Simply put: things will go wrong. Information will be lost or abused. Storms will knock out the power and communications to your building. Employees, intentionally or unintentionally, will break your systems. Sensitive marketing, merger or product development information will find its way into the wrong hands. It is only a matter of time. You need to have a security incident response team (SIRT) in place to respond to these events. The challenge is creating a SIRT process that meets Rule #6 of the Seven Simple Rules: "Do we know if there is a problem, and do we know about it soon enough so that we can take appropriate action to minimize and contain the problem?" We need to have systems and procedures in place to detect when a problem or incident occurs, to communicate information about the breach to the appropriate security personnel and management, and to react to the event soon enough that the business can take appropriate action to minimize and contain the losses.
Keep in mind that security incidents cover a wide range of possibilities. Consider the ramifications of the following information security incidents:
These events present very complex issues requiring support from experts in security technology, law enforcement, building security, human resources, criminal law and copyright law along with business management. This requires a "team" approach to security incidents that can quickly assemble the necessary resources and effectively focus them on limiting the damages. This SIRT process needs to address:
Detection
The first line of defense is automated systems that detect and report security breaches: intrusion detection systems, anti-virus monitors, audit logs, firewalls, fire/heat detectors, network capacity monitors, etc. The second line, and the most important, is people: people who can manage the automated systems and who are trained in security technology, common attack profiles, technology security policies, etc. More importantly, you need a broad base of employees who are trained in common social engineering techniques, who can identify malicious emails and other communications, and who are committed to maintaining a secure business environment.
Communication
People don't like to report problems, especially if it means additional work, if they are not sure whether it really is a problem, if it involves fellow workers, or if they are unsure of the consequences. Automated security systems love to report problems, to the point that the activity logs and warning messages become overwhelming. You need to find processes and systems that encourage workers to report incidents. Consider deploying a simple Web-based form along with a 24x7 hotline for reporting incidents. Train your BISOs to welcome any concerns from employees and to encourage employees to report incidents no matter how trivial they may appear. Also, when you deploy security systems, devote a significant amount of time to planning what events will be monitored and which specific events you will want to detect. Then build alert and monitoring routines that easily and concisely provide information on those specific events (i.e. they do not flood security administrators with useless information and "cry wolf" false alarms). Finally, designate a leadership team for security incidents. While most security incidents can be handled by a small group of experts, significant or enterprise-wide incidents require close communication and coordination with multiple layers of management. There is nothing worse than an enterprise security incident conference call that begins with, "Who's in charge?" The next worst is a conference call led by a manager who has no experience or training in security incidents.
Containment
The best detection and communication systems in the world will be rendered useless if your security systems and SIRT cannot respond quickly enough to prevent significant damage. Your monitoring systems may alert you that a virus is spreading on your corporate network, that hundreds of computers are sending out millions of messages that are bringing your network to a standstill, and that a simple virus .dat file update and a patch to the operating system on each of the computers will stop the spread of the virus and protect the computers in the future. But what if it will take days or even weeks to upgrade all of the computers, because you have no way of automatically installing the upgrades? You need to be prepared for security incidents. Make sure you have the ability to isolate portions of your network, or even shut down all network communications with the outside, so that you can confine the spread of any malicious code. Deploy operating systems and anti-virus software that allow you to automatically push security updates to all devices connected to the network. Most importantly, designate a team of security experts trained in computer forensics, security incidents and criminal investigations. Create a clear, documented process and make sure the team follows it.
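The point made under Communication above, that alert routines should report the specific events you planned to detect without flooding administrators or crying wolf, is illustrated by the following added example. It is not code from the original text or from ISRMC; the log format, the severity mapping, the five-minute collapse window and the threshold of five medium-severity events are all assumptions, and the log lines are constructed sample data. Repeated events about the same subject collapse into one notice per window, low-value events stay in the log without paging anyone, and what reaches a human is a short list ordered by severity.

```python
"""Alert summariser: collapse repetitive monitoring events into concise notices.

Added example, not part of the original article. The input format
"timestamp|sensor|event key=value ..." is hypothetical, as are the
severity mapping, window and threshold below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a port-scan signature firing
# repeatedly for one source, a single hit from another source, two anti-virus
# detections seconds apart plus a later repeat, and an informational firewall line.
SAMPLE_LOG = """\
2009-03-02T09:00:01|ids|port_scan src=10.0.0.7 dst=10.0.1.5
2009-03-02T09:00:02|ids|port_scan src=10.0.0.7 dst=10.0.1.6
2009-03-02T09:00:02|ids|port_scan src=10.0.0.7 dst=10.0.1.7
2009-03-02T09:00:03|ids|port_scan src=10.0.0.7 dst=10.0.1.8
2009-03-02T09:00:04|ids|port_scan src=10.0.0.7 dst=10.0.1.9
2009-03-02T09:00:05|ids|port_scan src=10.0.0.7 dst=10.0.1.10
2009-03-02T09:00:09|ids|port_scan src=10.0.0.99 dst=10.0.1.5
2009-03-02T09:01:10|av|malware_detected host=ws-114 file=invoice.exe
2009-03-02T09:01:11|av|malware_detected host=ws-114 file=invoice.exe
2009-03-02T09:02:00|fw|policy_reload result=ok
2009-03-02T09:40:00|av|malware_detected host=ws-114 file=invoice.exe
"""

SEVERITY = {"malware_detected": "high", "port_scan": "medium"}  # assumed mapping
WINDOW = timedelta(minutes=5)  # assumed: repeats within this window collapse to one alert
MEDIUM_THRESHOLD = 5           # assumed: fewer medium events than this stay in the log only
SEVERITY_ORDER = {"high": 0, "medium": 1}


def parse_line(line):
    """Parse one 'ts|sensor|event k=v ...' line into a record dict."""
    ts, sensor, rest = line.split("|", 2)
    event, *pairs = rest.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor,
            "event": event, "fields": fields}


def subject_of(rec):
    """What the event is about: the offending source, the affected host, else the sensor."""
    return rec["fields"].get("src") or rec["fields"].get("host") or rec["sensor"]


def summarise(log_text):
    """Reduce raw events to the short list of alerts that merit a person's attention."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            rec = parse_line(line)
            groups[(rec["event"], subject_of(rec))].append(rec)

    alerts = []
    for (event, subject), recs in groups.items():
        severity = SEVERITY.get(event, "info")
        if severity == "info":
            continue  # kept in the log for later review, never paged out
        recs.sort(key=lambda r: r["ts"])
        # Split the run into time windows; each window yields at most one alert.
        buckets, start = [], None
        for rec in recs:
            if start is None or rec["ts"] - start > WINDOW:
                buckets.append([])
                start = rec["ts"]
            buckets[-1].append(rec)
        for bucket in buckets:
            if severity == "medium" and len(bucket) < MEDIUM_THRESHOLD:
                continue  # a lone medium event is noise until it repeats
            alerts.append({
                "severity": severity, "event": event, "subject": subject,
                "count": len(bucket),
                "first": bucket[0]["ts"].isoformat(),
                "last": bucket[-1]["ts"].isoformat(),
                "detail": bucket[0]["fields"],
            })
    alerts.sort(key=lambda a: (SEVERITY_ORDER[a["severity"]], a["first"]))
    return alerts


def format_alert(a):
    """One concise line per alert for the on-call page or the SIRT bridge."""
    return (f"[{a['severity'].upper()}] {a['event']} {a['subject']}: "
            f"{a['count']} event(s) {a['first']} .. {a['last']} {a['detail']}")


if __name__ == "__main__":
    for alert in summarise(SAMPLE_LOG):
        print(format_alert(alert))
```

On the sample data, eleven raw lines become three alerts: one high-severity notice for the two back-to-back detections on ws-114, a second when the same detection recurs well outside the window, and one medium-severity summary for the six-probe scan from 10.0.0.7. The single probe from 10.0.0.99 and the firewall policy reload never page anyone but remain in the log, which is the balance the text asks for: the events you planned to detect reach people promptly, and the rest does not train them to ignore the pager.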
Finally, treat all of this as a variation on your business continuity planning processes. Test your plans, make sure you have contact numbers (home and cell numbers, personal email, home fax, etc.) for all critical players, and ensure everyone is familiar with the process. Once you have done all this, sit back and wait, because something will go bump in the night, often when you least expect it.
As BISO you need to ensure the employees in your business understand when to report suspicious incidents and how to communicate the issue. Your training and awareness program should acquaint employees with the vulnerabilities that typically threaten your business. They should be familiar with social engineering techniques and how to identify suspicious emails and other documents. You should develop strong lines of communication with the employees in your business. Employees should feel comfortable asking you questions about suspicious activities and know that you will treat their questions knowledgeably and with discretion.
When in doubt, follow one simple rule – if you are not sure if there is a security incident, report it.
For more detailed information on establishing a SIRT process, see:
©2009 ISRMC, LLC