Is Incident Response Part of Your IT Security Plan?

By: Andrew Milne
It's not a question of if - but when - an organisation will encounter some form of serious IT security breach, according to analyst firm Forrester*.
And with cybercriminals employing more sophisticated attack vectors to try and reap financial gain by stealing personal information or intellectual property from companies, it is becoming more and more difficult to stay on top of the ever-growing security threat landscape. Organisations are becoming increasingly susceptible to IT security breaches as cybercriminals constantly evolve their methods and tactics, while the resources available to fight off the bad guys are not growing at the same rate.
Any robust security plan should include standard prevention and detection methods like IDS/IPS to combat these threats. However, organisations must begin to operate under the auspice that they are already under attack and will inevitably be compromised. Therefore, being agile and responsive in the wake of an IT security breach to minimise the damage is of paramount importance.
For example, a piece of malware called 'zeroaccess' uses a number of sophisticated compromise and distribution methods, including the 'blackhole exploit kit' and peer-to-peer networks for control, making it difficult to detect and block. This means standard measures like IDS/IPS are less effective, and firms should focus more on building an incident response capability to ensure that, in the wake of any malicious cyber-attack, the duration, disruption and cost of any potential security breach is minimised.
Incident Response Plan, Respond, Recover, Research & Report
Remarkably though, planning incident response roles and responsibilities remains low on the agenda for many organisations and is still one of the most overlooked areas in the information security space. With cyber-attacks on the increase and a conveyor belt of high-profile IT security breaches hitting the headlines, organisations need to prioritise their incident response plan and build a proactive, ongoing incident management programme to counter any future security breach. If you buy into the premise that you are already compromised, doesn't it make sense to focus on limiting damage and disruption to business operations?
And in a climate where the majority of organisations will be a genuine target of cyber-attack, it's worth evaluating your current incident response plan to ensure you are prepared for when, rather than if, you find yourself at the centre of a security incident.
* Forrester Report, Planning for Failure (November 9, 2011)