The Best Data Breach Incident Response Plans Require These Steps

This article was originally written by Paul Konikowski, and published on Commercial Integrator on December 10, 2018 and My Tech Decisions on December 20, 2018.

Cybercrime is on the rise. Data breaches and cyberattacks have become more diverse and numerous, and their impact more damaging and disruptive. It feels like every other day, there is news of a large corporation getting hacked and/or losing some of your personal data. It is not a matter of “if” you will be impacted, but “when”. This is why it is so important for corporations and organizations to have a Cybersecurity Policy in place, along with an Incident Response Plan (IRP), and the right team of people who know how to react appropriately, often called the Incident Response Team (IRT).

Once a threat is detected, the IRP acts as a roadmap, allowing the IRT to take a systematic approach to solving the problem, documenting everything along the way, and minimizing human error. This reduces losses and downtime. The other big advantage is that, following an incident, evidence that the cybersecurity policy, including the IRP and IRT, was in place will be useful should the attack lead to legal proceedings. Ignorance is no excuse when it comes to cybersecurity. Negligence can result in costly fines, lawsuits, and/or time in prison, all of which can negatively impact a company’s reputation.

There are many variations, but the best Incident Response Plans typically include the following steps:

  1. Analysis – Is it a false positive? The IRT should review the logs for vulnerability tests or other abnormalities. What systems have been attacked? What stage is the attack at? What is the origin?
  2. Containment – Provides time to determine the next steps, while limiting the spread and the impact. Your team should isolate the system if possible and make a backup for forensic investigation.
  3. Communication – Alert everyone on the Incident Response Team, including IT, HR, Legal, Operations and Management representatives. Should law enforcement/FBI be contacted? Experts like FireEye? Third party vendors? Industry peers? How soon should you alert the public? The laws vary by state in the US. In the EU, the GDPR says within 72 hours. Your IRP should include a detailed cyber crisis communication plan, detailing who should be contacted in case of an attack, what message will be conveyed to them, and who has the authority to communicate on behalf of the organization.
  4. Eradication – Scan all systems for malware. Isolate and disable all accounts and components that have been compromised. Remove access to systems by suspect employee logins. Change passwords, apply patches, and reconfigure firewalls.
  5. Recovery – This can take a while, so you need to prioritize which systems are most critical to resume functionality.
  6. Post-event analysis – What was the dwell time (time from breach to recovery)? Are changes to policies, procedures, or equipment in order? How effective was the incident response plan? Then, test the revised IRP using a simulated attack.

In conjunction with having an incident response plan, organizations need to provide adequate cyber awareness training to all employees, not only explicitly telling everyone what to do, but what not to do, in the event of a data breach or cyber-attack. Setting guidelines for communicating with outside parties regarding incidents is key. You don’t want someone in your organization tweeting “WE ARE GETTING HACKED!!!”, followed by a dozen hashtags, do you?

Cybersecurity In Audiovisual Systems

You Should Consider Cybersecurity During All Phases Of An Audiovisual Installation

By Paul Konikowski, CTS-D

Earlier this month, the San Francisco Bay Area was graced with the presence of President Barack Obama, who was here to participate in a Cybersecurity Summit at Stanford University. *Side note*, I am still unsure if it’s spelled as one word or two, cyber security, or with a dash, cyber-security, and the online jury seems to be rather undecided. So for the sake of brevity, I am sticking with the one-word version, cybersecurity. *End side note*. At the aforementioned summit of cybersecurity experts, students, and information technology managers in Palo Alto, Mr. Obama signed an executive order encouraging the private sector to share cybersecurity threat information with other companies and the U.S. government.

Rising stock prices of cybersecurity software firms like Palo Alto Networks (PANW), FireEye (FEYE), and CyberArk (CYBR) have also reflected this increased level of awareness. Why? Because unlike guns or nuclear warfare, cyber hacking can happen right under our noses, for years and years, without anyone even noticing. Larger firms have realized that they need the best of the best to combat these criminals, and investors have taken notice of the growth potential of these new age software “heroes” who will do battle for a price, much like the Routiers, the early mercenary soldiers of the Middle Ages.

As audiovisual experts we also need to become IT cybersecurity experts, at least to some degree. At minimum, we have to know what risk we are adding to the network before, during, and after the AV installation. Here is a list of ways you can protect your audio, video, and control systems against theft and hackers, in no particular order:

  • Have a frank and honest discussion with the project team about cybersecurity. Find out who is in charge of the network, and who will need access to the systems.
  • Use motorized projection screens that are fitted into the ceilings to discourage theft.
  • Mount projectors using security boxes, or scissor lifts to hide them up inside the ceilings.
  • AV touch panels and camera controllers often have passwords, but are they updated?
  • Portable TVs and poorly mounted speakers are easy targets; don’t “tempt” thieves.
  • Ping all projectors and flat-panel television type displays once every minute. If the display does not respond, assume it is being stolen and automatically email security.
  • Interactive whiteboards, mice, and keyboards are generally trustworthy, but who is really checking that USB stick that automatically downloads this or that app to the laptops?
  • Don’t assume that the person in charge of your computer network is the best one to test the AV installation for bugs or security breach points. Hire an expert to test it.
  • Backup all files at least once a day to a secure offsite and/or cloud storage facility.
  • Microphones and tableboxes should be periodically checked for James Bond type “bugs” that can listen to private meetings. It’s not always the newest technology that you need to worry about!
  • Videochat and audio conferencing suites should never be left unlocked while not in use.
  • Make sure that end users know when a camera is on or when microphones are open.
  • Digital signage and way-finding kiosks are updated via a website; use unique passwords.
  • Unfortunately, most AV equipment racks are made by just a few manufacturers, and each uses one or two different key codes in their door locks. Once you have a set of the common AV rack keys, you can open almost any locked AV equipment rack in the U.S.
  • “Security screws” can also limit the amateur thefts, but any real crook will have tools.
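As an added illustration of the “ping every display once a minute” item above (example code written for this page, not the author’s or any vendor’s code): a small Python monitor that tolerates a few consecutive missed polls before alerting, so one dropped packet does not page security, and that fires only once per outage. Display names, addresses, and the outage schedule are constructed; the `probe` callable is where a real ICMP or HTTP check would go.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed inventory: hypothetical display names and addresses, not a real site.
INVENTORY = {"proj-room-101": "10.20.30.11",
             "tv-lobby-east": "10.20.30.12",
             "proj-board-room": "10.20.30.13"}

def format_alert(name: str, addr: str, now: datetime, misses: int) -> str:
    return (f"[{now.isoformat(timespec='minutes')}] {name} ({addr}) unreachable "
            f"for {misses} consecutive polls; possible theft or disconnection")

@dataclass
class DisplayMonitor:
    """Polls every display once per tick and alerts after `missed_limit`
    consecutive failures; the alert re-arms when the display answers again."""
    probe: Callable[[str], bool]              # True if the address replied
    missed_limit: int = 3                     # absorb short network blips
    missed: Dict[str, int] = field(default_factory=dict)
    alerted: set = field(default_factory=set)

    def poll(self, now: datetime) -> List[str]:
        alerts = []
        for name, addr in INVENTORY.items():
            if self.probe(addr):
                self.missed[name] = 0
                self.alerted.discard(name)
                continue
            self.missed[name] = self.missed.get(name, 0) + 1
            if self.missed[name] >= self.missed_limit and name not in self.alerted:
                self.alerted.add(name)        # fire once per outage, not every minute
                alerts.append(format_alert(name, addr, now, self.missed[name]))
        return alerts

def simulate(outages: Dict[str, range], minutes: int = 10) -> List[str]:
    """Replay one-minute polls offline. `outages` maps a display name to the poll
    indices during which it does not answer (constructed data, not real pings)."""
    addr_to_name = {addr: name for name, addr in INVENTORY.items()}
    tick = {"i": 0}
    def probe(addr: str) -> bool:
        return tick["i"] not in outages.get(addr_to_name[addr], range(0))
    monitor, fired = DisplayMonitor(probe=probe), []
    start = datetime(2018, 12, 10, 9, 0)
    for i in range(minutes):
        tick["i"] = i
        fired.extend(monitor.poll(start + timedelta(minutes=i)))
    return fired
```

Each string returned by `poll` is the body you would hand to your email or ticketing integration; the lobby TV in the simulation triggers one alert at minute 4, while a projector that misses a single poll triggers nothing.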

These are just a portion of the areas that the AV Design Engineer and Project Manager need to address during a project. The real problems are the bugs and “holes” that are accidentally left in a program, that nobody catches, mainly because no one is looking for them. That is why it is critical that today’s AV integration firms hire a well-trained, experienced QA (quality assurance) department who will double-check the engineer’s design, the programmer’s code, and the completed installation.

We all make mistakes; it’s human nature. And even when we don’t make mistakes, we certainly overlook things that others might catch. Having someone else check your AV design, bug test your code, or evaluate your network or website for cybersecurity threats will always uncover more than checking it yourself. If you are not putting up “constant vigilance” against the hackers, and paying an expert to test your systems, then you are just living in denial, thinking that your systems are working properly and secure. If these hackers can break into insurance companies and Target, you have to assume that they are trying to hack into your systems as well (or that they already have!).