Firms muddle security breach response, expert says

By Robert Westervelt, News Editor
18 Mar 2009 | SearchSecurity.com

Security Wire Daily News

Most security breach responses are poorly coordinated despite advance planning, warns a security expert researching ways to improve security investigations and incident response procedures.


Stress and lack of a clear leader are among the biggest problems that plague security incident response, said security expert Lenny Zeltser, a consultant and member of the SANS Institute board of directors. Zeltser presented his research last week at the SOURCE Boston security conference.

"When people are under stress mistakes are made," Zeltser said. "Someone needs to assert authority and in most cases that should lie with the incident handler."

But asserting authority doesn't mean barking orders at people, Zeltser said. The handler should get to know the response team members and their roles at the company. Ask questions to get a better understanding of the system and data owners. Assign roles and assign people to communicate with different groups in the company. Those people should give updates to employees hourly at the onset of an incident, even if there is nothing to update.

"Update them because it keeps them calm and gives them a sense that you're working diligently on the incident," Zeltser said.

High-profile data security breaches have prompted company officials to ensure incident response procedures are in place and an effective plan is available to use as a guide during a crisis. But Zeltser explained that some firms haven't dusted off their incident response procedures in years, and others are relying on generic procedures that aren't specific enough to their line of business.

Even the best procedures fail to overcome the stresses involved in the initial throes of a breach. Get a handle on how data flows through the company's systems to assess the scope of the security incident, Zeltser said. The technical stage of incident response is often where incidents get muddled. Don't assume people know what to do next. Also, consider the tools and data sources available before deciding whether to conduct live analysis or formal forensics.

Assign an incident response team member to consult with the legal team or the company's legal counsel, he said. Find out who has the authority to make decisions that could affect the company's overall business, such as pulling a critical system offline.

During the presentation, Zeltser also handed out a security incident questionnaire for responders and a cheat sheet for server administrators examining a suspected breached server to decide whether to initiate a formal incident response.

Six key security incident response steps:

  • Preparation: Gather and learn the necessary tools and become familiar with your environment.
  • Identification: Detect the incident, determine its scope and involve the appropriate parties.
  • Containment: Minimize the incident's effect on neighboring IT resources.
  • Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
  • Recovery: Restore the system to normal operations, possibly via reinstall or backup.
  • Wrap-up: Document the incident's details, recall collected data and discuss lessons learned.

Incident response in an organization is usually coordinated by a person who is from IT or was technical at one time, Zeltser said. But in many cases, organizations treat incident response as a technical problem and fail to focus on communicating clearly or following sound processes.

"They focus their efforts on making sure the right tools are in place, the right hardware and software is procured; that the right steps are documented on how to clone a hard drive or examine memory contents," Zeltser said. "They don't pay enough attention to the human and process side of things."
