24 October 2019

The Response plan

Hi there and welcome back to another security month blog by Hussey Coding.

You're walking down the street and see a house on fire, your initial reaction is panic and then a thought triggers telling you to call the fire brigade. You dial the emergency number and relay the information, a while later the first responders arrive, they assess the situation and then jump into action. Notice that they are first responders not first reactors, what's the difference?
A reaction is something spontaneous, something happened now you react now, there is no time to think or plan, you just react but a response is something planned, it is thought through and prepared. An irrational argument is a reaction where as a debate is a response.

According to Wikipedia a first responder is "a person with specialized training who is among the first to arrive and provide assistance at the scene of an emergency, such as an accident, natural disaster, or terrorist attack".
The last thing you want when you are being attacked by a cybercriminal is panic and chaos, an environment where no one knows what's happening, where things are out of control, which is why you NEED to put in place a ...


The response plan is very simple, it's there to tell you and all of your employees what to do when an attack hits or is discovered. Please understand that while tech teams are amazing at what they do it is not their sole responsibility to make your store or business secure, attacks can come from anywhere and everywhere and so it is everybody's duty, including yours to keep your business safe.

If your company is being hit with a phishing attack then arming all of your staff with an understanding of how this attack works and what it looks like could save your company.
If you are being hit with a DoS attack then your customer service department will undoubtedly be one of the first to hear of it and with the knowledge they have from your training they have recognised the issue quickly and have alerted all the necessary parties to be able to deal with the attack.

Your response plan needs to be in place from day 1, there is no cool down period or safe zone when it comes to cyberattack, you could have launched your store as little as an hour ago and already be under attack so having a good knowledge of what to do next is vitally important! For the majority of businesses a great deal of damage is done not because their defences were weak but because no one knew how to respond to the attack as there was no written plan or training.

So what needs to be in your response plan?
Ultimately your response plan can be as detailed, as long, as short or as technical as you want it to be, it needs to work for you and your staff, if it's too complicated for your staff to follow then you may as well throw it out, on the other hand if it's void of details on how to deal with something or who to contact when discovering a type of attack then it is equally as useless.
Below is a framework of 4 things that we believe should go into your response plan, please feel free to use, adapt or change it to help secure your store.

#1 - Preparation
There is a saying that goes "if you fail to prepare then you prepare to fail" and this is true of your response plan, if you fail to prepare one then you are preparing your business to fail in the event of an attack, if your staff are not prepared to deal with an attack then you are again preparing your business to fail in the event of an attack.

This step of your plan needs to focus on preparing your company for an attack. Let everyone know what their role is when it comes to a cyberattack, who do you contact? What order do you contact people in? What happens when your site goes down? What if it's down for a long time?
Train yourself and your staff to recognise various forms of attack, if you have a quiet period in your calendar schedule a practice attack in a controlled environment, see how your company responds, make changes where they need to be made, praise staff that did well and encourage those who maybe didn't.

But this isn't a one and done deal, schedule time to go over this plan, maybe there is a new type of cyberattack that you have heard about, go back to the response plan, does it need to change to incorporate a new tactic or contact? and if so schedule time to train your staff in these new things. The goal here is to never allow it to become outdated.
The better oiled the machine is the easier and quicker attacks will be detected, prevented and/or countered. The key with preparation is to encourage the attitude of "I'm ready when it happens" and not "I can't believe this is happening! What do I do now?!"

#2 -Recognition
The next stage is to recognise and assess the level of threat to your company, this is where an attack has happened or is happening and your response plan is put into action. It lets people know what to do, when to do it, how to do it for each type of attack or if they aren't sure what to do then where to go to find out. Let's use a spear phishing attack as an example.

John in accounting has received an e-mail from Katie in purchasing asking for some bank details as she has accidentally deleted them and there are supplies that need to be bought urgently. Normally John would just send these details through without question as the e-mail seems legitimate however he remembers the training that he and all the staff, including Katie received saying that this kind of request is only ever to be made using the companies internal phone system. John picks up the phone, dials Katie's extension number and asks her to confirm she sent the e-mail, Katie has no knowledge of ever writing it. On closer inspection John can see that Katie's e-mail address has been slightly altered and by picking up the phone has just saved you thousands.

John now recognises this as a spear phishing attack but he doesn't stop there, he pulls up the response plan on his desktop and sees that in the event of discovering this attack he is to e-mail all company addresses notifying them of this instance and, as noted in the response plan, asks that anyone receiving a similar e-mail report it to Larry on the tech team.
It is then Larry's responsibility to asses and analyse the threat and respond accordingly.

#3 - Response
Your response will completely depend on the make up of your company, if you have in house or contracted developers then by this point you should have handed this over to them. If you don't have a regular developer or development team then now is the time to pay out for one.
This is where whoever is dealing with the attack is going to need to focus on containing the attack to the already affected systems before it has change to cause more damage, locating the origin of the attack and discovering any weakness in the systems, eliminating all traces of the attack and then attempting to restore systems and data.
Depending on how long your company has been under attack and the severity of the attack it could be a while until you are fully back up and running and though it is frustrating and inconvenient you already covered that possibility during your preparation phase, didn't you?

#4 - Learn
Nelson Mandela once said "I never lose, I win or I learn" and this is the final step in your response plan. Once the attack is over and the restoration of your company is under way it's time to asses the damage and see what can be done to better prevent another attack.
Talk with those who dealt with the attack and find out if they found a weakness? Could it have been easily prevented? What can be done to prevent a similar attack in the future? and what can be done now to improve company security?

We will take a deeper look into some easy and practical steps that you can do to help the process of recovery and learning in an upcoming blog but for now thank you for your time today and we hope that we have helped in making your store a safer more secure place.
Don't forget that you can find amazing developers right now using our new service developerconnection.co.uk where you can enjoy our FREE £25 project offer until November 1st 2019.
And on the subject of Developer Connection we are very excited to be featured on the home page of 365retail.co.uk where they have an article all about it, so head there to check it out and until next time, stay safe and have a great day.

Want to contact Hussey Coding? here's how
You can mail us at info@husseycoding.co.uk
Visit our website at www.husseycoding.co.uk

Or join in all the fun on our social media profiles
Facebook - facebook.com/husseycoding
Twitter - twitter.com/husseycoding
LinkedIn -linkedin.com/company/hussey-coding
We look forward to hearing from you soon.


No comments:

Post a Comment