Be Prepared
You should be familiar with the phrase, “Be Prepared.” It’s been used by millions of Boy & Girl Scouts around the world since 1907 [1]. Boy and girl scouts are trained to be in a state of readiness in mind and body, so that they know the right thing to do at the right moment and are willing and able to do it.
As security professionals, shouldn’t we also “Be Prepared?” We need to have a “tool bag of knowledge” that we can open whenever an event occurs. This is a set of resources, instructions or processes that you can use when responding to a security event. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster.
One of the “security triangles” is protection, detection, & reaction. Our response to an incident is just as important as how we protect key assets and detect anomalies. An incident doesn’t have to be related to computers; it can be almost any unexpected event. Also, your response should be a process that uses available tools, techniques, and technologies to address the most common risks.
The following are basic, high-level steps that prepare you for incident response:
1. Risk Identification. No one person or organization can prepare for everything that may possibly happen. It just doesn’t make sense. We in the Midwest are not prepared for a tsunami, nor should we be. But we are ready for tornados, especially this time of year. You need to take the same approach in preparing your incident response. Ask yourself, “What’s the worst that can happen?” What threats are most likely to occur and have the greatest impact? Identifying the greatest risks will help you prepare an incident response plan that covers the most likely events.
2. Get support. You cannot possibly know or do everything. You need to have a support group ready to help when the time comes. The group you will need depends on the threats and the incidents identified in step 1.
3. Practice. The only way to get good at something is to just do it. Realistically, this isn’t always possible when responding to an incident. At the very least, you should conduct a paper exercise where you and your support team discuss the incident and your response. As you practice, document what you do, what works and what doesn’t work.
Note: these steps are not computer specific. They will work for any type of incident: technical or not; business or personal. In researching this topic, I searched on “incident response steps.” It’s interesting that the top results all have to do with Computer Security. Incident response is not and should not be unique to computers. The basic, high-level preparation steps are the same, whether you’re responding to a shooting or a computer intruder.
Louis Pasteur said, “Chance favors a prepared mind.” Improve your chances of success by being prepared. You can join a discussion of Incident Response on the Security Catalyst forums: http://community.securitycatalyst.com/forums/index.php/topic,366.0.html. Let us know how you prepare.
By helping each other, we all become stronger.
Posted in Information Protection

www.andrewhay.ca » Suggested Blog Reading - Thursday April 26th, 2007 said,
April 26, 2007 @ 8:51 am
[...] Be Prepared - Just as you’re always prepared for Ninjas to spring into attack… so should you be prepared for security problems. As security professionals, shouldn’t we also “Be Prepared?” We need to have a “tool bag of knowledge” that we can open whenever an event occurs. This is a set of resources, instructions or processes that you can use when responding to a security event. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster. [...]