Life’s a Breach: 6 Steps of Incident Response

Cyberattacks and data breaches are things all business owners have learned to accept as a possibility. Breaches and hacks penetrate the headlines almost daily, and as technology continues to evolve, so do the ever-present threats associated with these types of risks. There are two sides to every breach, however: prevention and recovery. You’re most likely already taking steps towards protecting your organization from the possibility of a breach, but have you planned what you will do to remain operable and minimize damages in the event that your environment is compromised? Experiencing a breach is disruptive, but fumbling the response is disastrous. Incident response plans are invaluable measures that should be taken by every organization, because let’s face it – controls can fail, implementation can fail, and consequently, incidents are bound to happen.

What is an Incident?

According to The SANS Institute, an incident is defined as an “assessed occurrence having actual or potentially adverse effects on an information system”. Incident handling is “an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events.” Your Incident Response Plan should include appropriate policies and procedures that dictate to your organization what the immediate steps are following the detection of an incident. These steps may include containment, notification of appropriate personnel, reporting, eradication, and lessons learned.

There are six common stages of incident response that are important when developing your own Incident Response Plan. Take a look at the breakdown of the Six Steps of Incident Response, and ask yourself, “Are we ready?”

Six Steps of Incident Response

  1. Preparation: Advance preparation is essential when planning for a potential incident. Policies and procedures should be known and tested by management and all personnel to ensure that the recovery and remediation process will address any and all incidents in a timely manner, resulting in the least amount of damage. Do you have the necessary tools and training to handle incidents before they actually occur?
  2. Detection and Identification: After the incident occurs, it’s important to ask yourself a number of questions. What kind of incident has occurred? Data theft? Insider threat? Network attacks? Once you’ve identified the type of incident that has occurred, it’s important to determine the severity of the incident in order to choose the best course of action according to your predetermined Incident Response Policy and Procedures. Are there any safety concerns for personnel that need to be considered? Has there been loss or exposure of data? Were any laws or contracts violated? What is the size of the impact area?
  3. Containment: In order to limit the impact of an incident, the containment phase of incident response is critical. Have the right people in your organization been notified? The faster the response time, the more likely it will be that you can reduce the damage of the particular incident. This may mean isolating the infected or compromised area to determine the best way to handle recovery. Do you have the right tools and personnel needed to handle the task?
  4. Remediation: At this stage, it’s time to resolve the issue and remove the cause of the incident, whether that is malicious code, an active threat, or the personnel responsible for it. Forensic analysis should be completed and logs kept throughout the remediation process. Will backups need to be restored? What information security weaknesses need to be addressed at this time?
  5. Recovery: At this point, it’s time to get things back up and running and be sure that all company policies and procedures are effectively being implemented. Continuous, ongoing monitoring is important following remediation of an incident to be certain that it has been fully resolved and nothing threatening is lingering in your network. Continuous monitoring will also detect any suspicious behavior going forward.
  6. Lessons Learned: Compiling a detailed report of what happened and what was done as corrective measures is a good step towards ensuring the same incident will not occur again. Why did it happen? What could have prevented it? Does your security posture need to be updated to ensure similar incidents won’t happen in the future? Who does this information need to be shared with in order to make any necessary change to your security posture?

Preparation is just as important as prevention when it comes to securing and protecting your business. Don’t be surprised by an unexpected security incident. Develop and implement an Incident Response Plan, train your employees on what needs to be done to protect your business in the aftermath of an incident, and you will be able to reduce and address the damage caused by an unfortunate event.

5 Steps to Mastering a Risk Assessment

Performing a Risk Assessment is a critical component of any Information Security Program. It’s mandated by several frameworks (SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA). In order to comply with those frameworks, your organization has to complete a risk assessment, and then assess and address the risks by implementing security controls. The Risk Assessment process is a continuous, evolving process for an organization. So, where do you begin?

1. Conduct a Risk Assessment Survey

A Risk Assessment is a systematic process of evaluating the potential operational, reputational, and compliance risks that pertain to your organization. So why should you care about performing a Risk Assessment? As a business owner or stakeholder, it is your priority to protect the assets that are required to deliver your service or product. It can protect your revenue and business operations, ensure future growth and responsibilities, and help you avoid costly lawsuits and fines.

2. Identify Risks

Risk = Vulnerability × Threat

In order to identify your risks, you must first identify your assets, and the threats and vulnerabilities that can affect these assets. What wakes you up in the middle of the night? Are you worrying about the security of your Hardware, Software, Human Resources, Data, or Processes? After you have identified your assets, you have to identify the threats to those assets. Threats can be man-made or natural events, such as floods, earthquakes, or accidental or intentional acts, that take advantage of an asset’s flaws and can result in a loss of integrity, availability, or confidentiality. What are your assets’ vulnerabilities? A vulnerability is a known or unknown flaw or weakness in the asset that would result in loss of integrity, availability, or confidentiality, such as a lack of security awareness training or a lack of software support for a critical application.

3. Assess Risk Importance & Risk Likelihood

Now that you are aware of what your risks are, you can begin to assess the importance and likelihood of each event. What is the likelihood of this specific event having a negative effect on the asset? If it’s not likely, should we even worry about it? The likelihood of a risk can be expressed qualitatively or quantitatively (High, Medium, Low, or 1, 2, 3, 4, 5). Determining the Risk Importance means determining what the impact on the business is if an event has a negative effect on the asset.

4. Create a Risk Management Action Plan

Based on your complete analysis of which assets are important to your business and the threats and vulnerabilities that are likely to negatively affect those assets, you must develop control recommendations to either mitigate, transfer, accept, or avoid the risk. Creating your Risk Management Action Plan can take a number of forms. Your control recommendations could be to get a spare part, cross-train employees, or create new policies and procedures.

5. Implement a Risk Management Plan

After you’ve developed a plan to manage your risks and determined what you’re going to do and how you’re going to do it, it’s time to implement these controls. This won’t necessarily be an overnight process, but you should now have successfully developed an effective way to identify and manage your risks. The final step of mastering a Risk Assessment is knowing that in order to constantly monitor and manage your risks, you must return to Step 1.
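As an added example that is not part of the original post, here is the scoring from steps 2 through 4 worked through in Python on a constructed risk register: each risk records the asset, threat and vulnerability, is rated 1 to 5 for likelihood and impact, and is ranked and mapped to mitigate, transfer, accept or avoid. The 1-25 score bands and the treatment rule of thumb are assumptions for illustration, not the post’s own.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str          # what must be protected (hardware, software, people, data, process)
    threat: str         # man-made or natural event that can exploit a flaw
    vulnerability: str  # the flaw or weakness in the asset
    likelihood: int     # 1 (rare) .. 5 (almost certain) that the event hits the asset
    impact: int         # 1 (negligible) .. 5 (severe) business effect if it does

    def score(self) -> int:
        """Likelihood x impact on the 1-5 scales gives a 1-25 risk score."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1-25 score onto the High/Medium/Low scale (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def treatment(risk: Risk) -> str:
    """Assumed rule of thumb for choosing among the four options in step 4."""
    if risk.impact == 5 and risk.likelihood >= 4:
        return "avoid"      # too severe and too likely: stop or replace the activity
    b = band(risk.score())
    if b == "High":
        return "mitigate"   # add a control that lowers likelihood or impact
    if b == "Medium":
        return "transfer"   # insurance, contract terms, outsourcing
    return "accept"         # document it and keep monitoring


def action_plan(risks: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Return (asset, score, band, treatment) rows, highest-scoring risks first."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.score(), band(r.score()), treatment(r)) for r in ranked]


# Constructed sample register (not real data), built from the post's own example threats
SAMPLE_RISKS = [
    Risk("Data center", "Flood", "Single site, no offsite backup", 2, 5),
    Risk("Staff accounts", "Phishing", "No security awareness training", 5, 4),
    Risk("Billing app", "Exploit of unpatched bug", "Vendor support ended", 4, 5),
    Risk("Office printer", "Hardware failure", "Aging part, no spare", 4, 1),
]

if __name__ == "__main__":
    for row in action_plan(SAMPLE_RISKS):
        print(row)
```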

For help with conducting your Risk Assessment, contact us today or get started by filling out the form below to download our free Risk Assessment Spreadsheet.