Creating a Communications Plan

A communications plan is the framework for how information about your organization is shared among those who need it. This plan will be different during an incident than during normal day-to-day operations. Communications techniques and content will also differ depending on whether the audience is internal or external. Determining communications policies that deal with incident response will likely represent some of the most difficult decisions a company must make. Err on the side of disseminating too much information, or the wrong pieces of it, and you run the risk of negatively impacting the perception of your organization or, worse, clouding key information so that the intended recipient misses it. Providing too little information, on the other hand, can cause unfounded speculation or prevent an active participant from taking a specific, appropriate action.

Preincident Internal Communications

Internal communications begin the first time a potential employee contacts your firm and continue until the end of that employee's affiliation with your organization. It is critical that all communications are positioned appropriately to support business requirements, especially those involving security. Coordination with your HR, public relations, and legal teams will be essential for successfully creating a proper framework for communications.

New Employee Orientation

Some of the most important communications within your organization will be with new hires. Orientation sessions need to acquaint new employees with all the policies described in the Defining Incident Response Policy section of this chapter, as well as why these policies are important. Each employee must understand his role in the security of the organization, know the steps required to protect company assets, know where to seek additional information or report a circumstance that warrants investigation, and anticipate the consequences, both to the organization and to himself, should he fail to observe policies. These orientation discussions afford you the greatest opportunity to gain a new employee's acceptance of these security concepts. Information imparted during these initial meetings can shape every workplace decision an employee makes from that point on.

Security Refresher Courses

As a supplement to the new hire training, an organization should consider security refresher courses. These courses should do the following:

  • Occur regularly throughout an employee's career

  • Recertify that employees understand what is expected of them

  • Update employees on any changes to policy for which they might not have been notified

  • Provide employees with a forum to obtain clarification on any security topic

  • Reinforce the importance of security to the firm

Holding short trainings annually (or more frequently) or in conjunction with major events such as a reorganization or proposed merger is a good approach.

Additional Training

Certain groups in your organization might require additional training on concepts specific to their job function. For example, anyone developing software that is used internally or becomes part of a shipping product should be trained in how to write, test, and manage their code with security as a driving factor. Because such training would not be useful to every member of the organization, it should be provided separately from other new hire training so that it does not dilute other important messages.

Awareness Campaigns

Rounding out preincident internal communications is the concept of awareness campaigns. An awareness campaign can take many forms. Regardless of the methods employed, the goals of such a campaign are to change specific, undesirable behavior centered around security and to reinforce the importance of security to all staff. Awareness campaigns are most successful when they are least intrusive. For example, you should not send out daily, multiple-page memos on security because, over time, people will stop reading them. Awareness activities should be simple, should be easy to consume, and should contain the minimum verbiage required to make their point.

Examples of awareness activities include the following:

  • Posters of the "Loose lips sink ships" variety

  • Targeted e-mails reminding employees of a specific policy

  • A one-line sidebar in a company newsletter

  • Wallet cards with a short list of tips telling individuals how they can improve the overall security of the organization

  • Distribution of critical phone numbers and e-mail addresses

  • Any other form of information sharing that is easily assimilated by its audience

The key is to impart a message that employees can quickly absorb before making a conscious decision about whether the information is important to them (especially because you have already determined that the information is important to them). Behaviors to target with these awareness campaigns are those most likely to lead to a security incident but that cannot be easily mitigated by technology. For example, you no doubt want your employees to create passwords that are hard to crack and to not allow tailgaters to follow them into company buildings secured by a card key or similar system.

Communication During an Incident

Communication is not limited to disclosure and reinforcement of policy. During an incident, communication is a crucial component of response activity, one that can determine the overall success or failure of the incident response team.

Communication Among Response Team Members

During the course of an incident, a number of types of communication must be executed effectively for the team to succeed. The first of these is communication among team members. Although it seems obvious, this is an area often overlooked during an investigation, because everyone is operating in a time-sensitive, reactive mode. In other words, providing status reports and sharing the intelligence gathered might not be anyone's primary concern.

