Security's Everyman

Wednesday, January 09, 2008

Breaches and Incident Response

This is old (December of last year), but Darknet reported on a GFI-sponsored study on SMB security (the link opens a PDF in a browser window). I don't want to talk about the survey results so much as about the next step: incident response. What are these companies doing in response to their lack of security? Do they have a security incident response plan in place to give guidance, or do they just play it off the cuff? I know a guy who asked his manager if the company had an IR plan, and his boss said "Yes, we call you and you investigate it, fix it and keep it from happening again." Not exactly a good plan.

An incident response plan is crucial to your security plan and to the successful investigation, response and (hopefully) recovery from an incident. If a plan is not in place then anything can happen to hamper recovery or even worsen the effect of the incident. There needs to be a clear plan of action so that staff knows what to do and what not to do. The plan also needs to outline when to call in outside help. There are times when an investigation requires more skill and expertise than you have in house. If there is the possibility of legal action then a trained digital forensics expert needs to be called in. He/She will know how to best gather evidence and conduct the investigation so that the evidence will be admissible in court. They understand chain of custody and how to maintain it.
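One concrete piece of what "maintaining chain of custody" means in practice is a custody ledger: each evidence item is fingerprinted when it is acquired, and every later handoff or analysis step is logged with the handler, the action and a fresh hash, so any alteration of the evidence shows up as a mismatch against the acquisition hash. The following is an added example written for this post, not code from the original article; the class and function names (CustodyLedger, acquire, log_event, verify) and the sample evidence bytes are hypothetical and constructed for illustration.

```python
"""Minimal chain-of-custody ledger for digital evidence (added example).

Each item is hashed with SHA-256 at acquisition. Every subsequent handling
event (transfer, analysis, storage) is appended to the item's record along
with the hash observed at that moment, so tampering or accidental change is
detectable, and the record can be exported as JSON for the case file.
Names and sample data below are hypothetical, not from any real tool.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List


def fingerprint(data: bytes) -> str:
    """Return the SHA-256 hex digest of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    """ISO-8601 UTC timestamp for the custody log."""
    return datetime.now(timezone.utc).isoformat()


@dataclass
class CustodyEvent:
    when: str       # timestamp of the handling event
    handler: str    # person or role taking custody / performing the action
    action: str     # acquired / transferred / analysed / stored
    sha256: str     # hash of the evidence as observed at this event
    note: str = ""


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    original_sha256: str                       # hash taken at acquisition
    events: List[CustodyEvent] = field(default_factory=list)


class CustodyLedger:
    """Tracks evidence items and their custody history."""

    def __init__(self) -> None:
        self.records: Dict[str, EvidenceRecord] = {}

    def acquire(self, item_id: str, description: str, data: bytes,
                handler: str, note: str = "") -> str:
        """Register a new evidence item; the acquisition hash is the baseline."""
        digest = fingerprint(data)
        record = EvidenceRecord(item_id, description, digest)
        record.events.append(CustodyEvent(_now(), handler, "acquired", digest, note))
        self.records[item_id] = record
        return digest

    def log_event(self, item_id: str, data: bytes, handler: str,
                  action: str, note: str = "") -> bool:
        """Record a handling step, re-hashing the evidence at that moment.

        Returns True if the evidence still matches its acquisition hash.
        """
        record = self.records[item_id]
        digest = fingerprint(data)
        record.events.append(CustodyEvent(_now(), handler, action, digest, note))
        return digest == record.original_sha256

    def verify(self, item_id: str) -> bool:
        """True only if every logged hash equals the acquisition hash."""
        record = self.records[item_id]
        return all(e.sha256 == record.original_sha256 for e in record.events)

    def export(self, item_id: str) -> str:
        """Serialise the full custody record (for the case file)."""
        return json.dumps(asdict(self.records[item_id]), indent=2)


if __name__ == "__main__":
    # Constructed sample evidence; a real item would be an image file or log.
    sample = b"constructed sample: web server access log excerpt"
    ledger = CustodyLedger()
    ledger.acquire("EV-001", "access.log from web01", sample, "on-call admin")
    ledger.log_event("EV-001", sample, "forensics contractor", "transferred",
                     "handed over for analysis")
    print("chain intact:", ledger.verify("EV-001"))
    print(ledger.export("EV-001"))
```

The hash is recomputed at every handoff rather than trusted from the previous entry, which is what lets the ledger detect a change made between two custodians; the exported record is what you would hand to the outside forensics expert, together with the evidence itself.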

An IR plan will cover all of this and more. Each type of system may require a different response to a given attack. A one-size-fits-all approach to IR will not do unless you are a very small company with a very limited IT infrastructure. I know that for my company I have a generic plan for non-critical systems, and then it gets specific for certain systems. My ERP system requires a different plan of action than other, non-mission-critical systems.

The last thing I want to say about your IR plan is that it is like all policies and plans: it is a living document that needs to be reviewed regularly and updated. It needs to be tested and re-tested. You can't just write it and file it away.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.