by David J. Peck, CISSP, C|EH, EnCE
President, David J. Peck & Associates, LLC
“We have been hacked!” This is not something a chief executive officer would ever want to hear from his/her information technology staff. Likewise, a consumer would not want to hear the same words from a company to which they have entrusted their sensitive information.
In recent news, there have been multiple breaches among companies that consumers do business with on a daily basis. Many questions arise as to how the company is dealing with the cleanup, and whether any further data loss is occurring. But how do companies respond to a breach, and how do they prevent it from recurring?
When an incident occurs, it is critical to follow an established incident response procedure with specific steps. Each of these steps is necessary to effectively investigate an incident and resume normal business operations.
Step 1- Preparation: You should have a well-trained team ready to respond to any type of incident at a moment’s notice. Your responders should have the ability to manage various incidents such as power outages, hardware failures, and malicious activity. Several key elements must be in place to prevent avoidable problems while handling an incident.
- Policies must be in place which provide guidance on acceptable use, behavior, and the consequences associated with not adhering to the policy.
- A response plan and strategy should be created to prioritize incidents based on the impact to the organization.
- A communication plan is necessary to contact key individuals during an incident.
- Documentation is extremely critical so that you may answer basic questions such as who, when, where, why, and how. If the incident leads to a criminal investigation, the documentation could prove valuable as evidence in the investigation.
- The Incident Response Team should be made up of several people of different experiences, so that they may handle the various issues that may arise during an incident.
Step 2- Identification: This phase involves detecting an event and determining that a deviation from normal operations has occurred. Indicators may come from log files, error messages, intrusion detection system and firewall alerts, and other sources.
Step 3- Containment: The primary purpose of this phase is to limit the amount of damage and prevent further damage from occurring. This may be as simple as removing the network connection to the compromised system.
Step 4- Eradication: This phase of the incident response process involves removing the threat from the system and returning it to a normal state. For example, removing a virus from an affected system would be considered eradication.
Step 5- Recovery: This involves bringing affected systems back into the production environment. Special care must be taken, through additional monitoring, to ensure that no further damage occurs.
Step 6- Lessons Learned: This is the last and most critical phase. The purpose is to complete any documentation which focuses on the step-by-step remediation process. Lessons learned can also be used as training for any future team members.
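As an added example of the identification and documentation steps above (this is illustrative code, not the author's or any product's), the following Python script parses a small, constructed sshd-style log, flags a burst of failed logins from one source that ends in a successful login, and opens an incident record that answers who, when, where, why, and how, with a timeline to which containment actions are appended. The host names, IP addresses, threshold, and time window are assumptions chosen for the example.

```python
"""Added example (not from the original article): identification and
documentation steps applied to a constructed authentication log."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample sshd-style log lines; hosts and addresses are hypothetical.
SAMPLE_LOG = """\
2016-02-10T08:01:02 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51012 ssh2
2016-02-10T08:01:04 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51013 ssh2
2016-02-10T08:01:06 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51014 ssh2
2016-02-10T08:01:08 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51015 ssh2
2016-02-10T08:01:09 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51016 ssh2
2016-02-10T08:01:11 web01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51017 ssh2
2016-02-10T08:05:30 web01 sshd[2230]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2016-02-10T08:30:00 web01 sshd[2250]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    host: str
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse sshd-style lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce_success(events, threshold=4, window=timedelta(minutes=5)):
    """Identification: flag a source that fails at least `threshold` times
    within `window` and then logs in successfully (assumed indicator)."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in failures[ev.src] if ev.ts - t <= window]
        failures[ev.src] = recent
        if ev.result == "Failed":
            recent.append(ev.ts)
        elif len(recent) >= threshold:
            findings.append({"src": ev.src, "host": ev.host, "user": ev.user,
                             "failures": len(recent), "first": recent[0],
                             "success": ev.ts})
            recent.clear()
    return findings


@dataclass
class IncidentRecord:
    who: str        # responder handling the incident
    when: datetime  # first related event
    where: str      # affected host and source address
    why: str        # working hypothesis of the cause
    how: str        # indicator that identified the incident
    timeline: list = field(default_factory=list)

    def log_action(self, ts: datetime, actor: str, action: str) -> None:
        """Documentation: every observation and response action is timestamped."""
        self.timeline.append((ts, actor, action))


def open_incident(finding: dict, handler: str) -> IncidentRecord:
    """Turn a finding into a record answering who, when, where, why, and how."""
    rec = IncidentRecord(
        who=handler,
        when=finding["first"],
        where=f"{finding['host']} (source {finding['src']})",
        why=f"suspected credential guessing against '{finding['user']}' ending in a valid login",
        how=f"{finding['failures']} failed logins within {timedelta(minutes=5)} followed by success",
    )
    rec.log_action(finding["success"], "sshd", "successful login after repeated failures")
    return rec


def incident_report(rec: IncidentRecord) -> str:
    """Render the record as the plain-text summary a report would carry."""
    lines = [f"Who:   {rec.who}", f"When:  {rec.when.isoformat()}",
             f"Where: {rec.where}", f"Why:   {rec.why}", f"How:   {rec.how}", "Timeline:"]
    lines += [f"  {ts.isoformat()}  {actor}: {action}" for ts, actor, action in rec.timeline]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in detect_bruteforce_success(parse_log(SAMPLE_LOG)):
        rec = open_incident(f, "on-call responder")
        # Containment decision recorded on the timeline (constructed timestamp).
        rec.log_action(f["success"] + timedelta(minutes=2), "on-call responder",
                       f"containment: network connection for {f['host']} removed")
        print(incident_report(rec))
```

Only the first source is flagged: its five failures fall inside the window and are followed by a success, while the second source's single failure is outside the window when its successful login occurs. The record is the artifact the Lessons Learned phase depends on, so actions are logged as they are decided rather than reconstructed afterwards.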
Having handled many incidents as a response team leader, I have found the major shortcomings to be:
- A lack of personnel that are well trained to handle an incident
- A lack of evidence available to conduct those investigations
As with any preparation, training and testing for various types of incidents are most important. Tabletop exercises can assist in identifying deficiencies and assessing readiness.
David Peck is a former Electronic Warfare Technician with the US Navy, a retired PA State Trooper and a former CIA officer. In addition to being a licensed private investigator in PA, David holds several leading certifications in the field of Cybersecurity.
Special Note: NWIRC will bring together a variety of cybersecurity experts to host Cybersecurity 101 for Manufacturing on February 16, 2016 from 8:30-10:00am in Erie, PA.