Whilst companies often have pragmatic processes to manage wider ‘information security risks’ or ‘physical security risks’ most organisations struggle to manage issues such as hackers, crypto-malware and distributed denial of service (DDOS). Mark Osbourne, Executive Director, Digital Assurance discusses planning for the inevitable security breach and the importance of good governance.
Some people have a Sunday first name, which is reserved for special occasions - Katherine for Kate or Matthew for Matt.
I don’t have a Sunday name but my job has. I call myself Head of Information Security or Chief Information Security Officer (CISO) when I am being posh but really the job is the Manager of Computer Security. If I am working for an end-user organisation, this is how I will be measured and what the companies really want me to do.
To highlight the point - if a design engineer leaves and goes to a competitor with details of our IPR, I will be involved but the legal department will take the lead. However when a hacker breaks in and steals the same information, the buck stops with me - or another incumbent CISO at the organisation in question. Such everyday events include hackers, malware and DDOS, and often they include all three.
I have observed that most organisations are not prepared for these common events.
We will often see:
- operating systems and applications configured with no security logging;
- no surveillance of the network;
- no procedures in place to manage the incident – or if they do exist, they have never been tried.
Yet a security breach is a threat that will certainly be realised - the question is ‘when’ not ‘if’ - so isn’t this just bad governance?
One problem is that the ‘computer security’ industry’s aspiration for the ‘idealistic 100 per cent’ solution with a ‘one strike and you’re out tolerance’ to product flaws. Look at any other aspect of ICT, you’ll find customers content with a ‘good for the price solution’ or managers happy to spend money on disaster recovery, even happier in the knowledge that it has never been used.
The last conference I visited reaffirmed this position. One session suggested that event recording, monitoring and alerting systems were an expensive fad that sometimes failed to catch complex situations and stored GBs of data that nobody looked at. In another session, a security manager delegate announced that he’d taken out the IDS/IPS systems and centralised monitoring (SIEM) because it was an ‘expensive plaything for the techies’.
It had to be fate that I should arrive at that same company to help evaluate the impact of a serious security breach on behalf of one of their customers, only to discover that no network forensics was possible because of this highly impressive-sounding but ultimately misguided and costly initiative. The technology could be highly flawed but is ignoring the threat of compromise and orderly recovery really a legitimate alternative?
Even with great security, sometimes things will go wrong and a security breach can occur.
Incident readiness is about managing a crisis to reduce impact. If preparations are made and an incident is well managed, your directors, customers and suppliers will be impressed and the damage will be limited.
... but if you fail to prepare, prepare to fail!
Like most issues in IT, it will involve process, technology and people.
To understand what to prepare for, we need to understand the incident process.
The process and its associated procedures should focus on the classic phases of:
- Identification - knowing you might have a problem;
- Documentation - recording the events;
- Notification - informing the management;
- Containment - ensuring the problem does not spread, installing firebreaks and workarounds;
- Assessment - assessing the nature of the incident and its impact;
- Recovery - returning to business as usual;
- Eradication - removing all remnants of the problem.
Working through these steps from discovery of the incident to the end-game of complete eradication will significantly reduce impact, and thus the cost of most incidents.
Success depends on early identification of the breach followed by rapid containment and assessment.
However, if no mechanism is in place to facilitate this most obvious of requirements, our cost-cutting CISO described above will have to resort to beating back the hackers with his well-thumbed paper security policy. Without any monitoring tools, by the time he has detected the malevolent activity, the hackers or malware will have established a solid foothold with a significant impact and tracks well covered. It will be a case of ‘Too little, too late’.
All too often there is no way of assessing where a hacker has been because there are no logs. If the attacker doesn’t leave a footprint and covers their tracks, no amount of memory or file-system forensics will help. Security surveillance of servers and networks is a necessity and mandated by most governance / regulatory frameworks and a prerequisite of operational readiness, yet sadly it is frequently ignored.
Preparation is a must. Whenever we talk about people, we tend to mean training them and making them practice what we have just taught them. This is exactly like disaster recovery, health and safety and fire drills - practice makes perfect.
Being ready - incident readiness
Putting training together, we recommend:
- Prepare - develop policies, procedures, work instructions and a response plan. Assess your tools.
- Communicate - ensure relevant staff is aware of hacking techniques, social engineering and malware analysis so they understand the risks and how to recognise the threats. Management need to obtain a helicopter view of the situation.
- Test - test your readiness with the latest techniques so that you can tune your monitoring and detection facilities such as malware, IDS and SIEM and ensure their integration with the overall process. If you replace a particular part of architecture for operational reasons, make sure that you maintain full situational awareness. It helps to have regular penetration tests and audits so you know where your weaknesses are.
- Assess - Measure and report on a simulated attack to measure the effectiveness of the Incident process as it happens.
Following these steps will help any organisation - but as ever, be careful out there!!!