The following is an article I wrote for the Emergency Services Ireland Magazine:
Once the realm of IT security professionals, computer security is now an issue and concern for all business people. Recent high-profile security breaches include the one at eBay, which exposed over 140 million users’ details; the Target retail chain in the US, where 100 million customers’ credit card details were stolen by criminals; and a US bank which lost over US $45 million within 24 hours. Nearer to home, the Clare-based Loyaltybuild company suffered a security breach late last year which exposed customers’ credit card details, and earlier this month the news headlines highlighted how police disrupted a criminal gang’s virus network which had been used to steal over $100 million.
In 2013 IRISSCERT, Ireland’s first Computer Emergency Response Team (www.iriss.ie), dealt with 5,800 security incidents affecting Irish businesses, up from 432 incidents in 2012. Many of these incidents involved companies’ websites being hijacked by criminals, either to host phishing pages or to infect the computers of visitors to those sites with computer viruses.
Cyber crime is now big business and criminals are looking to steal information such as financial details, credit card information, personal details, or any other information which they can sell or trade. These criminals are becoming more and more sophisticated and employ many different methods of attacking companies’ computer networks.
As a result it is incumbent on every company and organisation to ensure that its networks, systems, and data are secure. However, there is no such thing as 100% security, so you also need to be properly prepared for the event that the preventative measures fail and a security breach occurs.
Information security is only as effective as the response it generates. A structured response ensures that an incident is recognised early and dealt with in the most appropriate manner, minimising the damage to your organisation in terms of reputation, the cost of dealing with the incident and regulatory concerns such as Data Protection, and preserving your ability to prosecute those behind the incident.
In order to implement an appropriate incident response, you should ensure the proper people and processes are involved and that the most appropriate response is developed based on the type of incident. Some incidents will require no response at all, others only an automated response, e.g. a firewall dropping a connection to a blocked port, whereas others will require a more complicated response involving personnel from various parts of the organisation and different levels of management.
It is also important to ensure that all personnel involved in responding to an incident are properly trained and versed in their responsibilities. If the skills are not available in-house then they should be sourced elsewhere. In addition you should make sure that all related policies and procedures are regularly tested and reviewed to ensure their effectiveness and applicability. You should also put in place a review process so that lessons are learnt from any incident that requires a response.
The response required to an incident will depend on a mixture of business and technical drivers, as the type of response can affect employee, customer, and public relations and may even have legal ramifications. It is therefore essential that clear, concise and accurate processes and procedures, approved by senior management, are in place for all personnel to follow.
Remember that many incidents happen outside office hours or when key personnel are not immediately available, so ensure your plans take this into account.
As with all emergency planning, you should also ensure that you have all the roles, responsibilities, policies, procedures, and tools in place before you suffer a security incident. The middle of a security breach is not the time to be developing your plans. Care should be taken in your incident response processes and procedures to detail how to preserve and record all information and potential evidence relating to an incident in case a criminal or civil case ensues.
Many incidents may simply require an automated response. For example, a known computer virus detected in a file can be automatically deleted by the anti-virus software without any further response. However, an attack against your organisation’s website will require a more measured response and may require the involvement of senior management to decide whether to shut the website down to minimise the damage, or to allow the attack to continue so that further evidence can be gathered in case a legal case follows.
To manage a security incident you need to establish your Incident Response Team. The Incident Response Team will be responsible for managing your organisation’s response to an incident and how the organisation interacts with third parties such as police, regulatory bodies, customers, employees and the media.
Your team should be made up of a number of people with knowledge and skills in different areas. It may be necessary for you to source certain skills externally to the organisation. For example, forensic evidence-gathering skills are not commonplace and are often better sourced from vendors who specialise in this area. If this is the case then you should have a formulated process in place to ensure that resource is available when required. The team should be multi-disciplined with input from various parts of the business. Naturally you will need expertise from people in IT Security and the IT teams; however, you will also need legal advice on how to proceed with the incident and PR expertise to manage how your company communicates with parties such as the media, staff, and the public.
Managing a security incident can be a major challenge for your team. On the one hand you need to allow adequate time and resources for investigating the incident, while on the other hand you need to restore the affected systems to operational status as soon as possible.
To this end there are a number of key phases in managing a security incident that you need to be prepared for: containment, eradication, and recovery.
Containment involves limiting the scope and impact of the security incident, in particular to ensure that no other systems are compromised or sensitive data exposed to the attackers. Your Incident Response Team should decide on how best to contain an incident. This may involve shutting down a server or servers, disconnecting the compromised systems from the network, or indeed disconnecting the company from the Internet. Obviously the impact of the containment on the business needs to be balanced against the needs of the investigation team.
Eradicating an incident entails identifying and removing the root cause of the information security incident. Simply restoring a system to operational status without identifying the root cause of the compromise may result in the incident re-occurring at a later stage.
To ensure the root cause has been identified and eradicated, and to support any future criminal or civil court case, you should ensure the following:
- All relevant evidence is gathered in a forensically sound manner by trained personnel using approved software and equipment.
- All steps and actions taken by the team during the incident are clearly documented.
- The original media and log files being investigated, and every copy taken of them, are hashed and digitally signed, and the originals are stored securely to prevent tampering.
- All subsequent investigation is conducted on verified copies of the original media and log files, never on the originals themselves.
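The hashing and verification steps above are straightforward to automate, and doing so removes the chance of an analyst forgetting them at 3 a.m. The following is an added example, not code from the article: it hashes each original at acquisition, records who acquired it and when in a manifest, signs the manifest, and refuses to let an analyst work on a copy whose hash does not match or whose manifest has been edited. The sample evidence (a small stand-in “disk image” and one web server log line), the custodian name and the key are all constructed for the demonstration; the HMAC signature stands in for the asymmetric digital signature a real evidence custodian would use.

```python
"""Evidence integrity for incident response: hash the originals at acquisition,
sign the manifest, and refuse to analyse any working copy that does not verify.
Added example with constructed sample evidence; not from the original article."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Hypothetical custodian key. HMAC stands in here for a real digital signature;
# in practice the manifest would be signed with a private key held by the
# evidence custodian, not a shared secret kept in source code.
MANIFEST_KEY = b"irt-demo-key-not-for-production"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sign_manifest(entries, key=MANIFEST_KEY):
    """Sign the canonical JSON form of the entries so a later edit to any recorded hash is detected."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "signature": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key=MANIFEST_KEY):
    """Recompute the signature over the entries and compare in constant time."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["signature"])


def acquire(original_paths, custodian):
    """Record each original's hash, who acquired it and when, then sign the record."""
    entries = [{"name": os.path.basename(p),
                "sha256": sha256_file(p),
                "acquired_at": datetime.now(timezone.utc).isoformat(),
                "custodian": custodian} for p in original_paths]
    return sign_manifest(entries)


def verify_copy(copy_path, manifest):
    """A working copy may be analysed only if the manifest is authentic and the hash matches."""
    if not verify_manifest(manifest):
        return False, "manifest signature invalid"
    recorded = {e["name"]: e["sha256"] for e in manifest["entries"]}
    name = os.path.basename(copy_path)
    if name not in recorded:
        return False, "no record of this item in the manifest"
    if sha256_file(copy_path) != recorded[name]:
        return False, "hash mismatch: copy differs from acquired original"
    return True, "verified"


def demo():
    """Run the workflow on constructed evidence: a clean copy, an altered copy, a forged manifest."""
    work = tempfile.mkdtemp()
    originals, working = os.path.join(work, "originals"), os.path.join(work, "working")
    os.makedirs(originals)
    os.makedirs(working)
    img = os.path.join(originals, "disk01.img")   # constructed stand-in for a disk image
    log = os.path.join(originals, "access.log")   # constructed web server log line
    with open(img, "wb") as f:
        f.write(bytes(range(256)) * 16)
    with open(log, "w") as f:
        f.write('203.0.113.7 - - [12/Jun/2014:03:12:45 +0100] "GET /admin.php?cmd=id HTTP/1.1" 200 512\n')
    manifest = acquire([img, log], custodian="analyst.one")

    img_copy = shutil.copy(img, working)
    log_copy = shutil.copy(log, working)
    clean = verify_copy(img_copy, manifest)
    with open(log_copy, "a") as f:                # someone edits the working copy
        f.write("extra line\n")
    altered = verify_copy(log_copy, manifest)
    forged = json.loads(json.dumps(manifest))     # someone rewrites the recorded hash to match
    forged["entries"][1]["sha256"] = sha256_file(log_copy)
    forged_manifest = verify_copy(log_copy, forged)
    shutil.rmtree(work)
    return clean, altered, forged_manifest


if __name__ == "__main__":
    for label, (ok, reason) in zip(("clean copy", "altered copy", "forged manifest"), demo()):
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The two failure cases are the ones that matter in court: an altered copy is caught by the hash, and an attempt to “fix” the manifest so the altered copy passes is caught by the signature. Store the signed manifest alongside the chain-of-custody documentation, and re-run the verification every time a copy is handed to a new analyst.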
The recovery stage begins when you are confident the incident is over and has been properly dealt with. Recovery means restoring the affected system(s) to their normal operational status. This may require restoring systems from backups or system images, or reinstalling from known and certified original media. A key thing to remember is to make sure that your backup media is secure and that you have not previously backed up a computer virus, any of the attackers’ tools, or the system vulnerabilities that allowed the attackers to break into your system in the first place.
There is an old saying that “practice makes perfect” and this is especially so when it comes to incident response. Security incidents should by their nature be rare, so it is important to ensure that regular training and exercises take place with your team so they are better prepared in the event of a real security incident. These exercises should be used to identify any weaknesses or areas for improvement in your incident response process.
You should consider running your exercises, whether they are desktop exercises, role playing, or full-blown simulations, at various times of the day to test the effectiveness of your incident response process. Remember that attacks can happen at any time, as those attacking your systems can be located anywhere in the world. If an incident occurred at 3 a.m. on a Saturday morning, how many of your team would be available and, more to the point, effective? What would happen if the incident occurred at a time that was inconvenient for key team members, such as during the morning school run or the evening rush hour? Running these scenarios can identify where you may need to provide remote access for key personnel on the team or have alternative people available.
Subsequent to any information security incident, be it a live incident or a practice scenario, a thorough review of the incident should be conducted. The purpose of this review is to ensure that the steps taken during the incident were appropriate and to identify any areas that may need to be improved. Any recommended changes to policies and/or procedures should be documented and implemented as soon as possible.
In today’s interconnected world, with its high dependency on computers and networks, a security incident is no longer a case of “if it will happen” but rather “when it will happen”. Being prepared is key to ensuring you and your company can survive a security incident and respond to it with confidence.