthought: organizations don't think about
it until an incident occurs. How you respond will decide whether your
network continues to operate as a part of your business. As I am sure you
are aware, security breaches never occur when a company is ready for them;
they happen at the most inopportune times. To make sure that your company is
prepared when a breach does happen, here are some dos and don'ts of incident
response.

Five Things You Need to Do When Responding to a Security Incident

1. Discreet Communication

When handling an incident, communication is important; however, it needs to
be done discreetly. Remember that the attacker might still have access to
your systems, including the mail server and chat platform your team uses
every day, and may be reading what the responders say to each other.
Therefore, you should avoid communicating over:

Instant messenger
Email
Speaker phones

Where possible, all communication should take place face to face, or over an
out-of-band channel that does not run on the compromised environment (for
example, personal mobile phones or a separate conferencing account set up
for the incident).

2. Reset Credentials

Make sure that every credential exposed during the incident is reset: user
passwords, but also service accounts, API keys and any active sessions or
tokens the attacker may have captured. Time the reset so that it happens
after the attacker's access has been removed; otherwise they can simply
harvest the new credentials. Remember that an attacker who still holds a
working credential will most likely strike more than once.

3. Coordinate System Shutdown

Taking compromised servers offline one at a time, as each is discovered,
alerts the attacker that something is taking place within the environment
they are attempting to infiltrate. This gives them the opportunity to
install another set of tools and malware on systems you have not yet found,
which then creates additional problems. Plan the shutdown so that all
affected systems are isolated together, and capture volatile evidence such
as memory and network connections before a machine is powered off, since a
shutdown destroys it.

4. Stay Calm

It is important that you remain calm during incident response so you can
follow the established procedure and handle the incident effectively.

5. Report the Attack

This should be common sense, but many cyberattacks go unreported.
Regardless of whether your organization has its own incident response team,
it is essential that law enforcement is contacted so that they can attempt
to catch the perpetrator.

Five Things You Need to Avoid When Responding to a Security Incident

1. Communicating Too Quickly or Too Slowly

If the security incident affects your customers or partners, it is
essential to have a full understanding of the breach before you speak about
it. This will help you come up with an effective strategy. Understandably,
upper management wants to put partners and customers at ease. However,
putting out a message and then having to retract it with conflicting
information won't look good and will cause additional worry.

Companies are often so overwhelmed after a breach has taken place that they
fail to communicate effectively with relevant stakeholders. When
communication is too slow, you are in danger of losing stakeholder trust in
your ability to handle security incidents in a timely manner.

The same threats are also present when information is provided too quickly.
If a company communicates too early, they run the risk of providing
inaccurate, inconsistent or incomplete information, which can cause
confusion and lead people to lose trust in the company.

2. Not Apologizing

There is no such thing as a company that is completely safe from security
breaches. Although companies and customers are aware that cyber attacks are
always going to be an issue, companies are still not customer-focused
enough when it comes to making a formal apology to their customers for
putting them at risk. A data breach is unexpected, worrisome and traumatic
for customers, and failing to acknowledge this or avoiding an apology can
have terrible consequences.

3. Failure to Have a Breach Response Plan

A breach response plan is a documented strategy for limiting the damage
once unauthorized access to systems or data is detected: who is called, in
what order, what each person is responsible for, and which systems can be
isolated without approval. A properly outlined breach response plan plays a
critical role in reducing the negative impact that a security breach can
have. It also enhances the organization's ability to navigate a crisis with
relative ease.

4. Not Getting Timely Legal Advice

There are severe legal implications associated with data breaches, including
notification deadlines that start running from the moment the breach is
discovered, and you want to avoid getting these wrong as much as possible.
It is critical that you get the right legal advice early so that you can
quickly recover from a security incident. What you don't want is to have to
deal with a class action lawsuit because of a data breach.

5. Making the Same Mistakes Twice

Even the most sophisticated companies will have to deal with a data breach.
However, one of the most important aspects of dealing with a data breach is
learning from your mistakes. The incident handling process consists of six
phases:

Preparation
Identification
Containment
Eradication
Recovery
Review (lessons learned)

It is recommended that after a major security incident has taken place, an
organization should hold a meeting to discuss the lessons learned. During
the meeting, you will need to identify your mistakes and evaluate them.
Take inventory of what exactly happened and analyze how your team went
about reducing the impact of the breach. The lessons learned phase should
be the most important part of your post-breach activities. By implementing
this strategy, not only will you improve the performance of your team and
create benchmarks for potential future breaches, but you will also produce
helpful reference and training materials.

It is important to mention that during the lessons learned phase you will
uncover a number of issues that need improving or changing. You might also
find there are some things you will need to get rid of entirely and others
that you need to implement in order to improve your level of security.

Whatever findings come out of your evaluation, make sure they are taken
seriously and that you hire capable experts to assist in better protecting
your business against data breaches.

Conclusion

It is virtually inevitable that your organization will become a victim of
some type of security breach. As companies and businesses enhance their
levels of security, cybercriminals continue to find ways around them. The
most important thing is that you take the necessary precautions to protect
yourself against a security breach and that you are fully prepared for a
breach when it happens. After the breach, make sure that you conduct a
lessons-learned meeting and that you implement any new ideas, suggestions
and recommendations to protect your company against future attacks.