Connecting the Dots: Experiences in Real-Life IT Security Incident Handling
The IBM Emergency Response Services (ERS) team helps clients prepare for and respond to the IT security incidents their organizations will inevitably face. The ERS team handles very diverse security incidents across a variety of industries, which gives it a privileged view of current threat data and of the methods attackers actually use.
When this data is closely analyzed, two things become apparent.
1. Zero-Day Vulnerabilities Are Less Important
Organizations should worry less about zero-day vulnerabilities and focus more on the 60-, 90- or even 180-day vulnerabilities present in their networks: flaws for which a patch has been available for months but has still not been applied.
Although headlines are frequently stolen by the latest clever act performed by a government-sponsored team of attackers, the number of targets that should really worry about this kind of incident is quite limited. Most attacks can be prevented, or at least detected very early, by focusing on “Security 101” practices such as applying updates in a timely fashion, teaching employees a healthy suspicion of unsolicited emails and following up on security alerts.
It is indisputable that hard-to-catch, clever attacks exist. However, everybody, including cybercriminals, appreciates low-hanging fruit.
2. History Repeats Itself
Regardless of industry, similar initial errors in security posture generate similar security incidents. For example, consider an organization that doesn’t enforce accountability because it allows system administrators to use shared administrative accounts. No action taken with such an account can be attributed to an individual, and the choice complicates termination procedures: when an administrator leaves, the shared credential has to be changed on every system that accepts it, or the former employee keeps access. That becomes a much bigger issue down the road when an administrator feels mistreated by the organization.
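As an added illustration, not taken from the article or the ERS report, the following Python script shows what a shared administrative account does to the audit trail. It parses a handful of constructed OpenSSH and sudo syslog lines, lists logins to shared privileged accounts that can be tied only to a source address, and contrasts them with sudo entries that record the individual who ran each privileged command. The host name, account names, addresses and log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (OpenSSH and sudo formats); not real data.
SAMPLE_AUTH_LOG = """\
Mar 12 08:01:13 db01 sshd[2111]: Accepted publickey for admin from 10.0.5.17 port 51022 ssh2: RSA SHA256:abc
Mar 12 08:03:40 db01 sshd[2140]: Accepted password for admin from 10.0.5.42 port 50311 ssh2
Mar 12 09:15:02 db01 sshd[2390]: Accepted publickey for alice from 10.0.5.17 port 52010 ssh2: ED25519 SHA256:def
Mar 12 09:15:30 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar 12 11:47:55 db01 sshd[2901]: Accepted password for admin from 203.0.113.9 port 40022 ssh2
Mar 12 11:50:12 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
"""

# Accounts that several people are assumed to use (an assumption for the example).
SHARED_ACCOUNTS = {"admin", "root"}

# "Accepted <method> for <user> from <src> port ..." as logged by sshd.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")
# "sudo: <user> : ... USER=<target> ; COMMAND=<cmd>" as logged by sudo.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Split a syslog excerpt into SSH logins and sudo invocations."""
    logins = []   # (account, source address, auth method)
    sudo = []     # (individual user, target account, command)
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            logins.append((m["user"], m["src"], m["method"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo.append((m["user"], m["target"], m["cmd"].strip()))
    return logins, sudo


def accountability_report(text, shared_accounts=SHARED_ACCOUNTS):
    """Separate privileged activity that can be attributed to a person from
    activity that can only be attributed to a source address."""
    logins, sudo = parse_auth_log(text)
    unattributed = [(acct, src) for acct, src, _ in logins if acct in shared_accounts]
    sources = defaultdict(set)
    for acct, src in unattributed:
        sources[acct].add(src)
    return {
        # Direct logins to a shared account: the log only knows where, not who.
        "unattributed_logins": unattributed,
        "shared_account_sources": {a: sorted(s) for a, s in sources.items()},
        # sudo records the individual, so each command has an owner.
        "attributed_privileged_commands": [(u, cmd) for u, _, cmd in sudo],
    }


if __name__ == "__main__":
    report = accountability_report(SAMPLE_AUTH_LOG)
    for acct, srcs in report["shared_account_sources"].items():
        print(f"shared account '{acct}' used from {len(srcs)} addresses: {', '.join(srcs)}")
    for acct, src in report["unattributed_logins"]:
        print(f"  login as {acct} from {src}: no individual to hold accountable")
    for user, cmd in report["attributed_privileged_commands"]:
        print(f"  {user} ran as root: {cmd}")
```

When an administrator leaves, the second list tells you exactly what that person did; the first list only tells you that someone with the `admin` password connected from three addresses, one of them outside the internal range, and the password has to be rotated everywhere because you cannot tell whether the departing employee was one of them.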
These findings — and many more — are the basis for a recently published ERS Trend report. This report contains information on several attack scenarios frequently seen in the field and describes, in detail, both the circumstances that led to the incident and the countermeasures that would have prevented it.