Proactive planning is essential to ensure business continuity.
Despite the trend indicating a rapid increase in data breaches and cyberattacks paralyzing networks, some organizations fail to adequately plan and prepare for such events, leaving them blindsided and effectively sidelined as they struggle to rebuild and relaunch critical services. While no organization can predict a perfect storm heading their way, they can take measurable steps to mitigate the impact that can happen when faced with unforeseen disasters.
What every organization needs to prioritize and have in place are comprehensive and well-written incident response and disaster recovery measures that they can easily implement and execute, if necessary. Specifically, Texas CEOs should challenge their entire organizations to develop both a formalized incident response program (IRP) and a business continuity and disaster recovery plan (BCDRP).
The Importance of Incident Response
The threats of cyberattacks and data breaches are very real in the second half of 2022, and organizations need to respond swiftly and comprehensively to protect vital assets, as that response achieves the following measures:
- isolates the affected systems as quickly as possible, helping minimize the threat to other critical information systems,
- helps minimize downtime while restoring critical infrastructure to full operational capabilities as quickly as possible, and
- provides a “lessons learned” approach for every incident, regardless of size, scale, complexity, and severity.
Oftentimes the difference between a security issue being stopped and one that evolves into a catastrophic breach is minutes—sometimes seconds. This makes the case for having a well-documented, actionable, and easy-to-implement incidence response (IR) in place. Time is of the essence when it comes to protecting a network.
Comprehensive incident response measures require true participation and involvement from everyone within an organization, from senior management to end-users of systems. Specifically, all employees need to be aware of the following core components of incident response.
Preparation All employees and other applicable third-party entities should be aware of common security threats and computer incidents that may potentially compromise the organization’s network infrastructure, cause harm to other related systems, or pose a significant financial, operational, or business threat to the organization as a whole.
Detection Detecting an incident requires true commitment by all employees to be constantly aware of their surroundings for any type of social engineering, physical, or environmental threat. Additionally, detection also requires due diligence and consistency by authorized employees regarding the secure configuration and review of network and system logs, being aware of network traffic anomalies and any suspicious or disruptive network patterns or incidents.
Employees responsible for reviewing network and system logs (firewalls, routers, switches, intrusion detection system (IDS)/ intrusion prevention system (IPS), operating systems, applications, databases, etc.) are to report any malicious, suspicious, or disruptive event immediately to the incident response team (IRT).
Initial Response and Containment Any incident deemed to be a threat to the organization requires a rapid response from authorized personnel, such as the IRT personnel. This rapid response should always follow a standard course of action designed to minimize the impact of the incident to the organization’s critical network and system infrastructure. For any incident that has been detected, IRT personnel should be immediately notified and formally assume control and identify the threat and its severity to the organization’s information systems.
Security Analysis | Recovery and Repair With the affected information systems now logically and/or physically removed from an organization’s network and/or isolated, forensic analysis should be undertaken to examine all applicable data as necessary. This includes conducting the following activities:
1. Review of system settings, such as configuration files, and all changes made to such settings.
2. Review of all output data, such as logs (i.e., log files, history files, trace files, error files, etc.) and other relevant audit trails.
3. Review of all data files and all changes made to such data.
4. Utilizing any pre-installed security tools, such as file integrity monitoring, logging tools intrusion detection | prevention tools (IDS | IPS), etc.
5. Actively search for malicious code, scripts, and other files left behind, such as Trojan horses, logic bombs, sniffing tools, etc.
Communication During and after an incident, IRT personnel should keep senior management and other parties abreast of the overall status of the incident, such as response and resolution initiatives. This is especially true for incidents deemed severe. Additionally, any changes made to incident response initiatives out of the lessons learned from actual incidents should be communicated to all personnel in a timely manner. Communication and sharing of information is vital for protecting organizational assets.
Post-Incident Activities and Awareness A formal and documented incident response report (IRR) should be compiled and given to management within an acceptable timeframe following the incident. Additionally, the IRR should contain the following elements:
1. a detailed description of the incident,
2. response mechanisms undertaken,
3. reporting activities to all relevant third parties as needed,
4. recovery activities undertaken for restoring affected systems, and
5. a list of lessons learned from the incident and what initiatives can mitigate and hopefully eliminate the likelihood of future incidents.
