Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/27/2020
06:35 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Top 10 Cyber Incident Response Mistakes and How to Avoid Them

From lack of planning to rushing the closure of incidents, these mistakes seriously harm IR effectiveness.
Previous
1 of 11
Next

A well-run cyber incident response team (CIRT) can prove the ultimate backstop for a cybersecurity program by stopping an early intrusion from turning into a full-blown data breach. At the very least, a CIRT can minimize the impact of breaches when they do fly under the radar.

While many cybersecurity organizations today field early CIRTs, not nearly as many run them well.

According to cybersecurity experts who have helped organizations clean up after disastrous security breaches, many of those events were made so much worse due to incident response (IR) failures. And those failures tend to cluster around the same common IR mistakes that enterprises make time and again.

The pundits point to the following top 10 mistakes, along with advice on how to avoid them.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. 
View Full Bio

Previous
1 of 11
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:38:38 PM
Playbooks
It's not good enough to just have an overarching and strategic IR plan. IR teams also need tactical plans for common scenarios so they shave time off their mean time to respond and streamline operations. True. Come up with a playbook and keep it up to date.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:36:41 PM
Collaboration
Successful IR programs enable teams to collaborate closely and handle incidents together more swiftly, whether responders are working from an on-site SOC or remotely. Important point to make. Especially working remotely collaboratively.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:33:17 PM
Root cause
Taking the shortest path to closing cases and avoiding asking questions about root causes Obviously root cause is critical to be identified to avoid repetition.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:29:26 PM
Priorities
Alert prioritization and triage are important components of managing analytics workloads Really good point. Priorities are important but you can not leave low priorities forgotten, they will come back and bite you.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:26:59 PM
Assets
Failing to tackle things like asset inventories or data classification and management leads to a lot of mistakes Exactly. If you do not know your assets how could you protect them?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:25:08 PM
Automations
Automation can make a big difference in the efficacy and efficiency of an IR program This is really important. Not everything can be done manually and be effective.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:23:06 PM
Test
Failing to Test the Plan Another important point. Plan not tested will put you at risk.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:20:53 PM
Re: Message Matters More Than Timing
Plenty of breached companies make things worse by getting the timing right and the message completely wrong. That is true. It becomes a PR nightmare after that.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:19:46 PM
Re: Message Matters More Than Timing
The timing is often dictated by disclosure requirements, and when it's not, it's only relevant in the context of maintaining trust and reputation. This makes sense. Truth will eventually come out.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/28/2020 | 8:17:58 PM
No IR
No IR Plan in Place I think this is what gets most companies. They do not know what to do when there is an incident without a plan.
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
GDPR Enforcement Loosens Amid Pandemic
Seth Rosenblatt, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4306
PUBLISHED: 2020-05-29
IBM Planning Analytics Local 2.0.0 through 2.0.9 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 17...
CVE-2020-4352
PUBLISHED: 2020-05-29
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when running in restricted mode. IBM X-Force ID: 178427.
CVE-2020-4490
PUBLISHED: 2020-05-29
IBM Business Automation Workflow 18 and 19, and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site. IBM X-Force ID: 18...
CVE-2020-5572
PUBLISHED: 2020-05-29
Android App 'Mailwise for Android' 1.0.0 to 1.0.1 allows an attacker to obtain credential information registered in the product via unspecified vectors.
CVE-2020-5573
PUBLISHED: 2020-05-29
Android App 'kintone mobile for Android' 1.0.0 to 2.5 allows an attacker to obtain credential information registered in the product via unspecified vectors.