“It won’t happen to us” is a common myth that organizations tell themselves when it comes to cybersecurity. Although attacks happen daily, many organizations are still convinced that they are exempt from this phenomenon. Nothing could be further from the truth.
Investigators who respond after these attacks testify that in many cases there is no solid incident response plan to begin with. Even worse, some groups have plans, but the plans are not adequate to prevent compromise or to mitigate the damage afterwards.
In a recent CSO Online article, Dr. Claudia Johnson compares incident response planning to practice for fire drills. In the article, she outlines what she deems as a “non-fatalistic” approach to incident response planning, and she offers the following tips to avoid falling into the “que sera sera” [whatever will be will be] attitude:
- Practice. Think of this [incident response planning] as a fire drill. If no one knows what is to be done, even the best conceived plan would not succeed.
- Review the plan at regular intervals. Are email addresses and telephone numbers up to date? Has the company’s data center been moved or is there a new one? Be sure to include some kind of change management procedures. If major changes are required due to a new organization or infrastructure, a clearly documented change process is necessary.
- Document and preach. Make sure all of the details (see the ‘Security Incident Response Plan’ section in the full article) are documented and that all relevant staff have access. Conduct regular interviews or checks to make sure staff know the document and have an understanding of its contents.
- Review each major incident afterwards. Details such as the root cause, delayed responses and unclear sets of responsibilities must be identified, and remedial actions should be included in an updated version of the Incident Response Plan.
- Any internal, Managed Security Services Provider (MSSP) or Security Operations Center (SOC) needs a reliable ticketing system. Assuming that users follow process by lodging a ticket as the first step, this will provide valuable data to track diagnosis and mitigation effectiveness, and can be leveraged to force improvement measures.
For more information regarding Dr. Johnson’s approach to incident response planning, see the full CSO Online article.