THE IT SECURITY PROFESSIONAL
How will you respond?

When it comes to IT Security, there is nothing that strikes fear into the hearts and minds of young analysts like having to respond to a possible security breach. What do you do? Who needs to know about this? How is this going to affect our company? These are just some of the things that go through your mind when you get that call at 3:33 am. How are you going to handle this?

Planning

This is one of the most stressful issues to address as an organization, and it should be thought out thoroughly. This is when experience and knowledge come in handy. Knowing what to expect and having an idea ahead of time about how to handle things will go a long way toward how well you address an incident. Planning the response to an incident should be done when the management team is not under stress, so that clear and concise decisions can be made. The planning process should address the most realistic types of events, or the ones that the company believes will pose the largest risk to the business. We can all think of worst-case scenarios and once-in-a-lifetime events, but realistically those events are less likely to happen. Planning for exfiltration of data by an employee sending files attached to their personal private email account may be more realistic.

Notification

Being notified is the first step in the planning process, and it should be the focus of your planning procedures. Notifications take many forms, and how you get the information, and when, can be crucial to your response plan. Here are some ways to be notified:
Communication of Breach
How you communicate the breach is almost as important as being able to detect it in the first place. This is a touchy subject for many organizations, since they may not know how much to communicate and which information is important to share. While companies and organizations will want to keep things quiet, the key here is to reassure the public and your customers that you are doing all you can to correct whatever vulnerability was compromised, or to take whatever other action will get your organization back up and running. People want to trust that you are doing the right thing. Trying to avoid notifying the public, or being evasive, will only harm your business reputation, which is not what you need right now.

Need to Know

Who in your organization, and which of your customers and stakeholders, will need to know that you have had a security incident? This is a critical step and should be clearly defined in your Incident Management Plan or response. Employees should hear about a security incident from their company leadership, not the local news channel. When employees or customers know that management is handling a situation, it instills a sense of confidence about the recovery efforts.

Documentation

Documenting a breach is an area that can be overlooked and is a subject that many IT Security Professionals have difficulty with. (This is because, if you have not gone through a breach of some sort, how do you know what you will need to have documented?) This is where consulting an expert in the field, or an organization that specializes in the recovery of a business after a security breach, will be beneficial. If the breach was criminal in nature, you will have to provide evidence that can be used in a court of law. This will require very specific handling of the information or assets (chain of custody), and may complicate the overall recovery efforts. Understanding how to navigate this critical area will go a long way in helping to prepare a case against the attackers.
Some of the documentation or resources that you might need to provide are:
At this point in the process, you should be well underway in the recovery efforts for your organization. The recovery efforts should address all of the areas that were identified in the documentation process. In addition, the management team should have all of the information they will need to make decisions for the business. Recovery efforts may take many forms depending on the type of impact the incident has had. This may include:
Testing Incident Response

One of the most important areas of incident response is making sure that your plan will even work. The Incident Response Plan should be tested on a regular basis as part of your overall yearly operational readiness. You are only as effective as your last test. When you test your plan, you will find areas that need more focus than you initially thought. You will find that changes may need to be made to address potential threat areas or reduce risks to your business. Taking action on these areas after a test may help reduce the potential costs of a breach that you may have to pay in the future.

Summary

When it comes to security incidents and the management of them, it comes down to developing a plan, testing it regularly, and reducing potential threats. It is important to understand what you need to protect and what steps you can take to reduce your risks. The key here is to make your organization less of a potential target. If someone wants into your network and access to your information, they will find a way to get in. It may be a matter of time before they do, but a determined attacker will find your weaknesses. The question you have to ask is: have I done everything to reduce that potential threat? IT Security is as much about the technology as it is about communicating risks to those in management and helping them to make the right decisions.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.
Archives: January 2023