By Samantha Agather, Information Security Analyst – Intrinium
Incident Response Plans: More Planning, Less Panic
In less than a year we've seen whole cities taken out by ransomware with no business continuity or disaster recovery plan in place to bring themselves back up, but it's not just cities that lack a plan for when a catastrophe (digital or physical) hits.
Having a plan to restore business operations will save time, money, and stress, but that's only half the equation. The other half is to practice the plan: make sure all the moving pieces fit together and that every step is practical and can be done in the time available. Enough businesses have spent six figures or more because they had no incident response plan; set your business apart from the rest of your industry.
How Do We Begin Planning?
Is your geographical location susceptible to natural disasters, such as flooding, earthquakes or hurricanes?
Are you a financial institution, or do you deal with healthcare information?
These are all points you must consider. If you're subject to natural disasters, storing backups at an off-site location outside the danger zone will help mitigate the loss of data.
If you are a more likely target than most, say a government office or a bank, having more than one kind of backup and good documentation of your network will be crucial should you face a compromise or, worse, a data breach.
Typical Hang-ups: The I Don’t Have Time Paradox
A significant portion of companies that don't have a plan either didn't know they needed one or, worse, didn't have time to develop a proper one. What these organizations don't realize is that taking a couple of hours to get together with all the stakeholders and plan will save them days, weeks, or in extreme cases months of time and energy recovering and rebuilding networks and servers. Furthermore, the cost to you or your business in assets and finances can range from an inconvenience to going out of business.
The difficulty of getting everyone who will be involved into the planning is well worth the preparedness it buys, but, as the saying goes, many companies, especially small to mid-size businesses, will trip over dollars to save dimes. Creating your plan will take time away from other projects, and reviewing and testing the plan may surface other issues, but working these bugs out now will save time later, when something as simple as a power outage takes your business out for a day or two.
Basic Items to Consider
Creating an Incident Response Plan is a daunting task, but breaking it into digestible pieces may alleviate some of the challenges and apprehensions your team has about it. The following questions are a good way to begin scoping your Incident Response Plan.
- If something happens, who do you call?
  - Is this list on hard copy, stored online, or both?
  - Is it easily accessible by all parties who may need it? (We're thinking ISP, cloud provider, management team, executive team, Incident Response Team...)
- Do you have a current network diagram? Do you know all your IPs and their subnets?
  - What other information would be useful if you needed to rebuild from scratch?
- Are your backups cloud-based, on-premises, air-gapped, or something else?
  - Have they been tested recently?
  - Are there any servers or devices that are not being backed up?
    - Do you know why?
  - Are the backups managed by your company, or by a third party?
    - Do you know if the third party has backups of your backups?
    - Are their agents configured correctly?
    - How would you audit that?
- If you're hit with ransomware, do you pay?
  - Does this change if the system is business critical?
  - Does this change if the ransom is more than a thousand dollars? Ten thousand? One hundred thousand?
  - If all your backups are compromised, how badly would your business be hurt?
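The backup questions above have a concrete answer you can run. What follows is an added example, not code from the article or from Intrinium: it joins an asset inventory against a backup software's job report to flag systems with no backup at all, systems whose last backup is stale, systems being backed up that nobody tracks in the inventory, and then checks a restored sample against the integrity value recorded at backup time, which is the only point at which a backup can honestly be called tested. The inventory, hostnames, CSV report format, hashes and timestamps are all constructed assumptions; replace them with your own inventory export and your backup product's report.

```python
"""Backup coverage and freshness audit.

Added example, not code from the original article or from Intrinium. The asset
inventory, hostnames, report format and timestamps below are all constructed
assumptions; substitute your own inventory export and backup software's job
report.
"""
from __future__ import annotations

import csv
import hashlib
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed asset inventory: hostname -> True if the system is business critical.
INVENTORY: dict[str, bool] = {
    "dc01": True,
    "fileserver01": True,
    "erp-db01": True,
    "web01": False,
    "hr-laptop-017": False,
}

# Constructed backup-job report (CSV, one row per completed job). The sha256
# column stands in for whatever integrity value your backup software records
# for a backup set; here it is derived from placeholder bytes.
BACKUP_REPORT = (
    "host,finished_utc,sha256\n"
    f"dc01,2024-05-01T02:10:00Z,{sha256_hex(b'dc01 backup set')}\n"
    f"fileserver01,2024-04-22T02:30:00Z,{sha256_hex(b'fileserver01 backup set')}\n"
    f"web01,2024-05-01T02:05:00Z,{sha256_hex(b'web01 backup set')}\n"
    f"legacy-nas,2024-05-01T01:00:00Z,{sha256_hex(b'legacy-nas backup set')}\n"
)

# Fixed "now" so the audit is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Job:
    host: str
    finished: datetime
    sha256: str


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    critical: bool


def parse_report(text: str) -> dict[str, Job]:
    """Return the most recent completed job for each host in the report."""
    latest: dict[str, Job] = {}
    for row in csv.DictReader(io.StringIO(text)):
        finished = datetime.fromisoformat(row["finished_utc"].replace("Z", "+00:00"))
        job = Job(row["host"], finished, row["sha256"])
        if job.host not in latest or job.finished > latest[job.host].finished:
            latest[job.host] = job
    return latest


def audit(inventory: dict[str, bool], latest: dict[str, Job], now: datetime,
          max_age: timedelta = timedelta(hours=24)) -> list[Finding]:
    """Flag inventory hosts with no backup or a stale one, and backed-up hosts
    that the inventory does not know about. Critical systems sort first."""
    findings: list[Finding] = []
    for host, critical in inventory.items():
        job = latest.get(host)
        if job is None:
            findings.append(Finding(host, "not backed up", critical))
        elif now - job.finished > max_age:
            age_days = (now - job.finished).days
            findings.append(Finding(host, f"stale backup ({age_days} days old)", critical))
    for host in sorted(latest.keys() - inventory.keys()):
        findings.append(Finding(host, "backed up but missing from inventory", False))
    return sorted(findings, key=lambda f: (not f.critical, f.host))


def verify_restore(expected_sha256: str, restored: bytes) -> bool:
    """A backup counts as tested only once data has been restored and compared
    against the value recorded at backup time."""
    return sha256_hex(restored) == expected_sha256


def run_audit(now: datetime = NOW) -> list[Finding]:
    return audit(INVENTORY, parse_report(BACKUP_REPORT), now)


if __name__ == "__main__":
    for f in run_audit():
        flag = "CRITICAL" if f.critical else "        "
        print(f"{flag} {f.host:<16} {f.issue}")
    latest = parse_report(BACKUP_REPORT)
    # Simulate restoring dc01's backup set and checking it; real use compares a
    # restored file tree or image against the recorded value.
    print("dc01 restore verified:", verify_restore(latest["dc01"].sha256, b"dc01 backup set"))
```

Run it and the constructed data produces four findings: the critical ERP database has no backup job at all, the critical file server's last backup is nine days old, an HR laptop is uncovered, and a "legacy-nas" host is being backed up that the inventory has never heard of, which is exactly the kind of gap that hides until a rebuild. The same join answers the third-party question too: if a provider runs the agents, ask them for this report and reconcile it yourself rather than trusting a dashboard.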
Data Breach/Stolen Customer or Employee Data:
- How can you tell the data was stolen?
- What do you do when you confirm it?
- Who do you contact?
- Are there services you can offer, such as credit monitoring, to protect your clients or employees?
- How did the data get stolen?
Media or Other Publicity:
- Do you have a protocol for when the media gets the story, or the story is leaked to them?
- Do you have a dedicated PR person?
- What if a hacktivist announces that they were behind an attack?
  - Can you prove or disprove this?
Physical Loss or Destruction of Equipment:
- If all of your physical laptops, switches, desktops, etc. are destroyed, how long will it take you to replace them?
  - How much will it cost?
  - Will you be able to find equivalent devices, or will you have to spend more to upgrade?
  - Will you attempt to salvage anything?
- For company-owned end-user devices (laptops, phones, desktops), do you have standardized images so you can easily deploy software, drivers, and updates to new devices?
  - If you do, when was the last time you updated the image with the latest software?
Take a Breath, You’re Prepared… Or Are You?
You can be the best in the industry and still forget minor details that cause issues down the line; we've all been there, and it's the same with creating Incident Response Plans. It's all too easy for one missed detail or a misplaced priority to set off a butterfly-effect chain reaction when it's time to actually execute the plan in the middle of a semi-literal fire at your workplace.
Contact a Managed Security Service Provider (MSSP), like Intrinium, with what you've got. They'll help you go over it and, in certain cases, may perform or recommend an Incident Response Tabletop (a scenario-based exercise that walks through possibilities and questions you may not have an answer to... yet). They will help you explore angles you haven't considered and make sure your priorities are in order. They will help you raise your standards and become industry-leading in emergency preparedness, whether the threat comes from the digital frontier or the physical world around you.