Security incident management: problems and their solutions

As a rule, the companies are exposed to damage as a result of incidents because of a weak dokumentirovannost and a delay with carrying out (or even absence) such main actions as:

• detection and registration of incidents with determination of contractors, responsible for them;
• developments of effective solutions, working off of incidents and elimination of their effects;
• analysis and elimination of the reasons of incidents;
• conducting scheduled maintenance with personnel and in IT infrastructure.

Let's add also lack of authentic statistics of incidents, knowledge bases on standard and most effective solutions, convenient and reliable specialized mechanisms of interaction of personnel during the work with incidents, criteria and mechanisms of efficiency evaluation and planning of activity of responsible specialists, costs for the held events and personnel.^[1]

For credit institutions observance of standards of security passes from discharge of insistently necessary, recommendatory in discharge. Loss of customer confidence, information leak, blasting a goodwill are fraught for them not only with a stop, but also business loss. Only in the USA for 2009 according to ITRC there were more than 356 cases of information leak, from which damage exceeded 1.8 bln. dollars, Russia on number of the known information leaks takes the third place in the world.

The financial sector, following requirements of regulators, is guided in the activity by requirements of the following domestic and international (or their national versions) information security standards: PCI DSS, ISO 27001, ISO 27002 (GOST 17799), NIST 800-61, ISO (GOST) 18044, service station of BR IBBS and also FZ-152. Fulfillment of requirements of the cybersecurity standards in general allows to avoid sanctions from regulators, considerably reduces costs of the company for providing and maintenance of cybersecurity, minimizes risks of loss of a goodwill, strengthens image of the company, allows to cooperate effectively with the international companies, to build interaction between divisions of the company, facilitates audit processes, increases loyalty and customer confidence.

The solution of the listed problems and decrease in damage of the company as a result of an incident and also fulfillment of requirements of regulators requires creation of the adapted Incident Management process.

According to requirements of the standards of management of cybersecurity mentioned above, process of Incident Management should contain the following main subprocesses:

• Detection of incidents using different sources.
• Classification of an incident for determination of parameters of its creation and purpose of tasks.
• Correlation of an incident with the existing registered incidents, with the unregistered messages in detection sources.
• Response to an incident, taking measures to elimination of an incident and its effects.
• The analysis of an incident on the available data, determination of origins of an incident.
• Planning of actions for the purpose of prevention of emergence of an incident further.

The system implementing such process should provide:

• Collection of information from users on different communication channels.
• Automatic collecting in real time events from program and hardware devices.
• The analysis of the arriving events and automatic registration of incidents.
• Correlation of an incident (search of interrelations in already created incidents).
• Classification of an incident (class, priority, object).
• Support of the relevant staff list.
• Purpose of an incident to a certain minimum support line capable to solve an incident (thereby unloading expert lines).
• The notification of contractors about emergence and purpose of an incident.
• Installation of the fixed terms on the solution of an incident (according to a priority) and its separate tasks.
• Possibility of escalation of the solution of an incident.
• Connection of plans of the emergency reaction with in advance regulated list of actions.
• Possibility of purpose of separate tasks within the incident on individual employees or groups.
• The notification of heads in case of violation of terms of accomplishment of tasks by employees
• Accounting of the made changes in information systems during the solution of incidents.
• The notification of the user about the course of the solution of an incident on its address.
• Integrity of processes of an incident in order to avoid concealment of the fact of an incident.
• Planning of measures in order to avoid repeated emergence of similar incidents.
• Automatic notification of heads and interested persons on emergence of an incident and its solution.
• Formation of statistics on standard solutions of similar incidents.
• Creation of detailed reports on a system an incident-menedzhenta for efficiency evaluation of its work and the analysis of KPI of individual employees and division of cybersecurity in general.

The separate SIEM and Service Desk solutions which are traditionally used for incident management even in total allow to solve only an insignificant part from the listed tasks.

Signs of that your company in risk group of date leak

The problem of information security is relevant more than ever now. According to the report of IBM, 48% of security risks are connected with activity of insiders. At the same time some companies still stay in confidence that their this disturbing statistics will not concern. Often such opinion is wrong therefore the analytical center Falcongaze prepared the list of signs that the company should attend to a question of protection against date leaks.

Lack of corporate security policy

Potential threat for confidential data is the lack of corporate security policy and the mode of a trade secret. The policy will allow all employees to understand accurately the principles and actions ensuring information security in the organization, and the mode of a trade secret will provide functioning of this policy in the legal framework. Creation of the worked security policy is a transition from the words which hung up in air to the documented rules and the principles.

