In the July edition of Be Cyber Aware at Sea, Phish and Ships along with Axis focus on incident response, explaining what it is and the importance of it, as the shipping industry is becoming more digital than ever.
Accordingly, incident response is the process of detecting security events that may have a negative impact on network resources and information assets and then having the capability to respond and recover effectively in a timely manner.
The digitalization of the shipping industry comes with the increase of cyber threats and attacks. Therefore, it is important to understand the risks arising and adopt an incident response.
It is advised to develop and exercise a Cyber Incident Response Plan CIRP.
Although the use of CIRP can be helpful, it is reported that there are some common mistakes that can hinder a business in making the most out of a CIRP.
#1 No document owner results:
Having no specific person to lead with the management of the CIRP can result in a lack of accountability and diffusion of responsibility. This creates the perception of there’s always another priority and consequently the document is likely to become stagnant. SOLUTION: Define a specific function along with a named individual as the document owner
#2 No document approver results:
With no defined document approver/ approvers could mean there is a lack of organization-wide buy-in and the CIRP is deemed not to reflect the interests of the business. This can also lead to approval being requested during the time of an incident, which is not the time to be asking and will hinder the ability to respond timely. SOLUTION: Define a document approver or committee a group of approvers who can review and sign off the CIRP at least once a year.
#3 Lack of representation from non-technical results:
A CIRP that is heavily reliant on technical resources only is likely to struggle during major incidents. If a business falls victim to a breach of a client’s sensitive information the response will require more than just the IT / security team’s involvement which is why cross-functional buy-in, and involvement is ideal. SOLUTION: Ensure the CIRP has cross functional contribution from Legal, Media, Finance, Risk Management, Physical Security, Executive Management, Audit, Info Sec IT and Vendors. Define limitations of authority, know exactly who can do what, where, when and how.
#4 Single points of failure results:
SPF’s can occur in many forms within the categories of people, process and technology. For example, a CIRP that point to a single position which encompasses a variety of skills can easily lead to the burn out of this individual during a large incident, or if they are not able to respond due to other commitments this can leave gaps in the response. Managing and responding to an incident should be separate responsibilities, it can become problematic if a single person is responsible for both as it would extremely difficult to communicate with both technical and operational elements at the same time and both have unique roles during an incident.
Solution: Recognize the SPF and diversify the team taking a team approach to the CIRP. Define the two specific lead functions for a technical and strategic response, they should work in tandem just have a different focus. Ideally the strategic lead should be 75% political 25% technical and vice versa for the technical lead.
#5 No pre-defined severity levels results:
This can result in the CIRP having a binary response, it’s either on or off and there are no clear levels in between. So, the binary response does not enable a variation of responses based upon the different levels of severity of the incident. If there are no defined severity levels this can result in the same response for all incidents, creating fatigue and a lack of seriousness during the time of a severe incident.
Solution: Define the severity levels from 1-4 and break the levels down into symptoms not threats, threats are constantly changing so they are not effective to respond to.
Highlights
- CIRP requires cross functional input and buy-in from senior management
- A CIRP is a live document and requires an owner, approver and regular maintenance
- Must address a range of security incidents from simple malware all the way to complex breaches by detecting the signs and symptoms of an attack. The common failures discussed are not exhaustive but simply a good start point for considerations when planning.
