Emergency Preparedness and Response

Cyberthreat Response Tips for Small and Midsize Businesses

Small and midsize businesses have unique challenges as they work to protect themselves from being victims of cyberattacks. Daniel Lowrie, a certified ethical hacker who has spent the last 20 years in the information technology field, spoke with Rob Carson, founder and CEO of Semper Sec, a company that builds security programs and navigates security compliance for companies, on a recent ITPro.TV webinar entitled “Cybersecurity Incident Response for Small to Medium Sized Businesses.”

Carson said it’s important businesses “have a plan written down and test the plan to see what people’s roles are and to make sure everyone understands their role.” He said that communication between people is important so that they can work with each other should they see something suspicious. He believes companies should assign specific roles to employees during a security incident such as those who are members of a security council, computer security incident response team (CSIRT), incident manager, communicator/public relations, recorder, legal, and supporting functions.

“It’s not CSI Cyber where you’re going to solve the problem in 30 minutes,” Carson said, adding that in the security world there are events, incidents, and breaches. He believes it’s important to distinguish between the three because the classification dictates how people should respond. Events are things that occur every day; incidents are problems such as a report that a laptop was stolen; and breaches are severe problems, such as discovering that the stolen laptop was unencrypted and held sensitive information.

“After seven years in the Marine Corps and 10 more years in cyber, I can tell you initial reports are always wrong, so don’t start the clock ticking on notifications to customers before it’s required because you don’t know; you have to work through the discovery piece,” Carson warned. He explained that companies need to notify their legal department regarding possible security breaches so proper investigations can be done. He believes companies should do the following regarding security breaches:

  1. Preparation
  2. Identification
  3. Assessment
  4. Containment
  5. Eradication
  6. Recovery
  7. Follow-Up

Preparation

Carson said that preparation can be done by educating employees about threats like phishing: fake e-mails designed to look genuine in order to obtain personal information from them. He said that companies can hire outside vendors to help employees understand what phishing attempts and other threats will look like. Employees should also be educated about scams involving money wire transfers, purchases of Visa cards, and requests for security codes.

Identification

Threats should be properly identified as such within a company’s domain or group, either by a logging and reporting system or by individuals, Carson said. He explained that at this point it needs to be determined whether this is an incident and what level of incident it is. Also, Carson said, the critical business processes affected by the threat must be documented.

Assessment

According to Carson, these threats should be assessed by looking at how they will impact computer data or systems.

“The data classification is a big piece, and that’s how I used to write a lot of my rules; the level of data dictates the level of response and notification,” Carson explained, adding, “Think about how the military does it. They have rules for FOUO (For Official Use Only), they have rules for CUI (Controlled Unclassified Information), rules for secret, they have extra special rules for top secret and how things are handled are different.”

Containment

Carson said that threats can be contained in several ways, including changing passwords, remotely wiping computers, blocking Internet access, or cutting power to the device.

“Let’s stop the bleeding, let’s make sure they can’t go any further,” Carson said, adding that in a ransomware attack you may want to disconnect the computer. Ransomware attacks happen when someone encrypts the files on your device and demands money to have them decrypted. Such attacks highlight the importance of backing up your devices regularly.

Eradication

Eradicating the threat can be done once it is determined exactly how the attacker gained access to the system and how to prevent it from happening again, Carson said. He said appropriate questions to ask would be, “Was it a credential breach? Are anyone else’s credentials compromised?”

Recovery

To recover from the threat, Carson advocates notifying the correct people based on the type of threat detected, calling it “Commander’s Critical Information Requirements,” a term used in the Army about information used to make timely and effective decisions. “What things as a CEO do you want to be woken up for versus not?” Carson asked.

Follow-Up

Depending on the situation, Carson said that such an attack might result in contacting local or federal law enforcement or might fall under breach notification protocol requiring contacting those affected by the breach.

In the end, Carson said that employees should know “what normal communication from IT should look like versus what is not,” to prevent falling prey to cybersecurity attacks.