CIOREVIEW >> Security >>

The Role of Cyber Security Incident Response

By CIOReview | Monday, August 8, 2016


With cyber criminals targeting organizations across majority of sectors, organizations have to be prepared to respond to the inevitable data breaches that could potentially victimize them. The security breach response systems should be guided by a plan that intend to limit the damage from a cyber incident, increase external stakeholder confidence, and optimize recovery time and expenses. With incident response— the organized approach to addressing and managing the outcome of a security breach or attack–the ultimate goal is to handle the situation to limit damage and reduces recovery time and costs. 

Examples of a computer security incident include the violation or imminent threat of defiance of the computer security policies, acceptable user policies, or standard security practices including unauthorized data access and data removal. Here are some of the preeminent techniques that can be adopted for recovery with limited expenses from such cyber security incidents.          

Why Incident Response?

Attacks frequently compromise personal and business information and it is critical to respond quickly and effectively when security breaches occur. The concept of cyber security incident response has turned out to be widely accepted and implemented in organizations to reduce the threat impact and recovery expenses of hardware and software. Some of the benefits of an incident response system include support in responding to incidents systematically with appropriate actions taken and offer stronger protection for data and systems. Incident response not only helps minimize loss or theft of information and disruption of services caused by incidents, but also information gained during incident handling can facilitate to better prepare for future incidents. An incident response capability also helps with dealing properly the legal issues that may arise during incidents.

Best Practices in Effective Incident Response

Goal setting

The goals of the plan have to be effectively portrayed and set. Having specified goals for each section will help personnel in understanding the context of the assignment, and the explanation for their actions, which are key factors. 

Choice of Individuals

“The weakest link in the security chain is the human element,” says Kevin Mitnick, famous white hat hacker and security consultant, highlighting the importance of cyber security education among employees. There should be predefined role for each individual with a point of contact that can manage the policies and procedures. 

A Cyber Security Incident Response Team (CSIRT) to respond and manage incidents with decision-making capabilities has to be established for effective incident response. The CSIRT should also have the ability to assign strike teams to assess the severity and potential impacts of an individual incident.

Recovery Mechanism

The events and activities within your organization have to be monitored or reviewed regularly to identify potential information security incidents. Identification of the most possible number of triggers including theft of hardware, access logs, unauthorized access records, and malware traces can be an active input for efficient investigation of the incident.   

Active CSIRT

Identifying the most apt staff level to act upon depending on the type of information security incident is also key element of an incident response.

Breach Determination Methodology

The strategies to identify the type of attack and the category of data that was compromised have to be described within the incident response team. Additionally, it is important to record any likely violated state and federal regulations. The HIPAA federal regulation composes guidelines that can reflect a breach. The four-factor test, according to HIPAA definitions 45 CFR 164.402:

•    The nature and degree of the protected information involved, including the kind of identifiers and the possibility of re-identification.
•    An unauthorized person who used the protected information and/or to whom the disclosure was made.
•    Whether the confined information was actually acquired or viewed.
•    The extent to which the risk affecting the protected information has been mitigated.

Triggering Events

Based on regulatory and contractual obligations, the trigger for any breach notification to contract partners, employees, consumers, law enforcement, and regulatory bodies has to be determined by the team. 

Breach Response Team

The breach response team is developed in combination with the CSIRT for immediate response after a data breach has been identified. These staff members can be both internal and external, including vendor representatives, technical staff, legal and compliance officers, marketing, and public relations staff.

Detail Remediation Efforts:

After an incident, there should be remediation work to return your organization to normal operations including application reinstallation, rebuilding databases or host machines, Network configurations and setup monitoring services. Remediation should be initiated as soon as possible to help prevent additional incidents triggered by the vulnerability, procedure, or policy that allowed the incident to occur in the first place.

Reporting and Documentation:

Spending enough time for proper documentation of events, actions and results that happened during a security incident are inevitable. Maintain the copies of all communications and notifications, and document all activity related to the breach.  

Review Policy and Procedures

A significant security incident or a breach can be a great opportunity to improve the data protection policies and procedures. The drawbacks of current security settings can be rectified and improved by reviewing the documents and mode of attack.

Train and update staff

The staff has to be trained and made aware about your organization’s cyber security incident response plan to avoid inaction, delays, and mistakes. Empower the employees to be certain and prepared to act when the inevitable occurs.

Today other companies hold more of our data in the cloud and more of the actual networks are outsourced. Security is the blend of protection, detection, and response, where response plays an integral part in recovery. Making the response work is the ultimate key to effective cyber security. The goal here is to bring people, technology, and process together in network security.