What does it mean to “manage the first hour of an IT crisis”?

The “Action – Reaction – Managing the first hour of an IT crisis” seminar by APSI, Amcham and PwC held on 28th September gave an overview of how to be smart as well as quick.

September 30, 2016

It is widely acknowledged that speedy reaction to a cyber attack is key to minimising damage to data and systems, as well as reducing reputational risk and speeding the identification of the perpetrators.

By ITnation

There were two sections to the event organised by the Information Society Professionals’ Association (APSI), the American Chamber of Commerce and PwC. A role-playing session gave a real-time insight into the early steps that need to be taken. Also, some key dos and don’ts were described by Mo Cashman, Director Enterprise Architecture Cyber Security at Intel.

“The first action needed in a crisis is to understand the full scope of the attack because only then can you start to contain it,” Cashman explained. He described how the nature of attacks and responses has evolved. The advanced persistent threats of the mid-2000s taught him the importance of a joined-up, enterprise-wide response: all interested parties need to be involved, silos need to be bridged, and small reactive groups need to be prepared in advance. In Iraq in 2008/9 an enemy agent managed to distribute malware-contaminated USB keys. This demonstrated the vulnerability of certain types of systems architecture, but also the counterproductive nature of knee-jerk responses: the use of USB sticks was completely forbidden, and this had a serious impact on operational activity. The WikiLeaks affair of 2010 demonstrated how HR needs to be involved, since HR is in a position to identify behaviour by individuals which may result in a malicious data leak or a malware infection.

Both Cashman and the panel highlighted the importance of planning. Indeed, the role-play session was to a large extent a demonstration of how the first hour of a cyber security attack should consist of acting on pre-defined, rehearsed procedures. After an attack, the crisis team would be assembled by a dedicated leader. This group would probably feature the CIO and pre-selected representatives from HR and communications, with the CEO (or a trusted delegate) kept closely in the loop in case major decisions need taking. Lawyers should not need to be involved at this stage, as procedures should already be in place covering the implications for data protection and professional secrecy. These roles were acted out and explained by a panel of six local professionals (see link for details).

Understanding the nature of the problem is the first step to putting the crisis team in control. Preserving logs and backing up all data were also recommended, not just to help recover information, but also to track the perpetrators. The CERT should be contacted, and possibly the data protection authorities. The financial sector regulator and the police could also be informed. However, the temptation to shut down the system to prevent further infections or attacks should be resisted: it is common for malware to trigger further destruction when servers and systems are turned off, and powering off also destroys volatile evidence (memory contents, running processes, active network connections) that investigators need. The panel also warned against paying any ransoms demanded by hackers, as the criminal is by definition acting in bad faith.
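The "preserve logs before you touch anything" step above is the one part of the first hour that can be scripted ahead of time and rehearsed. The following is an added example, not code from the seminar, the panel or ITnation: it copies a list of log files into an evidence directory, makes the copies read-only, and writes a SHA-256 manifest so that the copies can later be shown to be unaltered when they are handed to the CERT or the police. All paths and log lines in it are constructed for illustration.

```python
"""Added example (not from the seminar or ITnation): preserve logs before any
containment step, and record a SHA-256 manifest so the copies can later be
shown to be unaltered. All paths and log lines below are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir):
    """Copy each source file into evidence_dir, make the copy read-only and
    record hash, size, original mtime and collection time in manifest.json.
    Missing sources are recorded rather than silently skipped. Returns the manifest."""
    ev = Path(evidence_dir)
    ev.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "files": []}
    for src in map(Path, sources):
        entry = {"source": str(src)}
        if not src.is_file():
            entry["status"] = "missing"
            manifest["files"].append(entry)
            continue
        # Flatten the original path into the copy's name so nothing collides.
        dest = ev / str(src).strip("/").replace("/", "_")
        shutil.copy2(src, dest)            # copy2 keeps the original mtime
        os.chmod(dest, 0o444)              # read-only: the copy is evidence
        entry.update(status="ok", copy=dest.name, size=src.stat().st_size,
                     source_mtime=src.stat().st_mtime, sha256=sha256_file(dest))
        # The copy must hash the same as the source it was taken from.
        if entry["sha256"] != sha256_file(src):
            entry["status"] = "copy_mismatch"
        manifest["files"].append(entry)
    (ev / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every preserved copy; return the names of any that no longer match."""
    ev = Path(evidence_dir)
    manifest = json.loads((ev / "manifest.json").read_text())
    return [f["copy"] for f in manifest["files"]
            if f.get("status") == "ok" and sha256_file(ev / f["copy"]) != f["sha256"]]


def demo():
    """Build two constructed log files plus one missing path, preserve them,
    verify, then tamper with one copy to show the check catches it."""
    root = Path(tempfile.mkdtemp())
    auth = root / "var" / "log" / "auth.log"
    web = root / "var" / "log" / "nginx" / "access.log"
    auth.parent.mkdir(parents=True)
    web.parent.mkdir(parents=True)
    # Constructed sample log lines (203.0.113.0/24 is a documentation range).
    auth.write_text("Sep 28 09:01:12 host sshd[411]: Failed password for root from 203.0.113.7 port 51022 ssh2\n"
                    "Sep 28 09:01:15 host sshd[411]: Accepted password for root from 203.0.113.7 port 51022 ssh2\n")
    web.write_text('203.0.113.7 - - [28/Sep/2016:09:02:03 +0200] "GET /admin/upload.php HTTP/1.1" 200 512\n')
    evidence = root / "evidence"
    manifest = preserve_logs([auth, web, root / "var" / "log" / "missing.log"], evidence)
    clean = verify_manifest(evidence)
    # Simulate tampering with a preserved copy (remove the read-only bit first).
    target = evidence / manifest["files"][0]["copy"]
    os.chmod(target, 0o644)
    target.write_text("tampered\n")
    return {"statuses": [f["status"] for f in manifest["files"]],
            "clean_before": clean,
            "mismatch_after": verify_manifest(evidence),
            "auth_sha256": manifest["files"][0]["sha256"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real run the source list would be the host's actual log locations and the evidence directory would sit on separate, write-once media; the manifest's hashes are what you quote when the copies change hands. The point of recording a missing source explicitly is that a log file that has vanished is itself a finding, not something to paper over.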

More important than the first hour, however, are the months of prior work needed to boost resilience. Making sure systems and staff are geared up to prevent an attack in the first place is most effective, and having well designed back-ups and recovery procedures is central to a quick return to normality.
