Having an incident response plan is crucial to surviving a cyber attack, a municipal IT security conference was told this week.
“We have to be prepared for the inevitable [cyber attack] and proactively move towards getting our team and our systems ready so we can respond quickly and effectively,” Nick Powers, manager of IT security for the City of Peterborough, Ont., told the annual conference of the Ontario chapter of the Municipal Information Systems Association (MISA).
“Because you are going to have an incident, so can you mitigate it fast enough so damage will be minimal?”
The city has a population of 82,000. It also owns the Peterborough Utilities Group, which provides the municipality’s drinking water.
Many IT professionals fear planning for the wide variety of possible incidents will take up too much time, Powers said.
“That was us for a number of years,” he admitted, “really trying to understand how are we going to put this together, what will it look like? It was a fairly daunting task, but as we’ve gone through this process we realized it doesn’t have to be a ‘boil the ocean’ kind of thing. It can be fitted to our size.”
The process, he added, can be enlightening. For example, part of an incident response (IR) plan is creating playbooks for what staff would do under particular circumstances. “Up until a few months ago it was extremely ad hoc for us – ‘I think this is what we would do.’ It was reactive. We’re gradually moving to the ideal, being a more proactive response of what we’re going to do.”
Even a 2018 MISA conference was useful. “We thought we had a fairly robust backup process,” Powers said, but after hearing about the Wasaga Beach ransomware incident, where the backup server was infected, the security around Peterborough’s backup system was tightened.
Broadly, an IR plan has a number of phases: Preparing the IR plan, detection/analysis of the incident, containment, eradication, recovery and follow-up. Powers focused on three steps of preparation:
–Understand your IT environment. Inventory and document all software and hardware, and include network diagrams. Leverage existing disaster recovery or business continuity plans if they exist. (Peters gave this warning: There may be more Wi-Fi access points around than you initially know about.)
Do you have backups of data, are they secure and is the data restoration process regularly tested?
This part of the exercise also includes documenting the tools you have that may help in IR, such as a SIEM and a centralized log management tool.
Don’t forget to document third-party suppliers, who may be able to help with incident response.
Powers also noted that in-house or external security assessments will provide valuable information in helping understand your environment as well as what your weak points are.
Peterborough does a weekly security assessment, plus has an annual assessment performed by a third party.
–Decide who will respond, and how, to an incident. In addition to IT, other departments may have to be brought in, depending on the severity of the incident: These may include legal, HR, the privacy officer, and communications. They need to know what their roles are expected to be.
The creation of playbooks – reaction guides – is important. Not only will they show who is expected to do what, Powers said, they will also reveal what skills the IT team doesn’t have. That may mean setting up a retainer with a third-party supplier, like a managed security service provider.
As part of its playbook, Peterborough built a flowchart to help quickly show who does what under what circumstance. “It allows us in the heat of battle not to forget things,” Powers said.
–Create a communications plan. When will senior IT managers have to be called, senior municipal management, police?
Peterborough created a chart categorizing potential cyber incidents as low, medium and high. For example, if the incident is medium risk, these people should be called.
–Test, test, and test the plan. Usually this is done with a tabletop exercise, but it could include a live simulation. Testing will show weaknesses in the plan – we forgot someone needs to do this.
Remember to also involve more than the IT department in the IR plan test. Others need to know their roles. For example, Power said, the IT support team, or, if there is one, the application support team, will likely be the first to hear about a possible incident from customer complaints.
Peterborough tries to test its plan annually.
Powers offered a number of sources for incident response plan advice, including the NIST SP800-61, the SANS Institute and the CREST incident response guide. He also reminded infosec pros to check with colleagues and technology partners for advice on incident response plans. Powers also noted universities and colleges often post their IR plans online, which can be used for reference.
No IR plan can be successful without senior management buy-in, Powers stressed. “We spoke to our management team, told them what we wanted to do, the implications, the expectations for the organization.
“If you don’t have that you’re going to be pushing a rope uphill.”