Saturday, May 28, 2011

Security Incident Response: Not If but When

First, some dismal headline news:
We know the volume of direct attacks on networks, smart phones and applications is increasing -- spam, phishing scams, malware, mobile devices, DDoS, advanced persistent threats, etc. Unfortunately some companies still do not have a clue what to do right after they've been the victim of an incident.

There is no official word from Lockheed on the precise nature of the cyber attack they encountered. They are relatively mum on the subject. Yet the reports dribbling out do paint a picture of Lockheed at the helm as it mitigates a "significant and tenacious" threat.


Lockheed's operations team is in the throes of a well-defined security incident response process. Here are snippets of Lockheed's actions (announced or reported) in the context of a common incident handling framework:
  • Declaration, Triage and Investigation: When an event has been reported by employees (or detected by automated security controls), the first stage carried out by the incident response team should be to understand how bad the situation is, determine the severity and set the priority on how to deal with the incident. From the announcements and their conviction we know that Lockheed immediately began an investigation strategy to determine the category of the attack – whether it is internal or external, the assets affected by the incident and the criticality of those assets.
  • Containment: A containment strategy buys the incident response team time for proper investigation and determination of the incident's root cause. It is reported that Lockheed shut down its virtual private network having determined that the SecurID tokens were used to gain access to its network.
  • Analysis: Figure out what happened and try to determine the root cause of the incident. We've read that work is well under way to preserve "electronic DNA" that may have been left by the attackers. Chris Ortman, US Homeland Security spokesman, said that his agency and the Pentagon are working with Lockheed to "provide recommendations to mitigate further risk".
  • Recovery: Once the incident is understood, we move into the recovery stage, which means implementing the necessary fix to ensure this type of incident cannot happen again. It is reported that Lockheed has moved ahead with some sort of upgrade to its existing SecurID tokens, incorporated additional security for remote logins, reset employee passwords and switched from four-digit to eight-digit access codes generated by the tokens.
You can find various activity models at the CERT Coordination Center, the Forum of Incident Response and Security Teams (FIRST), the National Institute of Standards and Technology (Computer Security Incident Handling Guide) or the ISO/IEC 27000 series.


If it's just a matter of time, then your organization's capability to properly handle incidents should be a first-class citizen. Sony is reported to have had 7 security incidents in two months. They are not alone as targets. It's very likely your organization is under reconnaissance or even low-and-slow attack right now. While economic times are tight, you will have no choice but to invest in technology and processes that improve response.


And the future of incident response is "just in time solutions" to an ongoing situation. These configurable "courses of action" will be represented by remediation workflows and decision-making loops. You don't want to initiate a fix to a problem in one system, only to cause a loss of function in another system.


As cyber attacks become more complex, the recovery and restoration workflows will be more diverse. They will be codified to behave in accordance with the variable inputs and outputs of each of the incident investigation, analysis and containment activities. Security incident response will be optimized based upon resource availability and risk factors. To move beyond the sound bites and theory, send me a note to discuss this topic.
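The dependency check behind such a decision loop, as an added example that is not from the original post: a proposed containment step (modelled on the VPN shutdown above) is evaluated against a constructed service-dependency map before it runs, and is held for review when it would take a critical system down as a side effect. All service names, the severity scale and the escalation threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed dependency map: each service -> the services it relies on.
# Names are assumptions for illustration, not Lockheed's systems.
DEPENDS_ON = {
    "token-auth": [],
    "remote-vpn": ["token-auth"],
    "hr-db": [],
    "payroll-portal": ["remote-vpn", "hr-db"],
    "build-farm": ["remote-vpn"],
}

@dataclass
class CourseOfAction:
    """A containment step expressed as the systems it takes offline."""
    name: str
    disable: list

def dependents(system, graph):
    """Every service that directly or transitively depends on `system`."""
    found, stack = set(), [system]
    while stack:
        cur = stack.pop()
        for svc, deps in graph.items():
            if cur in deps and svc not in found:
                found.add(svc)
                stack.append(svc)
    return found

def collateral_impact(action, graph):
    """Services that lose function as a side effect, minus the action's own targets."""
    impacted = set()
    for target in action.disable:
        impacted |= dependents(target, graph)
    return impacted - set(action.disable)

def evaluate(action, graph, severity, critical_assets):
    """Decision loop for one course of action. `severity` is the triage
    rating 1 (low) .. 4 (critical). Approve when no critical asset is
    collateral; at severity >= 3 (assumed policy threshold) accept the
    loss but escalate; otherwise hold the action for review."""
    collateral = collateral_impact(action, graph)
    critical_hit = collateral & set(critical_assets)
    if not critical_hit:
        return "approve", collateral
    if severity >= 3:
        return "approve-with-escalation", collateral
    return "hold", critical_hit
```

Run `evaluate(CourseOfAction("shut down remote VPN", ["remote-vpn"]), DEPENDS_ON, 2, ["payroll-portal"])` to see the VPN shutdown held because payroll would lose function at a low-severity incident.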


How best to end this particular blog entry? With a clichéd, yet accurate, quote: "by failing to prepare, you are preparing to fail" - Benjamin Franklin.





