Introduction and planning
Hardly a week goes by without news of some company’s infrastructure being breached and data compromised.
In late February this year, servers belonging to the Linux Mint distribution were penetrated and a malware-infested ISO was planted, leaving many users downloading more than just an operating system.
And one of the highest profile breaches of recent times in the UK was that of TalkTalk. The breach last October has cost the firm around £60 million ($85 million, or AU$115 million), almost double the initial estimate of damages.
According to a survey conducted by training company QA, nine out of ten UK organisations experienced some sort of cybersecurity breach in 2015. Of those, 66% said that the breach had led to a loss of data, 45% said that it had resulted in a loss of revenue, and 42% said that it had caused a PR nightmare for the business.
Have a plan
While no one wants to fall victim to a breach, organisations must take steps to prepare for one. If it does happen, what should you do to survive the incident?
Although it is almost impossible to create detailed response procedures for every breach scenario that could occur, you can create and agree a framework with generic processes and clear responsibilities, according to David Calder, managing director at ECS Security.
“This is worth doing and will help ensure good governance and momentum while minimising the business impact of any attack,” he says. Calder adds that industry standards exist to support the creation of response procedures. “There are sound and proven sources such as NIST and the ISO.”
Mark Logsdon, cyber resilience expert at Axelos, the UK government and Capita joint venture, says that the first thing to do when an incident takes place is to activate the incident response plan.
“This plan should consider what’s been lost or is not available, the impact it has, how it happened, is it still going on, how do we fix it and how we prevent it happening again. In addition, there are some crucial business decisions,” he says. That means deciding who you talk to first: customers, press, police, regulators or shareholders?
Also, what do you say, and when? “There’s also the question of what to say to staff, who then may innocently use social media to tell the world about what’s being said internally,” adds Logsdon.
Calder says that organisations should know their systems inside out. Compromises will often not leave obvious, conclusive signs: because attacks keep evolving, some will never have been seen before, he says.
“The best defence against these is investing time to know your environment better than an attacker could, making it easier to spot anomalous activity,” he notes. Firms must also consider how to do this in their infrastructure. “At the very least it will highlight points that will benefit your organisation, such as potential availability issues and potentially unauthorised actions by legitimate users.”
Response and fixing things
With a plan in place, thoughts need to turn to assembling a team to respond to the breach. This team should be headed up by someone who understands the technical aspects of security, and should include the technical staff responsible for securing the different corporate systems, according to David Emm, principal security researcher at Kaspersky Lab.
“However, given the increasing public profile of security breaches, it’s also vital the incident response team includes HR, legal and PR teams,” he adds. “I believe it’s important for this team to have ongoing responsibility for evaluating the security posture of the company – rather than just assembling in response to a breach.”
The role of the incident manager and their deputy is vital, says Emm. Sometimes, this will be the CISO, who understands both technical and business aspects of the organisation. “Although I think their formal title is less important than the fact that they have buy-in and support from the corporate executive team,” he notes.
Andy Thomas, European managing director at CSID, says that as the regulatory environment within Europe changes with the adoption of the EU General Data Protection Regulation, a breach preparedness team becomes more important for navigating the new rules and the new obligations that many companies will face.
Thomas advises businesses to consider the following points: “What regulatory obligations does the company have regarding the breach? What data has been lost and does this require notification to the local data protection authorities? What timeframe do we have to make such a notification? What contractual liabilities and obligations do we have with our suppliers or customers?”
Post-breach, attention should turn to fixing things. Mitigating the damage is more important than placing blame, and speedy remediation is dependent on good visibility.
“The faster you can see and determine the size of the hole in your safety net, the faster it can be repaired,” says Pedro Abreu, chief strategy officer at ForeScout Technologies.
“You’ll want ideas from all corners of the organisation, as well as buy-in across the board when a mitigation plan is put into action. Lastly, anticipate the questions that will undoubtedly come your way from the media and all concerned parties, and prepare answers in advance.”
Learning from mistakes
In the vein of “fool me once, shame on you; fool me twice, shame on me,” cyber-defences must evolve intelligently, automatically and rapidly to prevent the same tactic from working twice.
“Pragmatic, real-world defence depends not on making a network impenetrable but on making it so challenging to crack that most attackers will eventually move on to easier targets,” adds Abreu.
To that end, he says, organisations should be as proactive as possible. This means taking a multi-layered approach to network defence that includes conventional components such as antivirus and firewalls, as well as endpoint protection that can limit the potential for malware to penetrate the network through known and unknown devices.
“Integration of your security systems is critically important. If your security systems are siloed, they’re not sharing information and automating workflows for effective defence and rapid response,” Abreu concludes.