Computer security is not a static field. Some people call it job security; others call it life with a beeper that always goes off at the wrong time. However, for such a dynamic field, the nature of the threats does not seem to change that much. Back in the day, script kiddies earned their name and most were only interested in defacing web sites. Today, these same attacks are coming from a much more educated group, working in unison, to gain personal information or to meet monetary goals. To compound the issue, technology is always changing. Our users demand these technologies in the name of productivity (I hear a lot of the world’s major issues have been solved with BitTorrent), but early adopters usually get rewarded with the latest zero-day attack. The one thing that hasn’t seemed to advance is the savvy of our end users. Phishing and email scams continue to grow because they continue to work.

The only responsible thing to do as security professionals is to make sure we are ready to respond to incidents and to find the best methods to limit the access gained once an intrusion occurs. With the ever-growing sophistication of the attacks against our networks, we should be prepared with the best tools and procedures to help detect and recover from them. How often do we proactively test our networks for weaknesses? How often do we review our response plans? If you are like most, you probably answered these questions with “right after a real incident”. So what can we do, often as the worker bees rather than the CIO, to help rectify this and better protect our networks?

Our attention should be focused first on the end users: the insider threat, malicious intent or not. Do users operate with the least privileges needed to get their work done? What kind of data do they have access to? Do they need access to all of it? How are the computers administered? With shared passwords? What other ideas can you think of to quickly increase the security of our networks? One thing to keep in mind is that all our adversaries have to do is find a single mistake that we made, or capitalize on a single mistake an end user makes. We have to be perfect to prevent an attack from succeeding.

I would love to go into deeper details, but I have to answer an email about a secret opportunity to help a wealthy Nigerian businessman get some funds to his account in America.

One Response to “Incident Response Preparedness”
  1. Stephen Smoogen says:

    I think there are two major mistakes that organizations make about computer security that cost them the most money, time and energy:

    1) There can be no security events. Everything must be perfect at all times in order to meet this goal. This causes everyone to end up with endless paperwork trying to ‘prove’ that they meet this impossible expectation... and in some cases you end up with lots of blame-the-other-guy investigations when something happens. Incident response becomes a case of ‘duck, cover, and blame’ versus remediation and learning.

    2) Security is hard, so let’s not do it. In this case, any pretext of trying to secure systems is dropped because, since events are going to happen, why try to stop them? In this case incident management ends up being basically a bit-bucket, or dealing with worst-case scenarios that would not have happened if people had had reasonable expectations.

    Having worked at places at both extremes... I am not sure which is worse.
