Incident Management and Response

By Osman Bashkel on 28 May 2019

Oscar Wilde said, “To expect the unexpected shows a thoroughly modern intellect”. That is as true today as it was in the 1880s. Occasionally the apparently impossible can happen – and when it does, it can have disastrous consequences.

You may have read a recent news story about a sacked IT employee who annihilated twenty-three of his former employer’s servers on AWS. The estimated loss to his digital marketing and software employer was £500,000.

One of our clients suffered a similar loss a few years ago, where a disgruntled employee wiped out important data from production servers. EveryCity should have been notified immediately, allowing us to revoke his access, but their lack of appropriate security processes meant we were not informed until after the damage was done.

In a series of security posts we’ll give a few recommendations on how to protect your company from experiencing similar incidents. We suggest your first step should be to develop an Incident Response and Management System.

Implementing such a system requires extensive planning, preparation and response actions. However, the effort required is small compared with the potential losses you might otherwise incur if the unexpected should strike.

So let’s start by asking ourselves: what is an incident?

The National Institute of Standards and Technology (NIST) defines ‘incident’ as: “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

To put it simply, an incident is an unanticipated degradation of your services and/or a violation of your security policies.

In what follows, we’ll cover one of the main phases involved in an incident response and management process based on NIST SP 800-61r2, the Computer Security Incident Handling Guide, whose life cycle is illustrated in the diagram below:

[Diagram: the NIST SP 800-61r2 incident response life cycle – Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. Ref. NIST-SP800-61r2]

Each of the above-mentioned phases has extensive procedures, so we will cover them one blog post at a time, focusing this time on the Preparation phase.

This phase is where you define the security responsibilities, the security baseline (the minimum acceptable security levels), the security controls, the encryption requirements, the information classification requirements, and the logging and monitoring requirements.

So, what does that mean? What should you do? Where should you start? Well, it is not rocket science, but there are significant tasks to be completed in each of the steps listed below. At the end of the journey you will be well prepared to tackle any security incident you may face.

Be Proactive

Being proactive means that you need to know the risks your company may face before any of them becomes a reality. We recommend you utilise ISO 31000 Risk Management – Principles and Guidelines, which gives you a comprehensive risk framework to help you identify risks.

Types of risk may include a threat such as malware that infects one computer system and goes on to hijack your entire suite of servers. In this scenario, introducing a security control such as anti-malware or an intrusion detection system could mitigate the risk.

To identify these kinds of risks, you should implement a risk assessment process that decides which risks to mitigate, transfer or avoid, and defines the level of risk your company is willing to accept. You can achieve this by creating a list of all the risks you think may affect your business, what impact each would have on your business, how to reduce or eliminate it, etc., guided by the ISO principles.

As an example, think of a scenario of having no information classification method, where everyone has access to your business information! This is a huge risk to the business. Your sensitive information, such as intellectual property, personal data, etc., could end up in the public domain. Remember GDPR – neglecting personal data could land you a heavy fine.

This could be prevented by introducing classification levels and giving access only to those personnel who need to know particular types of information for their tasks. Also, segregate duties so that a sensitive task requires more than one person to complete it, each holding a different level of security privilege.

Log and Monitor

Also within this first “Preparation” phase, you begin monitoring and logging security events: who has done what and when, what action took place, whether it was malicious or legitimate, etc. These logs are retained for a period of time so that they can be analysed later if you need to investigate an incident, which we will cover in a future post on detection and analysis. Some major compliance regulations stipulate mandatory log retention periods; PCI DSS, for example, states that logs must be stored for one year.
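As an added example (not part of the original post), here is the kind of check that logging “who did what and when” makes possible: a small Python script that runs two detection rules over constructed audit-log lines, flagging activity from an account that should already have been revoked (the scenario described above) and a burst of destructive actions from a single account. The log format, the account names and the offboarding list are assumptions made for the example.

```python
"""Run two simple detection rules over constructed audit-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp | account | action | target
SAMPLE_LOG = """\
2019-05-20T09:12:04Z alice   LOGIN            vpn
2019-05-20T09:15:41Z alice   UPDATE_CONFIG    web-03
2019-05-20T22:03:10Z bob     LOGIN            bastion
2019-05-20T22:04:02Z bob     TERMINATE_SERVER app-01
2019-05-20T22:04:09Z bob     TERMINATE_SERVER app-02
2019-05-20T22:04:15Z bob     DELETE_VOLUME    data-01
2019-05-21T08:30:00Z carol   READ             report.pdf
"""

# Assumed offboarding list from HR: account -> date its access should have been revoked.
OFFBOARDED = {"bob": datetime(2019, 5, 17)}

DESTRUCTIVE = {"TERMINATE_SERVER", "DELETE_VOLUME", "DELETE_DATA"}
BURST_WINDOW = timedelta(minutes=5)   # how close together destructive actions must be
BURST_THRESHOLD = 3                   # how many within the window trigger an alert


def parse(text):
    """Turn the whitespace-separated log lines into (time, account, action, target) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, action, target))
    return events


def find_alerts(events):
    """Return (rule, account, action, target) for every event that trips a rule."""
    alerts = []
    recent = defaultdict(list)  # account -> timestamps of its recent destructive actions
    for ts, account, action, target in events:
        # Rule 1: any activity at all from an account whose access should have been revoked.
        if account in OFFBOARDED and ts >= OFFBOARDED[account]:
            alerts.append(("REVOKED_ACCOUNT_ACTIVE", account, action, target))
        # Rule 2: a burst of destructive actions from one account inside the window.
        if action in DESTRUCTIVE:
            window = [t for t in recent[account] if ts - t <= BURST_WINDOW]
            window.append(ts)
            recent[account] = window
            if len(window) == BURST_THRESHOLD:
                alerts.append(("DESTRUCTIVE_BURST", account, action, target))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(*alert)
```

Rule 1 is only as good as the offboarding list it is fed, which is exactly the process gap described in the client story above.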

Encrypt Data in Transit and at Rest

Speaking of regulations, data encryption is our next step. Applying encryption to your portable devices will not only help you protect your data, it will also help you avoid the penalties regulators impose for lost or stolen devices. We recommend applying full disk encryption on laptops, which will protect data from disclosure or misuse if a device falls into the wrong hands, since encryption renders the data unreadable. This can help to avoid brand reputational damage as well as regulatory infringement.

Minimise the Blast Radius

In this last step, we recommend applying the network segmentation principle: separating your networks into segments, zones and/or VLANs so that they are isolated from one another. This limits the impact a breach of one network can have on the others.

Finally, the purpose of this phase is to employ all the available tools for managing risks, assigning security responsibilities, developing security baselines, implementing security controls, applying encryption, classifying information, and logging and monitoring.

We hope you will feel inspired to implement an Incident Response and Management System, and we will follow up in the coming weeks with overviews of the next phases in the process.

You can also find an outline of what’s involved in implementing ISO 27001 in our recent blog post here.