NIST Guide for Cybersecurity Incident Recovery

incident responseNIST, National Institute for Standards and Technology, just released a new guide for incident response and recovery for a cyber security incident.

What is a Cyber Security Incident?

According to NIST Special Publication 800-61, Computer Security and Incident Handling Guide, an event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse events that are computer security related, not those caused by natural disasters, power failures, etc.

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are:

  • An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
  • Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
  • An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
  • A user provides or exposes sensitive information to others through peer-to-peer file sharing services.

What is incident response and recovery?

Incidence response recovery is the steps and processes that are defined and needed to recovery from any type of incident.  This can be as simple a restoring backed up files that were lost to as complex as performing forensic analysis across a network that was compromised.  It typically involves more than just IT related staff, and if not planned ahead time, will be extremely chaotic.

Why should a business owner of any size company care?

Without consideration for disaster recovery, business continuity and incident response, your organization will not be prepared to respond to and recover from a cyber security incident.  It doesn’t matter if you write software or if you have a website, there are very few businesses that do not have email, online bank access, wire transfers, document storage either on site or in the cloud, have cell phones or have computers.

If you have any of those things, then you are likely going to have some sort of cyber security incident during the life of your business.  Do you know what to do if you can’t access your saved documents because ransomeware has encrypted them?  What if the cloud provider such as Box, or DropBox or OneDrive is hit with a denial of service attack and you cannot access your files?  What if you can’t access your email?  What if someone else accesses your email?  Would they find passwords?  Would they find information about mergers and acquisitions? Would they find intellectual property?  The list goes on.

Let’s set aside all of the technology issues.  How can spending precious time and money on something that might happen help my bottom line.  Let’s not pretend to be able to put hard numbers of what it may cost and we may save if it happens.  There are two other major components. One is many regulations and frameworks can require such as FISMA, NIST CSF, HIPAA and many more.

Additionally, many clients will not only find it more reassuring that their vendor or service provider has put this effort in place, many are requiring it and can outright turn down a vendor for not having these types of plans in place.  At the very least they are going to ask to see it and you are going to have to scramble to put it together.

The NIST guide is a good tool for small businesses to use to consider the key components of any response plan.  It doesn’t have to be comprehensive, and the needs of each business will be unique, but at the very least going through the exercise of deciding what you need and don’t need in a plan is essential for any business today.

Where do I start?

I’d start by reading this guide.  On page 7 it outlines the basic components of an incident response plan.  Part of this is performing some level of a business impact analysis on yourself.  What systems/information are critical for the business to perform?  If they go down, how much does it cost me without out them?  This helps you set your Service Level Agreements.  These and a few other questions are a good place to start, especially for a small business.

Who are you going to involve and call for help if this happens?

If I lose these systems, what do I need to do to get them back or at last continue working?

If email is down, how do we contact everyone?


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.