Small and medium-size businesses (SMBs) are just as likely to be attacked by hackers and intruders as large enterprises. SMBs may think that because they don't have household names and brands known around the globe like, say, a large international bank or well-known consumer products companies, they aren't on the radar screen of marauders roaming the Web. Security by obscurity goes only so far, and the usual nasties floating around the Web – Trojans, malware, phishing and extortion – don't discriminate based on company size.
Small and medium businesses are also just as likely to have unscrupulous employees -- insiders who might consider stealing from the company or taking advantage of space on disk drives to store large personal files. Large enterprises often have a dedicated incident response team. Most SMBs don't have the staff or funds for such a team.
There are four steps to the incident response process for a small or medium-sized business with even the leanest staff and tightest budgets:
- Assemble your team. Your IR team should include people from your information security staff, if you have one, or, if not, from the IT staff that handles information security, probably in your networking department. The team doesn't have to be staffed full-time. It can be a virtual team pulled together as needed.
During regular staff meetings, decide who should be on that team. There should be a diverse skill set from hardware and network types, to systems analysts and developers. Also, think about their overall ability to analyze and solve problems when choosing your team. Remember, these are going to be the detectives at the crime scene, not just shock troops cleaning up a mess.
Designate one member of the virtual team as the on-call contact. This person should be available 24x7. Rotate this responsibility on a weekly basis, as you probably already do for other on-call IT staff, and, if possible, have a dedicated pager for this person.
Set up a dedicated phone number for employees to call to report incidents. If your company doesn't have the resources for a dedicated line for incidents, then provide a separate menu option through your help desk number. The number should page the on-call incident response team member.
Spread the incident response hotline number by passing out business cards with the number. These are ideal for heightening employee awareness about incident reporting, and they are cheap and easy to produce. Also put posters with the number in public gathering spots such as coffee machines or water coolers.
- Handle the incident. So, your network traffic spikes at an odd hour and your network slows down, or someone reports that customer information on a storage server was stolen. Call your team into action. Then what? The incident response virtual team should immediately track down the offender: examining logs, using forensics tools or network sniffing.
- Notify the appropriate parties. This depends on the nature of the incident, its seriousness and whether it's an intruder from outside or inside the company. This is also the point where you should advise people outside the incident response circle, such as senior management, law enforcement or human resources. Until now, the investigation, just like any other detective operation, had to be handled on a need-to-know basis to prevent the offender, especially if an insider or employee, from being tipped off. Remember, any network intrusion is against the law.
If the attacker is an employee, the situation may be different. If someone runs across a trove of pornography stored on a network server, for example, and reports it, the offending employee will probably be dismissed. The employee hasn't broken the law, but human resources and the employee's manager will need to be brought in.
If the employee, on the other hand, is running an illegal operation from the company, selling company data or embezzling money, these are all criminal offenses in which the FBI or Secret Service is needed. Only your incident response team, after consulting with management, should be picking up the phone. Make it clear to your employees that all calls to law enforcement should be handled by the incident response team.
Then, of course, management will have to make decisions, especially if customer information is breached, about dealing with the media. It's all part of the incident response process and should be in any response plan.
- Take corrective action to prevent recurrences. Once the mess is cleaned up, the appropriate parties notified and the incident has passed, the incident response team should conduct a post-mortem to see what went wrong and to figure out how to prevent a similar incident in the future. It could be as simple as discovering an unpatched server used by the attacker to dance into your network. Or, it could be something missed in your information security policy that now needs to be added. Only the post-incident autopsy can tell.
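The "Handle the incident" step above opens with the classic trigger, a traffic spike at an odd hour, and says the team should start by examining logs. The following is an added example, not code from the original article or its author, of what that first look at the logs can be for a team with no dedicated forensics tooling: it parses a few constructed connection-log lines (timestamp, source, destination, bytes), totals bytes per hour, compares off-hours totals against the average business-hour volume, and lists the source/destination pairs behind any spike so the responder knows which host to examine next. The log format, the business-hours window and the spike factor are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): "timestamp src dst bytes".
# Daytime lines show ordinary file-server traffic; the two 02:00 lines show
# one workstation pushing a large volume to an outside address overnight.
SAMPLE_LOG = """\
2006-05-10T09:15:02 10.0.0.12 10.0.0.5 48213
2006-05-10T10:42:11 10.0.0.17 10.0.0.5 51200
2006-05-10T14:03:45 10.0.0.12 10.0.0.5 47000
2006-05-10T16:30:09 10.0.0.21 10.0.0.5 50500
2006-05-11T02:12:33 10.0.0.30 203.0.113.9 4200000
2006-05-11T02:13:01 10.0.0.30 203.0.113.9 3900000
2006-05-11T09:05:19 10.0.0.12 10.0.0.5 49000
"""

# Assumed business-hours window, 08:00 through 18:59 local time.
BUSINESS_HOURS = range(8, 19)


def parse_lines(text):
    """Parse the assumed four-field log format into (datetime, src, dst, bytes)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def _hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def bytes_per_hour(events):
    """Total bytes transferred in each clock hour that appears in the log."""
    buckets = defaultdict(int)
    for ts, _src, _dst, nbytes in events:
        buckets[_hour_bucket(ts)] += nbytes
    return dict(buckets)


def top_talkers(events, hour, n=3):
    """The n busiest (src, dst) pairs within one hour bucket, largest first."""
    per_pair = defaultdict(int)
    for ts, src, dst, nbytes in events:
        if _hour_bucket(ts) == hour:
            per_pair[(src, dst)] += nbytes
    return sorted(per_pair.items(), key=lambda kv: kv[1], reverse=True)[:n]


def off_hours_spikes(events, factor=10):
    """Off-hours hour buckets whose volume exceeds factor x the business-hour mean.

    The baseline is the mean bytes per business hour seen in the same log,
    so the check adapts to the size of the network rather than using a
    fixed threshold. Each finding carries the pairs responsible, which is
    the lead the response team follows up on next.
    """
    buckets = bytes_per_hour(events)
    business = [v for h, v in buckets.items() if h.hour in BUSINESS_HOURS]
    if not business:
        return []  # no daytime baseline to compare against
    baseline = sum(business) / len(business)
    spikes = []
    for hour, total in sorted(buckets.items()):
        if hour.hour not in BUSINESS_HOURS and total > factor * baseline:
            spikes.append({
                "hour": hour.isoformat(),
                "bytes": total,
                "baseline": baseline,
                "top_talkers": top_talkers(events, hour),
            })
    return spikes


if __name__ == "__main__":
    for spike in off_hours_spikes(parse_lines(SAMPLE_LOG)):
        print(f"{spike['hour']}: {spike['bytes']} bytes "
              f"(baseline {spike['baseline']:.0f}/hour)")
        for (src, dst), nbytes in spike["top_talkers"]:
            print(f"  {src} -> {dst}: {nbytes} bytes")
```

On the sample data the only flagged hour is 02:00 on the second day, and the top talker is the single workstation sending to the outside address, which is exactly the host the team would pull logs from and image before notifying anyone outside the response circle.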
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in developer security and specializes in Web and application security. He is the author of "The Little Black Book of Computer Security," available from Amazon.com, which has more tips on setting up incident response teams.
This was first published in May 2006