TechGuard Blog

Practice What you Breach - Incident Response Plan Basics

Plan to fail instead of failing to plan

According to a November 2018 Gallup poll, 71% say they frequently or occasionally fear that computer hackers will access their personal, credit card or financial information. The best way to control fear is to have a plan before you need one: an incident response plan, that is. These security incidents are often directly correlated with downturns in a company's stock, identity theft and compliance violation fines. We live in an era where information is posted online and just never seems to die. It’s not a stretch to understand that the dark corners of the web store information about you in the same way. Data breaches and security incidents increase the risk to anyone who had their sensitive data exposed. This risk lasts well into the future for both individuals and business entities.

Having a detailed IR plan reduces risk

Cybersecurity for most businesses is a cost center. If you’re a bank, you’re concerned with loaning money and collecting fees. A university is concerned with tuition and book sales. A services organization is concerned about billable hours. These are the things that make the business money. Cybersecurity doesn’t make the business money. So, how do you get buy-in from the decision makers? Communicate using the language of risk. Risk is a shared language between cybersecurity and the business. Businesses understand risk, and if you can present an IR plan as a way to reduce risk to the organization, then you’ll have a much greater chance of success.

Know your role

It’s important to understand that an IR plan doesn’t just include IT or IT Security folks. There are many groups inside the business that should be involved. If they’re not included in the development or exercises, then during an actual incident they are not going to know what is expected of them. This is going to result in things being missed or, at the very least, lost time. Wasting time during an incident is not a good place to be, since time is so critical to the effectiveness of the response. You don’t want a new employee who is critical to incident response not knowing what to do in an actual event.

Update your Plan

Plans need to be updated as the organization's attack surface changes through the years. As a startup or small company, your biggest worry might be checking a box on a compliance form. As you grow, you might want to guard against strategic information espionage. At that point, securing your environment merely so that you’re not the easiest target for attackers might not be enough. During the growth phase of your business, positions and job roles might change as well. This directly affects an employee’s ability to know their role during an actual incident.

Have it, Know it, Update it

We use an approach that is derived from Center for Internet Security (CIS) Control 19, an eight-step framework that addresses every aspect of an IR Plan. Cybersecurity incidents can be categorized in many ways, ranging from theft of a laptop to a server infected with a virus or even a data breach. Each type of incident will have a different approach and varying levels of communication required. In all cases the primary source of guidance will be your Information Security IR Plan. This will allow all parties to think through their actions to ensure they are aligned with their responsibilities as defined in the IR Plan. The important thing to remember is to have something to reference in an emergency. Then, make sure your employees know their role or know where to reference the plan. Finally, make sure it’s updated regularly so it makes sense for your business.

Written by Grant Codak

Grant has nine years of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Consultant at TechGuard Security, where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent roles include Senior Web Security Engineer at a Fortune 50 organization, along with a variety of application administration roles in security operations. His past project work includes web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking with his wife.