Be prepared!

Being horribly sick at home with a nasty chest infection has some small benefits - such as being able to catch up on some TV. I just finished watching 'The Egyptian Job', which is a speculative recreation of the robbing of the tomb of pharaoh Amenemhat III.

Amenemhat III was one of the richest rulers of the Middle Kingdom and had a state-of-the-art pyramid protected by the best security of the time - blind passageways, dead ends, massive immovable stone doors and a 45-ton slab of quartzite sealing the burial chamber.

But it was all for nought! Using stone tools, ingenuity and elbow grease, a determined group of thieves managed to dig a 100-metre tunnel, move several doors weighing 15 tons or more and crack through the 45-ton quartzite slab to pull off one of the richest heists in history.

So what's the lesson? The usual one: no matter how good your defences may seem, a truly determined attacker with time on their side will find a way through. Amenemhat III's pyramid relied on static defences, giant blocks that were 'set and forget'. If the grave robbers hadn't made off with his loot 3700 years ago, Egyptologist Flinders Petrie, with 'modern' tools and techniques, would have taken the lot in 1888.

So, bearing in mind that one day your defences will fail, the next important step is to be properly prepared for that eventuality. In the aftermath of September 11, and more recently the Christchurch earthquake and Queensland's Cyclone Yasi, many businesses created or updated their Disaster Recovery and Business Continuity Plans.

While DR/BC plans are important, such large-scale disasters (or even smaller ones, such as your building catching fire) are relatively rare. A statistically more likely occurrence is for a business to lose critical data, through either malicious or accidental means, or to suffer some other type of network breach such as a large-scale virus outbreak or website defacement. But how many businesses have response plans in place to deal with these types of incidents?

Regardless of business size, having some type of incident response plan to deal with these occurrences is a good idea. A solid starting point is to define clearly who needs to be notified internally, who has the authority to make decisions such as whether a compromised critical system can or should be shut down or whether law enforcement needs to be informed, and under what circumstances external bodies must be informed (regulatory bodies, for example, or reporting the loss of PII). Predefined statements for the media (or at least a decision on who is allowed to talk to the media) are also a good idea in case the breach is made public.

Identifying who has the skills to perform an investigation (internally or externally), and who has the budget authority to engage investigators (nothing is ever free!), is the next step. It is far better to have this sort of thing defined well in advance, in calm circumstances, than to make high-pressure decisions on the fly at 3 a.m. when a major data breach may or may not have occurred (or indeed may still be in progress!).

Where investigations are handled internally, having adequately trained and resourced staff is essential. You can't just rely on your 'regular' IT staff or information security staff to collect evidence and perform forensics without specialized training, and these skills need to be kept up to date through regular incident response drills. The drills should expose a sufficient number of staff to the response process, primary responders and backup team members alike, so that a missing key team member doesn't derail the response.

If a third party is to be used, ensure they have staff with sufficient skills to investigate and collect evidence (this is especially important if the incident ends up going to court) and preferably a proven track record of performing such investigations. Understand how long different types of investigation take and how much they are likely to cost: the cost of the investigation always has to be balanced against the damage of the incident.

Finally, of course, is being able to tell whether an incident has occurred. Sometimes it is easy, but sometimes an organization may not know for months that its network and information systems have been compromised. Sometimes it may be a false positive and no incident has occurred at all. Understanding what is 'normal' in your environment is critical, as is being able to quickly detect when something is not normal.
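To make the "know what normal looks like" point concrete, here is a small added example (my own illustration, not something from the original post): it learns a per-user profile of successful SSH logins from a quiet week of logs, then flags logins in a later window that fall outside that profile. The log lines are constructed for the example and assume OpenSSH-style "Accepted ... for USER from IP" messages with an ISO-8601 timestamp prepended; the profile fields (source address, hour of day, authentication method) are my choice of what to baseline.

```python
"""Baseline-and-deviation check over constructed SSH auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the line sshd logs on a successful login. The timestamp/host prefix
# is assumed (ISO-8601 date then hostname); adjust for your syslog format.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed "known good" window used to learn what normal looks like.
BASELINE_LOG = """\
2011-03-07T09:12:01 bastion sshd[4011]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
2011-03-07T14:30:44 bastion sshd[4102]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2
2011-03-08T10:02:13 bastion sshd[4210]: Accepted publickey for alice from 10.0.0.5 port 51410 ssh2
2011-03-08T17:45:09 bastion sshd[4377]: Accepted publickey for alice from 10.0.0.5 port 51522 ssh2
2011-03-07T08:05:37 bastion sshd[4003]: Accepted publickey for bob from 10.0.0.7 port 60010 ssh2
2011-03-08T12:15:58 bastion sshd[4280]: Accepted publickey for bob from 10.0.0.8 port 60122 ssh2
2011-03-09T08:40:21 bastion sshd[4400]: Accepted publickey for bob from 10.0.0.7 port 60200 ssh2
"""

# Constructed later window to check against the baseline. The "Disconnected"
# line is there to show that non-login lines are simply skipped.
NEW_LOG = """\
2011-03-14T10:15:27 bastion sshd[5120]: Accepted publickey for alice from 10.0.0.5 port 52001 ssh2
2011-03-14T10:15:30 bastion sshd[5120]: Disconnected from 10.0.0.5 port 52001
2011-03-15T03:12:44 bastion sshd[5233]: Accepted publickey for alice from 203.0.113.9 port 41022 ssh2
2011-03-15T12:40:05 bastion sshd[5301]: Accepted password for bob from 10.0.0.7 port 60350 ssh2
2011-03-16T02:00:18 bastion sshd[5388]: Accepted password for mallory from 198.51.100.4 port 33001 ssh2
"""


def parse_accepted(log_text):
    """Return a list of login events (dicts) for every 'Accepted' line in log_text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:  # anything that is not a successful login is ignored
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "src": m["src"],
                "method": m["method"],
            })
    return events


def build_baseline(events):
    """Per-user profile: which sources, hours of day and auth methods were seen."""
    profile = defaultdict(lambda: {"sources": set(), "hours": set(), "methods": set()})
    for e in events:
        p = profile[e["user"]]
        p["sources"].add(e["src"])
        p["hours"].add(e["ts"].hour)
        p["methods"].add(e["method"])
    return profile


def find_deviations(baseline, events):
    """Return (event, reason) pairs for logins that do not fit the learned profile."""
    findings = []
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            findings.append((e, "user never seen in baseline window"))
            continue
        reasons = []
        if e["src"] not in p["sources"]:
            reasons.append(f"new source {e['src']}")
        if e["ts"].hour not in p["hours"]:
            reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if e["method"] not in p["methods"]:
            reasons.append(f"unusual auth method {e['method']}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_accepted(BASELINE_LOG))
    for event, reason in find_deviations(baseline, parse_accepted(NEW_LOG)):
        print(f"{event['ts'].isoformat()} {event['user']:<8} from {event['src']:<14} {reason}")
```

Run against the sample windows, this reports alice's 03:12 login from an outside address (new source and unusual hour), bob's switch from key to password authentication, and a login by a user who never appeared in the baseline, while alice's ordinary 10:15 login is silent. Exact-match sets are deliberately naive: in practice you would baseline over a longer window, allow some tolerance around observed hours, and treat each finding as a trigger for a look by a responder rather than proof of compromise, which is exactly where the false-positive question from the paragraph above comes in.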
