Computer security incident response has always been an important component of any successful information security program. However, with the frequency in cyber-attacks over the past few years and especially during COVID-19 — it has become even more critical that organizations plan accordingly to respond to new and emerging threats. An organizations ability to response quickly and effectively will reduce the impact on business operations and provide the best opportunity for the implementation of a Business Continuity Plan (BCP).
Incident response is an important part BCP, because BCP members rely on timely and accurate information to make important decision when an incident occurs and often time incident response teams are the first to investigate an issue that has occur that negatively impact business operations. Although Preventive measure based on the results of risk assessments can reduce the number of incidents, however not all incidents can be prevented. Thus, having a robust enterprise-wide incident response plan is necessary for “rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services” (NIST Special Publication 800–61)
Events and Incidents
An event is any observable occurrence in a system or network. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This brief article only addresses adverse events that are computer security- related, not events caused by natural disasters, power failures, etc. According to NIST special publication 800–61 , a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are:
“An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash”.
“Users are tricked into opening a “quarterly report” sent via email that is malware; running the tool has infected their computers and established connections with an external host”.
“An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money”.
“A user provides or exposes sensitive information to others through peer-to-peer file-sharing services (NIST special publication 800–61)”.
The Need for Incident Response Plan
The increase and frequency of attacks on organization IT systems have created urgency amongst the organization to respond to attacks quickly and effectively. “The concept of computer security incident response has become widely accepted and implemented across both the public and private sectors”. An incident response capability plan is important for organizations to develop because it allows organizations to respond to security breaches systematically (i.e., following a consistent incident handling methodology) so that the necessary actions are taken.
According to NIST special publication, 800–61 incident response helps the organization reduce loss or theft of information and minimize disruption of services caused by incidents. A key benefit of incident response is the ability for organizations to use the knowledge gain during incident handling to better prepare for managing future incidents and allows organizations to add the necessary security controls to protect their systems and data. Additionally, an incident response plan also helps with dealing properly with legal issues that may arise during incidents. (NIST Special Publication 800–61)
Organizations have to factor in all the legal issues that might arise from an incident, besides the business reasons for establishing incident response capability plan, organizations must comply with federal law, regulations, and policy. In the U.S. the Federal Information Security Management Act (FISMA) requires Federal agencies to establish incident response capabilities.The Health Insurance Portability and Accountability Act (HIPAA) regulates healthcare organizations in the U.S.
In Canada,there are several laws in Canada that relate to privacy rights. The Privacy Act, which covers how the federal government handles personal information;it is required by law that organizations create and operate a formal incident response plan. The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s privacy law for private sector organizations.
The Act outlines all the rules that organizations must obey “when collecting, using or disclosing personal information in the course of their commercial activities” (Government of Canada). The Office of the Privacy Commissioner (OPC) is in charge of enforcing PIPEDA and ensuring that companies of all sizes are complying with the obligations set out in the Act.
In 2015, The Digital Privacy Act amended PIPEDA, the amendments to PIPEDA makes it mandatory for organizations to notify individuals if their personal information has been lost, stolen or inappropriately accessed, and they are placed at risk of harm. Specifically, the Act states that;
“data breaches that pose a real risk of significant harm will need to be reported to the Privacy Commissioner, and affected individuals will need to be notified;
an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
records of all data breaches experienced by an organization will need to be maintained and provided to the Privacy Commissioner upon request;
deliberately failing to report a data breach, or deliberately failing to notify an individual as required will be separate offences subject to fines of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual left without notification of the breach; and
deliberately failing to keep or destroying data breach records will also be an offence, subject to a fine of up to $100,000". (Government of Canada)
Performing an incident response properly and effectively is a complex and resources intensive undertaking that requires extensive planning. Continuous monitoring for attacks is critical and ensuring that clear procedures are established that prioritize the handling of incidents is essential to the success of any organization’s security programs. The ability to effectively implement an effective way of collecting, analyzing and reporting data is also a critical component. Establishing relations and ensuring proper communication with other internal and external stakeholders is also important. Internal stakeholders can be human resources, legal team, and with external groups other incident response teams, and law enforcement.
Organizations should always strive to put preventive measures in place because it is often less costly and more effective than reacting to cyberattacks after they occur. Therefore, incident prevention is an important complement to an organization’s incident response plan. Security controls must be prioritized because inadequate security controls could result in high volumes of incidents, which could consume resources that are needed for a response which would result in delayed or incomplete recovery and possibly more extensive damage and longer periods of service and data unavailability”.
If organizations can complement their incident response capability and complement it by maintaining adequate resources to continuously maintain the security of networks, systems, and applications and ensure IT and staff are trained. Moreover, ensuring that staff are complying with the organization’s security standards and making users aware of policies and procedures regarding the appropriate use of networks, systems, and applications can contribute to an organization overall security program.
According to the Professional Practices for Business Continuity Practitioners“the objective of Business Continuity Management is to make the entity more resilient to potential threats and allow the entity to resume or continue operations under adverse or abnormal conditions”. Having a robust incident response plan will allow organizations to quickly response to threat, mitigate risk, and provide insights into the incident, thus allowing business continuity teams to respond accordingly.