business: response, Part 3: Coordination

Rapid Response to Breach, Part 2

by Brent Kirkpatrick

The intensity of the breach determines the number of people to involve in the response.

Who do we involve in a breach response? Depending on the intensity of the breach we could involve anywhere from one IT person to the whole organization.

Suppose the breach involves one computer and one file under the permissions of one user. This means that the attackers did not gain root access. In such a case, one IT person may be able to detect the damage, determine the extent of the breach, and respond to the problem. If the issue was a wrongly set file permission, the response and recovery are implemented by a single person.

Does paperwork always need to be generated? No. In some cases, excessive paperwork can hamper the response. In all cases, someone technically competent to assess the problems needs to be involved with protection, detection, and response. The amount of paperwork and the levels of management to notify are a judgment call.

Suppose the breach involves a large database containing all the company's customer data. Then the response needs to proceed simultaneously at multiple levels of management. The technical people can iteratively work to protect, detect, and respond while the upper levels of management work to notify customers and coordinate multiple departments. For example, the legal and public relations people would be needed to document the breach and draft announcements to affected customers.

One crucial question is whether the team wants to pursue a technical response or a non-technical response to the breach, or both. For example, in the Equifax case, the company decided to offer a high-tech solution to the compromise of customer credit data: a lifetime credit lock. This was a technical solution to a technical breach, and implementing it may have required using the very computers that had been hacked. A non-technical solution would have been to encourage all the customers to manually review their credit records for signs of fraud. This solution requires human effort, but it has the advantage of not involving hacked computers. Equifax could have rolled out a customer service effort to aid customers in that review. Given the volume of phone calls they handled for the technical solution, they may have been able to roll out both the technical and non-technical services at the same cost to the company.

