If you think your credit union could never be hacked, think again. Numerous credit unions have been hacked. While bank breaches have gotten more news coverage, attackers are also after credit unions, often because they are easier to hack.

Ideally, the more layers of security you have around your servers, the better off you are, as hackers likely will find easier prey.

However, the adage “I don't have to outrun the bear, I just have to outrun my friend” does not always hold up, so you should always be prepared for some sort of computer incident.

The better prepared you are for it when it strikes, the less harm it will cause to your network and your pocketbook.

The best way to plan for a computer incident is by creating and testing a Computer Incident Response Plan (CIRP). It is very difficult to react to an incident unless you can detect it, so you should monitor your organization's network and logs continuously for suspicious activity. That way you're more likely to stop an incident as soon as possible, before the compromise spreads to your crown jewels.

A well-prepared and rehearsed CIRP could mean the difference between losing hundreds of dollars or tens of thousands of dollars.

Planning

A CIRP covers the handling of an incident from the moment it is discovered to the conclusion of the incident. Like a business continuity plan, a CIRP is a management function, which means that it's crucial for management to be part of the planning team that develops the plan.

Your CIRP should define “an incident” and categorize possible incidents to help create an action plan. For example, categories could include the following: malware, suspicious activity seen from monitoring logs and networks, lost or stolen computers and equipment, domain or website hijacking, third-party vendor mistakes, DDoS, theft of IP, intentional destruction of data, etc.

Creating the CIRP

  • Develop a Computer Emergency Response Team comprising business managers, representatives from your IT and security groups, legal advisors, HR directors, PR directors and internal security auditors. Discuss the roles they and others will play during an incident and their responses to particular situations.
  • Designate a facilitator and data collector, and discuss the objectives, topics and scope of the plan.
  • Decide what the participants' roles should be and what actions they should be responsible for taking. Roles should be adjusted as you perform annual tabletop exercises and find better solutions than those written in the plan.
  • As you go through different exercises below, participants should try to become aware of any weaknesses and adjust the plan accordingly.
  • The facilitator should present one at a time a handful of concise hypothetical incidents that inspire responses to fulfill the objectives. Various topics could deal with espionage, data leakage, insider threats, malware, website compromises, or any other topic that would affect your credit union's security.

For each incident, the facilitator should ask the following questions:

  • What groups within the organization would be involved in handling this incident?
  • Which internal and external parties need to be notified of the incident?
  • What actions would be needed to control the incident?
  • How would the scenarios be different if the incident were to occur at a different physical location?
  • What measures are in place to prevent this incident?
  • Who after the incident should attend a meeting regarding the lessons learned from this incident?
  • What could be done to improve earlier detection of this and similar incidents?

The data collector should record the following:

  • The type of incident
  • The answers to the above questions
  • The names and contact information of participants who would be affected by the incident
  • The action recommended for the participants to take.

A good tabletop exercise should expose your credit union's strengths and weaknesses, and further the development of responding well to computer incidents.

Following the tabletop exercise, the data collector and facilitator should conduct a debriefing to discuss areas they felt went well and areas in which people could use additional training.

The training should take place soon thereafter. Your credit union should annually perform the tabletop exercise and update the CIRP.

Eric Browning is security engineering manager at Dell SecureWorks in Atlanta.