High staff rotation and reductions

Due to the long crisis phenomena recently staff rotation increased in the companies. Other problem for the same reason — mass reductions. Probability of date leak increases in such conditions many times. The workers dissatisfied with dismissal can carry away with themselves confidential information and in general the routine of the personnel negatively develops on motivation of employees. The companies solve this problem by different methods. First, this special attention to the leaving and demoted employees — control of their activity in workplaces using specialized software, such as SecureTower. Secondly, explanatory works with personnel. It is important to remind the worker of the signed nondisclosure agreement of a trade secret and also of responsibility which he will bear in case of violation of obligations and disclosure of confidential information. The employee familiar with all possible effects of violation, will hardly decide on it.

Messengers, e-mail, social networks

Modern technologies dictate new behavior models of workers during the working day. The increasing part of working communication is the share of messengers and social networks, and employees whose direct activity is not connected with online Wednesday, it is possible to count on fingers. If 10 years ago work on the Internet was a prerogative of people in the majority grounded, and opportunities of leaks in it was 10 times less, then now threats in online space became much more sophisticated, and workers — less and less to them prepared. Besides, mail and messengers are one of the main channels of date leaks therefore to leave them uncontrollable — it is all the same what to leave unguarded the machine with the included ignition.

Business trips and business trips

Existence in the company of the employees spending much time at business meetings with clients and partners and often going to business trips also is risk factor. Workers quite often take in business trips corporate notebooks for holding the presentations and use in other working purposes. Quite often such trips are wrapped in information leaks with serious effects. It is important to control activity of the employees who are outside the company by means of the specialized software working in a standalone mode. In the presence of such software throughout all business trip information on all of action of the employee is located on the notebook in reserve storage. At connection of the notebook to network the security officer of the company has an opportunity to receive full data on whether corporate security policy was broken – for example if the employee on a trip sent confidential documents to the USB carrier, and it is forbidden by policy.

Uncontrollable document flow

It is very important to limit access to certain information for employees whose direct work with it is not connected and to control document flow in the company, stopping hit of a confidential information "not in those hands". Often heads do not think how valuable can be these or those data while all have access to them. Having decided on the list of really important and sensitive information and having differentiated access rights, it is necessary to introduce the regime of a trade secret is the only efficient way to provide confidentiality and, if something happens, to punish guilty persons.

In addition to above-mentioned, there are also other signs that protection against information leaks should pay special attention. However if during reading any of points you remembered the company, then you the best time to take measures to information security support — now is unambiguous in risk group, and.

Security against the background of convergence of personal and working accounts of users

The Gemalto company in December, 2016 published results of the Authentication and Identity Management Index index according to which 90% of corporate IT specialists express certain concerns on the fact that use by employees of the personal credentials for the working purposes is capable to lead to security compromise. However considering that two thirds of respondents (68%) have no objections against employees in their companies used the personal accounts from social networks for access to corporate resources, in the research Gemalto comes to a conclusion that the greatest reason for concern for the organizations is use by employees of personal applications (for example, e-mail).

Convergence of personal and working accounts

The corporate and consumer worlds become closer to each other, and the edge between them is gradually erased, at the same time departments of IT security in corporations are even more often forced to implement the same methods of authentication which are usually used in consumer services, including scanning of fingerprints or recognition of a retina. Six of ten respondents (62%) reported about it, at the same time the same number (63%) considers that security methods developed for consumers provide the protection level, sufficient for corporations. Actually more than a half of respondents (52%) considers that within the next three years these methods will become completely indiscernible.

The impact of date leaks in the consumer sphere on security of the enterprises

Plunder of personal data makes 64% of all date leaks recorded in ^[2] at the same time the number of leaks continues to grow in consumer services therefore it is necessary to change security policies regarding access control nearly 9 of everyone ten (89%) corporations. Approximately at a half of the enterprises (49%) additional training of employees is provided that it is designed to reduce concern of the guide to an occasion of security, 47% increased the expenses on security, and 44% selected additional resources.

The approach to implementation of authentication and access control used by the enterprises is influenced in many respects by expectations of employees concerning practicality, usability and mobility of services. About a half of respondents reported that their enterprises increase resources and expenses on access control. Also the number of implementations of the corresponding systems increases: 62% assume to implement solutions for strict authentication within the next two years that is 51% more than number of the respondents who expressed the similar intention in a last year's research, at the same time about 40% of respondents expressed the intention to implement in the closest two years of Intel Cloud SSO or IDaaS.

From the point of view of the enterprises of advantage are obvious, at the same time more than nine of ten respondents (94%) use two-factor authentication for protection of at least one application, and almost all respondents (96%) are going to use this technology at some point in the future.

Security of mobile solutions still causes concerns

As more and more enterprises begin to use mobile technologies, there are also all new tasks connected with need to protect corporate resources, but at the same time and to provide additional flexibility for employees who work not at office. Despite increase in number of the enterprises permitting to the employees to work in the mobile mode, about a third (35%) of the organizations completely blocked to the employees access from mobile devices to corporate resources, and 9 of 10 (91%) partially limit to the employees such access. At the same time respondents from a half of the companies (50%) confirm that security is for them one of the main concerns at implementation of mobile technologies in a working environment.

