It is very common for the terms “network attack” and “data breach” to be used interchangeably. However, a network attack and a data breach are two different types of events. An attack is an attempt to gain access to a network or to interrupt its normal operation, for any of a variety of purposes. A breach is an event in which unauthorized access to valuable information, data, or systems has actually occurred. Attacks may be used to veil an attempted breach or simply to disrupt network operations for the sake of causing a disturbance. Understanding each is valuable when defining methods of avoidance, response, and mitigation. Additionally, recognizing the difference between an attack and a breach is valuable when communicating accurately with stakeholders about a network security event.
In defining practical approaches and best practices for incident response and mitigation, we will focus on attacks. In the event of a breach, each organization should define steps to be taken both legally and operationally to protect those potentially impacted by the breached data or systems.
“No network is 100 percent secure, 100 percent of the time; therefore, having an incident response plan is critical for every school district.”
INCIDENT RESPONSE PLAN
As stated above, no network is 100 percent secure, 100 percent of the time; therefore, having an incident response plan is critical for every school district. An incident response plan should define a security incident and outline the procedures to address the situation appropriately. It should address areas of responsibility and establish procedures for handling various security incidents. It is important to note that a plan cannot be successful without defined roles and responsibilities, especially if a school district outsources some or all of its network management. Therefore, defining internal participants as well as external partners to address each step of the process is critical.
Developing an incident response plan requires the active involvement of a cross-section of district personnel including leadership from information and education technology, human resources, legal, instruction, security, communications, and the superintendent. Individual contributors such as network engineers, information technology security professionals, data and business analysts, law enforcement, and communications specialists need to be included to assist in carrying out the process. As suggested above, external partners also need to be included in the planning process. This could include your Internet service providers, network management providers, cloud hosting providers, external legal counsel, external public relations firms, and security professionals. Each of these groups plays a crucial role when an incident occurs and should be an integral part of an incident response plan.
Typical incidents include:
- Distributed denial of service (DDoS) attacks
- Infection of systems by unauthorized or hostile software (virus, malware)
- An attempt at unauthorized access
- Unauthorized systems changes (hardware, software, or configuration)
- Compromised information integrity (damage to data)
- Loss of information confidentiality (theft of data)
- Misuse of services, information, or assets
- Theft of physical IT assets
- Damage to physical IT assets
- Reports of unusual system behavior
Excerpted from the newly published Education Network Security in a Hyperconnected World white paper. To learn about the components your incident response plan should include, as well as about mitigation strategies, download the full white paper and the “Network Security Recommendations Checklist.”