5 common mistakes when responding to a security incident

A reminder that prior preparation prevents poor performance for security newbs looking to avoid common mistakes in incident response.

bus mistakes thinkstock

One of the greatest challenges of transitioning to a new career or starting a new job is not so much knowing what to do, but learning what not to do. Most professionals find themselves in their fields because of a passion that drove them there, and most of us want to excel at our work.  

I love crafting sentences that bring the senses of sight and sound together in a warm cadence that makes a reader say “Wow!” What I hate more than anything is when I make a mistake.  I’ve made plenty this past year. In fact, some of you may have sent me a message asking for a typo to be fixed. It happens. 

In the security industry, though, mistakes can be costly. That’s why I had a chat with Ben Johnson, chief security strategist at Bit9+Carbon Black, who offered up some sage words of wisdom on the common mistakes folks make in responding to a security incident.

Here is Johnson’s list of Top 5 most common mistakes when responding to a security incident:

1. Not being prepared –  For unprepared organizations, finding out you’ve been attacked can induce panic, incomplete response and an insurmountable clean-up bill. You know what questions you are going to ask in a breach, so set up your overall program to answer those. Preparing ahead of time gives organizations the ability to know the precise questions they will need answered, such as: “What data was stolen?” “How’d they get in?” “How long have they been in?” “Where did they go?”

Understanding how they will answer these questions, means that an organization will have the right people, processes and technology in place to confidently tackle a data breach. If not, however, an organization is simply flying blind and hoping they are never targeted. When it comes to security, “hope” isn’t a word you like to hear. “Prepared” is.

2. Not properly understanding scope — An organization may have found patient 0, or maybe it’s actually found patient 20. If it’s patient 20, there will be a lot of machines to clean up. Understanding how big or small an incident is will be critical to proper response and recovery.

Response isn't just about cleaning up computers. There could be other foot holes, back door, or accounts that have been added. Not understanding the full scope of the incident often means you’re not cleaning up the true problem. 

3. Failing to get legal involved early — While legal does not often move at the speed of security (and definitely not at the speed of attackers), there are times where getting legal involved early with help contain information under attorney-client privilege, especially since legal should be responsible for coordinating with outside parties to avoid information leakage or disclosure to other parties. Information should be presented when it has become a story that the company can tell with relevant facts around what happened, how it happened, and who’s affected.

4. “Mission Accomplished” references - Putting out a claim that only X number of records were accessed, or saying that everything has been cleaned up when, in reality, you don’t know the full scope of the impact (or the incident is still being eradicated) is a dangerous path to navigate and puts a bigger target on the company’s back.

Don’t say you’re done. Say, “We are still investigating. This is what we know right now.” There is a preemptive rush to say we know what happened, but then the initial report of only 4 million records turns into 10 million and then 50 million.

5. Not understanding the root cause and attack vector –  Not understanding the cause and the type of attack that worked today leaves an organization open to the same attack tomorrow. It’s hard to understand scope if you don’t know how they got in. How can you actually know that you cleaned it all up? If you don’t close that door that the bad guys walked through, they are going to walk through it again tomorrow or in 30 or 90 days.

The fear of making a mistake can be overwhelming, especially for those new to the industry. Remember that part of avoiding mistakes means asking for help when you need it. You are not alone. You are going to learn a ton just on the job, and companies know there are a lot of rules, regulations, and compliance, so you’re not going to be thrown into the fire without help. If you are, get some help.  

Copyright © 2016 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!