Auditing your data breach incident response plan

IT security commentators believe that most organizations probably already have experienced some form of a data breach. For instance, a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300 percent increase over the 1,000 daily attacks reported in 2015). The ongoing challenge is to overcome the different and emerging sources of security breaches and to install the right defenses to address areas of vulnerability.

It is also why companies need to be prepared and shift to a paradigm of incident response. Compliance and privacy teams, in conjunction with internal audit, can help an organization move to a state of readiness against cyber-threats by promoting an environment in which potential breaches are anticipated and proactively addressed. Since it is unlikely that companies will ever be able to fully prevent a data breach, it would be wise to prepare in advance with a well-integrated response plan for managing such incidents. Boards should encourage management to have a well-established response plan in place for any potential cyber-attacks that may arise.

Testing your breach incident response plan

The problem with plans (and policies) is that they can sit on a shelf and never be actually applied. The worst time to determine if an incident response plan is effective is in the middle of an actual breach. As compliance professionals and auditors are well aware, some processes cannot be automated—and incident response is one that requires considerable judgment on the appropriate steps to take.

An audit of information security practices should include a review of the company’s breach incident response plan. One feature for internal audit to evaluate is whether or not the plan has been tested to ensure that the right people and processes are ready to act. In essence, such a test is like a fire drill to minimize panic and keep the response team focused.

Data breaches, ransomware, and other malware with potentially severe operational impacts are becoming increasingly widespread and dangerous and costly. Internal auditors can assist information security and privacy colleagues in determining whether the organization has taken sufficient steps to prepare and respond against such attacks.

There are several approaches to test the readiness of your incident response plan. According to the Homeland Security Exercise Evaluation Program, there are seven types of exercises, each of which is either discussion-based or operations-based. Discussion-based exercises familiarize participants with current plans, policies, agreements, and procedures—or may be used to develop new plans, policies, agreements, and procedures.

A good starting point is the tabletop exercise. A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting. Tabletop exercises can be useful for assessing plans, policies, and procedures that are already in place. This should precede more time-intensive operations-based exercises. Performing a formal drill is a type of operations-based exercise (e.g., a fire department conducts a decontamination drill).

A tabletop exercise is a way to ensure the core functions and right individuals are aligned from the start. Senior executives will need to participate or be actively informed, especially with regard to messaging and communications for all audiences, inside and outside of the company.

A key feature to evaluate is the composition of the incident response team. Although IT often leads the response effort with executive representation from impacted business units, and especially involvement by compliance, privacy/legal, and communications/public relations. The placement of the information security officer in the organization may be a factor to consider. Does the CISO report to the CIO, or is there some degree of independence? Independence in the process lends credibility, objectivity, and integrity to a result while also creating a defensible record if challenged later. The incident response process should ideally segregate to some degree those areas that may ultimately bear responsibility for the breach.

The plan should clearly define, document, and communicate the roles and responsibilities for each team member. Testing the plan through a tabletop exercise or more formal drill is a good way to identify gaps and potential confusion in the response process. As individuals and internal functions change, you have to continuously exercise your plans.

The incident response team’s goal is to coordinate and align the key resources and team members during a cyber-security incident to minimize impact and restore operations as quickly as possible. This includes the following critical functions: investigation and analysis, communications, training, and awareness as well as documentation and timeline development.

The benefits (and risks) of cyber-security information sharing

A tangible outcome of the increasing number of breaches is the efforts of organizations to pool their threat knowledge, responses, and other resources. In December 2015, as part of the 2016 Omnibus spending package, Congress provided funding to enable the National Institutes of Standards and Technology to establish the National Cyber-security Center of Excellence and directed the Department of Health and Human Services to establish a task force to analyze how other industries are addressing cyber-security.

Companies are already sharing cyber-threat data, but many remain leery as they engage in this largely unchartered territory. Receiving critical threat data has been shown to be an effective tool in both preventing cyber-attacks and mitigating the effects of ongoing attacks. In a recent study, PwC found that 82 percent of companies with “high-performing security practices collaborate with others to deepen their knowledge of security and threat trends.”

Last year, one of the most highly respected information-sharing platforms—the Financial Services Information Sharing and Analysis Center—was able to significantly mitigate the effects of a cyber-attack on the sector by analyzing threat information it received from some of its members and quickly pushing it out to other financial institutions. This year, the benefits of information sharing made headlines when the retail unit of a Fortune 100 company announced that it discovered malware on its system as a result of receiving threat intelligence from a government advisory. As those examples show, threat data is pushed out to companies from a variety of sources stemming from both the private sector and government.

The U.S. Department of Justice sought to address the commonly expressed concern that information sharing runs afoul of the various state and federal privacy laws governing the collection, storage, use, and disclosure of certain types of information. Recognizing that companies were concerned over this issue, the DoJ released a white paper announcing its interpretation of how information sharing interacts with the Stored Communications Act (SCA), which prohibits the disclosure of certain consumer information. According to the Justice Department cyber-threat data may be shared with the government as long as any consumer information is in “aggregate form,” so it cannot be connected to a single individual.

Clearly companies should make the sharing of breach information their default position.

Responding to a ransomware attack

Another emerging reason to have a breach response plan is to be able to effectively react to cyber-incidents that have an immediate operational impact on data or systems. Ransomware is a type of malware that locks a device or renders its data unusable until the victim pays the attacker a ransom, often in an alternative currency known as bitcoin. According to Symantec, there are two primary categories of the malware: locker ransomware (which locks the device until the ransom is paid) and crypto ransomware (which generally encrypts individual files without locking the user out of the device entirely). Both types of ransomware ultimately deny the victim access to the data stored on the device.

Organizations that are highly dependent on the availability of data and electronic systems should treat ransomware as a real and serious risk to their operational viability and consider it within their enterprise and cyber-risk management processes. Responding quickly and effectively to ransomware is essential to minimize its operational impact, which can be a highly complex undertaking if multiple systems are impacted. Unlike most security incidents involving a compromise of data, such as payment card breaches or data breaches involving personal information, ransomware attacks can leave victims with little time to decide how to respond before their operations are halted.

The FBI recently advised that individuals and organizations “should not pay the ransom” and highlighted that the “best way to protect yourself and your organization is to have a backup of your data, maintain it, and disconnect it from your computer.” US-CERT recently issued a ransomware alert recommending that entities take several added protective measures in addition to backing up data, including the use of application whitelisting, avoiding enabling macros from e-mail attachments and ensuring that software patches are downloaded and antivirus programs are kept up-to-date. Additionally, both the FBI and US-CERT recommend that all instances of ransomware, whether affecting individuals or businesses, should be reported to the FBI’s Internet Crime Complaint Center, and victims should consider reaching out to reputable security vendors for assistance.

Data breaches, ransomware, and other malware with potentially severe operational impacts are becoming increasingly widespread and dangerous and costly. Internal auditors can assist information security and privacy colleagues in determining whether the organization has taken sufficient steps to prepare and respond against such attacks.