08-21-12 | Blog Post
The National Institute of Science and Technology (NIST) has released a Computer Security Incident Handling Guide that gives a thorough overview of how to detect, analyze and isolate an incident (data breach, loss, unauthorized access or otherwise); response and notification policies; what resources to have prepared; and more. They even provide several real-life scenarios with questions that, if you’ve experienced a similar event, you should be asking yourself and your organization or incident response team.
Since the 70-page document will likely take some time to get through, they provide a handy summary of each section and key issues that any organization concerned with security and disaster-preparedness should take into account. Here, I recount just a few examples of the NIST recommendations for handling incidents:
Tools and Resources
Prepare for an incident in advance by having the following on hand: contact lists, encryption software, network diagrams, backup devices, digital forensic software and port lists.
Prevention with Security
Securing networks, systems and applications can prevent an incident. Periodic risk assessments, reducing known risks, and staff training on security policy awareness are all ways an organization can cut down on incident risk.
Security Software
Using intrusion detection and prevention systems, antivirus software, file integrity monitoring and daily log review can help identify potential incidents with alerts. Using several of these, if not all, provides layers of security, with each approach detecting different types of data and system breaches. Logging of operating systems, services and applications can also help after an incident to identify which accounts were accessed and what actions were performed. A log retention policy is also key to keeping older logs available that may reveal previous patterns of attack.
Profile Networks and Systems
NIST recommends measuring expected characteristics and activity levels of networks and systems for easier detection when deviations from the norm occur. Easier detection allows faster escalation of issues to administrators in the event of an incident.
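One way to turn such a profile into a check, as an added example that is not taken from the NIST guide or the original post: it builds a baseline from a constructed series of hourly outbound-connection counts and flags observations that leave it. The median/MAD scoring, the 3.5 threshold and all sample values are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample data: outbound connections per hour from one server
# during a profiling window (hypothetical values, not real telemetry).
BASELINE = [112, 98, 105, 120, 101, 97, 110, 108, 115, 103, 99, 107, 111, 104]

# Constructed observations from a later day: (hour label, connection count).
OBSERVED = [("09:00", 109), ("10:00", 118), ("11:00", 463), ("12:00", 4)]


def build_profile(samples):
    """Summarise normal activity as a median plus a MAD-based spread."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    # 1.4826 scales the MAD so it is comparable to a standard deviation;
    # the floor of 1.0 avoids division by zero on a perfectly flat baseline.
    return {"median": med, "spread": max(1.4826 * mad, 1.0)}


def score(profile, value):
    """Signed distance from the expected level, in units of the spread."""
    return (value - profile["median"]) / profile["spread"]


def find_deviations(profile, observations, threshold=3.5):
    """Return (label, value, score) for observations outside the profile."""
    flagged = []
    for label, value in observations:
        s = score(profile, value)
        # Both directions matter: a spike may indicate exfiltration or
        # scanning, a sudden drop may mean a service or a log source died.
        if abs(s) >= threshold:
            flagged.append((label, value, round(s, 1)))
    return flagged


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("profile:", profile)
    for label, value, s in find_deviations(profile, OBSERVED):
        print(f"escalate {label}: {value} connections (score {s})")
```

A median-based profile is used here because a single abnormal hour inside the profiling window shifts it far less than it would shift a mean and standard deviation.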
Incident Documentation
Start recording information as soon as an incident is suspected, and make the record thorough and timestamped. Aside from providing a more efficient and systematic remediation process, this can also help with any resulting litigation in court.
Safeguard Incident Data
Ensure that any sensitive information about vulnerabilities, security breaches and user activity has limited access, both logically and physically. Strong access controls, monitoring and alarm systems, dual-factor authentication, and more can keep data safe. Read more about data center security.
Lessons Learned
Last on their list, NIST recommends holding ‘lessons learned’ meetings after any major incident in order to make a plan to improve security measures and even the incident handling process itself.
Incident handling shouldn’t be an afterthought for anyone who is concerned with security or needs to meet HIPAA or PCI compliance. If you outsource your hosting services to a managed hosting provider, ask them about their incident response and breach notification policies.
HIPAA hosting providers need to have a clause about breach notification in their Business Associate Agreements (BAA), and PCI hosting providers must implement an incident response plan, as required by standard 12.9, that states they also have to be prepared to respond immediately to a system breach.
Read more about NIST’s recommendations on other aspects of incident handling in their Computer Security Incident Handling Guide. Or, read more about security and data center standards for both HIPAA compliant hosting and PCI compliant hosting with our HIPAA white paper, and PCI white paper.