Even the most secure systems are vulnerable to intrusion by a dedicated attacker. Companies of all types and sizes need to focus on building effective programs for responding to attacks.
"The threat is, and has always been, there," says Jake Williams, founder and president of network security specialist Rendition Infosec. "It's not a matter of if there will be another attack, it's just a matter of when."
The time for preparation is now, Williams says. He recommends five steps that companies can take to shore up their incident-response programs:
1. Build a ‘playbook.’ Williams defines the term as a set of steps that will be executed in response to a given incident. A company should know in advance which security software it will rely on, and its people must be trained to deploy that software to investigate the various types of compromise that can occur on the network.
“You should be able to take your playbook and begin running those plays,” says Williams, “as opposed to asking how do I log into the system.” A typical playbook might consist of up to 200 pages of documented responses. It’s especially vital to have it on hand, he adds, to guide new personnel in adhering to company protocol.
2. Obtain a baseline. Many times a company under attack will be looking deeply at its network for the first time. Setting up a baseline of normality in advance helps to identify what various systems looked like when they were first rolled out into production. As a result, responders in a crisis can determine “what’s normal and what’s spooky, and needs to be further investigated,” Williams says. They can proceed to focus only on those elements that are different.
Rendition Infosec uses specialized software to examine between 25 and 30 data points for a generic system, and up to 100 for more complex setups. Regardless of the level of detail, Williams urges companies to scrutinize their networks on an ongoing basis, re-baselining with each new version or update of the software.
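As an added illustration of the baseline comparison Williams describes (example code written for this page, not Rendition Infosec's tooling; the host data points are constructed), the routine below snapshots a handful of data points at rollout, snapshots them again during an investigation, and reports only what differs:

```python
import hashlib
# Constructed sample data points for one host (not Rendition Infosec's
# software or data): listening ports, enabled services, local admins and
# hashes of a few key binaries, captured once at rollout and once now.

def snapshot(ports, services, admins, binaries):
    """Normalise collected data points into a comparable record."""
    return {
        "listening_ports": sorted(ports),
        "services": sorted(services),
        "local_admins": sorted(admins),
        "binary_hashes": {
            name: hashlib.sha256(content).hexdigest()
            for name, content in binaries.items()
        },
    }

def diff_baseline(baseline, current):
    """Return only the data points that differ from the baseline."""
    findings = {}
    for key in ("listening_ports", "services", "local_admins"):
        added = sorted(set(current[key]) - set(baseline[key]))
        removed = sorted(set(baseline[key]) - set(current[key]))
        if added or removed:
            findings[key] = {"added": added, "removed": removed}
    changed = {}
    names = set(baseline["binary_hashes"]) | set(current["binary_hashes"])
    for name in sorted(names):
        old = baseline["binary_hashes"].get(name)
        new = current["binary_hashes"].get(name)
        if old != new:  # modified, newly added, or missing binary
            changed[name] = {"baseline": old, "current": new}
    if changed:
        findings["binary_hashes"] = changed
    return findings

# Baseline taken when the host went into production (constructed values).
BASELINE = snapshot(
    ports=[22, 443], services=["sshd", "nginx"], admins=["root", "ops"],
    binaries={"/usr/sbin/sshd": b"sshd-build-1", "/usr/bin/sudo": b"sudo-build-1"},
)
# Snapshot taken during an investigation (constructed values).
CURRENT = snapshot(
    ports=[22, 443, 8443], services=["sshd", "nginx"], admins=["root", "ops", "svc_backup"],
    binaries={"/usr/sbin/sshd": b"sshd-build-2", "/usr/bin/sudo": b"sudo-build-1"},
)

if __name__ == "__main__":
    import json
    print(json.dumps(diff_baseline(BASELINE, CURRENT), indent=2))
```

Everything the diff does not report matched the rollout baseline, so responders can spend their time on the new port, the new local admin and the changed sshd binary rather than on the whole host.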
3. Incorporate non-traditional staff. Williams cites janitorial services as a particular, if overlooked, area of concern. They need to be in the loop in the event of a cyber attack, which often involves setting up a command room and staffers working long hours to deal with the crisis. Areas must be kept clean in order to keep morale high, and janitors need to be instructed not to erase whiteboards or remove other materials that are in use.
Physical security is yet another aspect to consider. Individuals working through the night can be held up needlessly while waiting for a security guard to grant them access to the building. “The cost of having somebody available in the off hours is a tiny fraction of what you’re paying for the incident response,” Williams says. In addition, public relations representatives should be brought into the loop as early as possible, to prepare appropriate statements and keep customers and the public apprised of the company’s efforts.
4. Make liberal use of ‘tabletop’ exercises. Work with clients on a regular basis, at least once a quarter and possibly once a month, to create simulated breaches and mock incidents. In the process, companies can test the validity of the playbook before it’s needed in an actual crisis. An exercise starts with an “alert” that customers’ systems have been infected through the company’s website. Response staff then walk through the steps that must be taken, including gaining access to logs and identifying the affected server.
Often a mock exercise will expose serious inadequacies in the company’s response plan. “Management has planned for one person to do four things during an incident,” says Williams. “Who’s going to handle what? You can’t be in two places at once.”
Companies might also discover that designated crisis responders don’t have access to the logs they need to diagnose and cure the breach. Cloud-based systems can raise additional obstacles because they involve different logging procedures and authorization challenges.
5. Learn to speak ‘business.’ The world of cybersecurity experts is chock-full of acronyms and obscure terms that aren’t understood by most business clients. Williams says those individuals need to learn how to speak to customers in terms of profit and loss. “We’re a cost center all the time,” he says of his field. “We never make money for the business.” Security consultants need to drive home, in laypersons’ terms, the high cost of failing to respond effectively to a cyber attack.
Often they’ll be required to adopt the language of specific verticals. “For healthcare, we use healthcare analogies,” says Williams. “For manufacturing, we talk about their supply chain.”
Williams stresses that these five steps won’t prevent a cyber attack from occurring. They are, however, mitigating measures that can help companies to reduce costs and downtime in the event of an incident.
“It’s hard for a lot of people to swallow, to say let’s go spend money on preparation, when others are saying they have a [good] defense in place,” he says. “Defense is also essential, but once you have it, you need to understand that even the best attempts are going to fail, and ask how you’re going to address [the breach] when it happens.”