We provided incident response and incident response preparedness services to hundreds of companies in 2015. The questions we answered were as unique and varied as the incidents companies faced. Some were challenging, and occasionally they were easy to answer (e.g., Can we create a fake employee to sign the notification letter?), but often they were focused on what practical steps companies can take to be better prepared to respond, how to make certain decisions during an incident, and what is likely to happen after disclosing the incident.
(1) If incidents and attacks are inevitable, what preparedness steps should be taken? We talk to companies about being “compromise ready”—a constant state of diligence focused on prevention and improvement of response capabilities. The areas of preparedness that go into becoming compromise ready include: (1) preventative and detective security capabilities; (2) threat information gathering; (3) personnel awareness and training; (4) proactive security assessments focusing on identifying the location of critical assets and data and implementing reasonable safeguards and detection capabilities around them; (5) assessing and overseeing vendors; (6) developing, updating, and practicing incident response plans; (7) understanding current and emerging regulatory hot buttons; and (8) evaluating cyber liability insurance.
Obviously, accepting that incidents are inevitable does not mean it is not worth trying to stop them. Companies still need to use preventative technologies to build the proverbial moat around their castle to protect their systems and comply with any applicable security requirements (e.g., statutory, contractual, or formal/informal precedent from enforcement actions by their regulators). The right technological safeguards may prove sufficient to prevent many attacks. But when companies find a way to stop one attack vector, attackers do not give up and look for a new line of work. Rather, they are repeatedly observed finding ways around technological barriers. Most security firms will tell you that a capable attacker will eventually find a way in. Why? Most networks are built, maintained, and used by people, and those people are both fallible (e.g., able to be phished) and subject to a range of constraints (e.g., budgets, production priorities). Thus, companies should assume that even if they install the most advanced technology solutions and receive certain security certifications, their security measures may fail and an unauthorized person may gain access to their environment.
That reality drives the next two areas of preparedness: (1) implementing detective capabilities (e.g., logging and endpoint monitoring tools and procedures) so that unauthorized access is detected quickly, and (2) developing and practicing a flexible incident response plan. Two key parts of incident response planning are identifying the companies you will work with to respond and then building those relationships before an incident arises. In a prior blog post, I discussed “How and Why to Pick a Forensic Firm Before the Inevitable Occurs.” Companies do not always get the “luxury” of having 30 days to investigate, determine who may be affected, and then mail letters. Spending a few days just negotiating and executing a master services agreement and a statement of work with a forensic firm so that the forensic firm can begin to investigate can make the difference between meeting or missing a 30-day disclosure deadline.
Companies can use the Law & Order approach to building a tabletop exercise—read disclosures from other companies and the security firm reports that detail the incidents they investigate. It is often beneficial to have the law firm, forensic firm, and crisis communications firm that will work with you during the incident participate in developing and leading the exercises. An experienced incident responder leading the exercise will be able to provide helpful context during the exercise if the CISO states that he or she will identify, contain, and fully investigate a significant incident in a few days, or if the communications team wants to make notification no later than seven days after discovery or say that the company is implementing “state-of-the-art security measures” to make sure an incident never happens again.