On February 1, 2010 in Mountain View at Symantec, the SDForum Security SIG presented “Strategic Considerations in Incident Response” by IOActive Director of Services Glenn Kaleta. He is a former Military Intelligence Officer in the US Army Reserve, a graduate of the FBI Network Intrusion Investigation Course, an expert in computer forensics, incident response, fraud risk assessment and investigations management. He has investigated everything from murder and armed robbery to highly sophisticated fraud, financial misconduct and network intrusion schemes involving the use of proprietary applications and technology.
You find out how strong, flexible and resourceful your organization is when it faces a crisis. The plans you make are not as important as the process you put in place to respond to an incident with talent, leadership and execution. Incidents such as a physical threat or theft can be dealt with using standard security measures. Now that corporations have an online presence, new strategies and responses are needed to reduce damage to the financial, legal, operational, political and reputational assets of your company.
Consider your capabilities. How has your organization learned from previous incidents? Were the lessons incorporated into current practice? Can your organization deal with a malware infection, a data breach, or an internal incident involving fraud or misconduct? Are your people trained on what to look for and how to respond? Have they practiced together? Rather than a weekend rafting trip for team building, maybe you should stage a mock cyber attack and see how everybody handles the situation. Who is in charge when that call comes at three in the morning? Identify the key leaders and clearly state their responsibilities. No matter what happens, do they have the presence of mind to preserve evidence of the incident for forensic investigation afterward?
Consider your risk. Can you afford to be knocked offline and put out of business? Are you prepared for constantly changing threats from inside and outside your organization? Kaleta had some very instructive stories about common surprises and what to do about them. All of them had similar components. Every incident response requires identifying the incident, quarantining it, investigating it, eradicating the cause and preventing the next one. Any changes should be implemented within thirty days or the lessons learned will be lost.
One obvious weak spot is vendors. While you may have vetted your own people, what about your cleaning staff or tech support? How thorough are the background checks your vendors perform, and are they willing to supply you with proof? If an incident happens, do you have legal recourse in the country where it occurred? Asking awkward questions now will avoid awkward situations later.
I would like to thank Ross Oliver for his help with the presentation. SDForum Security SIG people are great when things don’t go according to plan.
Copyright 2010 DJ Cline All rights reserved.