Nexor is proud to be a sponsor of the East Midlands branch of the Institute of Information Security Professionals (IISP). The IISP arranges events that provide industry security professionals with opportunities for networking and professional development.
On Wednesday 2nd October, the IISP East Midlands ran its third quarterly meeting kindly hosted by the East Midlands Special Operations Unit (EMSOU). Over 20 security professionals joined to collaborate and explore the latest news surrounding the incident response cycle, covering both what has worked well and learning points from real life examples.
The evening included a talk from Scott Walker, an ex Royal Marine, who works at SecureLink as part of the Cyber Security Incident Response Team (CSIRT). With a wealth of knowledge on the subject he shared his expertise on how to handle a security incident.
One person said “If they got hit by Ransomware next week, they now know who to call!”
Key Takeaways
Ignorance isn’t bliss
A security incident starts at the first point of contact by the attacker. However, it could take several weeks or even months, before you as the victim become aware anything is wrong.
All too often signs of compromise exist, but are ignored by the victim, or dismissed as unexplained. It is important to investigate and record all incidents, unexplained events or false alarms, as this will be vital information later on if it turns out there is a compromise.
Don’t rush deployments
Deadlines and costs apply to infrastructure deployments as well as web application or service development. People cut corners when under pressure just to get the job completed. When infrastructure deployments are rushed, systems aren’t always configured securely. Maintenance processes to keep systems patched are also neglected. This results in more work being required later when rounds of penetration testing are being carried out.
Preparation is key
You need to make sure you have the relevant data recorded (for example log files) to be able to look back in time and find out what occurred. Many environments delete or rotate log files, meaning the ability to find out what has happened is diminished. For example, Windows PowerShell logging is turned off by default. Ensure that you turn it on as it will provide a great source of evidence in the aftermath of an attack.
Be the tortoise, not the hare
Be sure not to react before you have all the cards on the table. If you do not fully understand how the incident has occurred before implementing a containment and recovery plan you could inadvertently alert the attacker. This could lead to them escalating their plans by opening future back door paths, or bringing forward a ransomware attack making the situation worse.
Foster secure software development
Handling a cyber security incident competently requires in-depth knowledge of the subject. When in doubt it’s always better to call an expert for help rather than trying to fix it yourself. Before calling an expert, prepare in advance by making sure you have the following information to give them:
- An accurate and up to date network diagram;
- A list of all IP address ranges;
- A list of expected user accounts for all applications.
Scott was kind enough to share the slides from his presentation, so for a more detailed understanding feel free to give them a read and let us know what you think.
The IISP run quarterly meetings in the East Midlands – contact us to learn more.
Open to all security professionals – members or not!
Author Bio – Colin Robbins
Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.
Related Posts
Be the first to know about developments in secure information exchange
We value your privacy Find out more >