A Handy Guide to Incident Response in 2017: SOUTECH cybersecurity tips and guideEsang U. E
The theory behind data breaches is straight forward which involves sending an alert to all the affected systems, communicating on the next steps of action, and making plans to prevent it from happening again. Although it doesn’t always seem to work out like that.
I’ll use Yahoo and Target as major example because in September 2016, both organisations failed at incident response. In the case of Yahoo, it was said that two years ago, the data associated with over 500million user accounts was being stolen. Over 1 billion accounts were hacked in December, 2013.
Yahoo took too long to report a security breach and was criticized by Congress. Despite the fact that they are being widely reported, the CEO of Yahoo, Marissa Mayer is on the hot seat, the company’s chief counsel has also resigned, Verizon has been delayed of its $4.83 billion acquisition of Yahoo and the price lowered drastically by $350 million.
Target also suffered a massive data breach and when data breaches are involved, an open, honest/accurate and timely communication is important. Target did not even break the news to their customers until BRIAN krebs; a cyber journalist did.
Jake Williams, the founder and president of Rendition Infosec said that cyberattacks have come in several prominent and highly visible ways, but the threats have always existed. So the problem is not if there is going to be another attack, but the issue is when the attack will come.
I therefore offer five tips to help companies prepare for attacks whenever they come. I doing this because, the incident response process is often is difficult and most firms and companies have failed when they encounter attacks.
- Create a Playbook.
A well described, detailed and step-by-step process for everything you need to do in an incident response can be found in the incident response playbook. Specific instructions for carrying out incidence response in your environment with the tools inclusive is included in the IR playbook. We will consider two soccer coaches where one coaches a little league team and the other a professional team. The little league coach knows quite well that if a player has muscle cramps, a sports medicine specialist would be ideal to look after such cases but there will be little or less benefit including this in the playbook when the specialist is not available. Therefore, information about the skills and tools needed to help the team in all situations should be included in the playbook. What I am saying here is that an incident response team must have a detailed playbook to handle every type of computer breach that may come up.
- Employ System Baselines.
System baselines are vital in incident response because it helps the team to detect when an incidence occurs and also to focus only on the drivers, registry keys and new processes. During an incident, system baselines are worth their weight in gold. We can liken an incident to putting up lights in a basement for the first time. This may look scary and weird to a stranger who may not have known the basement well but someone who know the basement is never afraid of it. because the team has baselines and a map of what things should look like, they can only place their focus on things that are not in order or out of place.
- Involve Non-Traditional Staff.
Staffs such as network forensic experts should be included in the IR team because they are more obvious positions. Team members however such as legal counsels, business unit leaders and PRs occupy a less obvious position. If the incident comes to public light, then we can involve the legal counsels and PRs at the beginning stages. Business unit leadership is very vital because they play a supporting role. Include business unit leaders early so they can understand how the incident response activities will affect the teams’ operations.
- Make Use of Tabletop Exercises Liberally.
Simulations where an exercise leader schemes through different possible scenarios by making use of a series if injects are known as tabletop simulations. Military experts may identify this as war-games or sand table exercises. The sole essence of the tabletop exercise to make sure that members of the IR team are always ready for unplanned situations i.e. situations that were not encountered in previous times. In traditional incident response, it is expected that the staff won’t have to perform all the actions involved in an incident response but resources are rather assigned to handle issues and verbalize task. All IR teams are expected to perform at least one tabletop exercise in a quarter and most ideally once in a month. A professional IR can walk through one or two incidents in a day.
- Learn the Business Language.
Lastly, we will discuss briefly on learning business languages. Every business has a language peculiar to it, it is expected of staff to learn the language of the business. The responder of no doubt has to understand more about the incident response process than the business, but it is not the often the perception when screwed means of communication is employed. IRT (Incident response Teams) should be able to listen to how the business owners communicate with each other and employ the same language. They should try to mimic language patterns, vocabularies and euphemisms of the business leaders which is a sure path to success.
In any case where a computer related incident occurs, the following guidelines should be able to guide you through not forgetting that the IRT must always be prepared with or without an incident taking place.
To know about the incident response process and how to prepare a team from your organization subscribe to learn our incident response modules at Soutech web consultants.
Enroll for a cyber security course TODAY! Get trained, become an inevitable asset to your world. Check below link or call 08034121380 NOW. You can also take your classes – (a) Online (b) Classroom (c) Training Kit (d) Beskpoke/Custom/Group/In House class