Preventing cyber attacks is a dominant topic for IT security. It is the first layer of defense. The more attacks prevented the better - no question about it. However, does great prevention guarantee there will no successful cyber attacks? Of course not.
Good Security is more than Prevention
In general security terms, a secure web application is like a secure house. If you take basic precautions to secure your house most burglars will simply move on to an easier target. In fact, according to Verizon Enterprise’s 2013 Data Breach Investigations Report, 78% of successful intrusions were “simple to pull off”. The same is true for web security. If you take the necessary steps to secure your online assets, most hackers will move on to look for easier targets. However, while good security reduces the chances of a break in, it is no guarantee. Even the most reputable high tech companies have been victims of successful cyber attacks. Comprehensive security methods will not always prevent someone who is skilled enough and determined enough from breaking in.
So websites and web applications security is a three tier platform of prevent-detect-respond. All of these security facets must be accounted for with clear plans, tools, and methods.
In many organizations, prevention is the priority while the need to prepare for responding to security breaches comes in at a distant second place. Here we will focus on the basics of properly responding to successful cyber attacks. After all, our ancient cities did not just build walls and then give up on defense. They had armies and defensive strategies in place in case the walls were breached. And so should your business in the case of a successful cyber attack.
A business should assume that no matter how much effort is put into prevention that eventually there will be unauthorized access to their network. How you respond is important to the business and its stakeholders. After all, a business may not survive a debilitating cyber attack just like some businesses do not recover after other disasters that seriously impact operations and bring large unexpected expenses. Business who have properly prepared are the most likely to survive.
There are also other important consequences to how a well business responds to a cyber attack. For example, in 2009, in the case of Shames-Yeakel v. Citizens Financial Bank, the court found that “use of single-factor password identification to secure online accounts may create negligence liability”. The court also found that “a reasonable finder of facts could conclude that the bank was negligent by breaching its duty to protect plaintiff’s account against fraudulent access”.
In another separate case, the judge threw out the suit against the bank with a summary judgement because the bank demonstrated it had implemented standard commercial security practices like user names, passwords, security questions/answers, and so on.
Create a Response Plan
You can’t wait for a cyber attack to happen in order to decide what to do. There has to be a process already in place that defines how to deal with the attack. The basic plan should lay out the following:
A cross functional response team with clearly defined responsibilities has to be in place. The response team, working with management, will quickly convene to investigate and consider specific incidents then lay out a detailed response plan for each incident according to the type of attack and the threat to the organization and its stakeholders.
Most cyber attacks fit into one of a few categories or types. The plan should address how the most common cyber attack scenarios will be handled. Common scenarios include; an inside attack from a current or former employee, social engineering where employees are tricked revealing passwords or other security information, malware accidentally downloaded by employees, and blackmail with threats of an attack.
The plan should clearly describe how discovered cyber attacks should be reported, tracked, and documented internally, and who in the organization needs to be made aware of in-process cyber attacks.
Preservation of Evidence
Procedures need to be in place to ensure all the related evidence is preserved. This data is critical in determining the extent and the nature of the security breech.
Tools and Resources
The technical tools and resources have to be in place to properly deal with any discovered cyber attack. Technical tools aid in securing the network and with a proper forensics-based investigation. As Mr. Barlow describes, there also has to be expertise and properly trained personal in place to deal with an attack. If you do not have the in-house expertise, then there should be an already-developed outside expert resource (i.e. security consultant) to call on.
Ensure all relevant personal are trained on the response plan, especially the response team and anyone involved in reporting and preserving evidence.
Local and federal law enforcement agencies responsible for cyber crimes should be identified in the plan along with the person responsible for making the report. As with outside security experts, having an existing relationship with law enforcement before an attack is helpful. During the response plan creation, contact appropriate agencies to ask for some basic information like how to contact or involve them, how they should be incorporated in the response procedures, and ask for any additional information or advice that might be useful in developing a response plan.
There should be periodic reviews of the plan, plus an evaluation of how the plan worked after each incident with needed improvements and updates.
Prevent-Detect-Respond for Cyber Resiliency
The ultimate goal of security is to maintain secure operations and ensure business continuity. That requires focusing on more than just prevention and detection, but on properly responding to successful attacks as well. In today’s highly connected technological world, our networks need to be able to survive in the environment in which they exist. Unfortunately the current environment includes constant probing for access to our servers and our data, and at some point we have to assume someone will find a gap.
When an organization is able to quickly and appropriately respond to cyber break-ins with minimal impact, then they have developed the cyber resiliency needed to survive in today’s business world.