We can learn important lessons from cyber security crises, even those that are not really happening and are more fiction than reality.
We often hear the saying that societies do not deal with problems until they become a crisis. Unfortunately, this is often the case in information security, even though it could be avoided. As security practitioners, we cannot solve the ills of all of society. However, we can avoid many of these crises by learning to distinguish real security crises from fabricated ones and by learning from each crisis we experience.
In this spirit, I have summarized 20 questions to consider when facing a real enterprise network security crisis.
1. What is the real threat? No matter what you hear in a given situation, you need to understand what threat you are actually dealing with. Guesswork and exaggerated speculation are useless. Instead, you need an objective understanding of the risk the threat poses to the organization.
2. How exposed is the organization to this threat? Once you understand the real threat, you can assess the organization's exposure to it. This step is essential, because it makes the organization fully aware of the seriousness and danger of the situation.
3. What risk does this threat pose to the organization? Once you know how exposed the organization is to the threat, you can assess the risk the organization faces. Through this step you can begin to understand how seriously the threat must be taken and how actively it must be addressed.
4. Is the hype around this threat justified? It is important to separate fact from fiction. If the facts support some degree of hype around a particular threat, then that hype may stand. However, if the facts differ markedly from the stories being told, then the fiction needs to be dispelled.
5. Does the hype around the threat translate into real risk for the organization? If the risk is real, then it is time to respond appropriately, including communicating effectively with the right stakeholders.
6. When did we first become aware of this problem? Did we only just learn of it, or have we known about it for some time? This difference is critical. If you knew the organization faced significant risk and did not respond to it or escalate it appropriately, that is a serious security failure.
7. Why was this crisis not dealt with earlier? If there is a reason, it can be addressed as part of continuous process improvement. If there is no reason, it is important to find out why.
8. Could we have avoided this problem beforehand? In many cases a problem can be avoided if risk assessment is conducted more proactively or the attack surface is significantly reduced. Of course, this is not always the case, but it is worth asking the question.
9. Why did we fail to avoid this problem? Once we know how the problem could have been avoided, we need to ask why that was not achieved.
10. Has this problem caused any damage to the organization? This is, of course, a typical question. If there is no damage, you need to remediate the risk promptly, learn from the mistakes, and be grateful. If damage has occurred, you still need to remediate the risk promptly and learn from the mistakes, and of course respond to the incident.
11. What steps are needed to fix the problem? If a response and a fix are required, the first step is to determine the steps needed to carry them out correctly. Take some time to think the problem through and make sure the measures taken cover all the bases, so that you save time while achieving a better-quality result.
12. What lessons have we learned from this problem? After dealing with any problem, we need to extract and learn lessons from it. This helps the security organization improve and eventually mature.
13. Can we apply these lessons to avoid similar situations in the future? Obviously, crisis mode should be the last resort. If you can apply the lessons learned, you will be able to avoid making the same mistakes again.
14. What other potential crises might we encounter? The post-crisis period is a good time to think outside the box and do some analysis. Understanding other potential crises you might face helps you mitigate those risks in advance and improve the organization's security.
15. What else can we do to avoid future problems? After the crisis, you may have completed the fix, strengthened controls, or improved monitoring, but what else can you do to avoid the same or a similar situation in the future?
16. How do we ensure that our remediation measures are effective? Your plan may exist only on paper. To make remediation effective, you need to map the technologies and applications affected by the problem and then conduct a comprehensive check to determine whether the planned remediation can achieve the desired goal.
17. Have we confirmed that the remediation is effective? If you have completed the fix, has it been tested to confirm that it is effective? If not, similar problems may still occur in the future.
18. What steps have we taken to avoid similar situations in the future? Whatever remediation you have applied and whatever lessons you have learned from your mistakes, you need to make sure that the improvements you make are durable rather than one-off.
19. Have we accurately and effectively communicated our actions to management and senior leadership? Whether you have weathered a real crisis, handled an incident properly, or improved the security organization, your actions need to be documented and communicated to management and senior leadership. This helps build the organization's confidence in the security team's capabilities and avoids excessive "aftershocks" when the next problem arises.
20. Have we taken measures to avoid possible future damage? Finally, everything depends on whether you have taken measures to avoid or minimize possible future damage. This may be the hardest question to answer, but it may also be the most important one.