24 October 2019

The Response plan

Hi there and welcome back to another
security focused blog by Hussey Coding.

You're walking down the street and see a house on fire. Your initial reaction is panic! Then a thought triggers, telling you to call the fire brigade. You dial the emergency number and relay the information; a while later the first responders arrive, assess the situation and then jump into action. Notice that they are first responders, not first reactors. What's the difference?
A reaction is spontaneous: something happened now, so you react now, with no time to think or plan. A response is planned; it has been thought through and prepared for. An irrational argument is a reaction, whereas a debate is a response.

Wikipedia describes a first responder as "A person with specialized training who is among the first to arrive and provide assistance at the scene of an emergency, such as an accident, natural disaster or terrorist attack."
The last thing you want when you're under attack by a cybercriminal is panic, chaos, an environment where no one knows what's happening or where things are out of control. This is why you NEED to put in place a ...


The response plan is simple: it's there to tell you and all of your employees what to do when an attack hits or is discovered. Please understand that while tech teams are amazing at what they do, it's not their sole responsibility to make your store or business secure. Attacks can come from anywhere and everywhere, so it is everybody's duty, including yours, to keep your business safe.


If your company is being hit with a phishing attack, then giving your staff an understanding of how this attack works and what it looks like could save your company.

If you're being hit with a DoS attack, then your customer service department will be among the first to know about it, because customers will be phoning and e-mailing to say the store won't load. With the training you've given, they identify the issue quickly and alert all the necessary parties so the attack can be dealt with.


Your response plan needs to be in place from day 1; there's no cool-down period or safe zone when it comes to cyberattack. You could have launched your store as little as an hour ago and already be under attack, so a good knowledge of what to do next is vitally important! In many incidents a great deal of the damage is done not because the defences were weak but because no one knew how to respond to the attack.


So what needs to be in your response plan?

Ultimately your response plan can be as detailed, as long, as short or as technical as you want it to be; it needs to work for you and your staff. If the plan is too complicated for your team, then you may as well throw it out. On the other hand, if it's devoid of details on how to deal with something, or who to contact when discovering a particular type of attack, then it's equally useless.

Below is a framework of 4 things that we believe should go into your response plan. Please feel free to use, adapt or change it to help secure your store.


#1 - Preparation

The saying goes "if you fail to prepare, then you prepare to fail", and this is true of your response plan. If you fail to produce a response plan, then you are setting your business up to fail in the event of an attack. If your staff are not ready to deal with an attack, then you are again preparing your business to fail.


This step of your plan needs to focus on preparing your company for an attack. Let everyone know what their role is when it comes to cyberattack: who do they contact? In what order do they inform people? What happens when your site goes down? What if it's down for a long time? Keep the contact list somewhere that is still reachable when your website or mail server is the thing that's down.

Train yourself and your staff to identify various forms of attack. If you've a quiet period in your calendar, schedule a practice attack in a controlled environment (a tabletop walkthrough of a scenario, or a simulated phishing e-mail) to see how your company responds. Remember to make changes where they need to be made, praise staff that did well and encourage those who maybe didn't.


However, this isn't a one-and-done deal! Schedule time to review the plan: are there new types of cyberattack? Go back to the response plan; does it need to change to incorporate a new tactic or contact? If so, schedule time to train your staff in these new things. The goal here is to never allow it to become outdated.

The better oiled the machine is, the more easily and quickly attacks will be detected, prevented and/or countered. The key with preparation is to encourage the attitude of "I'm ready when it happens" and not "I can't believe this is happening! What do I do now?!"


#2 - Recognition

The next stage is to identify and assess the level of threat to your company. This is where an attack has happened or is happening and your response plan is put into action. It lets people know what to do, when to do it and how to do it for each type of attack, or, if they aren't sure what to do, where to go to find out. Let's use a spear-phishing attack as an example.


John from your accounting department has received an e-mail from Katie in purchasing. She's asking for some bank details that she has accidentally deleted, because she urgently needs to purchase some supplies. Usually John would gladly send these details through without question; the e-mail seems legitimate. However, he remembers the training that he and the staff, including Katie, received the previous month. It stated that this kind of request can only be made using the company's internal phone system. John picks up the phone, dials Katie's extension and asks her to confirm she sent the e-mail. Katie has no knowledge of ever writing it. On closer inspection, John can see that Katie's e-mail address has been slightly altered (a look-alike domain with a character swapped or added, for instance), and by picking up the phone he has just saved you thousands.
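The "slightly altered" address John spotted is something a script can flag as well, which is useful for a mail filter or for the tech team triaging reports. The following is an added example written for this post; it is not Hussey Coding's code and not taken from any real incident. It assumes the company's domain is example.com, a small (assumed) table of look-alike characters, and a handful of constructed From: headers; the function and variable names are the example's own.

```python
"""Flag look-alike sender addresses of the kind used in spear-phishing.

Added example. The trusted domain, the confusable table and the sample
headers below are assumptions, not data from any real mailbox.
"""
import unicodedata

TRUSTED_DOMAIN = "example.com"  # assumed company domain

# A small table of glyphs that imitate ASCII letters: letter pairs, digits
# and Cyrillic characters that render like their Latin counterparts.
# Multi-character entries must come first so "rn" folds before "n" would.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def split_header(value: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' into (name, address).

    Deliberately simple and self-contained: it does not use
    email.utils.parseaddr, whose handling of a display name that itself
    contains an address differs between Python versions.
    """
    value = value.strip()
    if value.endswith(">") and "<" in value:
        name, _, rest = value.rpartition("<")
        return name.strip().strip('"'), rest[:-1].strip()
    return "", value


def fold_confusables(domain: str) -> str:
    """Map a domain to the ASCII string a human reader would *see*."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for glyph, plain in CONFUSABLES.items():
        folded = folded.replace(glyph, plain)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'ok', 'external' or a 'suspicious: ...' verdict for a From: header."""
    name, addr = split_header(from_header)
    if "@" not in addr:
        return "suspicious: no address"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Display name shows a trusted address while the real sender is elsewhere.
    if "@" + trusted in name.lower() and domain != trusted:
        return "suspicious: display name shows a trusted address"
    if domain == trusted or domain.endswith("." + trusted):
        return "ok"
    seen_as = fold_confusables(domain)
    if seen_as == trusted:
        return "suspicious: homoglyph look-alike of " + trusted
    if trusted in seen_as:
        return "suspicious: embeds " + trusted + " in another domain"
    if levenshtein(seen_as, trusted) <= 2:
        return "suspicious: near-miss spelling of " + trusted
    return "external"


# Constructed sample headers (not from a real mailbox).
SAMPLE_HEADERS = [
    "Katie Purchasing <katie@example.com>",
    "Katie Purchasing <katie@examp1e.com>",
    "Katie Purchasing <katie@exarnple.com>",
    "Katie Purchasing <katie@example.co>",
    "Katie Purchasing <katie@example.com.evil.net>",
    "katie@example.com <k@evil.net>",
    "Katie Purchasing <katie@\u0435xample.com>",
    "Supplier Ltd <orders@supplier.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{check_sender(header):<52} {header}")
```

Two things to keep in mind when using a check like this. First, a From: header can be forged outright, so the look-alike check complements, rather than replaces, sender authentication (SPF, DKIM and DMARC) at your mail gateway. Second, no filter removes the need for the phone call: a convincing request from a genuinely compromised colleague's mailbox passes every one of these tests, and only the out-of-band confirmation catches it.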


John successfully identifies this as a spear-phishing attack, but he doesn't stop there. He knows that when discovering this type of attack, he is to e-mail all company addresses notifying them of the attack, describing the lure rather than forwarding the original message. Anyone receiving a similar e-mail is to report it to Larry on the tech team, without replying to the sender or clicking any links.

It's then Larry's responsibility to assess and evaluate the threat and respond accordingly. 


#3 - Response

Your response will completely depend on the makeup of your company. If you have a team or contracted developers, then by this point you should have handed this over to them. If you don't have a regular developer or development team, then now is the time to pay for one.

Whoever is dealing with the attack is going to need to focus first on containing it to the already affected systems before it has a chance to cause more damage, then on locating the origin of the attack and discovering any weakness in the systems, eliminating all traces of the attack and finally attempting to restore systems and data. Before anything is wiped or rebuilt, preserve the evidence (logs, a copy of the phishing e-mail with its headers, an image of a compromised machine); you will need it for the final step.

Depending on how long your company has been under attack and its severity, it could be a while until you are fully back up and running. It is frustrating and inconvenient, but you already covered that possibility during your preparation phase, didn't you?


#4 - Learn

Nelson Mandela once said "I never lose, I win or I learn", and this is the final step in your response plan. Once the attack is over and the restoration of your company is underway, it's time to assess the damage and see what can be done to better prevent another attack.

Talk with those who dealt with the attack and find out: did they find a weakness? Could it have been easily prevented? What can be done to stop a similar attack in the future? And what can be done now to improve company security?


We'll look further into some easy and practical steps you can take to help the process of recovery in an upcoming blog. For now, thank you for your time today, we hope that we have helped in making your store a safer, more secure place.

Until next time, stay safe and have a great day.

 

You can also join all the fun on our various social media profiles
Facebook - facebook.com/husseycoding
Twitter - twitter.com/husseycoding
LinkedIn - linkedin.com/company/hussey-coding

Sign up to developer connection at www.developerconnection.co.uk
Facebook - facebook.com/DeveloperConnection
Twitter - twitter.com/devconnectionuk
LinkedIn - linkedin.com/company/developer-connection
