A Practical Guide to Setting Up Incident Management for SMEs
Cyber criminals understand that most organizations now have employees working from home, so they are using new ways to find vulnerabilities or to extort money. Covid-19-themed attacks, in the form of phishing emails with malicious attachments that deliver malware to disrupt systems and steal confidential data, are on the rise.
According to APWG's Phishing Activity Trends Report for Q1 2020, phishing attacks rose to a level not observed since 2016, with over 60,000 phishing sites reported in March alone.
Recently, there have been several cases of business disruption where video conferencing tools were compromised through newly found vulnerabilities.
Adding to this, the IT team faces the tough task of securing and monitoring users who connect from personal devices on home networks. Although several advisories on securing workstations and home networks have been issued in the public interest, compliance is not easily tracked.
Take the example of the Zoom video conferencing application, which is widely used for remote working. Researchers found credentials for more than 500,000 Zoom users. This does not mean Zoom itself was hacked. It means the accounts on sale on the dark web were obtained through "credential stuffing", where attackers reuse email and password combinations obtained from previous breaches.
In another example, Micah Lee and Yael Grauer, writing for The Intercept (article dated March 31, 2020), reported that Zoom meetings and calls were vulnerable to eavesdropping and were not end-to-end encrypted, despite misleading marketing on various media platforms. The article explains what end-to-end (E2E) encryption is and why it matters, and points out the claims Zoom made on its website about using end-to-end encryption for video conferencing.
Attackers are taking advantage of the general lack of security awareness, using this situation to launch well-known exploits against vulnerable devices and to tamper with unsuspecting places such as a router's DNS configuration, changes that will most easily go unnoticed.
So how exactly does one get organized for incident management and response?
Below are a few best practices that any company or organization can adopt to ensure efficient incident management.
IT support teams are either in-house or outsourced. Where an outsourced model outscores the in-house model is in its stringent SLA definition.
Although the IT team falls under the support services category, it needs to be run like a cost center to ensure that incident response is timely and appropriate. Defining an SLA involves setting an acceptable time frame within which any incident must be responded to and resolved. A cost component can also be added to improve competency.
We recommend that, when defining SLAs, parameters like category, impact and urgency are included to ensure clarity.
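To make the SLA parameters concrete, here is an added example (not code from the original article) of a minimal SLA tracker for incident tickets. It assumes an ITIL-style priority matrix derived from impact and urgency, and response/resolution targets per priority; both tables, the `Incident` fields and the sample tickets are constructed assumptions, not values the article prescribes.

```python
"""Added example: track whether incident tickets meet response and resolution SLAs.
The priority matrix and SLA targets below are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed priority matrix: (impact, urgency) -> priority, where 1 is the most severe.
PRIORITY_MATRIX = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 4,
}

# Assumed SLA targets per priority: (respond within, resolve within).
SLA_TARGETS = {
    1: (timedelta(minutes=15), timedelta(hours=4)),
    2: (timedelta(minutes=30), timedelta(hours=8)),
    3: (timedelta(hours=2), timedelta(days=1)),
    4: (timedelta(hours=8), timedelta(days=3)),
}


@dataclass
class Incident:
    ticket_id: str
    category: str                 # e.g. "phishing", "account-compromise"
    impact: str                   # "high" / "medium" / "low"
    urgency: str                  # "high" / "medium" / "low"
    opened_at: datetime
    responded_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None

    @property
    def priority(self) -> int:
        return PRIORITY_MATRIX[(self.impact, self.urgency)]


def sla_deadlines(inc: Incident):
    """Return (respond-by, resolve-by) deadlines derived from the ticket's priority."""
    respond_in, resolve_in = SLA_TARGETS[inc.priority]
    return inc.opened_at + respond_in, inc.opened_at + resolve_in


def sla_status(inc: Incident, now: datetime) -> dict:
    """Classify response and resolution as met, breached or pending as of `now`."""
    respond_by, resolve_by = sla_deadlines(inc)

    def check(actual: Optional[datetime], deadline: datetime) -> str:
        if actual is not None:
            return "met" if actual <= deadline else "breached"
        return "pending" if now <= deadline else "breached"

    return {
        "ticket_id": inc.ticket_id,
        "priority": inc.priority,
        "response": check(inc.responded_at, respond_by),
        "resolution": check(inc.resolved_at, resolve_by),
    }


def breached_tickets(incidents, now: datetime):
    """Ticket ids with at least one breached SLA, sorted for stable reporting."""
    return sorted(i.ticket_id for i in incidents
                  if "breached" in sla_status(i, now).values())


# Constructed sample tickets for a single day of a small support team.
NOW = datetime(2020, 4, 20, 12, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "phishing", "high", "high", datetime(2020, 4, 20, 9, 0),
             responded_at=datetime(2020, 4, 20, 9, 10),
             resolved_at=datetime(2020, 4, 20, 11, 0)),
    Incident("INC-002", "account-compromise", "high", "medium", datetime(2020, 4, 20, 9, 0),
             responded_at=datetime(2020, 4, 20, 9, 45)),   # 15 minutes late on response
    Incident("INC-003", "dns-change", "low", "low", datetime(2020, 4, 20, 8, 0)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(sla_status(inc, NOW))
    print("breached:", breached_tickets(SAMPLE_INCIDENTS, NOW))
```

The `check` helper distinguishes "pending" from "breached" for tickets that have no timestamp yet, so a daily report can flag only the tickets that actually need escalation rather than every open ticket.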
A workflow is crucial for a timely and appropriate response upon incident detection. It channels the roles and responsibilities of every member of the incident response team.
We recommend defining the following as part of the workflow:
Proper documentation capturing the details of incidents and the actions taken to resolve them is useful for any investigation or forensic analysis. It ensures that time is not wasted reinventing the wheel for incidents that have previously occurred and been resolved successfully.
More documentation -> prevents communication gaps
More documentation -> creates more records
More records -> generates more accurate information on the resolution
We strongly recommend maintaining an incident wiki. Most organizations have a knowledge base of all incidents and their resolutions; having it indexed lets people refer to it when a similar incident occurs, and the gain in efficiency goes without saying.
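As an added illustration of what "indexed" buys a responder (this is not code from the article), the following builds a small keyword index over past incident records and ranks earlier tickets by how many terms they share with a new incident description. The `IncidentWiki` class, the stopword list and the three sample records are constructed for the example.

```python
"""Added example: a keyword index over past incident records, so that a responder
can look up how a similar incident was resolved before. Sample records are constructed."""
import re
from collections import defaultdict

# Small constructed stopword list; real deployments would use a fuller one.
STOPWORDS = {"the", "a", "an", "of", "to", "on", "in", "and", "for",
             "from", "with", "is", "was", "after"}


def tokenize(text: str) -> set:
    """Lower-case alphanumeric tokens minus stopwords."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


class IncidentWiki:
    def __init__(self):
        self.records = {}                 # ticket_id -> record dict
        self.index = defaultdict(set)     # token -> set of ticket_ids

    def add(self, ticket_id: str, category: str, summary: str, resolution: str):
        self.records[ticket_id] = {
            "category": category, "summary": summary, "resolution": resolution,
        }
        # Index category and symptoms; the resolution is what we want to retrieve.
        for tok in tokenize(f"{category} {summary}"):
            self.index[tok].add(ticket_id)

    def find_similar(self, description: str, limit: int = 3):
        """Return [(ticket_id, shared_terms, resolution), ...] best match first."""
        scores = defaultdict(int)
        for tok in tokenize(description):
            for tid in self.index.get(tok, ()):
                scores[tid] += 1
        ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
        return [(tid, score, self.records[tid]["resolution"])
                for tid, score in ranked[:limit]]


def build_sample_wiki() -> IncidentWiki:
    """Populate the wiki with three constructed past incidents."""
    wiki = IncidentWiki()
    wiki.add("INC-017", "phishing",
             "Users report email with invoice attachment asking to enable macros",
             "Blocked sender domain at the mail gateway, purged the message from "
             "mailboxes, reset credentials of users who opened it")
    wiki.add("INC-023", "account-compromise",
             "Zoom account login from unknown country after credential stuffing",
             "Forced password reset, enabled MFA, checked for password reuse")
    wiki.add("INC-031", "network",
             "Home router DNS settings changed to unknown resolver",
             "Restored DNS settings, updated router firmware, changed admin password")
    return wiki


if __name__ == "__main__":
    wiki = build_sample_wiki()
    for tid, score, fix in wiki.find_similar("user received phishing email with attachment"):
        print(tid, score, fix)
```

Scoring by the number of shared terms is deliberately simple; the point is that the resolution text is retrievable from the symptoms, which is exactly what a paper trail or a folder of individual documents does not give you.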
There are many benefits to having an incident wiki rather than a paper trail or individual documents per incident:
We commonly find that incident management workflows miss out on defining components for incident resolution. This is critical to ensure that the resolution is fool-proof and based on advisories from authorised sources.
We strongly recommend:
This unexpected shift towards remote work has brought in many new risks. While each organization has its own ways of tackling these circumstances, the steps above can help you get started in the right direction.
The above pointers can help teams working from home improve their incident response procedure, reach a good level of readiness for new incidents, and give the team the right amount of confidence to handle them. While working remotely in a SOC, NOC or support role can be overwhelming at the start, it gets better with every passing day.
As we gear up along with the entire world to fight this pandemic, we continue to be inspired by our frontline workers and by others who are caring for people around the world.