Security incidents are events that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.
In IT, a security event is anything that has significance for system hardware or software, and an incident is an event that disrupts normal operations. Security events are usually distinguished from security incidents by the degree of severity and the associated potential risk to the organization. If just one user is denied access to a requested service, for example, that may be a security event because it could indicate a compromised system. However, the access failure could also be caused by a number of things. Typically, that one event doesn't have a severe impact on the organization. However, if large numbers of users are denied access, it likely means that there's a more serious problem, such as a denial-of-service attack, so that event may be classified as a security incident. A security breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an unauthorized fashion. Unlike a security breach, a security incident doesn't necessarily mean information has been compromised, only that the information was threatened. For example, an organization that successfully thwarts a cyberattack has experienced a security incident but not a breach.

How to detect security incidents

Nearly every day there's a new headline about one high-profile data breach or another. But there are many more incidents that go unnoticed because organizations don't know how to detect them. Here are some ways enterprises can detect security incidents:
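As an added illustration of the event-versus-incident threshold described above (example code, not from the article), the following Python triages denied access requests from a constructed log: an isolated denial is recorded as a security event, while many distinct users denied inside a short window is escalated to an incident candidate, the denial-of-service pattern the text describes. The log format, the five-minute window and the ten-user threshold are assumptions.

```python
"""Event-vs-incident triage over access-denied log lines (added example)."""
from datetime import datetime, timedelta
import re

# Constructed log format (assumption): "<ISO timestamp> user=<name> result=<allow|deny>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(allow|deny)$")


def parse_denials(lines):
    """Yield (timestamp, user) for every denied request; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, result = m.groups()
        if result == "deny":
            yield datetime.fromisoformat(ts), user


def classify(lines, window=timedelta(minutes=5), user_threshold=10):
    """Return {'events': [denied users], 'incident': None or a window summary}.

    One denied user is a security event, worth a look but usually benign.
    `user_threshold` distinct users denied inside `window` is escalated, since a
    widespread access failure is the pattern of a denial-of-service attack.
    """
    denials = sorted(parse_denials(lines))
    events = sorted({user for _, user in denials})
    incident = None
    start = 0
    for end, (ts, _) in enumerate(denials):
        # Advance the window start so denials[start:end+1] spans at most `window`.
        while denials[start][0] < ts - window:
            start += 1
        users = {u for _, u in denials[start:end + 1]}
        if len(users) >= user_threshold:
            incident = {"start": denials[start][0], "end": ts, "users": len(users)}
            break
    return {"events": events, "incident": incident}


# Constructed sample: one isolated denial, one malformed line, then a burst of
# 12 distinct users denied within about a minute.
SAMPLE = [
    "2024-01-01T09:00:00 user=alice result=deny",
    "2024-01-01T09:00:05 user=alice result=allow",
    "garbage line the parser must skip",
] + [f"2024-01-01T10:{i // 10:02d}:{(i % 10) * 5:02d} user=user{i:02d} result=deny"
     for i in range(12)]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Only the burst at 10:00 is escalated; the lone 09:00 denial stays a recorded event, which is the distinction the article draws.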
Common attack vectors

An attack vector is a path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including human operators. Attack vectors include viruses, email attachments, webpages, pop-up windows, instant messages, chat rooms and deception. All of these methods involve programming -- or, in a few cases, hardware. The exception is deception, which is when a human operator is fooled into removing or weakening system defenses. Although organizations should be able to handle any incident, they should focus on handling incidents that use common attack vectors. These include the following:
Understanding the attacker's methodology and goals

Although an organization can never be sure which path an attacker will take through its network, hackers typically employ a certain methodology -- i.e., a sequence of stages to infiltrate a network and steal data. Each stage indicates a certain goal along the attacker's path. This industry-accepted methodology, dubbed the Cyber Kill Chain, was developed by Lockheed Martin Corp. According to Lockheed Martin, these are the stages of an attack:
Mitigate the risk of the 10 common security incident types

There are many types of cybersecurity incidents that could result in intrusions on an organization's network:

1. Unauthorized attempts to access systems or data

To prevent a threat actor from gaining access to systems or data using an authorized user's account, implement two-factor authentication. This requires a user to provide a second piece of identifying information in addition to a password. Additionally, encrypt sensitive corporate data at rest and as it travels over a network using suitable software or hardware technology. That way, attackers won't be able to read confidential data even if they reach it.

2. Privilege escalation attack

An attacker who has gained unauthorized access to an organization's network may then try to obtain higher-level privileges using what's known as a privilege escalation exploit. Successful privilege escalation attacks grant threat actors privileges that normal users don't have. Typically, privilege escalation occurs when the threat actor takes advantage of a bug, a configuration oversight, a programming error or any other vulnerability in an application or system to gain elevated access to protected data. This usually happens after a hacker has already compromised a network by gaining access to a low-level user account and is looking to gain higher-level privileges -- i.e., full access to an enterprise's IT systems -- either to study the environment further or to carry out an attack. To decrease the risk of privilege escalation, organizations should look for and remediate security weak spots in their IT environments on a regular basis. They should also follow the principle of least privilege -- that is, limit users' access rights to the bare minimum permissions they need to do their jobs -- and implement security monitoring. Organizations should also evaluate the risks to their sensitive data and take the necessary steps to secure that data.

3. Insider threat

This is a malicious or accidental threat to an organization's security or data, typically attributed to employees, former employees or third parties, including contractors, temporary workers or customers. To detect and prevent insider threats, implement spyware scanning programs, antivirus programs, firewalls and a rigorous data backup and archiving routine. In addition, train employees and contractors on security awareness before allowing them to access the corporate network. Implement employee monitoring software to reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.

4. Phishing attack

In a phishing attack, an attacker masquerades as a reputable entity or person in an email or other communication channel. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including extracting login credentials or account information from victims. A more targeted type of phishing attack, known as spear phishing, occurs when the attacker invests time researching the victim to pull off an even more convincing attack. Effective defense against phishing attacks starts with educating users to identify phishing messages. In addition, a gateway email filter can trap many mass-targeted phishing emails and reduce the number that reach users' inboxes.

5. Malware attack

This is a broad term for the different types of malicious software (malware) that can be installed on an enterprise's systems. Malware includes Trojans, worms, ransomware, adware, spyware and various types of viruses. Some malware is inadvertently installed when an employee clicks on an ad, visits an infected website or installs freeware or other software. Signs of malware include unusual system activity, such as a sudden loss of disk space; unusually slow speeds; repeated crashes or freezes; an increase in unwanted internet activity; and pop-up advertisements. An antivirus tool can detect and remove malware, either through real-time protection or through routine system scans.

6. Denial-of-service (DoS) attack

A threat actor launches a DoS attack to shut down an individual machine or an entire network so that it's unable to respond to service requests. DoS attacks do this by flooding the target with traffic or by sending it information that triggers a crash. An organization can typically deal with a DoS attack that crashes a server by simply rebooting the system. In addition, reconfiguring firewalls, routers and servers can block bogus traffic. Keep routers and firewalls updated with the latest security patches. Also, application front-end hardware integrated into the network can help analyze and screen data packets -- i.e., classify them as priority, regular or dangerous -- as they enter the system, and it can help block threatening data.

7. Man-in-the-middle (MitM) attack

A man-in-the-middle attack is one in which the attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In this attack, the attacker manipulates both victims to gain access to data. Examples of MitM attacks include session hijacking, email hijacking and Wi-Fi eavesdropping. Although it's difficult to detect MitM attacks, there are ways to prevent them. One way is to implement an encryption protocol, such as TLS (Transport Layer Security), that provides authentication, privacy and data integrity between two communicating computer applications. Another such protocol is SSH, a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network. Enterprises should also educate employees about the dangers of using open public Wi-Fi, since those connections are easier for attackers to intercept. Organizations should also tell their workers to pay attention to warnings from browsers that sites or connections may not be legitimate. Companies should also use VPNs to help ensure secure connections.

8. Password attack

This type of attack is aimed specifically at obtaining a user's or an account's password. To do this, hackers use a variety of methods, including password-cracking programs, dictionary attacks, password sniffers and brute-force guessing (trial and error). A password cracker is an application program used to identify an unknown or forgotten password to a computer or network resource; in an attacker's hands, it helps obtain unauthorized access to resources. A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. To handle password attacks, organizations should adopt multifactor authentication for user validation. In addition, users should use strong passwords that include at least seven characters as well as a mix of upper and lowercase letters, numbers and symbols. Users should change their passwords regularly and use different passwords for different accounts. In addition, organizations should use encryption on any passwords stored in secure repositories.

9. Web application attack

This is any incident in which a web application is the vector of the attack, including exploits of code-level vulnerabilities in the application as well as the thwarting of authentication mechanisms. One example of a web application attack is a cross-site scripting attack.
This is a type of injection attack in which an attacker injects data, such as a malicious script, into content served by otherwise trusted websites. Enterprises should review code early in the development phase to detect vulnerabilities; static and dynamic code scanners can automatically check for them. Also, implement bot detection to prevent bots from accessing application data. And a web application firewall can monitor a network and block potential attacks.

10. Advanced persistent threat (APT)

An APT is a prolonged and targeted cyberattack typically executed by cybercriminals or nation-states. In this attack, the intruder gains access to a network and remains undetected for an extended period of time. The APT's goal is usually to monitor network activity and steal data rather than cause damage to the network or organization. Monitoring incoming and outgoing traffic can help organizations prevent hackers from installing backdoors and extracting sensitive data. Enterprises should also install web application firewalls at the edge of their networks to filter traffic coming into their web application servers. This can help filter out application layer attacks, such as SQL injection attacks, often used during the APT infiltration phase. Additionally, a network firewall can monitor internal traffic.

Examples of security incidents

Here are several examples of well-known security incidents. Cybersecurity researchers first detected the Stuxnet worm, used to attack Iran's nuclear program, in 2010. It is still considered to be one of the most sophisticated pieces of malware ever detected. The malware targeted supervisory control and data acquisition systems and was spread with infected USB devices. Both the U.S. and Israel have been linked to the development of Stuxnet, and while neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that they were responsible for it.
In October 2016, another major security incident occurred when cybercriminals launched a distributed DoS attack on domain name system provider Dyn, which disrupted online services worldwide. The attack hit a number of websites, including Netflix, Twitter, PayPal, Pinterest and the PlayStation Network. In July 2017, a massive breach was discovered involving 14 million Verizon Communications Inc. customer records, including phone numbers and account PINs, which were reportedly exposed to the internet, although Verizon claimed no data was stolen. A month earlier, a researcher from security firm UpGuard had found the data on a cloud server maintained by data analytics firm Nice Systems. The data wasn't password protected, and as such, cybercriminals could have easily downloaded and exploited it, according to the security firm.

Trends in the causes of incidents

According to the 2019 "Data Security Incident Response Report" by BakerHostetler LLP, a U.S. law firm, certain types of security incidents are on the rise. Phishing is still the leading cause of security incidents. Nearly one-quarter of all the incidents BakerHostetler responded to in 2018 resulted from lost devices, inadvertent disclosures or system misconfigurations. Employees were responsible for 55% of the 750 incidents the firm responded to in 2018, partly due to simple mistakes and falling for phishing scams. Increasing employee awareness and implementing multifactor authentication are still two of the best defenses to address the employee risk factor, the report noted. On the bright side, organizations continue to improve their in-house detection capabilities. In 2018, 74% of incidents were detected internally, an increase from only 52% in 2015. However, although more companies have invested in security tools to help investigate security incidents, few organizations have the experience and capacity to investigate security incidents without third-party help. Attacks by nation-states are increasing.
Nation-states continue to engage in cyberoperations to support espionage, economic development (via the theft of intellectual property and trade secrets) or sabotage. It has also become more difficult to differentiate between the methods and procedures used by nation-state actors and criminal actors. It's hard to find good data on how often these attacks occur, in part because they go undetected or unreported.

Creating an incident response plan

The expanding threat landscape puts organizations at more risk of being attacked than ever before. As a result, enterprises must constantly monitor the threat landscape and be ready to respond to security incidents, data breaches and cyberthreats when they occur. Putting a well-defined incident response plan in place and taking into consideration some of the tips provided in this report will enable organizations to effectively identify these incidents, minimize the damage and reduce the cost of a cyberattack. Such a plan will also help companies prevent future attacks.

What is the best way to improve an organization's response to an incident?

Follow these suggestions to improve incident response across your organization:
- Hire the right staff.
- Establish clearly defined team roles and responsibilities.
- Increase end-user awareness.
- Learn from past breaches and incidents.
- Deploy the right tools.
- Upgrade your analysis and monitoring systems.

How do you protect against a similar incident occurring again in the future?

Conduct a post-incident analysis. By analyzing the incident and figuring out the details of how an attacker compromised a network or system, you can learn what vulnerabilities were exploited and take steps to close them.
Which type of incident response team is made up of experts who have other duties?

A cyber-incident response team is composed of employees with expertise in different areas. Organizations often refer to the team as a cyber-incident response team, a computer incident response team (CIRT) or a security incident response team.
Which type of planning is used for the identification, classification, response and recovery from an incident?

Incident response planning covers the identification of, classification of, and response to an incident.