Lessons Learnt for Incident Response from the Ebola Virus Outbreak
Over the past few months we have watched the Ebola crisis grow from a localized problem with little global impact into a major global concern, with the World Health Organization (WHO) warning that the disease could infect up to 10,000 people per week if it is not brought under control. While this is first and foremost a health crisis, I could not help drawing parallels between how it has developed and been handled and how many organizations handle their incident response for computer security incidents.
This article on why Ebola won't gain a foothold in Western countries examines how the disease has managed to spread to date. Some of the key points from the article are:
- The health systems and infrastructure in many of the countries in West Africa are very poor and could not cope with the initial outbreak.
- Many of the initial patients displaying symptoms were misdiagnosed as having Lassa Fever.
- Hospitals dealing with infected patients did not handle or dispose of infectious material in a safe manner.
- Health professionals did not have the appropriate tools to deal with the crisis or to treat patients properly.
- Health professionals failed to quarantine infected patients, who in turn infected others.
Having worked on various security breaches for clients, and having reviewed the details of public breaches such as Target, I believe there are many lessons we can take from the Ebola crisis to improve our own cyber security incident response. When looking at our own environments we need to ask ourselves:
- Are our infrastructure and systems robust and resilient enough to survive a cyber-attack? Do we really understand which business processes and systems are critical, and what is needed to keep them running in a crisis? The organization also needs security systems that give early warning of a suspected breach. There is no such thing as 100% security, and the controls we put in place may not deter an attacker, but they should delay an attacker long enough for them to be detected. That only works if effective alerting is deployed to identify potential issues and raise them with someone who will act.
- Has the incident response team received proper training in critical analysis, so that when investigating an incident they diagnose the issue correctly rather than chasing the first plausible explanation? Are the security monitoring solutions in place working as they should, and tuned for the environments they are in? And more importantly, are the alerts they generate actually being acted upon?
- When working on a cyber-security incident the team may come across malicious software and code. Does the team have the right tools to safely handle and analyze that code? What are the facilities in place to ensure that malicious code can be stored, and where necessary, shared with others such as law enforcement, anti-virus companies and Computer Emergency Response Teams? The last thing any incident response team wants is to be responsible for accidentally infecting other systems.
- Dealing with cybersecurity incidents is a specialized task and requires specialized tools to conduct investigations, analyze logs, collect evidence in a forensically sound manner and record all actions taken during the incident, among other tasks. It is essential that the team has the appropriate tools in place to enable them to do their job effectively and efficiently.
- The most important element of the incident response team is the people who make up that team. An effective team requires experienced and skilled individuals who can work under extreme pressure, have strong analytical capabilities and have excellent communication skills. To keep the team effective, they must receive appropriate training in both technical and soft skills, and they must conduct regular exercises to maintain their level of preparedness and capability.
While we may hopefully never have to deal with the cyber equivalent of Ebola, it is worth taking time to analyze how major crises in the real world are handled and how the lessons learnt from them apply to the digital realm.
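As an added example (not code from the original article), the following Python sketch covers two of the points above: storing a captured malware sample so that it cannot be run or picked up by accident and is tracked by its hash, and recording every action taken on it in a log whose entries are hash-chained so that later alteration is detectable. The directory layout, the `.quarantined` extension, the XOR constant and the log fields are all assumptions made here, not an established standard.

```python
"""Quarantine a suspected malware sample and keep a tamper-evident custody log.

Added example, not code from the original article. The directory layout,
the .quarantined extension, the XOR key and the log format are all choices
made here, not an established standard.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

XOR_KEY = 0xA5  # arbitrary constant; stored bytes are never the live sample


def digests(data: bytes) -> dict:
    """Hash at acquisition so every later copy can be checked against it."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def encode(data: bytes) -> bytes:
    """Reversible byte-wise XOR: the file on disk cannot execute or be parsed
    as-is, which also stops endpoint AV from deleting the evidence."""
    return bytes(b ^ XOR_KEY for b in data)


class Quarantine:
    def __init__(self, root: Path):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.log = self.root / "custody.log"

    def _append_log(self, entry: dict) -> None:
        """One JSON line per action. Each line records the SHA-256 of the
        previous line, so altering or dropping an earlier entry breaks the chain."""
        prev = "0" * 64
        if self.log.exists():
            lines = self.log.read_text().splitlines()
            if lines:
                prev = hashlib.sha256(lines[-1].encode()).hexdigest()
        entry = dict(entry, prev=prev, ts=time.time())
        with self.log.open("a") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")

    def ingest(self, data: bytes, source: str, analyst: str) -> str:
        """Store a sample under its own SHA-256 and log who collected it and from where."""
        h = digests(data)
        dest = self.root / f"{h['sha256']}.quarantined"  # hash as name, non-executable extension
        dest.write_bytes(encode(data))
        self._append_log({"action": "ingest", "source": source, "analyst": analyst,
                          "size": len(data), **h})
        return h["sha256"]

    def retrieve(self, sha256: str, analyst: str, purpose: str) -> bytes:
        """Decode a sample for analysis and confirm it still matches its acquisition hash."""
        data = encode((self.root / f"{sha256}.quarantined").read_bytes())
        if hashlib.sha256(data).hexdigest() != sha256:
            self._append_log({"action": "integrity-failure", "sha256": sha256, "analyst": analyst})
            raise ValueError(f"stored sample {sha256} no longer matches its hash")
        self._append_log({"action": "retrieve", "sha256": sha256,
                          "analyst": analyst, "purpose": purpose})
        return data

    def verify_log(self) -> bool:
        """Recompute the hash chain; False if any entry but the last was altered or removed."""
        prev = "0" * 64
        for line in self.log.read_text().splitlines():
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True


def demo(root=None) -> dict:
    """Walk a constructed sample through ingest, retrieval and a tampering check."""
    q = Quarantine(root or tempfile.mkdtemp(prefix="quarantine-"))
    # Constructed stand-in for a captured binary: harmless bytes behind a PE-like header.
    sample = b"MZ\x90\x00" + b"constructed stand-in for a captured sample\n"
    sha = q.ingest(sample, source="host-42:/home/alice/Downloads/invoice.exe", analyst="ir-analyst")
    restored = q.retrieve(sha, analyst="ir-analyst", purpose="static analysis")
    on_disk = (q.root / f"{sha}.quarantined").read_bytes()
    log_ok = q.verify_log()
    # Simulate someone editing the first custody entry after the fact.
    lines = q.log.read_text().splitlines()
    first = json.loads(lines[0])
    first["analyst"] = "someone-else"
    lines[0] = json.dumps(first, sort_keys=True)
    q.log.write_text("\n".join(lines) + "\n")
    return {"sha256": sha, "roundtrip": restored == sample, "on_disk_differs": on_disk != sample,
            "entries": len(lines), "log_ok_before": log_ok, "tamper_detected": not q.verify_log()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. The XOR encoding is a safety measure against accidental execution and over-eager anti-virus, not confidentiality; when a sample is shared with law enforcement, an anti-virus vendor or a CERT, send the hash first and the sample itself in a password-protected archive. And a hash chain can only detect changes to entries that have a successor, so the final hash should be anchored somewhere outside the log (the incident ticket, a signed e-mail, a printed sheet) at the end of each shift.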