[BreachExchange] How to develop a mobile incident response plan
destry at riskbasedsecurity.com
Thu Oct 4 19:59:36 EDT 2018
Mobile devices are often overlooked when it comes to an incident
response plan, but they shouldn't be. Here's how to integrate mobile
devices into an essential security system.
Mobile devices contain sensitive information and are susceptible to
viruses and breaches, but organizations don't often develop mobile
incident response plans.
Incident response -- the art and science of addressing computer and
network-related security incidents -- is a function that many
organizations neglect. Some organizations address incident response
from a logging, monitoring and alerting perspective by focusing on
external-facing firewalls and servers. Other organizations address
incident response more broadly, incorporating critical internal
servers and workstations. Other organizations bring critical
applications and databases into scope.
No matter which approach organizations take, they should ensure that
mobile is a key component of their incident response plan.

Basics of a strong incident response plan

An effective incident response plan doesn't have to be complicated.
It's just a document that outlines the who, what, when, where and how
of governing security events.
At a high level, incident response plans should contain the following sections:
Incident preparation: This section specifies what constitutes an
incident or breach, along with the existing security controls and team
member roles and responsibilities.
Incident detection and containment: This section outlines what IT
monitors or reviews to detect and adequately address security
Incident eradication and recovery: This section outlines steps to
clean network systems, restore order and monitor for repeat
Breach reporting: Many laws, business partners or customer contracts
require that organizations notify customers and other parties if they
have experienced a data breach.
Incident follow-up: This section addresses root causes, lessons
learned and related steps in the aftermath of an event.
An incident response plan should include the contact information of
everyone involved, including outside vendors. It should also include
which incident response tests IT needs to perform and should reference
related documents such as security policies, network diagrams and

Why a mobile incident response plan is important

Organizations often leave mobile devices, tablets and even laptops out
of incident response documentation. Mobile devices, however, can
create tangible risks because they enable end users to access
sensitive systems and information.
Security incidents often begin with mobile devices, including social
engineering via phishing or phone calls. Malware-related incidents are
rare, but they are still possible on mobile devices.
Mobile devices can also enable improper or unauthorized user access
and data exfiltration. End users can easily lose mobile devices, which
can put devices and the assets stored on them at risk.

What to include in a mobile incident response plan

At a minimum, IT should include the following sections in a mobile
incident response plan:
Logging, monitoring and alerting. IT should include logging,
monitoring and alerting whether they perform these functions using
standard mobile controls or via a mobile device management, enterprise
mobility management or unified endpoint management tool. IT should
also address logging, monitoring and alerts associated with
technologies that the mobile devices run, including mobile apps;
network connections; and security technologies such as data loss
prevention, multifactor authentication and web content filtering.
Data backups. In the event of theft, loss or another type of exposure,
IT might have to rely on a cloud or local backup to restore
operations. Most mobile devices have many business assets on them that
are exposed to the world, and many devices store the only copies of
Passwords. IT should list the procedures involved to reset a password
once a suspicious or confirmed security event has occurred. If there
is a chance that an unauthorized user has accessed a device, IT should
look beyond the device accounts and consider what to do with the
accounts that end users save in mobile apps and web browsers.
Remote wipe. IT should perform a remote wipe to ensure that network
connections and information assets are not exposed after a loss or
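The logging, password and remote-wipe items above come together when a loss report is correlated against later authentication and data-loss-prevention activity from the same device. The script below is an added illustration, not code from the original post or from any MDM or identity product: it parses a constructed, space-separated event log (timestamp, source, device id, user, action), sorts it by time, and raises one alert per device that shows sign-in or DLP activity between a "device_reported_lost" event and a "remote_wipe_complete" event. The action names, the log layout and the sample events are all assumptions made for the example; a real deployment would map the vendor's own event types onto them.

```python
"""Flag activity on mobile devices after they are reported lost.

Added example for the BreachExchange post on mobile incident response.
Event names, log format and sample data are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # assumed feeds: mdm, idp (identity provider), dlp
    device_id: str
    user: str
    action: str      # assumed action vocabulary, see RISKY_ACTIONS below


@dataclass
class Alert:
    device_id: str
    user: str
    lost_at: datetime
    first_activity_at: datetime
    activity: list[Event] = field(default_factory=list)


# Events that matter once a device is known to be out of the user's hands.
RISKY_ACTIONS = {"auth_failure", "auth_success", "dlp_block"}

# Constructed sample log. Lines are deliberately out of time order to show
# that correlation must sort first. dev-003 is lost and wiped with nothing
# in between, so it must not produce an alert.
SAMPLE_LOG = """\
2024-05-01T08:00:00 mdm dev-001 alice enrolled
2024-05-01T12:05:00 mdm dev-001 alice device_reported_lost
2024-05-01T12:40:00 idp dev-001 alice auth_failure
2024-05-01T12:41:00 idp dev-001 alice auth_failure
2024-05-01T12:42:00 idp dev-001 alice auth_success
2024-05-01T12:45:00 dlp dev-001 alice dlp_block
2024-05-01T13:10:00 idp dev-002 bob auth_success
2024-05-01T09:00:00 mdm dev-003 carol device_reported_lost
2024-05-01T09:20:00 mdm dev-003 carol remote_wipe_complete
"""


def parse_log(text: str) -> list[Event]:
    """Parse the assumed five-field log format and return events sorted by time."""
    events: list[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        ts, source, device_id, user, action = parts
        events.append(Event(datetime.fromisoformat(ts), source, device_id, user, action))
    return sorted(events, key=lambda e: e.ts)


def find_post_loss_activity(events: list[Event]) -> list[Alert]:
    """One alert per device with risky activity between loss report and wipe."""
    open_losses: dict[str, datetime] = {}   # device_id -> time it was reported lost
    alerts: dict[str, Alert] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "device_reported_lost":
            open_losses[e.device_id] = e.ts
        elif e.action == "remote_wipe_complete":
            open_losses.pop(e.device_id, None)  # wipe closes the exposure window
        elif e.action in RISKY_ACTIONS and e.device_id in open_losses:
            alert = alerts.get(e.device_id)
            if alert is None:
                alert = Alert(e.device_id, e.user, open_losses[e.device_id], e.ts)
                alerts[e.device_id] = alert
            alert.activity.append(e)
    return list(alerts.values())


def response_actions(alert: Alert) -> list[str]:
    """Containment and recovery steps from the post's checklist, in order."""
    actions = ["remote_wipe", "reset_device_account_password"]
    if any(a.action == "auth_success" for a in alert.activity):
        # A successful sign-in means saved app/browser credentials are suspect too.
        actions.append("rotate_credentials_saved_in_apps_and_browsers")
    if any(a.action == "dlp_block" for a in alert.activity):
        actions.append("review_dlp_events_for_breach_reporting")
    actions.append("restore_from_backup")
    return actions


if __name__ == "__main__":
    for alert in find_post_loss_activity(parse_log(SAMPLE_LOG)):
        print(f"{alert.device_id} ({alert.user}): lost {alert.lost_at.isoformat()}, "
              f"{len(alert.activity)} events from {alert.first_activity_at.isoformat()}")
        print("  actions:", ", ".join(response_actions(alert)))
```

The wipe event closes the window on purpose: without it, every device that was ever reported lost would keep generating alerts, and the team would stop reading them. Feeding the same correlation the identity provider's and DLP tool's events, as the post recommends, is what makes the loss report actionable rather than just recorded.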
As IT builds out mobile incident response capabilities, they should
incorporate any vendor, customer or contractor devices that might
somehow access, store or otherwise process information on any of the
In addition to including mobile in an incident response plan, IT
should also take an inventory of the organization's systems and
perform vulnerability and penetration testing on mobile devices