Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Cyber Tactics / Cyber Security News / Columns

5 Common Mistakes in Cyber Incident Response

Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business.

Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business. How damaging a breach is depends upon a number of factors including what assets are at stake and how quickly the breach is detected, contained, and remediated. Here are some common mistakes that companies make when learning of and responding to computer intrusions, all of which you can prevent.

Avoidable Delays.  With the average cost of a data breach placed at $3.5 million, you would expect companies to focus on continuous threat detection and rapid response.  Unfortunately, there still are long and costly delays in detecting intrusions, assessing the extent of the compromise and engaging the right level of assistance to remediate the problem. In particular, there is a tendency to rely upon outdated technologies to detect a breach, followed by a tendency to rely upon insufficient internal personnel resources to simultaneously run a business while eradicating malware, expelling hackers and fulfilling legal obligations. Whether it’s a call to outside legal counsel, a computer incident response firm, a public relations/crisis management company, or all three, potential engagements should be pre-arranged with contracts signed and ready to go, costing your company nothing unless and until you use them, but allowing for quick deployment.

Communicating With the Bad Guys.Many companies that have been breached still use their internal systems to communicate about the incident. Whether it’s documenting a company’s incident response efforts and findings, or emailing others to enlist their help, using compromised systems typically is a bad idea. After all, unless and until the hackers are removed, they very well could be reading those communications.  Consider instead using your mobile phone to make calls and to get and receive emails using accounts not associated with your corporation. To the extent all-employee emails relating to an incident are required, such as to change passwords, consider phrasing them as routine IT requests until you are confident the hackers are out.

Pulling the Plug.The instinct of many people upon seeing a hacker on their system is, quite literally, to pull the computer plug straight out of the wall. Removing the power from a computer not only results in lost volatile memory, much of which can be critical to a forensic investigation (and should be imaged), but also may lead the intruder to establish other points of entry. To the extent action must be taken immediately to isolate key assets, it is better to consider limiting remote connectivity or perhaps taking some systems offline. For those systems that continue to allow external network access, it is important to closely monitor Internet egress points to identify hacker activity in outbound network traffic. 

Lost Logs.When it comes to effective incident detection, containment and remediation, the value of log files (of which there are many types) cannot be overstated. For companies that are vigilant enough to have had essential logging enabled across the enterprise, it is still necessary to have a valid way to retain and preserve that information. Hackers attempt to cover their tracks by deleting or modifying evidence of their crimes, making it important to employ techniques such as duplicating logs, limiting access to logs, having log files append rather than overwrite, establishing separate logging servers and using write-once media.

Moving On Like Nothing Happened.Whether hackers are stopped at the perimeter or removed after a successful intrusion, it is important to re-examine significant events, capture lessons learned, and revise incident response processes as appropriate. It also is helpful to gather real-world examples experienced by your company when conducting workforce training. Surprisingly, few companies include actual events when conducting information security training, deferring instead entirely to sterile off-the-shelf materials. That’s a lost opportunity.  

Be Prepared.When it comes to the seeming inevitability of a network security incident, the Boy Scout’s motto – be prepared – is particularly appropriate. Get your resources in place in advance of an incident, and enlist expert assistance quickly when needed. 

 

About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at steve.chabinsky@crowdstrike.com. You can follow him on Twitter @StevenChabinsky.  

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security Magazine 2014 September cover

2014 October

Security takes a look at safety and preparedness for the harshest of weather phenomena in this October 2014 edition of the magazine. Also, we investigate supply chain security and the many benefits of PSIM. 

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.