Connecting the Dots: Experiences in Real-Life IT Security Incident Handling

The IBM Emergency Response Services (ERS) team helps clients prepare for and respond to the inevitable IT security incident that their organizations will eventually face. The ERS team deals with very diverse security incidents in a variety of industries, which, in turn, gives them a privileged point of view into current threat data and methods used by attackers.

When this data is closely analyzed, two things become apparent.

1. Zero-Day Vulnerabilities Are Less Important

Organizations should worry less about zero-day vulnerabilities and focus more on the 60-, 90- or even 180-day-old vulnerabilities already present in their networks.

Although headlines are frequently stolen by the latest clever act performed by a government-sponsored team of attackers, the number of targets that should really worry about this kind of incident is quite limited. Most attacks can be prevented — or at least detected very early — by focusing on “Security 101” knowledge such as applying updates in a timely fashion, teaching employees to develop a healthy suspicion against unsolicited emails and following up on security alerts.

It is indisputable that hard-to-catch, clever attacks exist. However, everybody, including cybercriminals, appreciates low-hanging fruit.

2. History Repeats Itself

Regardless of industry, similar initial errors in security posture will generate similar security incidents. For example, consider an organization that doesn’t enforce accountability and instead allows system administrators to use shared administrative accounts. This is a dangerous choice: because the credential is not tied to one person, it complicates termination procedures and may cause bigger issues down the road when administrators are unhappy with the way they feel the organization has treated them.

These findings — and many more — are the basis for a recently published ERS Trend report. This report contains information on several attack scenarios frequently seen in the field and describes, in detail, both the circumstances that led to the incident and the countermeasures that would have prevented it.

Read the IBM X-Force Research report: The 4 top cybercrime trends

Luca Pugliese

Emergency Response Service Consultant, IBM

Luca Pugliese is an Emergency Response Consultant for IBM Security Services based in Italy. Throughout his 13 years in IT security, he has had experience as a firewall administrator, security engineer, consultant and penetration tester. He holds multiple certifications in his field, including CISSP, CISA, CEH and GCFE. His focus is now on computer security incident response, digital forensic analysis and advising clients from a wide variety of industries on security best practices.