Avoid These 3 Things In An Incident
Small mistakes in an incident can have a big downstream impact. Here are some mistakes to avoid.
1. Do Not Use The Word “Breach” Incorrectly
The word “breach” carries a lot of legal implications. Unless you have definitive confirmation of such an event, you really don’t want to use this word casually, whether internally or in discussions.
Of course, as a responder, you always want to “assume breach”, but when the term is used casually, especially when there has been no confirmation, it can cause confusion and panic and have legal ramifications.
Terminology matters a great deal during an incident.
Here are some additional examples:
Say “at this time” to make your declarations point-in-time statements rather than definitive ones.
Use “event” when triaging or investigating, until you have an actual “incident”.
2. Don’t Panic
If you had too much coffee that day, or are not experienced with incidents, then you might not want to be the lead responder in an incident. 😅
Having someone in the room who can stay collected, think through a scenario, and calm the room down is really essential.
Unfortunately, not every ship has a Deanna Troi or Captain Picard to assuage fears and panic. However, if you can find that person, have them there.
Hasty decisions in an incident may cost you later on.
3. Avoid Large Assumptions Without Data
When responding to an event and trying to determine whether it is an incident, you will have to go through several scenarios and suss each one out. Assume nothing; everything, or a combination thereof, is on the table.
Go through as many scenarios as possible, and be neither overconfident nor underconfident about how likely each one is.
To help you with this, I recommend reading incident write-ups to learn more about all the ways an attacker can get into a system.