Incident response: a common failing
Organisations hit by cyber attacks often lack an effective incident response plan. Why are so many unprepared?
Investigators called in after organisations are hit by cyber attacks have said in many cases there is no effective incident response plan. But why are so many failing to prepare for the inevitable?
The most basic problem is people at many organisations still do not consider cyber attacks as inevitable, because they either believe their defences are good enough or they don't think they will be targeted.
Ken Yearwood, European sales director for Guidance Software, said European organisations think that because relatively few data breaches are reported on the continent, it is less of an issue than it is in the US.
Firms in the US are already required by law to report breaches of personal data, creating the false impression such attacks are relatively rare in Europe.
“European firms should learn from US breaches and assume the same kind of attacks are being used elsewhere in the world and could soon be used against them,” said Yearwood.
The next problem is organisations do not understand the true value of effective incident response plans in reducing the scope of an attack by identifying its source and shutting it down quickly.
The correlation between incident response planning and recovery is clear, according to Vladimir Jirasek, managing director of Jirasek Consulting Services.
“Organisations will recover from targeted attacks proportionally to their incident response preparedness,” he said.
The lack of an incident response plan means organisations can take up to 10 weeks to understand what happened, said senior director of professional services at Guidance Software Nick Pollard.
“If they are forced to call in third-party incident responders, it can cost around £90,000 over that period of time,” he said.
The lack of an incident response plan is often compounded, said Pollard, by the fact that even when they do find out what went wrong, IT managers may not tell anyone in an effort to cover their own backs.
This typically means the learning is not passed on or documented as part of an incident response plan, which means the organisation remains vulnerable to similar attacks in future.
According to security consultants, the process of setting up an incident response plan can deliver value to the organisation.
“Initial planning alone will reveal gaps in communication, policy, technical capability, roles and responsibilities that may require urgent attention,” said senior research analyst at the Information Security Forum Dave Clemente.
Testing incident response plans
But even where organisations have drawn up incident response plans, investigators find they are not always effective because they have never been tested.
Darren Anstee, director of solutions architects at Arbor Networks, believes this is an extension of the apathy that exists around any enhanced security control that affects how easy it is to access data.
“We find among businesses that have implemented incident response plans, a much lower percentage actually exercise these plans to ensure they function optimally,” he said.
According to Clemente, simulation exercises can prevent confusion by engaging with all the key stakeholders to set clear expectations and post-breach actions and responsibilities.
Senior vice-president of security strategy at NTT Com Security Garry Sidaway quantified the size of the problem.
“In 80% of the callouts we do, organisations either have no incident response plan or they have not tested to make sure it works,” he told Computer Weekly.
Sidaway cites one case in which it took an organisation three months to shut down an attack because of a poor incident response plan.
“Everyone assumed someone else was taking care of it, which illustrates that communications are a vital part of any incident response plan,” he said.
According to Sidaway, this includes internal communications as well as external when considering the cause of an incident and how it is being mitigated.
“Internal communication is often missed out, but as this case shows, it is just as important as external communications.
“Internal communications should also include guidelines on what employees can tell their friends and families who may ask about an incident once it becomes public,” he said.
However, Sidaway believes failure to draw up or exercise an incident response plan is just as common as failure to ensure basic security controls are in place and to test that they are working as intended.
“We still see firms spending time and money tackling headline-grabbing attacks and vulnerabilities, and focusing on the next layer of security, but failing to ensure existing controls are effective,” he said.
The result of this oversight, said Sidaway, is organisations continue to be vulnerable to long-standing, well-documented attack tools and techniques.
“Organisations also need to focus on simplifying and consolidating security systems to enable better management and testing. Complexity is the enemy of security,” he said.
According to a Ponemon Institute survey of IT security professionals, the majority consider themselves too bogged down by security events and event data.
This means they feel they do not have the time to determine which incidents warrant a thorough investigation or carry out any investigations at all.
According to 61% of those polled, endpoint security products create too many alerts, while 85% said their organisations are unable to prioritise security incidents.
Security support for SMEs
In the UK, the biggest challenge is to bring the country’s small and medium-sized enterprises (SMEs) up to speed, according to Chris Gibson, director of the national computer emergency response team (Cert-UK).
“We work mainly with suppliers of critical national infrastructure that tend to have good, well-exercised incident response plans,” he said.
These suppliers of critical infrastructure and public sector organisations can also call on members of the government’s Certified Incident Response scheme announced in November 2012.
The first cyber security consultancies to be certified under the scheme were announced a year later.
Gibson said SMEs typically need to improve awareness of threats and threat actors to enable better decisions around cyber security.
Recognising SMEs often lack the resources of larger organisations, he said SMEs should seek the support from specially tailored services, such as Cyber Assist by Nominet.
“SMEs that find it difficult to justify the cost of in-house security expertise should seek services designed to provide them with the knowledge and help they need to keep themselves secure,” said Gibson.
A lack of time and resources appears to be one of the biggest reasons organisations fail to implement incident response plans.
However, it is also clear information security teams need to improve their situational awareness and their ability to prioritise security alerts to ensure all relevant incidents are investigated thoroughly.
The findings of these investigations should be fed back into the security planning process to ensure continuous improvement through learning from past mistakes.
Although they should focus on building an incident response capability, information security professionals also need to recognise their limitations and get help where necessary.
Where those responsible for information security are unable to meet the needs of their organisation, they should seek out services to provide appropriate incident response support for their size and type.