Security Incident Handling

When everything fails, you must rely on an effective security incident response plan!

Security Incident Handling

The security incident handling framework follows the NIST Cybersecurity Framework functions of Identify, Protect, Detect, Respond and Recover. This product includes actual procedures for various security incident response scenarios such as malicious code, phishing, DDoS, information loss, unauthorized access or hacking, etc. It also includes a generic security incident handling procedure template for creating your own security incident handling procedures.

Malicious Code

Malicious code refers to viruses, spyware, keyloggers, worms, ransomware, crypto-miners, or any other form of malware that causes harm to your information or systems. Likely sources of infection include the internet, file transfer through email or other means, and USB or other removable media. A controlled environment is essential to protect the business from malicious code attacks. Blocking removable media and taking regular backups that are tested and kept offline (so that ransomware cannot encrypt them along with the live data) are effective measures to deal with such incidents.

Denial of Service

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks both make information systems unavailable to their intended users. This is usually achieved either by exploiting a vulnerability in a system to cause a service outage, or by flooding the network with so much traffic that the target systems can no longer handle it. The former can be limited by patching, hardening and vulnerability removal; the latter is difficult to control from within your own perimeter, because the traffic saturates your link before it reaches your controls. Your internet service provider might offer last-mile DDoS protection, limited by its traffic scrubbing capacity.
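A first triage step for the flooding case described above is to find which sources are driving the request volume in the web server's own access logs. The script below is an added example, not part of this product; it runs a sliding-window per-source request count over constructed Common Log Format lines (the addresses 198.51.100.7 and 203.0.113.5 are documentation ranges, not real hosts, and the threshold of 20 requests per 10 seconds is an assumed value to tune per service). It identifies a single noisy source; a genuinely distributed flood spreads the load across thousands of addresses and will not stand out per source, which is exactly why upstream scrubbing is needed for that case.

```python
"""Flag sources sending an abnormal request rate in web server access logs.

Added example, not part of the product page. The log lines are constructed
in Common Log Format; the IP addresses come from documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FORMAT)


def flood_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak requests within `window`} for every source that exceeded `threshold`.

    One deque per source keeps only the timestamps still inside the sliding
    window, so the check is O(1) amortised per line and works on a live
    stream as well as on a file. Lines must be in time order per source.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting triage
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _log_line(ip, ts, path):
    """Build one constructed access log line for the sample set (assumed format)."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512'


_BASE = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
_LINES = (
    # an ordinary client: three requests half a minute apart
    [_log_line("203.0.113.5", _BASE + timedelta(seconds=30 * i), "/index.html") for i in range(3)]
    # a flooding client: 40 requests to the same path within 4 seconds
    + [_log_line("198.51.100.7", _BASE + timedelta(seconds=i // 10), "/search?q=x") for i in range(40)]
)
# Constructed sample log, sorted by timestamp the way a real access log is written.
SAMPLE_LOG = sorted(_LINES, key=lambda line: parse_line(line)[1])


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(SAMPLE_LOG).items()):
        print(f"{ip}: peak of {peak} requests in a 10 s window")
```

Feed the real log with `flood_sources(open("access.log"))`; the sources returned are candidates for a temporary firewall or WAF block while the incident is worked, and the peak count gives the responder a number to put in the status update.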

Unauthorized Access

Information and information systems must be accessed only by those who are authorized to access them. Unauthorized access can lead to further security breaches such as data theft, unauthorized change, system compromise, etc. A stringent access control process must be implemented to prevent unauthorized access to sensitive information or information systems. For privileged access, a privileged access management (PAM) solution is most useful: it vaults privileged credentials, grants elevated permissions only when needed and for a limited time, and records what was done with them. Where a technical solution is not possible, a documented process must be designed to control privileged access.

Lessons Learnt

Perhaps this is the only good thing that can come out of a security incident. A well-organized security incident process includes a post-mortem of the incident response to identify root causes and other lessons that can be learnt, document them, and take remedial action to prevent the same or similar incidents in the future. This process gives your incident response team the confidence to deal with future breaches.

Security Incident Management Policy

Organizations need an effective policy on security incident management. The policy should address a variety of topics such as authorizing a CIRT (computer incident response team) to handle security incidents, defining what a security incident is, the methodology for information security incident handling, how incidents are prioritized, what metrics are captured, etc.

Phishing

Phishing is the easiest attack to execute because of its mode of delivery: anyone with an email address is a potential target. Good controls are available for email security, such as SPF, DKIM and DMARC, to strengthen its defense against spamming and phishing; note that these authenticate the sending domain, so they stop attackers spoofing your own domain but not mail from look-alike domains they register themselves. Modern email solutions are capable of content scanning to remove malicious code. A URL reputation solution will help your web users avoid known malicious websites. When all controls fail, the organization must rely on the security awareness of its end users.

Information Loss or Theft

Information loss can be caused by internal or external threat actors. A common data theft scenario is a resigning employee copying their past work for future reference. While this may not seem critical, it can at times include sensitive information such as system designs or trade secrets. Such information must be protected using data loss prevention (DLP) controls. Blocking removable media is a simple yet very effective method to deal with this situation. Whitelisting the URLs and email domains to which data may be sent might also help, though such measures are seen as drastic; the need to protect sensitive information may warrant them.

Stakeholder Communication

When major incidents happen, it is crucial to provide regular updates to stakeholders to apprise them of the situation. In some cases there are regulatory requirements to consider, mostly for breaches of personal data or financial information, and these often come with fixed notification deadlines. All communications sent out must be approved at the appropriate level of authority. A regulatory communication is not appropriate without management review first, and at times legal review. Insufficient communication may be perceived as not having a handle on the incident, as incompetence, or even as an attempt to hide information, which could cause greater reputational damage than the security incident alone.