Were there a computer incident Hall of Fame, you could probably imagine strolling the halls and browsing through exhibits of history's most dynamic electronic viruses and worms - the villains whose names have sent shivers down the spine of any security expert equipped with a decent memory: The Morris Worm, Melissa, Nimda, Code Red, LoveLetter, Klez and, of course, the most recent inductee, SQL Slammer. You might also see some of the more notorious service outages, hacker penetrations, denials of service, malicious e-mail and Internet attacks on display. All have caused varying degrees of chaos, and some have even stopped businesses in their tracks, crippling productivity and costing millions of dollars in lost commerce.
And yet all could have been tamed. Had someone the foresight to put an incident response plan in place, those viruses and worms and outages and attacks might not be so infamous today.
Of course, such a place doesn't really exist, but the threat of cyber-attacks does. And it's growing every day, due in part to the widespread use of e-mail and the Internet. According to statistics from Carnegie Mellon's CERT Coordination Centre (CERT/CC), the number of reported cyberincidents has surged from only six in 1988 to a whopping 82,000 in 2002. Despite the rising threat, however, CERT/CC finds that most CIOs and CSOs don't even think about their response to an incident until after they've experienced an intrusion of some sort, says Chad Dougherty, an Internet security analyst at CERT/CC. "That's because most companies feel relatively safe. They believe that the hackers won't target them, specifically," he says.
But they'd be wrong, says Dougherty. The majority of computer incidents are no longer focused on a particular company. "Most attacks now are automated," he says. "They spread with the intent to damage everyone and everything they can."
Clearly, it's time for CIOs and security execs to come to terms with the need for response planning. "For a long time, incident response meant having a loose team of people on call if something went wrong," says Gene Fredriksen, vice president of information security at Raymond James Financial. "Then companies started getting hit regularly, and I think [people] are finally beginning to realise that incident response is not optional."
Not optional, but also not easy. Even a well-prepared CIO knows that an incident response plan can't keep his or her company completely safe from attack - even with the latest tools for intrusion detection. "There's just no such thing as zero risk," says Leslie Macartney, CISO for Reuters. "And you can't always predict the number, nature or severity of the attacks. But incident response plans are necessary because, in short, no matter how much you try, things will occasionally go wrong. Your company is at its greatest exposure in the time between when an incident occurs and when the containment actions are completed - that's when most of the damage occurs."
And it's not just an internal matter, says Macartney. "Customer confidence can be damaged if it appears the company has been remiss in its handling of security events. The company's reputation could be at stake."
But you can't protect everything completely, so you must prioritise, Macartney adds. By creating a specific strategy that states what to prioritise and how to react if an incident does happen - and by making your security organisation capable of detecting, analysing, and responding quickly and knowledgeably to an event - you can limit the damage done and lower the costs of recovery. And then, by knowing who to call and what to do next, you can decrease the amount of time it takes to recover and possibly save you and your staff from additional disasters along the way.
"The organisations that don't know how to respond to incidents are the ones that will really get hurt," says Kevin Connell, director of information security for the shared data centre of the Securities Industry Automation Corporation, which runs the computer systems and communications networks of the New York and American stock exchanges. "And while it's hard to protect against something you can't predict, it's not so hard to react decisively in crisis situations once you have a plan in place and a procedure to follow."
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.