Lockdown: How would you handle emergency network operations?

Are you ready for a natural disaster, denial of service or security breach? If one happened right now, would you have a plan ready to respond to it? The recent, highly publicized security breaches showed that some companies were ready and some were woefully unprepared. Part of that comes down to technology and security controls, but most of it is about planning and process, not tools. So what does it take to be ready for an attack?

Obviously, a big part of the planning has to do with the operations team. To be prepared, you must have an emergency response team that can come together before an attack and run drills and practice response plans. Then during an attack or disaster, that team will be ready to respond.


Equally important, though often overlooked, is your emergency network operations plan. What's that, you ask? It's a plan you must put in place that helps you decide:

- What needs to stay running;

- What can be temporarily disrupted;

- What should be deliberately disconnected;

- What additional security measures should be enabled;

- How to communicate all of the above.

Essentially, what I'm suggesting is that you plan in advance to run your network in an "emergency mode" or "lockdown mode" and are ready to transition to this mode very quickly in response to a threat. It might mean isolating chunks of the network, disconnecting sensitive assets, turning on full packet capture and generally reconfiguring the network to a state that contains and mitigates threats while maintaining critical functions.

Companies that face serious attacks, disruptions or disasters will usually make such changes to their network on the fly. But rarely do you see discussion about planning for "lockdown" in advance. Most network operations teams would consider having to go to "lockdown" a failure in prevention, a state of last resort that they hope will never be reached. That's all true, but it doesn't remove the need to plan for that state.

So consider for a moment how your network should operate during a security breach, where there is an active infiltration and you are trying to contain, eradicate and mitigate the threat. What does "lockdown" mean to you? What would you do differently on a compromised network and what would be the minimal set of services that you would need to run?

Now, while planning for this scenario, you might want to consider several different variations, addressing ever-increasing threats. Consider the two extremes: a fully functional network (normal operations) and a complete shutdown (bring in the cleanup crew). Sony spent 25 days in the latter state because of an attack, though it is unlikely the company had much of a plan.

The key insight from this planning will become evident once you start putting the plan together: if you don't have a plan, there is no defined intermediate state to move to, so you will find yourself jumping from "normal operations" straight to "pull the plug." If you act too slowly, you must make bolder and bolder moves to catch up with an evolving situation. The better your plan and the faster you can execute it, the more likely you can get ahead of the situation and avoid the need for extreme measures. In other words, if you are ready to go to lockdown, you are less likely to need to pull the plug.
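To make the decision list above and the idea of tiered lockdown levels concrete, here is a small dependency-aware lockdown planner. It is example code written for this edit, not part of the original column or of any vendor's tooling; the asset names, the four levels and the control descriptions are constructed placeholders. For a given level it decides what stays running, what is deliberately disconnected and which additional controls are switched on, checks that no asset that must stay running depends on one being cut, and produces the ordered steps for escalating from one level to a stricter one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lockdown levels in order of severity. The two ends are the extremes the
# column describes: normal operations and a complete shutdown.
LEVELS = ("normal", "elevated", "lockdown", "shutdown")

@dataclass(frozen=True)
class Asset:
    name: str
    # Lowest level at which this asset is deliberately disconnected.
    # None means it must stay running at every level short of shutdown.
    disconnect_at: Optional[str] = None
    depends_on: Tuple[str, ...] = ()  # assets this one needs to function

# Controls switched on when entering each level. Constructed for this
# example; the strings are placeholders, not commands for a real tool.
EXTRA_CONTROLS: Dict[str, Tuple[str, ...]] = {
    "normal": (),
    "elevated": ("full packet capture at the perimeter",),
    "lockdown": ("isolate user segments from server segments",
                 "restrict egress to an allowlist"),
    "shutdown": ("disconnect uplinks",),
}

# Constructed sample inventory (hypothetical asset names).
INVENTORY: Tuple[Asset, ...] = (
    Asset("core-dns"),
    Asset("db-primary"),
    Asset("auth", depends_on=("core-dns",)),
    Asset("payments", depends_on=("auth", "db-primary")),
    Asset("wiki", disconnect_at="elevated"),
    Asset("guest-wifi", disconnect_at="elevated"),
    Asset("file-share", disconnect_at="lockdown"),
    Asset("build-farm", disconnect_at="lockdown", depends_on=("file-share",)),
    Asset("vendor-vpn", disconnect_at="lockdown", depends_on=("auth",)),
)

@dataclass
class Plan:
    level: str
    keep_running: List[str]
    disconnect: List[str]
    extra_controls: List[str]
    problems: List[str] = field(default_factory=list)

def _rank(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown lockdown level: {level!r}")
    return LEVELS.index(level)

def _transitive_deps(name: str, by_name: Dict[str, Asset]) -> set:
    """Everything `name` depends on, directly or indirectly."""
    seen, stack = set(), list(by_name[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        if dep in by_name:
            stack.extend(by_name[dep].depends_on)
    return seen

def plan(level: str, assets: Tuple[Asset, ...] = INVENTORY) -> Plan:
    """What stays up, what is cut and which controls are on at `level`,
    plus a check that nothing kept running loses a dependency."""
    rank = _rank(level)
    by_name = {a.name: a for a in assets}
    cut = {a.name for a in assets if level == "shutdown"
           or (a.disconnect_at is not None and _rank(a.disconnect_at) <= rank)}
    result = Plan(level, sorted(set(by_name) - cut), sorted(cut),
                  [c for lvl in LEVELS[:rank + 1] for c in EXTRA_CONTROLS[lvl]])
    for name in result.keep_running:
        for dep in sorted(_transitive_deps(name, by_name)):
            if dep not in by_name:
                result.problems.append(f"{name} depends on unknown asset {dep}")
            elif dep in cut:
                result.problems.append(f"{name} must stay running but depends on "
                                       f"{dep}, which is disconnected at {level}")
    return result

def escalation_steps(current: str, target: str,
                     assets: Tuple[Asset, ...] = INVENTORY) -> List[Tuple[str, str]]:
    """Ordered runbook from `current` to `target`: at each level, switch on
    the new controls first, then cut the assets that level newly cuts."""
    if _rank(target) <= _rank(current):
        raise ValueError("escalation_steps only moves towards a stricter level")
    steps, already_cut = [], set(plan(current, assets).disconnect)
    for lvl in LEVELS[_rank(current) + 1:_rank(target) + 1]:
        steps += [(lvl, f"enable: {c}") for c in EXTRA_CONTROLS[lvl]]
        new = [n for n in plan(lvl, assets).disconnect if n not in already_cut]
        steps += [(lvl, f"disconnect: {n}") for n in new]
        already_cut.update(new)
    return steps

if __name__ == "__main__":
    for lvl, action in escalation_steps("normal", "lockdown"):
        print(f"[{lvl}] {action}")
    for problem in plan("lockdown").problems:
        print("PROBLEM:", problem)
```

The dependency check is the point of the exercise: a service classified as "must stay running" is only as available as everything it depends on, so if anything it needs is filed under "can be temporarily disrupted," the plan is inconsistent and the check says so before an incident does. Running the planner for each level in advance is also how the "how to communicate all of the above" item gets answered: the output is the list of what each team will see go dark, and in what order.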



Copyright © 2011 IDG Communications, Inc.