For protection against the threats connected with implementation of mobile technologies, the enterprises still most often rely on a linking of user names and passwords - on average about two thirds of users in the organizations of respondents resort to such method of authentication. At the same time, now about 37% of users in the organizations of respondents it is necessary to apply two-factor authentication to access to corporate resources from mobile devices. However respondents consider that, as well as in a case with access to resources in office, within two next years this number will increase more than to a half (56%).

See Also:

• Mobile Device Management (MDM)
• Mobile Device Management (MDM) Mobile device management of Enterprise Mobility Management (EMM)
• Cybersecurity - Authentication

"It is obvious that current consumer trends have a huge impact on corporate security – here appropriate to remember the most different aspects, since problems of use of the same accounts by different employees, and finishing with practical approaches to authentication, - François Lasnier, the senior vice president for technologies of protection of accounts in Gemalto says. – At the same time it is important to companies to make sure that their data will not be compromised as a result of bad personal habits of their employees. For us it is very pleasant to see increase in number of implementations of two-factor methods of authentication and increase in level of consciousness concerning management of cloud access as it is the most effective solutions allowing the companies to secure cloud resources and to protect itself from internal and external threats. For heads of IT departments it is important still to continue to raise questions of security on the agenda at the level of board of the company, consistently trying to obtain that the information security was a priority for all staff of the organization".

Methods of solution of the problem of unauthorized access in the organizations

• Leaving of user authentication by the password for each user and for each system. It is necessary to replace it with authentication on a token or the card. For example, if the user makes a business trip, then it is possible to use the one-time passwords transferred by the SMS.

According to a research of Trustwave company, 80% of incidents in the field of information security take place in a consequence of use of unreliable passwords. The global report on security of Trustwave company of 2012 is devoted to vulnerable elements in information security of the company. Authors of the report investigated more than 300 incidents in 18 countries which happened in 2011. The report focuses attention on the continuing growth of cyber attacks and also to increase in number of malefactors in the field of information security. The majority of incidents arises in the investigation of organizational and administrative problems. During the research it was revealed that 76% of cases of violations happened because of vulnerability of a security system of the departments responsible for system support and development of the company. The most part of a research is devoted to a problem of use of weak passwords. According to specialists of Trustwave, 80% of incidents take place in the investigation of weak passwords. Weak passwords continue to remain the main weak spot used by malefactors both in large and in the small companies. Upon, use of weak and standard passwords facilitates work of hackers for penetration into information systems. Occasionally criminals do not need use of the difficult, thought-over methods for cracking. According to Trustwave company, the most used password in network is 'Password1' (parol1). In a research it is mentioned that application of standard passwords is inherent also during the work with servers, network equipment and different devices of users. The Trustwave company provides the list of the most used passwords in the research. The English word 'Password' (password) is used in 5% cases, and the word Welcome (greeting) in 1.3% of cases. It is also worth paying attention to use of seasons and dates. Also one of problems is that many devices and applications are used with the initial standard passwords often giving completeness of access rights, the study says.

• It is necessary to book audit of accounting of users how many users, when they logged in last time what their activity and to analyze all this information.
• Reduction of sources of accounts. The uniform strict list of sources of accounts for information systems is necessary.
• If the company has a regional network, then it is necessary to work is centralized, to use I will bargain authentication because differently it is impossible to control it from the center. For example, if some bank has an extensive network in regions. What we would not issue orders, people will write all the same the passwords on a piece of paper and to store at the monitor. And here it is possible to manage access for users to information systems from one place. Besides, if a system is not integrated, it is difficult to collect information on incidents. The single system it allows – it stores everything a log: who, when where came and that there made.

Main methods of protection against the insider

• Know the employee
• Accounting of storage locations and methods of processing of critical information
• Control of channels of receiving and dissemination of critical information
• Implementation of procedures on identification and suppression of the known schemes of fraud
• Assessment of possible risks at implementation of new technologies, products and services
• Increase in awareness of workers in questions cybersecurity

Systems of protection against activity of insiders

• Use of a system of protection against leak (DLP)
• Monitoring of requests of users to a DB
• Monitoring of addressing of users shared directories
• Use of systems a fraud analysis for identification of internal swindlers
• Use of management systems for access rights
• Use of control systems for work of privileged users

Means of identification of anomalies as element of identifications of internal abuses

• Anomalies in requests of the assorted user
• Anomalies of network activity
• Anomalies in work with applications
• Anomalies during the work with files, with devices of external data storage
• Anomaliiv accomplishment of business challenges