Security Incidents and Incident Response
Are security threats to your company, and the process for resolving them, a high-level concern for your operations? If so, you are certainly not alone. Perhaps your clients, affiliates, or partners require you to be “SOC compliant” to maintain a business relationship, or your auditors are asking you to define your incident response plan for a SOC engagement. With a properly documented incident response plan in place, you can keep your company’s data safe from security incidents and provide assurance to your stakeholders. But first, you may be wondering: What exactly are security incidents, and how can I stay ahead of them?
A security incident is defined by the National Institute of Standards and Technology (NIST) as:
“An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”
Simply put, a security incident can be any action resulting in data being compromised. Specific types of security incidents and some solutions to them include but are not limited to:
- Unauthorized Access Attacks: involving any logical access to your systems obtained by an entity outside the organization. The use of multi-factor authentication, where a user is required to provide multiple forms of proof of identity to gain access to the network, is a great tool to prevent these intrusions.
- Insider Threat Attacks: involving the unfortunate possibility of a perpetrator inside your organization, as well as accidental internal breaches. Solutions to combat insider threats include thorough security trainings, employee monitoring software, and confidential whistleblower programs.
- Phishing Attacks: where an attacker poses as a reputable source to trick users into disclosing personal information or credentials, then uses that data to gain access to the network. Again, thorough employee security training and mock phishing emails sent by IT are the best way to combat these attacks and identify weaknesses.
- Malware Attacks: related to any installation of malicious software. Beyond installing a firewall and Endpoint Detection and Response (EDR) tooling, the key solution to malware infection is having a data loss prevention and backup policy in place ahead of time, so that an infection does not result in mass data loss.
- Distributed Denial-of-Service (DDoS) Attacks: where an attacker floods the targeted server with traffic to shut down the network. Keeping firewalls continually updated with the most recent security patches is the best solution to combat this type of attack.
- Man-in-the-Middle (MitM) Attacks: where an attacker intercepts and alters communications between unknowing parties to gain access to data. The best solutions to combat this type of attack include the use of transport layer security (TLS), a secure shell protocol (SSH), and most importantly a virtual private network (VPN) to ensure secure connections.
- Password Attacks: where an attacker tries to obtain an unknown password with the help of automated programs or by trial and error to gain access to the network. The use of multi-factor authentication is again the best way to combat these attacks.
Researching the different types of security incidents and how best to combat them within your company’s operations is one of the first steps in the incident response process, before training your employees. The general steps of an incident response plan are as follows:
- Preparation: where employees are trained thoroughly on their expectations and responsibilities in the response plan, all aspects of the plan are approved and funded, and mock breaches are set up to test the plan
- Identification: the process of determining the who, what, where, why, and how of any potential breach of security
- Containment: the plan set in place to quarantine any potential security breach instead of being forced to lose the entirety of your company’s data
- Eradication: the process of securely removing malware from affected systems once they have been contained
- Recovery: the process of restoration, updating, and securing previously affected systems to be placed back in service
- Follow Up: holding a meeting with all members of the Incident Response Team to go over what has been learned from the breach, and what will be done to prevent it again in the future
It is of the utmost importance to have your company’s incident response plan well documented and continually updated to ensure the safety of your data. After all, attackers will not stop developing new methods of penetrating systems, so your efforts to protect yourself against them should not stop either.
If you would like more information regarding security incidents or help setting up your company’s incident response plan, McKonly & Asbury would be happy to help. We currently offer the full suite of SOC services to clients in a broad variety of industries. Be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact us with any questions.