However, during a crisis, communication needs to be a primary concern of response team members. The incident response leader needs to have a complete understanding of all aspects of the investigation at all times, to ensure that the direction she provides to the team represents the best possible course of action. If the incident response leader does not have complete information, she likely will make less-than-optimal decisions and provide inappropriate guidance, both of which can have a negative impact on the speed or capability of team members. All information must flow through the incident response leader. The leader, in turn, will provide summaries to the team, along with any necessary analysis and instruction.

Communication among team members can be made more difficult by the nature of a specific incident. For example, if the incident is a denial-of-service attack against your e-mail servers or a worm that forces you to close down your routers or key systems to prevent its spread, communicating by e-mail might not be possible. Or, if a natural disaster occurs at night, other communications media might be impacted. Identifying all possible occurrences ahead of time and crafting a clear, easy-to-follow communications plan can mean the difference between a successful and failed incident response.

The communications plan should include both a primary and secondary form of communication as well as details on what to do when communication using either of those methods is not possible. The plan should also outline the chain of command in the event of an incident so that team members know what to do and who to contact should a key member of the team be unreachable.

Another team communication concern is that an intruder could be monitoring specific communications channels. If the e-mail system has been compromised, the attacker could be reading the e-mail of administrators involved in the investigation. If the voice mail system has been compromised, the intruder could be eavesdropping on those communications as well. Furthermore, Trojan horse applications can enable the microphone or Web cam of an infected computer system, thereby capturing information and activity conducted nearby. An attacker who can leverage your communications channels can easily gain the upper hand.

Frequently, investigation communications will extend beyond the technical members of the incident response team. In such cases, the incident response leader will also act as the liaison to the business managers likely to be impacted the most. Business managers whose workflow is impacted, who are at risk of sensitive information being leaked, or who might be at risk of missing internal or external deadlines as a result of the incident and its investigation become ad-hoc members of the incident response team. These managers will provide guidance to the incident leader on how to choose the best course of action; in other words, how to choose the least bad outcome, or the outcome that is least detrimental to the organization as a whole. Such choices are about mapping business need to technical implementation.

Communication with Law Enforcement Agencies

Communications with law enforcement agencies are also important in the early stages of an incident investigation. Before an incident occurs, you will have determined the circumstances under which you need to involve specific law enforcement agencies, and you will have established appropriate contact processes for each agency. By communicating with those channels early in an incident investigation, you bring additional resources to the response and ensure that evidentiary procedure is adhered to. You also ensure that any steps taken do not interfere with later prosecution.

Companywide Communication

At various points during an investigation, it might be prudent to engage in companywide communication on the status of the investigation or remediative work. Such communication can minimize speculation and drive specific supporting behaviors. In the latter capacity, companywide communication is similar to an awareness campaign.

Companywide communication is very sensitive when conducted during an investigation. Whether an attack is internal or external, broad communications can tip off the attacker on the success or lack of success of the investigative process. The most appropriate communications in this scenario are brief, concise, and easily assimilated, without providing any specifics on the incident. For example,

We are experiencing intermittent outages of various network resources, the appropriate personnel are working on correcting the problem, and we hope to have service restored quickly. If you have an immediate concern, please contact the service desk.

would likely be more effective than

We are collecting evidence on an attacker who has compromised at least seven systems in our e-business unit, and the FBI will be shutting systems down intermittently to collect forensic images before the attacker has a chance to cover his tracks.

Basically, you are keeping your cards close to your vest.

Companywide communication can also include a wrap-up message at the close of the investigation on lessons learned and next steps to be taken. For example,

Our security team, during a routine analysis of our network, has identified and removed several unapproved network services. Specific policy requires that all network services be approved by the Director of IT and implemented through our normal change control process. Because of the potential security implications, we will be forcing a password reset for all users over the next three days.

