If you think your credit union could never be hacked, think again. Numerous credit unions have been hacked. While bank breaches have gotten more news coverage, attackers are also after credit unions, often because they are easier to hack.
Generally, the more layers of security you have around your servers, the better off you are, since attackers will likely look for easier prey.
However, the adage “I don't have to outrun the bear, I just have to outrun my friend” does not always hold up, so you should always be prepared for some sort of computer incident.
The better prepared you are for it when it strikes, the less harm it will cause to your network and your pocketbook.
The best way to plan for a computer incident is by creating and testing a Computer Incident Response Plan (CIRP). It is very difficult to react to an incident unless you can detect it, so you should monitor your organization's network and logs continuously for suspicious activity. That way you're more likely to stop an incident as soon as possible, before the compromise spreads to your crown jewels.
A well-prepared and rehearsed CIRP could mean the difference between losing hundreds of dollars and losing tens of thousands.
Planning
A CIRP covers the handling of an incident from the moment it is discovered to the conclusion of the incident. Like a business continuity plan, a CIRP is a management function, which means that it's crucial for management to be part of the planning team that develops the plan.
Your CIRP should define “an incident” and categorize possible incidents to help create an action plan. For example, categories could include the following: malware, suspicious activity seen from monitoring logs and networks, lost or stolen computers and equipment, domain or website hijacking, third-party vendor mistakes, DDoS, theft of IP, intentional destruction of data, etc.
Creating the CIRP
- Develop a Computer Emergency Response Team comprising business managers, representatives from your IT and security groups, legal advisors, HR directors, PR directors and internal security auditors. Discuss the roles they and others will play during an incident and their responses to particular situations.
- Designate a facilitator and data collector, and discuss the objectives, topics and scope of the plan.
- Decide what the participants' roles should be and what actions they should be responsible for taking. Roles should be adjusted as you perform annual tabletop exercises and find better solutions than those written in the plan.
- As you go through different exercises below, participants should try to become aware of any weaknesses and adjust the plan accordingly.
- The facilitator should present, one at a time, a handful of concise hypothetical incidents that prompt responses addressing the objectives. Topics could include espionage, data leakage, insider threats, malware, website compromises, or anything else that would affect your credit union's security.
For each incident, the facilitator should ask the following questions:
- What groups within the organization would be involved in handling this incident?
- Which internal and external parties need to be notified of the incident?
- What actions would be needed to control the incident?
- How would the scenarios be different if the incident were to occur at a different physical location?
- What measures are in place to prevent this incident?
- Who should attend the post-incident meeting on the lessons learned from this incident?
- What could be done to improve earlier detection of this and similar incidents?
The data collector should record the following:
- The type of incident
- The answers to the above questions
- The names and contact information of participants who would be affected by the incident
- The action recommended for the participants to take
A good tabletop exercise should expose your credit union's strengths and weaknesses and improve its ability to respond well to computer incidents.
Following the tabletop exercise, the data collector and facilitator should conduct a debriefing to discuss areas they felt went well and areas in which people could use additional training.
The training should take place soon thereafter. Your credit union should annually perform the tabletop exercise and update the CIRP.
Eric Browning is security engineering manager at Dell SecureWorks in Atlanta.