School of hard knocks

How can enterprises pledge security when so few IT staff are trained in how to handle an attack? They can't. But it's not all bad news, says Wayne Rash. Here's the solution.

When I first heard of the statistic that only 5 percent of IT staffers know how to handle a security attack, I was shocked, and questioned the credibility of the report.

Personally, I suspected that 5 percent was wildly optimistic. I wondered if the number might be as small as 50 people. Total. In the world. But rather than guess, I called Alan Paller, director of research for the highly regarded SANS Institute, who confirmed my suspicions that 5 percent was optimistic.

In fact, Paller suspects that almost no one who hasn't weathered a serious attack on their network really has a deep appreciation for the difficulty and complexity involved. "Most people just haven't experienced it," he explained.

So I asked him if there was any help out there for the IT staffers and managers who didn't want to wait until they were under attack before figuring out what to do about it. I'd expected Paller to recommend training, but actually he had a simpler answer. The SANS Institute, it turns out, produces a document called "Computer Security Incident Handling Step by Step."

The document includes an incident handling card that lists nine steps to be followed in order to survive an attack. What's interesting is that the committee of 30 or so contributors is a Who's Who of security experts. Collectively, these people know more about surviving attacks than nearly anyone else on the planet.

The checklist

The first item on this checklist is perhaps the most necessary: "Remain calm." After that, the checklist goes through the process of gathering information, notification, getting help, communicating, and then solving the problem. It ends with "Get back in business."

This might sound like basic common sense, but the checklist is equally useful for both IT staffers and managers. Want to know if your IT workers know anything about handling an attack? Ask them what they'd do, and compare it with what's on the card. You can get your own copy at the SANS store. Look under "consensus guides."

Unfortunately, managers appear to be a second thought. There doesn't seem to be a lot of training for them in how to handle an attack, although there's plenty for technical staff. The SANS Institute, for one, has a class on hacker exploits that includes training on how to deal with an attack. There are plenty of other organizations that do similar training.

The real secret, however, is that handling attacks isn't really a secret. The information exists, it's easy to find, and it's well presented. So why are so many IT pros left in the dark? Very simply, companies haven't made such training a priority, and have been unwilling to spend the money. At the least, maybe you can get your company to spring for the SANS checklist.

What training have you given your IT staff for handling attacks? TalkBack below or e-mail us with your thoughts.