Yet, a large number of companies still do not have procedures in place to cope with the immediate issue of being a victim in a computer security incident. They are unable to marshal the correct responses that would curtail the damage as events unfold over time.
Just over a month ago, a security attack against the largest US defence contractor; Lockheed Martin was reported. At the time, Lockheed Martin released a short memorandum saying that whilst the security team had detected a significant and tenacious attack, their customer data had not been compromised.
Here are snippets of Lockheed's winning actions in the context of an incident handling process:
- Declaration, Triage and Investigation: When an event has been reported by employees, or detected by automated security controls, the first stage carried out by the incident response team should be to understand how bad the situation is, understand the severity and set the priority on how to deal with the incident. By the announcements and its conviction we know that Lockheed immediately began an investigation strategy to determine the category of the attack - what is internal or external, the assets affected by the incident and the criticality of those assets.
- Containment: A containment strategy buys the incident response team time for proper investigation and determination of the incident’s root cause. It is reported that Lockheed shutdown its virtual private network having determined that the SecureID tokens were used to gain access to its network.
- Analysis: The idea here is to figure out what happened and try to figure out the root cause of the incident. We've read that work is well under way to preserve "electronic DNA" that may have been left by the attackers. Chris Ortman, US Homeland Security spokesman, said that his agency and the Pentagon are working with Lockheed to "provide recommendations to mitigate further risk".
- Recovery: Once the incident is understood, we move into the recovery stage which means the implementation of the necessary fix to ensure this type if incident cannot happen again. It is reported that Lockheed has moved ahead with some sort of upgrade to its existing SecureID tokens, incorporated additional security for remote logins, reset employee passwords and switched to eight-digit access codes from four-digit codes that are generated by the tokens
These standards-based frameworks are just a starting point. Organisations will need to stay one step ahead by investing in incident response capabilities that can adjust to ongoing threat situations. For example, you don't want to spend time fixing low-priority vulnerabilities, as a loss in function somewhere else continues to impact your business.
Posted by Walid Negm, Director Cloud and Cyber Security Offerings, Accenture.