With the Christmas holidays upon us, some are winding down their projects and all are looking for a well-deserved break. Those of us in information security still wonder, “What surprises will the new year bring?” This year has brought yet another deluge of unprecedented breaches that have sent even the most prepared professionals scrambling to create better incident response plans, dutifully reporting to law enforcement and cringing at the thought of the tedious clean-up process. Sound familiar? Can we be better prepared next time?
A traditional time for reflection is upon us. What could we have done differently? My proposal is to solve the unfamiliar with lessons from the familiar. Using an analogous situation can help us in unexpected ways. It is no secret that this technique has worked before. In the 1950s, Charles Lazarus took it upon himself to reinvent the way he sold toys. His slogan became “Give the Customer what they want,” when Toys “R” Us® was established. The concept of more choices and better delivery came, he says, from the grocery store model.
Take a look at the steps in the process of incident handling and what pieces are essential to everything being handled smoothly. After all, there is no better testament to info security prowess than when an incident is well-handled. That is “what the customer wants” to put it another way. Simple is best. It has been proven that people cannot follow complicated, drawn-out instructions. In an emergency or at the time of an incident, this is even more obvious. Keep it to three main points: 1) People, 2) Contact Information and 3) A Plan.
Lazarus used words like “seasonal” and “in stock” toys for his goal setting, but his stores also included baby furniture originally. With the steps of incident handling in mind, create goals using words like “timely”, “coordinated”, and “effective”. They all have a proper place in the goal setting. “This is how we do it now” seldom works because of unusual time constraints during an incident. Leave out the “baby furniture.” It doesn’t fit. Using analogies usually means the coordinator will rely on their arsenal of experiences and outcomes. This can be dangerous. It is similar to when one tastes a familiar food and the memories overshadow “how good” the food really is. It is critical to determine if the analogy closely matches the desired outcome. It is important to have an independent perspective on the choices before finalizing them.
Just as Charles knew his customers (the everyday shopper), the security incident coordinator needs to know the customers. Who are the people who must be involved, notified, trained and otherwise included in the response plan? Your first instinct is that it should be the same people involved in the process on a daily basis. That is a good start. (Charles’ first instinct was he needed baby furniture.) In a real incident, you may not have the luxury of using the same people who normally perform the function. That is why a “plan” is so important. It spells out who is the “primary” and who is the “backup” contact. In some cases it may be some firm outside of the company.
Contact information is critical. Charles Lazarus used traditional methods of contacting people. This is an excellent model. If you use mobile numbers to contact people, don’t record just their office numbers. It is often recommended that home phone numbers be recorded as well, in the event wireless networks are down. The strategy for some disaster plans includes alternatives if there is no cell phone usage. We know cell phones were inoperable during the disaster at the World Trade Center in New York City on September 11th. Plan for it. Identifying primary and backup numbers is the best approach.
Preparation is the key step in getting good use of your plans. You must know when an incident occurs, be able to identify “what” has happened, assess how to contain it, be able to eradicate it and then recover from it. There are a variety of services that “advertise” when an incident has occurred. There are also firms who make “vulnerabilities” known, often before anyone takes advantage of the “exposure”. A plan can identify the sources of “good” information, which helps in addition to regular monitoring. Like Lazarus, who created a “demand” for more toys and a variety of toys, you can create a demand for good plans. Demonstrate that the plans work through testing and you can give the customer “what they want”: safe, secure, recoverable information. Now you can have a happy holiday with that thought! Happy New Year, 2015.