The advantage is firmly in the hands of the attackers right now. The number of easy-to-use attack tools, and the speed with which new vulnerabilities are incorporated into them, far outpaces the speed at which most organizations can keep up with the threats. No matter how many precautions you have taken, a breach or incident will occur. You should operate under an assumed-breach mentality. So what are you going to do when it happens?
Data centers are particularly juicy targets for attackers because so many different systems are consolidated in a single place. Fortunately, the physical security of data centers is usually strong. Unfortunately, when you evaluate the digital security of data centers, most organizations are far behind.
One lesson we can take from physical security principles is response: if someone were to physically attempt a breach, the plan would be clear. What’s your response after detecting a cyber-incident?
The Technical Response
For the technical response, one of the biggest questions is: do you shut down the attacker or monitor their activity? There are pros and cons for both approaches, but your organization needs to have a clear plan before the incident.
Let’s say you notice a large amount of traffic exiting your data center from a server that is running an unauthorized FTP service. If you disable the service immediately, will you still be able to determine the full extent of the compromise? The attacker may still have other access, and a visible reaction will prompt them to go quiet and hide. If your policy is instead to monitor the attacker, how long do you keep watching, and how do you wall the attacker off so they cannot reach other systems in the meantime?
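As an added illustration of the detection step in that scenario (example code written for this page, not from the original article or from DLT), the following Python script scans flow records for internal servers that are serving FTP to the outside and flags any that are not on an allowlist or that exceed an egress threshold. The internal address range, the allowlist, the FTP port set, the threshold and the sample flow records are all assumptions constructed for the example; substitute your own flow export in the same columns.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from any real network).
# Columns: start_time src_ip src_port dst_ip dst_port bytes_out
SAMPLE_FLOWS = """\
2024-01-15T02:13:05 10.20.30.40 21  203.0.113.7   51234 1800
2024-01-15T02:13:06 10.20.30.40 20  203.0.113.7   51235 950000000
2024-01-15T02:14:10 10.20.30.41 443 198.51.100.9  40112 120000
2024-01-15T02:15:00 10.20.30.50 21  198.51.100.22 38000 4200
2024-01-15T02:15:01 10.20.30.50 20  198.51.100.22 38001 3500000
2024-01-15T02:16:30 10.20.30.40 22  10.20.30.41   55010 8000
"""

# Assumed environment: one internal /24, one server authorized to run FTP.
INTERNAL_NETS = [ipaddress.ip_network("10.20.30.0/24")]
AUTHORIZED_FTP_SERVERS = {"10.20.30.50"}
# FTP control channel (21) and active-mode data channel (20) seen from the server side.
FTP_SERVER_PORTS = {20, 21}
# Assumed threshold: more than 500 MiB leaving one host over FTP is worth a look.
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append({
            "time": ts,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ftp_egress_by_host(flows):
    """Sum bytes sent from internal hosts on FTP server ports to external addresses."""
    totals = defaultdict(int)
    for f in flows:
        if f["sport"] not in FTP_SERVER_PORTS:
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external counts as egress
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def find_suspicious_ftp_egress(flows, authorized=AUTHORIZED_FTP_SERVERS,
                               threshold=EGRESS_THRESHOLD_BYTES):
    """Return (host, bytes, reasons) for hosts that are unauthorized or over threshold."""
    findings = []
    for host, nbytes in ftp_egress_by_host(flows).items():
        reasons = []
        if host not in authorized:
            reasons.append("unauthorized FTP service")
        if nbytes > threshold:
            reasons.append("egress above threshold")
        if reasons:
            findings.append((host, nbytes, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for host, nbytes, reasons in find_suspicious_ftp_egress(parse_flows(SAMPLE_FLOWS)):
        print(f"{host}: {nbytes} bytes over FTP to external hosts ({', '.join(reasons)})")
```

The script only raises the finding; it deliberately takes no action against the flagged host. Whether the next step is to block the service at the firewall or to keep watching while the host is segmented off from the rest of the data center is exactly the decision the plan has to settle before the alert fires.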
Federal incident notification guidelines have been established by DHS/US-CERT, and their use is mandated by FISMA. US-CERT will work with agency IT personnel to analyze threats, exchange critical information with trusted partners, and engage cyber defense resources, as appropriate. Agencies also need to follow their own departmental policies.
Breaches bring IT front and center for agency executives and have an immediate and often long-lasting impact on agency operations. When a security breach occurs, how you respond can make all the difference. If you have a well-structured incident response plan, you can mitigate much of the damage of an attack.
A comprehensive incident response plan needs to address the different types of incidents an agency could encounter. Roles and responsibilities of the response team need to be assigned and communicated, and backup personnel need to be identified for each role. Other important parts of your plan include establishing a communication decision tree, as well as the incident response procedures themselves. And don’t forget regular testing and updating: quarterly exercises make sure staff know how to respond, expose flaws in the plan, and drive the updates that fix them.
Investment in prevention is necessary, but insufficient. If you don’t have a well-defined incident response plan in addition to those prevention solutions, then you aren’t doing enough to secure your data centers and critical facilities.
Find the full article on our partner DLT’s blog, TechnicallySpeaking.