Q & A
So, you’ve got to have a solid incident response policy. That way, your response will be good, useful and adequate. It’s bad enough to end up in the headlines about how you’ve been hacked. It’s a thousand times worse when you make headlines again because your response was as bad as or even worse than the hack. The bad responses are the ones that may have been planned and written down but haven’t been practiced. The ugly ones are when you have major companies that, clearly, have not even written anything down. STANGER : Corporate culture usually dictates that we don’t talk about incidents, don’t document, because if we do things that are inadequate, we’ll be held liable. No one wants to provide documentation, because it can be used out of context very quickly. But it turns out we’re held liable if we don’t document and we don’t have a plan. There’s kind of a don’t-document-and-don’t-discuss culture in many corporations. It’s the job of a good security professional to work that culture a bit. Incident response can’t just be a technical response. It has to be executive driven. It needs to include various departments, from the board, to the executive suite, PR and even marketing on some level. You have to have the right message. The techies may know what to do, but management and the board need to know as well. You need a plan for technology and for communication. Target responded well – they had good incident response. As soon as they found out, they told people. They said, here’s our plan and here’s how we’re going to Equifax held back information for a long time. You need to come out and say, “We know something happened, and we’re working on it.” If my kid got a ticket but didn’t tell me for six months, that would be bad. You have to be forthcoming. In the era of transparency and everyone airing their dirty laundry, that secrecy makes it far worse than it would have been. CompTIA: Why do corporations struggle with incident response? prevent it from happening again. On the other hand, both Yahoo and
flows, weaknesses. If an organization’s using an old version of SharePoint or Apache Server, the hackers can see this and exploit the flaws in that version to take control of the system, download passwords or other things. Once a hacker gets in, you have a persistent threat in your network – someone has come in through social engineering or a software flaw and spread laterally from one system to the next. Even though you’ve fixed it, they’ve moved on and taken over other things and are lurking around, creating shadow users that you aren’t aware of and are inhabiting the company like the rest of us. Thieves used to do the smash and grab, but now they quietly lurk in our closets while we sleep. You end up with not only lost data, but lost intellectual property. Think about all the data we capture and research – it’s bad enough if that all gets lost or deleted, but imagine if it got tampered with. We have this data we think is valid, but it’s been altered. It’s bad enough when it’s personally identifiable information, but what if hackers got into a Fortune 50 stock market organization and started manipulating data? Over long term, they’re manipulating stock data and news data. That’s scary stuff. CompTIA: What separates the good from the bad in terms of incident response? STANGER : Well, it’s kind of a The Good, the Bad and the Ugly scenario, isn’t it? Good incident response is when people have a documented plan and they’ve exercised it. They’ve done mock exercises, desktop run-throughs, fire drills. They’ve practiced. Having a plan and not practicing it is just as bad as not having a plan at all. It has to start with a policy-based approach that’s exercised so it becomes part of institutional muscle memory. When it comes to the possibilities of a security breach, thinking about the likelihood reminds me of my Dad’s theory about motorcycles. He was a veteran property and casualty insurance man. I asked him if I could get a little street bike, and he replied, “When it comes to motorcycles and accidents, it’s not if you have one, it’s when and how bad.” Needless to say, I never did get that street bike. Similarly, when it comes to security, it’s not a question of if you will get hacked – it’s when and how bad.
or multi-factor authentication. We’ll see these three things come in more and more – having better passwords, more passwords and more factors. If you think you’ll get hit with ransomware on your PC, set it up to back up every 30 minutes. Then, when you get hacked, instead of paying the ransomware, you can restore from backup. But make sure your backup is secure – there’s nothing like restoring your files from backup only to find that the backup itself is flawed or encrypted by ransomware. To keep up with end-user threats, there are some pretty good sites out there – PC Magazine, zdnet, even The Register UK and Slashdot, although those last two get a bit more techie. Go to these sites and check out the security channels – not the heavy-duty server security, but the end- user security ones. Every week or even once a month, update yourself on the latest trends. You don’t want to obsess, but you want to develop good situational CompTIA: What are hackers looking for and what do they do with the data they steal? STANGER : First, they’re good researchers and terrific detectives. They use it to learn more about you and your organization. As they get information from you, they can begin profiling an entire organization. In school, we talked about directional resources – like encyclopedias or Wikipedia. You wouldn’t want to cite a directional resource, but you can use it to guide you to a better source where the information came from. Applying this analogy to hackers, even if they don’t get the informational resources – like passwords and account numbers – from you, they can get directional information from you that helps them penetrate an organization. They can learn things like reporting structures, email address structures, what programs an organization uses and how they use it. Second, they look for weaknesses in the platforms an organization uses and how information flows across the organization. If the CEO emails an administrative assistant to make purchases, hackers can send a good phishing email, and suddenly that admin is wiring the hackers $100,000. They’re looking for how an organization works, how information awareness. Find yourself a trusted resource and listen to good advice.
Want more information? Contact Membership@CompTIA.org.
SPRING 2018 | CompTIAWorld
Made with FlippingBook Online document