There's a lot going on in the computer security incident response arena these days. Whether a hacker is gaining remote access through the use of a well-known password, or an automated script is exploiting a security vulnerability that wasn't patched, or a malicious former employee is getting back into the corporate network to do more than just say hello, the work just keeps coming in for security firms that specialize in incident response. It's a "name your own price free-for-all" for those outside experts, and a burden on the IT resources and budgets for those organizations that do not have a computer security incident response plan and are forced to pay the price.
What happened? What did we lose? Who did it? How did this happen? Why did this happen to us? These questions are heard often in today's business world. The lack of preparation for computer security breaches is truly a business nightmare and it once again proves that organizations have not yet fully embraced effective information security practices. It's only getting worse, and no one but the victim is to blame.
Imagine, or perhaps empathize with, this scenario. You come into the office one morning, and you've got several alerts on your network monitoring system. The Web server screen is blank, you're having trouble logging in to the network, and your phone is ringing off the hook with people saying that the customer database is no longer out on the shared drive. Immediately, the first question, "Have we been hacked?" pops into your head. The next thought may be, "Surely not -- we don't have anything on our systems that a hacker would want." The second question you may have depends on whether or not you have a well-thought-out incident response plan. If you do, your question might be, "What's the first step?" (hopefully not, "Where did I put that darn thing!?"). If you don't have an incident response plan, your question might be, "Oh no, what do I do?" or "Who do I call?" or "Where do I start?" IT and security managers in the majority of organizations will be asking the latter questions -- while in panic mode.
I'll assume that you don't like the thought of operating in panic mode and especially don't want to think about the possibility of your organization's vital network infrastructure -- maybe even your job -- being under attack. If you already have an incident response plan, then major kudos to you. Keep up the good work. If you don't have a plan in place, you've got to give it more than just thought -- you've got to make it happen. There's a myriad of books, white papers and how-to articles that have already been written on the subject of incident response, so I won't get into the details. I do encourage you to check out www.cert.org and your favorite bookstore to get started on this. Take this information and customize it for your organization.
When you decide to move forward, you've got a lot of decisions to make, a team to build, a communications plan and response procedures to write, and policies to enforce. One critical thing you will need to determine is whether or not your organization will want to pursue the intruder if there are signs of criminal activity. This can affect everything from the tools used, to the expertise required. Collecting forensic evidence is a science within itself. Get key decision makers and legal counsel involved, and think it through. Above all, make sure you proactively manage your plan and that your incident response team is prepared for battle when the time comes.
Two critical areas that are often overlooked regarding incident response are communicating the incident response analysis and findings to upper management as well as determining how to prevent other security incidents in the future. Your time and effort toward all of this shouldn't go to waste. Make sure you outline this in your plan and stay on top of it when the moment of truth arrives.
There are technologies that can be put into place to thwart attacks against your information. There are also human factors to consider, like general security awareness. You may have already mastered these technical and people issues as they relate to security within your organization. Even if you have, none of it will be of any significance or value if you do not have an incident response plan in place at the time you are hacked.
Maybe you're concerned about the up-front time and effort that will be required to craft an effective incident response plan. This could equal more dollars thrown into that popular security money pit that provides no payback, right? Well, security incidents happen, and they happen to everyone -- eventually. The research is out there to prove it. It's much cheaper to develop a plan before an incident occurs. Even if you have to outsource it, just do it. With a documented plan, you can rest assured that when the time comes for your company to experience a computer security breach, you can call in the troops and hit the ground running, protect your network, maintain critical business functions, and keep your business and customer information confidential. How's that for ROI?
We are almost always behind the eight ball when it comes to managing security vulnerabilities and deterring security threats. That's probably not going to change any time soon. There are a lot of malicious users out there, perhaps even more of them than us, and they have a lot of time on their hands. You have a choice regarding incident response. Come up with a plan now when you're calm and can think straight, or come up with one later when you're running around on red-alert status with people breathing down your neck demanding answers. Which sounds better to you?
About the author
Kevin Beaver has authored many articles and taught numerous workshops on information security and HIPAA compliance. He is the founder of Principle Logic, LLC, an information security consulting firm based in Atlanta, GA. Kevin can be reached at firstname.lastname@example.org, or you can submit your questions to him via SearchSecurity's Ask the Expert feature.
This was first published in January 2003