Cybercriminals are constantly looking for new ways to bypass security measures. In a survey conducted by the SANS Institute on the behalf of Guidance Software, 56 percent of respondents assumed they have been breached or will be soon, compared with 47 percent last year.
Assistant United States Attorney and Cybercrime Coordinator with the U.S. Attorney's Office in the District of Delaware Ed McAndrew, and Guidance Software Director of Security Anthony Di Bello, have compiled best practices for preparing for and responding to a cyber attack and for working with law enforcement:
* Have an incident response plan. Creating established and actionable plans and procedures for managing and responding to a cyber intrusion can help organizations limit the damage to their computer networks and minimize work stoppage. It also helps law enforcement locate and apprehend the perpetrators.
* Identify key assets. It may be cost prohibitive to protect the entire enterprise. Before creating a cyber incident plan, an organization should determine which of its data, assets and services warrant the most protection. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.
* Make an initial assessment of the threat. Once an attack or breach is identified, it's critical to assess the nature and scope of the incident. It is also important to determine whether the incident was a malicious act or a technological glitch. The nature of the incident will determine what kind of assistance the organization will need and what type of damage and remedial efforts may be required.
* Engage with law enforcement before an attack. Having a pre-existing relationship with federal law enforcement officials can help facilitate any interaction relating to a breach. It will also help establish a trusted relationship that cultivates bi-directional information sharing that is beneficial to both the organization and law enforcement.
* Have a post-attack plan of action. Establish procedures addressing what steps you need to take after an attack. This includes identifying who is responsible for each element of the organization's cyber incident response, being able to contact critical personnel at all times, knowing which mission-critical data, networks or services should be prioritized for the greatest protection, and knowing how to preserve data related to the incident in a forensically sound manner.
* Capture the extent of the damage. Ideally, the victim of a cyber attack will make a forensic image of the affected computers as soon as the incident is detected. Doing so preserves a record of the system for analysis and potentially for use as evidence at trial. Organizations should restrict access to these materials in order to preserve the integrity and authenticity of the copy. Safeguard these materials from unidentified malicious insiders and establish a chain of custody.
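The integrity and chain-of-custody requirement above can be made concrete with a hash recorded at acquisition and re-checked at every hand-off. This is an added illustration, not code from the article or from Guidance Software; the image bytes, custodian names and source label are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample "image": stands in for the bytes of a forensic disk image.
SAMPLE_IMAGE = b"NTFS    \x00\x02\x08\x00\x00" + b"\x00" * 1024 + b"user data block"


def sha256_of(data: bytes) -> str:
    """Hash the image; a real image would be streamed from disk in chunks."""
    return hashlib.sha256(data).hexdigest()


def _entry(event: str, custodian: str, verified: bool = True) -> dict:
    """One chain-of-custody line: what happened, who holds the copy, when."""
    return {"event": event, "by": custodian, "verified": verified,
            "at": datetime.now(timezone.utc).isoformat()}


def acquire(image: bytes, custodian: str, source: str) -> dict:
    """Open the evidence record with the acquisition hash and first custody entry."""
    return {
        "source": source,
        "acquired_sha256": sha256_of(image),
        "custody": [_entry("acquired", custodian)],
    }


def verify(record: dict, image: bytes) -> bool:
    """True only if the copy still hashes to the value taken at acquisition."""
    return sha256_of(image) == record["acquired_sha256"]


def transfer(record: dict, image: bytes, to_custodian: str) -> bool:
    """Log a hand-off; a failed hash check is logged too, so the break is visible."""
    ok = verify(record, image)
    record["custody"].append(_entry("transferred", to_custodian, ok))
    return ok


if __name__ == "__main__":
    rec = acquire(SAMPLE_IMAGE, "analyst-1", "workstation-42 (constructed)")
    print("intact after hand-off:", transfer(rec, SAMPLE_IMAGE, "analyst-2"))
    tampered = SAMPLE_IMAGE[:-5] + b"XXXXX"
    print("tampered copy accepted:", transfer(rec, tampered, "analyst-3"))
    for line in rec["custody"]:
        print(line)
```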