How Do You Recover From a Security Breach? Know How to Respond - Even Before it Happens
Recently, Republic Bank of Fort Lauderdale found itself at the center of a public relations nightmare: a hacker breached the bank's security countermeasures and stole the personal data of 3,600 online-banking customers. The bank discovered the incident only when the intruder told it what had happened, and it did not notify its customers until a few weeks later.
As a result of the incident, the bank's officials have hired a team of security consultants to review its systems.
Yet while the bank can repair its computer systems' vulnerabilities, the damage done to customer trust and shareholder confidence is not so easily fixed.
RedSiren Chief Security Officer L. Dain Gary said this brings to light a critical but often overlooked point.
"The majority of the work that goes into recovering from an incident must be accomplished before the incident occurs," he said.
This means establishing an incident response plan that includes procedures for backing up information; pre-assigned managerial and staff responsibilities; policies for handling legal issues and the news media; and plans for recovering your corporate infrastructure.
"The key is, the incident response plan needs to incorporate ALL aspects of your business, not just your computer system," said Gary. "For instance, the actions your legal counsel and marketing and public relations staffs take need to be addressed as well."
Retrofitting a security program into a production environment post-incident is the least effective and most expensive option available.
"I call it the 20/80 rule. If, up front, you spend only 20 percent on your security program, you'll be paying 80 percent on the back-end to try to recover your systems should a breach occur," said RedSiren Director of Mid-Tier Professional Services Matt Miller. "Conversely, if you spend 80 percent up front, recovering from an incident will be a lot more effective and a lot less costly."
For customer-facing institutions like Republic Bank, the incident response plan must establish a process for how, and when, customers are notified. Beyond whatever notification deadlines your regulators impose, there is no "rule of thumb" for this process.
"It is up to each company to decide the best way to notify customers," said Miller. "Obviously, the sooner the better. The longer you wait, the worse you'll look. You want to make sure customers have the opportunity to cancel or change their account information, such as credit cards, if they wish."
The first call companies should make is to the department that handles public affairs, so that the communications team can launch its crisis communications plan and control what is released to the press. When discussing the issue with the public, whether customers or the media, state not just the problem but also the solution.
"Make sure that an experienced public relations professional is part of your response team," said Gary. "And establish that person as the sole media contact. Your technical staff should not be handling media inquiries."
It goes without saying that the vulnerability should be fixed, or at the very least contained, before you address the public or inform your customers; announcing a hole that is still open invites further attacks.
Risk Assessments and Defense-in-Depth Security
Conducting a security assessment that includes risk and vulnerability analysis is the most effective way to uncover any existing vulnerabilities - physical or IT-oriented. In addition, a risk analysis can determine the level of security that's appropriate for your organization by identifying key business processes and the resources that support the process flow. A vulnerability analysis will examine your existing security infrastructure, rate the potential for a breach or other intrusion, and recommend steps for mitigating those risks.
When deciding upon your security infrastructure, RedSiren recommends a defense-in-depth approach to IT security: a system of layers that puts a series of obstacles between an intruder and unauthorized access, so that no single control has to be perfect.
For instance, you may have installed firewalls on your network perimeter. However, if an attacker successfully breaches that firewall, they gain entry to your network. Host- and network-based intrusion detection systems add another "layer" by alerting your staff as soon as suspicious activity appears. IDS, in essence, is a safety net that identifies anything that sneaks past the firewall. To be effective, it must be monitored 24x7x365; an alert nobody reads is not a layer. A Managed Security Services Provider (MSSP) like RedSiren can provide this monitoring for you and free your existing staff to work on other priorities.
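To make the IDS "layer" concrete, here is an added example (it is not RedSiren's code or any product described on this page) of the two things an intrusion detection system does behind the firewall: match known attack signatures in request content, and alert on abnormal behaviour such as a burst of failed logins. It runs over a few constructed web-server access-log lines; the IP addresses, paths, thresholds and rule names are assumptions made for the demonstration. Note that the signatures are matched after percent-decoding the request path, because a check on the raw request would miss `%2e%2e%2f`, the encoded form of `../`.

```python
"""Minimal host-based intrusion detection over web server access logs.

Added illustration, not RedSiren's code: signature matching on request
content plus threshold alerting on behaviour, the two detection styles an
IDS layers behind a perimeter firewall. Engines such as Snort, Suricata or
OSSEC do the same work with far larger rule sets.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache/nginx "combined" format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are applied to the percent-decoded, lower-cased path so that
# trivial encoding (%2e%2e%2f, %27) does not slip past them.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*(or|and)\b|union\s+select"),
}

# Threshold rule: N failed logins from one source inside the window (assumed values).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(seconds=60)

# Constructed sample log: one benign request, one traversal attempt, one
# SQL-injection probe, and five failed logins from a single address.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Mar/2002:14:22:01 -0500] "GET /accounts/summary HTTP/1.1" 200 5120
198.51.100.23 - - [10/Mar/2002:14:22:03 -0500] "GET /statements?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
198.51.100.23 - - [10/Mar/2002:14:22:05 -0500] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 88
203.0.113.9 - - [10/Mar/2002:14:23:00 -0500] "POST /login HTTP/1.1" 401 120
203.0.113.9 - - [10/Mar/2002:14:23:01 -0500] "POST /login HTTP/1.1" 401 120
203.0.113.9 - - [10/Mar/2002:14:23:02 -0500] "POST /login HTTP/1.1" 401 120
203.0.113.9 - - [10/Mar/2002:14:23:03 -0500] "POST /login HTTP/1.1" 401 120
203.0.113.9 - - [10/Mar/2002:14:23:04 -0500] "POST /login HTTP/1.1" 401 120
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return a list of (rule, source_ip, detail) alerts for the given log lines."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode twice: double-encoding is a common evasion of single-decode filters.
        decoded = unquote(unquote(rec["path"])).lower()
        for name, sig in SIGNATURES.items():
            if sig.search(decoded):
                alerts.append((name, rec["ip"], rec["path"]))
        if rec["method"] == "POST" and rec["path"].startswith("/login") and rec["status"] == 401:
            recent = [t for t in failures[rec["ip"]] if rec["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(rec["ts"])
            failures[rec["ip"]] = recent
            # Alert exactly once, when the threshold is first crossed.
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                detail = f"{FAILED_LOGIN_THRESHOLD} failed logins within {FAILED_LOGIN_WINDOW.seconds}s"
                alerts.append(("brute-force", rec["ip"], detail))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, ip, detail in run_sample():
        print(f"ALERT {rule:15} src={ip:15} {detail}")
```

The point of the threshold rule is that nothing in any single failed login looks malicious; only correlation over time reveals the attack, which is why the IDS has to see the whole stream rather than individual requests. The point of decoding before matching is that an attacker who knows a signature exists will obscure the payload, and a detection layer that can be bypassed with one extra encoding pass provides no depth at all.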
Public Web servers, such as those used to support e-banking applications, should be placed in a DMZ (demilitarized zone), a network segment separated from the protected internal network and kept away from corporate-critical information, so that a compromised Web server does not hand the attacker the internal network as well.
In addition, access controls must be added to limit the availability of critical or classified information. Access should be given on a need-to-know basis.
"Every access point needs to be protected," Miller said.
Most important, all of these issues need to be stated in your corporate security policy, which should address what you are protecting, how you are protecting it, from whom you are protecting it, and where you are protecting it (i.e., which servers).
Why it's so critical to report incidents - and yes, you can do so anonymously
Your incident response plan needs to address how you will communicate the incident to your customers, as well as how you will report the incident - a crucial step that many organizations dread or even ignore due to fear of exposure.
"There's a fear that reporting a breach or incident will reflect poorly on the company, or that it will affect business that relies on public trust," said Gary. "But while this attitude might help a company protect its image, it certainly doesn't help security professionals monitor attack techniques and prevent their distribution.
"Security incidents - whether the result of an intruder or a software flaw -- need to be reported so that other companies can benefit from the experience of others without having to experience the incident themselves," he said.
To further illustrate the need, consider this: more than 52,600 incidents were reported to the CERT® Coordination Center (www.cert.org) in 2001. Significant as that number is, Gary states that it represents only an estimated 25 percent of actual incidents. There is also a misconception that businesses must report every incident directly to the authorities. This is often not the case.
"CERT allows you to anonymously report an incident," said Gary. "They are interested in improving security by improving available technologies through a forensics view of the incident, i.e., what happened and how it happened, rather than in prosecuting or tracking down the intruder."
Gary also recommends that companies look into participating in their local InfraGard program (www.infragard.net), a collaborative effort between the U.S. Government (led by the FBI and the NIPC, the National Infrastructure Protection Center) and private industry, academic institutions, and state and local law enforcement agencies. The program is dedicated to sharing information to increase the security of the nation's critical infrastructures.
RedSiren suggests organizations take the following nine steps to prepare for incident response:
1. Establish policies and procedures for responding to intrusions.
2. Prepare to respond to intrusions.
3. Analyze all available information to characterize an intrusion.
4. Communicate with all parties that need to be involved.
5. Collect and protect information associated with an intrusion.
6. Apply short-term solutions to contain an intrusion.
7. Eliminate all means of intruder access.
8. Return systems to normal operation.
9. Identify and implement security lessons learned.
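Step 5, collecting and protecting information associated with an intrusion, is the one most often done badly under pressure, so here is an added example of what "protect" means in practice (this is not RedSiren's tooling, nor anything described on this page). It copies the artifacts a handler wants preserved into an evidence directory, records a SHA-256 manifest of what was collected, by whom and when, and seals the manifest with an HMAC so that later alteration of either the files or the manifest itself is detectable. The sample host files, the "ir-lead" collector name and the seal key are constructed for the demonstration; in real use the key is generated randomly and held by the incident lead, not stored beside the evidence.

```python
"""Evidence collection with integrity protection.

Added example, not RedSiren's code: preserve artifacts, hash them into a
manifest, and seal the manifest with an HMAC keyed by the incident lead so
tampering with the evidence or the manifest can be proven later.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(sources, evidence_dir, collector, seal_key):
    """Copy each source file into evidence_dir and write a sealed manifest.

    copy2 carries the original timestamps along; the hash is taken of the
    copy so the manifest describes exactly what was preserved.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)
        st = dst.stat()
        items.append({
            "name": src.name,
            "original_path": str(src),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(dst),
        })
    manifest = {
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    # The seal binds the entire manifest to a key that only the IR lead holds.
    seal = hmac.new(seal_key, body, hashlib.sha256).hexdigest()
    (evidence_dir / "MANIFEST.json").write_bytes(body)
    (evidence_dir / "MANIFEST.seal").write_text(seal)
    return manifest


def verify(evidence_dir, seal_key):
    """Return a list of problems; an empty list means the evidence is intact."""
    evidence_dir = Path(evidence_dir)
    body = (evidence_dir / "MANIFEST.json").read_bytes()
    expected = hmac.new(seal_key, body, hashlib.sha256).hexdigest()
    problems = []
    if not hmac.compare_digest(expected, (evidence_dir / "MANIFEST.seal").read_text()):
        problems.append("manifest seal mismatch: manifest edited or wrong key")
    for item in json.loads(body)["items"]:
        path = evidence_dir / item["name"]
        if not path.exists():
            problems.append(f"{item['name']}: missing")
        elif sha256_file(path) != item["sha256"]:
            problems.append(f"{item['name']}: hash mismatch")
    return problems


def demo(workdir=None):
    """Collect constructed evidence, then show that tampering is detected.

    Returns the verify() results for (intact, file edited, manifest edited).
    """
    workdir = Path(workdir or tempfile.mkdtemp())
    host = workdir / "compromised-host"  # constructed stand-in for the affected machine
    host.mkdir(parents=True, exist_ok=True)
    (host / "auth.log").write_text("Mar 10 02:11:43 web1 sshd[812]: Accepted password for root from 198.51.100.23\n")
    (host / ".bash_history").write_text("cat /etc/passwd\nuname -a\n")
    (host / "suspect.bin").write_bytes(b"\x7fELF" + b"\x00" * 60)

    key = b"ir-lead-seal-key-held-offline"  # constructed; generate randomly in real use
    evidence = workdir / "evidence"
    collect([host / "auth.log", host / ".bash_history", host / "suspect.bin"], evidence, "ir-lead", key)
    intact = verify(evidence, key)

    # Someone "cleans up" the preserved history file: the hash no longer matches.
    (evidence / ".bash_history").write_text("\n")
    file_edited = verify(evidence, key)

    # Someone rewrites the manifest to cover for it: the seal no longer matches.
    manifest_path = evidence / "MANIFEST.json"
    manifest_path.write_bytes(manifest_path.read_bytes().replace(b'"ir-lead"', b'"someone-else"'))
    manifest_edited = verify(evidence, key)
    return intact, file_edited, manifest_edited


if __name__ == "__main__":
    for label, result in zip(("intact", "file edited", "manifest edited"), demo()):
        print(f"{label}: {result or 'OK'}")
```

Hashes alone only tell you that a file changed; without the seal, whoever edits the file can edit the manifest to match. The HMAC makes the manifest itself evidence, which is what you need when the question months later is whether the logs you are presenting are the logs you collected on the night.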
RedSiren helps companies worldwide ensure business continuity through a suite of information security solutions, including managed security services, risk management consulting and security awareness training. We will work with you to develop solutions that meet your organization's specific needs and fit your business culture. Call us today at 1-877-360-7602, or visit us on the Web at www.redsiren.com