
Information Security Management ResourceKit

A Public Service of SecureTheVillage


Getting Cyber-Prepared

Initial Decision Making

The IRT will meet and assess the situation to determine the proper response. Things it will consider include:

  1. Is the incident real or perceived?
  2. Is the incident still in progress?
  3. Is the incident security-related, a disruption of information availability (business continuity), or both?
  4. What data or property is threatened and how critical is it?
  5. What key business processes are impacted?
  6. What facilities, staff, systems, IT, or other resources are impacted?
  7. Is the response urgent?
  8. Can the incident be quickly contained?
  9. What is the impact level on the business should the attack succeed: low, moderate, or high?
  10. What system or systems are targeted? Where are they located physically and on the network?
  11. Is the incident inside or outside the physical premises?
  12. What is the suspected origin of the incident, intrusion, or attack?
  13. Might a crime have been committed?

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

Filed Under: Getting Cyber-Prepared

Initial Emergency Actions to Assure Preservation of Evidence

Should the event have information security implications, care must be taken to ensure that available evidence is preserved.

This requires leaving the computing device in the same state as it was when the event was observed. In particular, it means that, as a general rule:

  • Leave the computing device powered on [1]
  • Leave the computing device connected to the network [2]

Depending on specific circumstances, the ISM and IRT may decide that the danger from an ongoing incident is sufficient to risk the destruction of evidence. Options include, as appropriate:

  • Capturing volatile memory before powering a device down
  • Segmenting a device to block its access to other parts of the corporate network while leaving it connected to the Internet

[1] Modern malware often stores valuable information in volatile RAM. This information disappears when a computing device is powered down.

[2] Some malware continuously monitors for an Internet connection. If it discovers that the Internet has become unavailable, it destroys all evidence of its activity.

Responding to an Incident

In the event of a security or privacy incident, the IRT’s response strategy will manage the following:

  1. What needs to be done to contain the incident and prevent the attack from spreading?
  2. How do we prevent the attack from re-occurring?
  3. Will the response alert the attacker and do we care?
  4. What needs to be documented about the incident, including how it occurred, where the attack came from, what the response was, and whether the response was effective?
  5. What evidence is to be preserved, including hard drives, audit logs, email correspondence, witnesses spoken to, etc.?
  6. Who needs to be notified, including personnel, clients, law enforcement, insurance, outside information security vendors, the Organization’s attorney, external legal counsel, etc.?

The response strategy for a security incident is to include the following:

  1. Evidence Preservation
  2. Containment and Restoration

Lessons Learned

Following restoration of services, the IRT will determine the root cause of the incident and take appropriate steps to minimize the likelihood of the incident happening again.

  1. Determine how the event happened (in the case of a security incident, determine the source of the intrusion, e.g., email, inadequate training, attack through a firewall port, attack through an unneeded service, attack due to unpatched systems or applications)
  2. Assess the damage to the Organization and estimate both the damage cost (direct and indirect) and the cost of the containment efforts
  3. Identify, if appropriate, additional user training that might have prevented the incident
  4. Identify whether changes in policies or procedures might have prevented the incident
  5. Identify whether the availability of additional equipment or technologies might have prevented the incident
  6. Review the response to the incident. How could it be improved?
    1. Was the initial response timely?
    2. Was containment and restoration timely?
    3. Was the right documentation identified and collected?
    4. If law enforcement was involved, did it help or hinder the response? How could our relationship with law enforcement be improved?
    5. Were appropriate parties informed in a timely manner?
    6. Were the incident response procedures detailed and adequate to the situation? How could they be improved?
  7. What lessons have been learned from this experience, and how do we get them into the “corporate DNA”?

Plan Training, Testing and Maintenance

The ISM will:

  1. Provide training to staff on this plan at least annually and when major updates are developed
  2. Engage the IRT, outside information security vendors, attorney(s) and others, as deemed appropriate, in a “table-top” simulation of the plan against a breach or information technology business continuity incident at least semi-annually
  3. Test backup/recovery and other high risk procedures at least quarterly
  4. Update this plan as people and circumstances require
  5. Review this plan at least semi-annually and update as necessary
