The First line of Defence against a Cyber Attack for Business:
A Cyber Incident Response Plan
It does not matter what size a business is: in today’s environment every business needs a cyber incident response plan that enables a quick and effective response in the event of a cyber-attack and minimises the impact of that attack.
The following article provides a framework for developing and preparing a cyber incident response plan. The size and detail of the plan should reflect the complexity and size of your business. It must, however, detail the steps to be taken for the most common forms of cyber threat, i.e., data breaches, staffing, social engineering (business compromise) or a ransomware attack.
Cyber.gov.au is a handy reference site to use when developing a cyber incident response plan. Cyber.gov.au provides a sample template that can be used to build a cyber incident response plan. Your local IT service provider should be aware of this site and should be able to locate the template for you. The template identifies the common threat vectors defined by the NIST Computer Security Incident Handling Guide (the leading framework for businesses in the USA). These threat vectors are listed below:
- External/Removable Media: an attack executed from removable media or a peripheral device (e.g., malicious code spreading onto a system from an infected USB flash drive).
- Attrition: an attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services (e.g., a DDoS intended to impair or deny access to a service or application, or a brute force attack against an authentication mechanism, such as passwords).
- Web: an attack executed from a website or web-based application (e.g., a cross-site scripting attack used to steal credentials, or a redirect to a site that exploits a browser vulnerability and installs malware).
- Email: an attack executed via an email message or attachment (e.g., exploit code disguised as an attached document, or a link to a malicious website in the body of an email).
- Supply Chain Interdiction: an antagonistic attack on hardware or software assets utilising physical implants, Trojans or backdoors, by intercepting and modifying an asset in transit from the vendor or retailer.
- Impersonation: an attack involving the replacement of something benign with something malicious (e.g., spoofing, man-in-the-middle attacks, rogue wireless access points, and SQL injection attacks all involve impersonation).
- Improper Usage: any incident resulting from a violation of an organisation’s acceptable usage policies by an authorised user, excluding the above categories (e.g., a user installs file-sharing software, leading to the loss of sensitive data).
- Loss or Theft of Equipment: the loss or theft of a computing device or media used by an organisation (e.g., a laptop, smartphone or authentication token).
This may sound confusing, but that is where an IT professional comes into the picture: their services should include providing the tools and services that protect against such attacks occurring.
The next aspect is to be sure that your plan highlights the actions that are to occur when an attack is discovered. The Cyber.gov.au template provides a table listing the common cyber incident types.
The following list is an extract of the common cyber incident types:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS): overwhelming a service with traffic, sometimes impacting availability.
- Phishing: deceptive messaging designed to elicit users’ sensitive information (such as banking logins or business login credentials) or used to execute malicious code to enable remote access.
- Ransomware: a tool used to lock or encrypt victims’ files until a ransom is paid.
- Malware: a Trojan, virus, worm, or any other malicious software that can harm a computer system or network.
- Data breach: unauthorised access and disclosure of information.
- Industrial Control System compromise: unauthorised access to ICS.
When an attack is discovered, the plan defines what actions are required in the response. This means having clear instructions on the steps to be undertaken to defend against the attack and stop it from spreading.
A consideration in building your plan is whether this list needs to be expanded because of the nature and activities of the business you are running.
What do you do if you do have an Incident?
The first step is to ensure you have somebody allocated as the leader of the response. In a smaller business, this is still likely to be an internal resource, who is responsible for bringing the response team together. The team’s composition will be determined by the complexity and size of the business, but as a minimum it will be an internal resource and your IT leader. In a small organisation, this should be your IT support provider. The business may engage other resources, such as a legal adviser for legal matters and a communications or marketing expert for communications with all affected parties. If you have cyber insurance, your insurer may also be able to assist with expertise as required.
The actual steps your response team needs to undertake are guided by the SANS Institute Incident Handler’s Handbook. The steps are:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
Another key factor is to develop and use checklists, and to document every action taken during the response.
Yes, this is a detailed subject that can be confusing, but in today’s business world a cyber incident response plan is an essential element.
Do you need to develop a cyber incident response plan, or to identify how resilient your business is against a cyber incident? Then why not start with a friendly discussion about your IT security. Visit computertroubleshooters.com.au or phone 1300 28 28 78 to locate your nearest Computer Troubleshooter.