The second part of this list of the top incident response steps looks at the importance of tracking intruders correctly, limiting reputational damage, ensuring business continuity
6. Track the intruder.
Before organisations can decide how to track intruders, it's necessary to determine through an incident response plan if policy will be to prosecute in all cases of breach, regardless of whether the actual hacker is caught. Even in cases where it's impossible to identify an attacker, the policy may be to prosecute anyone at fault, including hosts or third-party providers. This will, in turn, determine how the organisation must track the intruder or other guilty parties. If there is a policy to prosecute, then all tracking must be done forensically so as not to compromise or contaminate evidence that might be used at court.
Defense lawyers are quick to argue that evidence is inadmissible if it is not collected in accordance with accepted forensic procedure. For this reason, it is essential that an organisation make contact with a forensic investigation specialist at the outset, in order to include relevant guidance within the plan. If you propose to outsource all hacker tracking to this third party, ensure relevant contact details, including out-of-hours contacts, are included in the plan.
If the intention is to handle the investigation in-house, ensure the response team members are familiar with both the tools they must use and the correct application of those tools to stay within the boundaries of properly collected evidence.
7. Limit the brand damage to your business.
It is all too easy to assume the breach itself, or, rather, the loss of data arising from it, is the biggest problem the business faces. In truth, the reality in many cases is that it is the public perception of how the company responded to the breach that can cost the most in terms of brand positioning and loss of reputation.
Planned and measured disclosure under the full control of the incident response team is always a better option than reacting to incomplete or speculative media reports. However, it is vital that the company take legal advice when preparing its incident response plan to ensure disclosure is in accordance with the law in the organisation's part of the world, and with the compliance requirements of its industry sector.
Involve human resources and corporate communications departments in the disclosure planning process as well, as they will be on the front line when it comes to dealing with customers, staff and the media. Finally, while timely disclosure is almost always advised, 'timely' does not mean rushed. Verify the facts of the matter before telling customers or the media. If the company underplays the seriousness of a breach and then has to correct this later and admit things were actually much worse, the damage can be as great as if it had said nothing at all.
8. Don't forget about business continuity.
Business continuity and incident response plans should form part of an integrated incident management strategy. This way, the incident response team will be able to make decisions with business continuity and data recovery in mind, as well as dealing with the pure security threat response.
This means a thorough analysis is necessary of what is required to keep the business running when critical data and critical systems are temporarily unavailable. As with the incident response plan itself, a business continuity plan is only as reliable as the number of different test scenarios the organisation has put it through.
Be aware that business continuity is not the same as data backup and recovery, which is just a small part of the overall process. Also, take into account that business continuity must always be approached from the bottom line. If the cost to the business of applying a business continuity plan is more than the cost of doing nothing and losing a couple of days' worth of business, then such a plan isn't worth the effort. However, if the breach is severe enough, all businesses will reach a point where they are losing more by shutting down operations than by implementing a plan, so every organisation should have some sort of catastrophic business continuity plan in place at the very least.
As with the incident response plan, a business continuity plan should be revised annually to ensure it is dynamic enough to meet the changing demands of the enterprise.
9. Prevent future data breaches.
If an organisation is unfortunate enough to have suffered a security breach, make sure that, after the incident response is complete, the company looks beyond the response plan and performs a proper analysis to determine the root cause of the problem, rather than just the technical cause. For example, the technical cause of a breach might be an unpatched server or a misconfigured security device, but the root cause can often be found in a poor management process or a lack of adequate IT security funding. Address any underlying management and control issues, rather than just applying a technical vulnerability patch to network security. Unless these issues are identified, understood and rectified, the chances of a repeat breach are high.
Technologies shouldn't be overlooked either. Every layer of the security defences should be examined and, applying the "only as strong as the weakest link" theory, any chinks in the security armour reinforced. By combining both approaches, management and process along with technical defence, the ultimate layered approach to security can be achieved and the chances of suffering from a similar breach in the future reduced considerably.
10. Make sure everyone in the business learns from the experience.
Don't think of a security breach in purely negative terms; it can also be a positive experience if the company is willing to learn from its mistakes. Revisit the incident response plan and update it if things didn't run as smoothly as intended. This will put the organisation in a better place to deal with future attacks.
Similarly, use the incident as a cue to involve all staff in the security process. Draw on the experience to boost employee security education, showing them not only how the business responded to the attack, but advising them how they can help prevent such attacks in the future.
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
This was first published in June 2011