The Importance of an Incident Response Plan
October 31, 2011 | POSTED BY BRETT EDGAR IN MONITORING, INCIDENT RESPONSE
Most organizations are going to experience a computer security incident each year. Those organizations that don't experience an incident only avoid doing so by being blind to what is going on in their information systems. If you are even casually looking at your computers and networks, you will find incidents. At the very least someone is going to plug an infected USB device they received as a Christmas/birthday present into their work computer. At worst, an attacker is going to be rummaging around on your internal network. Most organizations are going to experience something in between those two extremes, like a "drive by" web attack on an unsuspecting user who was searching Google for a good deal on Chuck Taylors. It's going to happen. Accept it.
Now that you've accepted that it's going to happen, you better be prepared to handle the situation. How you react depends on the criticality of the information stored on the compromised system(s) or network(s). If your CEO's administrative assistant gets malware on his/her computer, but the only access they have is to the Internet, then your response is pretty easy: clean the machine or reinstall it from a clean image. Done. If your accountant's computer gets malware, then you have some bigger issues. You're going to need to do some research to see if any of your accounting data has been exfiltrated, including, perhaps, account numbers of your business partners or customers. That would be bad.
The point is that you need to have a plan on how to escalate the handling of the incident. Do you pull compromised machines off the network immediately? Who gets involved, and when? Who makes those hard decisions like shutting down the compromised database server that powers your e-commerce website? Every organization needs to at least have a start at outlining this process. You're also going to need to have a general idea of where your data rests, and how critical that data is.
If you wait until your first incident to start thinking about this, you're response is pretty much guaranteed to fail. So start now. NIST has produced a document, SP800-61
, that goes into some depth about incident response plans and procedures. While following that document is going to be overkill for small organizations, at least having a familiarity with it will help you in writing your own basic incident response plan.