Published on 07 May 2014
Is your organisation prepared for a cyber-security incident? Hacking and other forms of cyber-attack have become more prevalent as organisations rely ever more heavily on ICT to maintain their competitive edge. These cyber-attacks have also become more costly and disruptive, because organisations are unprepared to deal with the sudden interruption to business operations and the unexpected loss of sensitive and proprietary information. Many organisations only start to learn how to respond to such an incident after the cyber-attack has taken place. Hence, having a structured and tested cyber security incident response plan should always be part of the organisation’s risk management strategy.
Cyber-attacks occur frequently. To respond to these security incidents efficiently, organisations, in general, need to:
Minimise Possibility and Severity of Cyber Security Incidents
Adopting a preventive approach is often less costly and much more effective than reacting to a security incident after it has occurred. Although it is impossible to prevent all security incidents, steps can be taken to ensure that its impact is minimised. Organisations should therefore consider the following:
1. Secure IT Networks, Systems, and Applications
A higher number of cyber-security incidents may occur if these components are not secured. Organisations should routinely check all network and system devices to ensure that they have all the latest patches and relevant security controls installed, and enforce strong password requirements for user accounts.
2. Assess and Monitor IT Systems and Services
Besides securing the ICT infrastructure, organisations should routinely assess their security posture. This can be done by performing security vulnerability assessments (conducted by security specialists), monitoring and analysing network traffic and system performance, and regularly checking all logs, such as system, event, application, and intrusion detection logs. Continuous monitoring gives the organisation increased awareness of its ICT systems and services, enabling it to be better prepared in the event of a cyber-security incident.
3. Strengthen Response Capabilities and Resources
Organisations can handle security incidents more effectively and efficiently if they complement their incident response capabilities with adequate resources. This means that organisations need to establish and enforce clear ICT security policies and establish an incident response team. Many incidents are caused by employees who did not follow, or were not aware of, the proper procedures, or by wrongly configured devices such as network equipment and authentication services. Proper training for employees should also be undertaken to ensure that they are aware of, and comply with, the organisation’s ICT security policies.
Incident Detection and Response Capabilities
Indicators of cyber-security incidents can come from multiple sources. Detecting unauthorised changes made to critical system or application files can be an obvious sign that a cyber-attack has taken place. Organisations can use anti-virus software to detect malware infections, monitor logs from intrusion detection or prevention systems to identify attack patterns, and analyse records from firewalls to detect unusual network traffic patterns.
Large organisations may also consider forming a dedicated Computer Security Incident Response Team (CSIRT) to be the main point of contact for dealing with cyber-security incidents in the organisation, including the detection and mitigation of cyber security incidents and the restoration of the organisation’s ICT services. Members of the CSIRT should be trained and prepared to deal with any type of cyber security incident, and their roles and responsibilities must be clearly defined.
There are several benefits of having a CSIRT:
Define Your Incident Response Plan
In preparation for a cyber-security incident, organisations need to design an incident response plan. This plan should cover the procedures to be followed in phases such as:
To determine whether the incident is caused by an actual cyber-attack or is a false positive. Besides determining the cause of the incident, the responding personnel / team will have to gather enough information from their initial assessment to decide how they should proceed.
Contain Damage and Minimise Risk
Limiting and preventing any further damage is the main purpose of this phase.
Removal and Recovery
Steps taken here are to remove the malicious content and restore the affected systems. Examples include using the original disk images to restore the system, installing patches, scanning for malicious software, and disabling unused services to harden the system. Testing, monitoring, and validating the recovered system are also required to avoid a repeat of the security incident.
Lastly, the responding personnel / team will have to document the lessons learned from the security incident, providing a source of reference in the event of a similar incident, as well as suggestions on how to improve the organisation’s effectiveness in dealing with future incidents.
Report Cyber Security Incident
In the event that the organisation is unable to resolve the security incident, it can contact the Singapore Computer Emergency Response Team for further advice and assistance.