Being prepared for a cybercrime and having an incident response system or plan in place means that you subscribe to the notion that "keeping the bad guys out is a losing proposition", as Brian Krebs put it. I couldn't agree more, but what more can you do to make sure that your plans for taking action bring the best outcome, given that no outcome will be optimal?
Here’s a list of items that I have picked up from listening and reading content from some of the best cyber crime response professionals in the industry.
- Fire drills: Try this with your CSO's permission. Download a large file from a critical server and then upload it to an internet site. Then call the help desk with the event timestamp and file size to see how fast they can track it down. Is the event eventually escalated to the CSO? How long did it take?
- Time constraints on each step of the Incident Response Plan are crucial. 20-30 minutes to track down an IP address and the user who authenticated it onto the network is ample.
- Once the breach has been confirmed, are you ready to engage a 3rd party to investigate what may have happened to the data? For example, is it for sale out on the Internet? What are the names and telephone numbers of the vendor(s) you plan to call? Be ready, and understand how their fees apply to your situation.
- Do you have an Incident Response System in place that allows you to go back weeks or months to investigate the scene of the crime? What technologies are you relying on (NetFlow, Syslog, Eventlog)?
- What are your legal responsibilities? Does your business fall under regulatory compliance regimes like HIPAA, PCI or others? How much time do you have? Who do you have to contact? Should you write a press release?
- What are your contractual obligations? Have people in your company signed contracts with other vendors that clearly state that security breaches involving their information must be brought to their attention? Have you listed out the vendors?
The above is by no means a complete list for your Incident Response Plan; it is intended only to highlight a few items that may need to be incorporated. Keep in mind that although your company could fall victim to a targeted attack, most companies in the news are compromised due to poor security measures. Consider the breach of 250 Subway sandwich shops, for example: in interviewing the individuals involved with the infiltration, investigators determined that they didn't target Subway specifically. In fact, it was just luck that so many got hacked. There are about 25,000 Subways in the U.S. and many had poor online security. Since the event, Subway has spent 5 million upgrading its cyber security systems. The lesson: don't let your guard down just because you have an Incident Response System and plans to take action in the event there is a compromise.