Contacting the Attacker

One particularly sensitive area is communicating with the attacker. Depending on the specifics of the case, contacting the attacker might be a valuable component of the investigation. For example, if the attacker is trying to extort money or other gains from your firm, contact with the attacker could buy you valuable investigation time (by stalling the attacker) and stave off further intrusion. Of course, the opposite is also possible. Contacting the attacker could cause her to take additional action, such as formatting all your network systems to cover her tracks because she knows she has been discovered.

If law enforcement agencies are involved, they will likely have more experience dealing with these issues than your response team, so you should defer to the judgment of these agencies. Of course, prudence dictates a careful evaluation of the capability of these agencies before deferring to them. You will find a wide range of capabilities and technical sophistication, depending on whether you are dealing with local or federal investigators and on the frequency with which an agency handles computer crime investigations. You might also want to involve your legal counsel, because contact with an attacker could have an impact on any prosecution attempt.

Finally, you will want to evaluate the risk created by making contact with an attacker before deciding to do so. Profiling the attacker's behavior is a critical element in deciding this. Each of these questions can help you develop a fair amount of insight into the attacker's probable next moves:

  • Does the attacker seem to be after something specific, or simply snooping around?

  • Has the intrusion gone on for months, or did it begin recently?

  • Was the attack method exceptionally crafty, or did your firm get caught with its defenses down by not being up to date with vendor-released patches?

  • If the attacker has made contact with you, what can your response team infer about his education or locale based on the phrasing used in that contact?

  • Is it possible to use this contact with the attacker to collect additional information that law enforcement authorities can use to locate him?

Once you have determined that the risk of contacting the attacker is acceptable, consider your goals for the communication and the method by which you will make contact. If the attacker's intrusions typically occur during certain hours of the day or night, it might be prudent to time your contact at the beginning of that window. If the attacker has not contacted your organization directly, you should determine the best way of contacting her. It is unlikely that the attacker will have left her home telephone number on any given compromised system.

Finally, make certain that the goal of your contact is clear: Are you trying to slow the intruder's attacks? Gain additional evidence against the attacker? Find out the extent of her intrusions? Ask her nicely to go away? Something else? Each answer might point toward a specific method of communication and the framework for the conversation, including whether you use a medium you can log and trace.

Dealing with the Press

When wider knowledge of a security breach exists, it is possible that the event will garner the attention of the press. In such cases, you must brief your public relations staff on the incident and prepare them to respond to inquiries. Contact with the press should be reserved for duly appointed individuals within your organization whom you trust to represent the information in an appropriate manner. All other staff members should be trained to direct press inquiries to the appropriate resources.

When speaking to the press, your public relations representatives should adhere to several core principles:

  • Be precise in your use of language. Say exactly what you intend to say in short, complete sentences that cannot be misinterpreted or taken out of context.

  • Stick to the facts, and do not let emotion play into the discussion. Similarly, avoid speculation about the root cause or parties involved or their motives unless you have sufficient evidence to that effect.

  • When being interviewed, ensure that with every answer you bring the conversation back to a point that you want to make.

  • Keep the technical detail low enough that you do not inadvertently invite additional attacks and that you do not exceed the understanding of the interviewer.

  • If you are working with law enforcement officials, ensure that any information, documents, photos, or other materials provided to the press do not impair the investigation or decrease the likelihood of successful prosecution.

  • Ensure you are prepared with answers to the most likely questions. Do not go into any interview situation before you are ready.

  • Recognize that, in many cases, your tone and manner say as much as your words.

  • Do not allow media attention to interfere with the investigation.

In some cases, it might be appropriate to provide a press release about the incident. This might seem contrary to conventional wisdom about how best to protect your company's image and brand, but in some cases it can be a valuable step. Specifically, releasing your own press announcement allows you to provide an appropriate context for the event and highlight important points you feel need to be made clear. For example, you might want to stress that even though a security breach occurred, no source code in a specific Web service or product was compromised.


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189