What I Learned From Getting Hacked

Filed in Continuity/DR, Incident Management, Security, Uncategorized on Jul.09, 2009

In CPP’s June Podcast, we discussed a security breach that occurred a few years ago and the steps my team took to detect, respond and remediate the incident. Here are the five things I learned from that breach.

1). Planning your response to a disaster or security incident is just as important as the safeguards you put in place
You cannot protect against everything. The following often delays or prohibits putting the necessary mitigation plans and preventative controls in place:
   - Residual risk that remains based upon your organization’s tolerance or risk appetite
   - The cost of mitigating risks and putting necessary controls in place to thwart threats & vulnerabilities
   - Business strategies and priorities that conflict with your security program
   - Zero day threats and vulnerabilities
If you agree with at least one of the bullets above, then it is of the upmost importance to have Incident Response Plans and Response Teams in place that you can trust.
2). Select a team or teams you can trust
Tough times don’t last, tough people do. Choosing people for your Emergency Response and Incident Response teams should be done on a selective basis. Having the right people on call at the right time may save your organization from further loss. Creative people that can think clearly in stressful situations can make all the difference between ending up in the headlines or heading the bad guys off at the pass.
3). Store your Incident Plans in plain sight (and at multiple sites)
When an incident or disaster occurs you don’t want to leave your response to chance — even if you have selected a great team. Know exactly where your Continuity, DR and Incident Response Plans are located.   This is achieved through constant awareness and possibly automation. Both electronic and paper documents should exist in multiple locations.
4). Monitor, Monitor, Monitor
Our security breach was discovered by a higher-than-normal CPU event that triggered an automated alert to our Service Desk. Good processes and disciplines (automated and otherwise) must take over from there. Monitoring for anomalies on your servers, network devices, databases and applications are an important first step in addition to the traditional security monitoring (IDS/IPS, Anti-virus, logging, etc.).
5). Embed good processes and practices such as ITIL into your organization’s daily life
I brought ITIL into my previous employer’s organization in 1999. Good Event, Incident and Problem Management disciplines were vital in detection, notification, “root cause” and escalation of the attack. Change/Configuration and Release Management disciplines were significant in quickly correcting the incident, the underlying problem and putting the necessary corrective, compensatory and deterrent controls in place.

Comments are welcome.
Jay Martin
jay.martin@cppit.com

Tags: attack, Change, configuration, continuity, corrective, CPU, cyber crime, Disaster, Emergency, IDS, Incident Management, Incident Response, IPS, ITIL, manage, mitigation, monitor, network, plan, prevent, protect, release, residual, risk, Service Desk, threat, vulnerability, zero day

What I Learned From Getting Hacked

Leave a Reply

Categories