A reminder that prior preparation prevents poor performance for security newbs looking to avoid common mistakes in incident response.

One of the greatest challenges of transitioning to a new career or starting a new job is not so much knowing what to do, but learning what not to do. Most professionals find themselves in their fields because of a passion that drove them there, and most of us want to excel at our work. I love crafting sentences that bring the senses of sight and sound together in a warm cadence that makes a reader say “Wow!” What I hate more than anything is when I make a mistake. I’ve made plenty this past year. In fact, some of you may have sent me a message asking for a typo to be fixed. It happens.

In the security industry, though, mistakes can be costly. That’s why I had a chat with Ben Johnson, chief security strategist at Bit9+Carbon Black, who offered up some sage words of wisdom on the common mistakes people make in responding to a security incident. Here is Johnson’s list of the top five most common mistakes when responding to a security incident:

1. Not being prepared – For an unprepared organization, finding out it has been attacked can induce panic, an incomplete response and an insurmountable clean-up bill. You already know what questions you are going to ask in a breach, so set up your overall program to answer them. Preparing ahead of time lets an organization know the precise questions it will need answered, such as: “What data was stolen?” “How did they get in?” “How long have they been in?” “Where did they go?” An organization that understands how it will answer these questions has the right people, processes and technology in place to confidently tackle a data breach. If not, it is simply flying blind and hoping it is never targeted. When it comes to security, “hope” isn’t a word you like to hear. “Prepared” is.

2. Not properly understanding scope – An organization may have found patient zero, or it may actually have found patient 20. If it is patient 20, there will be a lot of machines to clean up. Understanding how big or small an incident is will be critical to proper response and recovery. Response isn’t just about cleaning up computers. There could be other footholds, backdoors, or accounts that have been added. Not understanding the full scope of the incident often means you’re not cleaning up the true problem.

3. Failing to get legal involved early – While legal does not often move at the speed of security (and definitely not at the speed of attackers), there are times when getting legal involved early will help keep information under attorney-client privilege, especially since legal should be responsible for coordinating with outside parties to avoid information leakage or disclosure to other parties. Information should be presented once it has become a story the company can tell, with relevant facts around what happened, how it happened, and who’s affected.

4. “Mission Accomplished” references – Claiming that only X number of records were accessed, or saying that everything has been cleaned up when, in reality, you don’t know the full scope of the impact (or the incident is still being eradicated), is a dangerous path to navigate and puts a bigger target on the company’s back. Don’t say you’re done. Say, “We are still investigating. This is what we know right now.” There is a premature rush to say we know what happened, and then the initial report of only 4 million records turns into 10 million and then 50 million.

5. Not understanding the root cause and attack vector – Not understanding the cause and the type of attack that worked today leaves an organization open to the same attack tomorrow. It’s hard to understand scope if you don’t know how they got in. How can you actually know that you cleaned it all up? If you don’t close the door the bad guys walked through, they are going to walk through it again tomorrow, or in 30 or 90 days.

The fear of making a mistake can be overwhelming, especially for those new to the industry. Remember that part of avoiding mistakes is asking for help when you need it. You are not alone. You are going to learn a ton just on the job, and companies know there are a lot of rules, regulations and compliance requirements, so you’re not going to be thrown into the fire without help. If you are, get some help.
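Mistakes 2 and 5 above turn on the same question: once you have patient zero, which other hosts share its indicators, and what did the attacker leave behind? The following is an added example, not code from the article or from Bit9+Carbon Black, of that scoping pivot run over a small batch of constructed telemetry. The (timestamp, host, event_type, value) record shape, the hostnames, addresses, hash and allowlist are all assumptions made for illustration.

```python
"""Incident scoping pivot: from patient zero to every host sharing its
indicators, plus the accounts added during the incident window.

Added example, not code from the article or from Bit9+Carbon Black.
The telemetry below is constructed; the (timestamp, host, event_type, value)
shape, hostnames, addresses and hash are illustrative assumptions.
"""
from datetime import datetime

# Constructed telemetry. Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    ("2017-09-01T08:00:00", "ws-017",   "netconn",  "203.0.113.45:443"),
    ("2017-09-01T08:02:10", "ws-017",   "process",  "sha256=4f1c...beef"),
    ("2017-09-01T08:30:00", "ws-017",   "user_add", "svc_backup"),
    ("2017-09-01T11:00:00", "ws-017",   "netconn",  "192.0.2.10:443"),
    ("2017-09-01T09:15:00", "srv-db01", "netconn",  "203.0.113.45:443"),
    ("2017-09-01T09:20:00", "srv-db01", "user_add", "svc_backup"),
    ("2017-09-01T09:22:00", "srv-db01", "netconn",  "198.51.100.77:8443"),
    ("2017-09-01T10:00:00", "ws-042",   "netconn",  "198.51.100.9:443"),
    ("2017-09-01T11:05:00", "ws-042",   "netconn",  "192.0.2.10:443"),
    ("2017-09-02T07:00:00", "ws-099",   "netconn",  "198.51.100.77:8443"),
    ("2017-08-20T12:00:00", "ws-050",   "user_add", "jsmith"),
]

# Indicators the whole fleet touches (here: an update server). Pivoting on
# these would drag every host into scope, so they are excluded. Constructed.
ALLOWLIST = {("netconn", "192.0.2.10:443")}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def indicators_of(events, host):
    """All (event_type, value) pairs seen on `host`, minus allowlisted ones."""
    return {(e, v) for _, h, e, v in events if h == host} - ALLOWLIST


def expand_scope(events, patient_zero):
    """Pivot transitively: a host joins the scope when it shares any indicator
    with a host already in scope, and its own indicators then seed the next
    hop. Returns {host: indicator set} for every host in scope."""
    in_scope = {patient_zero: indicators_of(events, patient_zero)}
    known = set(in_scope[patient_zero])
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for _, host, e, v in events:
            if host in in_scope or (e, v) not in known:
                continue
            in_scope[host] = indicators_of(events, host)
            known |= in_scope[host]
            changed = True
    return in_scope


def first_seen(events, in_scope):
    """Earliest indicator activity per in-scope host ("how long have they been in?")."""
    first = {}
    for ts, h, e, v in events:
        if h in in_scope and (e, v) in in_scope[h]:
            t = parse(ts)
            if h not in first or t < first[h]:
                first[h] = t
    return first


def added_accounts(events, in_scope, since):
    """Accounts created on in-scope hosts from `since` onward: footholds that
    cleaning up the malware alone would leave behind."""
    return sorted({(h, v) for ts, h, e, v in events
                   if e == "user_add" and h in in_scope and parse(ts) >= since})


def scope_report(events, patient_zero):
    """Answers 'where did they go', 'how long have they been in' and
    'what did they add' for one incident, starting from patient zero."""
    scope = expand_scope(events, patient_zero)
    seen = first_seen(events, scope)
    start = min(seen.values())
    return {
        "hosts": sorted(scope),
        "incident_start": start.isoformat(),
        "first_seen": {h: t.isoformat() for h, t in seen.items()},
        "accounts_added": added_accounts(events, scope, start),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_report(EVENTS, "ws-017"), indent=2))
```

Starting from ws-017, the pivot pulls in srv-db01 (same command-and-control address) and then ws-099, which shares nothing with patient zero but does share a second address with srv-db01; that second hop is the difference between patient zero and patient 20. The pivot is only as good as the allowlist: without it, the update server would put ws-042 and everything else in scope. Note what the report does not answer: the earliest first_seen timestamp tells you where to start looking for the initial vector, but it does not tell you how they got in, which is the separate investigation mistake 5 is about.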