Vulnerabilities / Threats

3/27/2007
04:20 AM
Breach Response: No Sure Thing

Experts say they know what to do in the event of a security incident; they just don't agree on what that should be

12:20 PM -- You just have to love Slashdot. Whatever you may think of the site itself, it is a great discussion-starter, attracting everyone from jokesters to critics to the most passionate on any subject. When something you've written is posted to Slashdot, you'd better get ready to answer a lot of message board postings.

Yesterday was no exception, when a kind reader managed to Slashdot my short primer on security incident response. (See What to Do When Your Security's Breached.) That little posting has already resulted in more than 150 comments from readers, most of them security professionals. These comments were all over the map, and I'm not sure I'll ever have time to respond to them individually -- but collectively, they paint a pretty good picture of the "conventional wisdom" on incident response.

What's interesting about that wisdom is that there really isn't anything conventional about it. Even among security professionals, there's still a lot of disagreement on what to do in the event of a security breach. While many of the commenters on the story seemed absolutely certain that their responses were correct, a number of them were diametrically opposed to each other.

One group of respondents criticized the story for recommending incident response steps that were too obvious. My favorite was the guy who compared the story to advising a burned person to put ice on his wound -- and was subsequently flamed by half a dozen first-aid-savvy readers who explained that one should never put ice on a burn.

It seems to me that security incident response is a lot like that little exchange among Slashdot readers. When a breach occurs, people think they know exactly what to do (it's common sense, right?) and are subsequently faced with a raft of reasons why "common sense" might be a poor choice.

For example, several Slashdot readers objected to the notion that an IT organization might consult an incident response team before deciding how to handle a breach. "Keep the idiot suits out of it!" scowled one reader. But several readers subsequently posted responses that described positive experiences with incident response teams and said they would never do it any other way.

Similarly, there were a number of readers who advised their peers to pull the plug first on all affected systems and ask questions later. However, their postings were quickly followed by replies from other readers who said they lost critical forensic data -- and the possibility of capturing the attacker -- by pulling the plug too quickly.
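The "pull the plug" objection above is really about volatile evidence: the running processes, live network connections and memory contents of a compromised host disappear the moment power is cut, and with them the clearest pointers to the intruder. A first responder who wants both containment and evidence captures those artefacts first and isolates the box second. The script below is an added illustration of that ordering, not code from the column or the Slashdot thread. It reads Linux /proc directly rather than shelling out to ps or ss (binaries an intruder may have replaced), writes each artefact to an evidence directory, and records SHA-256 hashes in a manifest so the capture can be vouched for later. The function names and the miniature /proc tree it builds for offline runs are constructed for the example; on a real host it is pointed at the real /proc.

```python
"""Added example: capture volatile host state *before* containment (Linux).

Order of volatility: memory image (not shown; use a dedicated acquisition
tool) -> network state -> process list -> isolate the host.  Everything here
reads /proc directly, so it does not trust a possibly trojaned ps/ss binary.
Caveat: it still trusts the running kernel, so a kernel-level rootkit can
hide from it; that is why a memory image comes first in real incident work.

All names below (snapshot, demo, build_sample_proc, ...) are hypothetical and
the sample /proc contents are constructed data, not from a real host.
"""
import hashlib
import json
import os
import socket
import struct
import tempfile
import time
from pathlib import Path

# TCP socket states as numbered in /proc/net/tcp (net/tcp_states.h)
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed sample of /proc/net/tcp: sshd listening, plus an outbound
# connection from uid 1000 to an external host on 443.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B2A4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(field: str):
    """'0100007F:0016' (little-endian hex IPv4 + hex port) -> ('127.0.0.1', 22)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse the text of /proc/net/tcp into connection records (header line skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _decode_addr(f[1])
        rip, rport = _decode_addr(f[2])
        conns.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                      "state": TCP_STATES.get(int(f[3], 16), f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def list_processes(proc_root="/proc") -> list:
    """Walk /proc/<pid> and record pid, cmdline and exe target; processes that exit mid-walk are skipped."""
    procs = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        rec = {"pid": int(entry.name)}
        try:
            raw = (entry / "cmdline").read_bytes()
            rec["cmdline"] = raw.replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            rec["cmdline"] = None
        try:
            # A ' (deleted)' suffix here means the binary was removed after launch: a classic intruder habit.
            rec["exe"] = os.readlink(entry / "exe")
        except OSError:
            rec["exe"] = None
        procs.append(rec)
    procs.sort(key=lambda r: r["pid"])
    return procs


def snapshot(out_dir, proc_root="/proc") -> dict:
    """Write the volatile artefacts to out_dir and return a manifest with SHA-256 of each file."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    collected = {
        "net_tcp.json": parse_proc_net_tcp(Path(proc_root, "net", "tcp").read_text()),
        "processes.json": list_processes(proc_root),
    }
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "files": {}}
    for name, data in collected.items():
        blob = json.dumps(data, indent=1, sort_keys=True).encode()
        (out / name).write_bytes(blob)
        manifest["files"][name] = hashlib.sha256(blob).hexdigest()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def build_sample_proc(root) -> Path:
    """Construct a miniature /proc tree (sample data, not a real host) so the example runs offline."""
    root = Path(root)
    (root / "net").mkdir(parents=True, exist_ok=True)
    (root / "net" / "tcp").write_text(SAMPLE_NET_TCP)
    for pid, argv in ((1, ["/sbin/init"]), (4242, ["/tmp/.x/httpd", "-p", "31337"])):
        d = root / str(pid)
        d.mkdir(exist_ok=True)
        (d / "cmdline").write_bytes("\0".join(argv).encode() + b"\0")
    return root


def demo(proc_root=None) -> dict:
    """Run the capture against a real /proc (if given) or the constructed sample tree."""
    work = Path(tempfile.mkdtemp(prefix="ir-volatile-"))
    if proc_root is None:
        proc_root = build_sample_proc(work / "proc")
    evidence = work / "evidence"
    manifest = snapshot(evidence, proc_root)
    return {"manifest": manifest, "evidence_dir": str(evidence),
            "connections": json.loads((evidence / "net_tcp.json").read_text()),
            "processes": json.loads((evidence / "processes.json").read_text())}


if __name__ == "__main__":
    result = demo("/proc" if Path("/proc/net/tcp").exists() else None)
    print(json.dumps(result["manifest"], indent=1))
```

Only after the evidence directory is written and hashed does a responder isolate the host (switch port, VLAN move, host firewall), and the manifest's timestamps and hashes are what let the capture be reconciled with the rest of the investigation later.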

And in many cases, reader responses exposed a cold, hard truth: No matter how hard you plan or rehearse, you might not be ready for the breach that finally hits your company. There are so many variables that it's impossible to prepare for every scenario -- but many readers who had suffered through an incident said they were happy they had at least tried.

The fact is that there aren't any pre-ordained processes that will work flawlessly in the case of any security incident. But there are some basic steps that companies can take to get themselves ready, and those are the steps that are outlined by experts in the story. They might be obvious or imperfect, but they're a good starting point. And it looks like there are some folks out there who could use them.

Now, if you'll excuse me, I'd better go. I've got some Slashdot replies to make.

— Tim Wilson, Site Editor, Dark Reading
