How to prepare for and respond to a cyber attack

Only 3% of organisations have the technology in place to address the most common cyber attacks, according to a recent survey by Tripwire, and just 10% said they have the skills in place to address such attacks.

The survey asked 403 IT security professionals in Europe, the US and Canada about their readiness for a variety of cyber attacks. It found that most organisations can reasonably handle one or two key threats, but, as Tim Elin, Tripwire’s senior director of IT security and risk strategy, said in a statement, “the reality is that they need to be able to defend against them all”.

With so few organisations prepared for cyber threats, Ed McAndrew, partner at Ballard Spahr, LLP and a former assistant US attorney, and Patrick Dennis, president and CEO of Guidance Software, have compiled a list of best practices for mitigating and responding to a cyber attack.

Identify key assets

An organisation may not have the resources to protect its entire enterprise. If that’s the case, it should determine what data, assets and services warrant the most protection before it creates a cyber incident plan.

Have a plan of action

Plans and procedures that address the steps that need to be taken after an attack can help an organisation limit damage. This includes identifying who has lead responsibility for different elements of its cyber incident response; the ability to contact critical personnel at all times; knowing what mission critical data, networks or services should be prioritised for the greatest protection; and how to preserve data related to the incident.

Stay informed about threats

An organisation’s awareness of new or commonly exploited vulnerabilities can help it prioritise its security measures. McAndrew and Dennis point out that some organisations share real-time intelligence on threats – such as Information Sharing and Analysis Centres (ISACs).

Make an initial assessment of the threat

It is critical to assess the nature and scope of an attack. It is also important to determine whether it was a malicious act or a technological glitch. The nature of the incident will determine the organisation’s next course of action.

Capture the extent of the damage

An organisation should make a forensic image of the affected computers as soon as the incident is detected. This preserves a record of the system for analysis and potentially for use as evidence at a trial.

The organisation should restrict access to these materials in order to “maintain the integrity of the copy’s authenticity, safeguard it from unidentified malicious insiders and establish a chain of custody”.

Take steps to minimise additional damage

An affected organisation should prevent the loss of further data through preventive measures, including rerouting network traffic, filtering or blocking a distributed denial-of-service attack, and isolating all or parts of the compromised network.

McAndrew and Dennis also recommend keeping detailed records of the steps that were taken to mitigate the damage as well as any costs incurred as a result of the attack.

Work with law enforcement

McAndrew and Dennis also advise organisations to work with law enforcement at all times. A pre-existing relationship with law enforcement officials prior to a breach will help develop a trusted two-way relationship. It is also essential to notify law enforcement following a breach. An organisation may be reluctant to do so, because of the disruption it could cause to business and the damage it could do to its reputation. However, notifying the appropriate authorities is often a legal requirement.

Subscribe to the Daily Sentinel for all the latest cyber security news and advice.

Leave a Reply

Your email address will not be published. Required fields are marked *