No matter how much time and money we spend trying to protect our company’s systems and data, cyber criminals continue to find ways to gain unauthorized access and steal our most sensitive data and intellectual property. It is no longer a matter of if you will be breached, but when? So, what do we do?
First, companies and information security teams must be focused on creating an environment in which an intruder can be detected early in the cyber attack lifecycle. According to the M-Trends 2015 Cyber Threat Report (https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf), it took companies an average of 205 days to detect that their systems were compromised. This is obviously way too long and allows attackers an opportunity to roam freely throughout a company’s networks looking for valuable data to steal. To increase your chances of detecting a breach in a timely manner, companies should harden their internal systems and increase their level of situational awareness. This would include taking administrator access away from users, eliminating shared accounts or passwords, enforcing multi-factor authentication for administrator access, disabling split tunneling, and increasing logging at the endpoint and on the network.
Second, companies should form a Cyber Security Incident Response Team or CSIRT. The CSIRT is responsible for quickly responding to a cyber security incident, containing it, and restoring systems back to normal operations. The CSIRT may be a dedicated, full time team in a large organization but is more commonly only formed when an incident occurs. The CSIRT should be comprised of trained professionals from the information security and information technology teams and includes members with skill sets in malware analysis, network and endpoint forensics, and IT professionals responsible for administering email, firewalls, servers, and endpoints. If these skill sets are not organic to the organization, then the company may need to enter into an incident response retainer with an information security advisory company to ensure such skills are available if needed.
Finally, the company should have an established and battle-tested incident response plan. An incident response plan is a company’s playbook for responding to a cyber security incident. The plan should include key roles and responsibilities, contact information for the CSIRT members, a classification system for determining the severity of an incident, and detailed run books that identify the step-by-step instructions for responding to different types of incidents – e.g., denial of service, data breach, phishing emails. At least annually, the incident response plan should be tested through different war-gaming scenarios to both keep the plan current and ensure the CSIRT members are adequately trained and prepared. After each incident, the response plan should be updated based on lessons learned.
At Regis, we offer several courses that will help you and your organization prepare for the inevitable cyber security incident. We not only teach you the fundamentals and principles of information security, but also equip you with real world skills that can be applied immediately to your current and future jobs.