How Cyber Incidents Are Like the Common Cold
As countless individuals are currently coming down with bad colds or the flu, it makes me think of the similarities between fighting off physical illnesses and dealing with the inevitability of a cyber security incident. Currently, we are in desperate need of a new attitude when it comes to cyber security incident response. The belief that if an organization spends enough time and money preparing, it will never get hit by a cyber-attack, is just nonsense. Similarly, many people assume that just because they are healthy in general, they won’t get sick.
The truth is that, given the current trends, it is inevitable that most organizations will be subject to a cyber-attack, and they may even fall victim multiple times per year. Good incident response means that your security team is prepared for such an incident, but great incident response means that your entire organization – from PR to Legal, and even your customers – has a readiness plan in place that is precise and timely.
The Inevitability and Likelihood
Children get sick more than once per year because they are still building up their defenses, much like how organizations new to cyber security will be compromised multiple times per year until they build up their network defenses. The common cold has no cure, much like there is no silver bullet for cyber security. All in all, people still catch colds no matter how much proactive effort is put in, and once sick, one must:
- Take supplements to try to shorten the symptoms
- Contain the propagation by limiting contact with other humans
- Have a plan in place for continuity so that tasks continue to get done even in your absence
Unlike the common cold, however, cyber-attacks are always in season, with their frequency increasing as more criminals learn how to leverage the Internet.
No amount of prevention guarantees that you will not catch a cold, and the same goes for cyber security. Prevention is table stakes, as some level of cyber fitness is required if you are to survive and recover from an incident.
Do your best with preventative methods, but never at the expense of excellent incident response. Effective incident response means that even when a host or account is compromised, it is short-lived and has a near-zero impact on the business. In order to achieve this, organizations must develop the right mix of people, processes and tools, including next-generation visibility tools that provide 24/7 insight into network activity for early threat detection. This grows more and more important as threat actors continue to exploit 0-day vulnerabilities and advance their evasion methods.
We know not to go to work or school when we are sick. We are taught to cough in our cuff and sneeze in our sleeves. We require everyone to wash their hands and use hand sanitizer. All of this is to limit the propagation of an illness that has already occurred.
Similarly, even the most advanced cyber-attacks follow a multi-step process that begins with network reconnaissance and eventually ends with data being exfiltrated or held ransom. This gives us multiple opportunities to detect an attack and prevent it from spreading across our entire network.
Just as most offices have a business continuity plan in place should employees fall ill, organizations must outline and practice cross-departmental strategies for maintaining business operations in the event of an incident such as source code theft, customer data being stolen and published, or a denial-of-service attack. Role-playing these scenarios can help organizations develop effective response behaviors that ensure business continuity should the real thing occur.
Just as the 2013-2014 flu season is currently in high gear, we are likely to see more cyber security incidents than ever before this year. While some may suggest just throwing more preventative tools at the problem, it has been proven time and again that, while necessary, set-it-and-forget-it tools are no longer enough to keep attackers from invading corporate networks. Organizations must elevate incident response as a key component of their overall business strategy, making sure that all the right components are in place to deal with unforeseen incidents.
Follow Tim (TK) Keanini on Google+.