How to respond to the inevitable security breach
Breaches have become an inevitable part of IT security, making incident response an important element in security programs.
“Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive,” the National Institute of Standards and Technology writes in its new guidelines for incident response. “Not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring IT services.”
Could you continue to operate under cyberattack?
Special Publication 800-61 Rev. 2, "Computer Security Incident Handling Guide," has been updated from the previous version released in 2008 and includes hardware- and software-independent guidelines on establishing an effective incident response program, as well as on detecting, analyzing, prioritizing and handling incidents.
Recommended steps include:
- Create, provision, and operate a formal incident response program. This is a requirement of the Federal Information Security Management Act, which also requires agencies to designate primary and secondary points of contact with the Homeland Security Department’s US-CERT. Agencies should have a formal plan in place with dedicated staff and procedures for incident handling and reporting.
- Have security controls in place to reduce the frequency of security incidents. Prevention usually is cheaper and more effective than responding to them, and effective security controls can make response easier when it is required.
- Document guidelines for cooperating with other organizations. During incident handling, agencies will need to communicate with outside parties, including other incident response teams, law enforcement, the media, vendors and other victim organizations.
- Focus on the most likely threats. It is not feasible to develop step-by-step instructions for handling every incident. The guidelines offer response strategies for some of the most common vectors for breaches, including removable media, brute force, the Web, e-mail, improper use of systems and loss or theft of equipment.
- Emphasize the importance of incident detection and analysis throughout the organization. The effectiveness of automated analysis depends on the quality of the data that goes into it. Standards and procedures for logging can help ensure that needed information is collected and reviewed.
- Create written guidelines for prioritizing incidents. Prioritize incidents based on factors such as the functional impact; the impact on the confidentiality, integrity, and availability of information; and the time and resources required to recover from the incident.
- Learn from incidents. After a major incident has been handled, review the effectiveness of the incident handling process and identify necessary improvements to existing security controls and practices.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.