Monitoring An organization should monitor security incidents, which means all incidents should be tracked and documented accordingly to ensure all information is captured that can help in understanding and assessing the incident itself. Such tracking and documentation should include the following measures:
1. maintaining records about each incident,
2. the status of the incident, from the opening of a ticket to final resolution, and
3. all other pertinent information necessary for forensics, evaluating incident details, trends, and handling.
Reporting of Suspected Incidents The rate at which an incident is reported often determines to what extent it can be successfully managed by authorized personnel. This requires individuals to report suspected security incidents as soon as possible, regardless of how non-essential they may seem. Only experienced IT and operational personnel can truly judge the seriousness of an incident; therefore, such reporting should be done directly to the authorized IR personnel. All employees and other in-scope personnel should report incidents as soon as they deem something being a threat.
Training A vitally important component of an organization’s incident response measures is ensuring that all employees and other in-scope personnel are aware of response mechanisms and other protocols. As such, security awareness training programs should include mandated provisions regarding the aforementioned incident response practices. Additionally, any other incident response training deemed essential for employees and other in-scope personnel should be conducted as necessary. For training measures regarding incident response, they can also be conducted as a stand-alone initiative, separate from the organization’s enterprise-wide training.
Testing To help further ensure the safety and security of an organization’s critical information systems, the incident response plan should be tested on an annual basis, with results provided to senior management for review.
Preparing for the Unthinkable
But what if an incident happens, a cyberattack proves to be so devastating that even the best incident response measures proved inadequate? If this scenario plays out, organizations need to have in place real-world business continuity and disaster recovery planning/contingency planning (BCDRP/CP) initiatives ready to enact.
Business continuity and contingency planning encompass planning and preparation to ensure that an organization can continue to operate in the event of a serious incident or disaster and is able to recover to an operational state within a reasonably short period.
Disaster recovery includes initiatives for enabling the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery also focuses on the information technology systems supporting critical business functions, whereas business continuity involves keeping all essential aspects of a business functioning despite significant disruptive events.
When blended together, they form the last line of defense if initial incident response measures have failed.
Disasters do happen, thus the ability to continue to operate as an organization is essential. With a wide range of computing and operational environments in place by organizations—cloud-based, on-premise, the use of co-locations or data centers, and more—it’s critical that organizations document essential BCDRP/CP activities commensurate with their needs.
Key elements in building a results-driven BCDRP/CP program include the following:
Scope It’s important that a plan include coverage of all facilities, personnel, information systems, and other applicable assets relevant to a disaster that could occur. Such disasters include, but are not limited to:
- natural disasters, such as flooding, earthquakes, extreme heat/cold environments, etc. or
- man-made disasters, such as fires, explosions, cyberattacks, loss of human life, etc.
Objectives When developing a plan, it needs to be crystal clear to all that the core objectives are to prepare for the continued operations of the business in the event of serious incidents and disasters, recovering and enabling continued functionality of essential information technology and operational systems, along with fully recovering to the original state of the business prior to the disaster.
It’s a team effort. For a BCDRP/CP plan to really get off the ground, it’s essential to identify and delegate key roles and responsibilities to various personnel. Examples of commonly used BCDRP/CP titles and their relevant responsibilities include the following:
- BCDRP/CP Lead Authority
- BCDRP/CP Facility Personnel
- BCDRP/CP Information Security Personnel – Networks & Related Systems
- BCDRP/CP Operations Personnel
- BCDRP/CP Communications Team
- BCDRP/CP Legal & Finance Team
As a CEO, it’s important to assess current employee skill sets against the above listed roles and assign positions accordingly. The roles are self-descriptive in terms of which employees should be performing the roles.
It’s About Being Prepared
Together, an IRP and a BCDRP/CP help prepare organizations for the unexpected. When developed in accordance with industry leading standards, IRP and BCDRP/CP plans can be a lifesaver when needed most.