A July 2013 report by the Center for Strategic and International Studies (CSIS), sponsored by McAfee, estimated annual losses in the US due to cybercrime at anywhere from $24 billion to $120 billion, depending on the calculation method.
Security incidents harm organizations in several ways:
- Loss of intellectual property
- Financial loss
- Loss of personal or sensitive business information
- Service disruptions
- Increased security costs to recover from cybercrime
- Reputation damage
Security incident handling should be at the forefront of every IT manager’s mind, and every organization should have a systematic security incident handling procedure for guidance during what is always a tremendously stressful situation. Being prepared can help you minimize loss of data and disruption to services after an incident like a malicious code attack, denial of service attack, outright sabotage, or hoax.
Here are the basic actions involved in security incident handling.
Prepare
Create a formal incident response plan and make sure all key players, executives, and managers know about it. Here you'll define the organizational structure of security incident management along with each person's responsibilities. This plan should be written, and it should be distributed up front so that everyone knows what should happen after a security incident. Your incident response team should include not only IT management, IT service desk workers, and other technical people, but also someone from PR and your organization's legal team. Make sure end users know how to report a suspected security incident even if the normal communication infrastructure is unavailable. Consider handing out cards with mobile numbers to call in this event.
Contain the Damage
This is where you choose and implement your containment strategy, whether that means shutting the system down, disconnecting it from the network, or leaving it running and monitoring activity closely. How far you go depends on the magnitude of the security incident. Don't rush the capture of forensic and incident response data, whether that is notes in a paper notebook, voice recordings, or an image of the disk taken after powering the machine off. Bear in mind that powering off destroys volatile evidence such as memory contents, running processes, and active network connections; if you need those, capture them before you pull the plug. This evidence will be important if legal action is taken against the attackers, and it is only as credible as your record of how and when it was collected.
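As an added example that is not part of the original article, the script below shows the evidence-integrity step that makes a disk image usable later: copy the source with `dd`, hash both source and image, and append a timestamped record to a custody log that can be re-checked at any time. It assumes a POSIX shell with GNU `dd` and `sha256sum`; the "device" it images is a constructed sample file so the demo runs offline, but `acquire_image` takes any readable path, such as a real block device.

```shell
#!/bin/sh
# Added example (not from the original page): forensic image acquisition with
# integrity hashes and a chain-of-custody log.
# Assumes POSIX sh plus dd and sha256sum (GNU coreutils or compatible).
set -eu

# acquire_image SRC DEST LOG
# Copies SRC to DEST with dd, hashes both, and appends one record to LOG.
# dd's own summary (records in/out, bytes copied) is captured in the log too.
# Returns 0 only when the source and image hashes match.
acquire_image() {
    src="$1"; dest="$2"; log="$3"
    printf '%s acquisition start source=%s image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest" >> "$log"
    dd if="$src" of="$dest" bs=1048576 2>> "$log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s source=%s image=%s sha256_src=%s sha256_img=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dest" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG LOG
# Recomputes the hash of IMG and compares it with the most recent hash
# recorded for that image in LOG. Returns 0 if unchanged, 1 if the image was
# altered after acquisition or was never logged.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F -- " image=$img sha256_src=" "$log" | tail -n 1 | sed 's/.*sha256_img=//')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Stand-alone demo with a constructed sample "device" (random bytes, not real
# evidence). A real acquisition would pass a block device such as /dev/sdb.
if [ "${ACQUIRE_DEMO:-1}" = "1" ]; then
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.dev" bs=4096 count=64 2>/dev/null
    acquire_image "$work/evidence.dev" "$work/evidence.img" "$work/custody.log" \
        && echo "image acquired and hashes match"
    verify_image "$work/evidence.img" "$work/custody.log" \
        && echo "image unchanged since acquisition"
    rm -rf "$work"
fi
```

Keep the custody log on separate, write-once media from the image itself, since a log that lives beside the evidence can be altered along with it. The demo uses a plain `dd` copy; on a failing disk you would add `conv=noerror` and accept that padded or skipped blocks will make the source and image hashes differ, which is exactly why the log records both.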
Eradicate the Problem
How you do this obviously depends on what the problem is. Maybe it's removing a virus, or maybe eradication is much more complicated. You should identify exactly how the attacker exploited the security vulnerability so you can develop measures to prevent a future attack. Eradication is not complete until every foothold the attacker established, such as added accounts, stolen credentials, or persistence mechanisms, has been removed; otherwise recovery simply hands the system back to them. While the IT team is dealing with eradication, PR, legal, and management may be dealing with employees and the public to reassure everyone that things are under control.
Recover and Learn
Eventually you'll re-image the system, restore a backup, or otherwise get your organization operating again. Restoration to service should be accompanied by closer monitoring at first, in case elements of the incident evaded detection the first time around. Once everything is back to normal, follow-up is important. This is where you document what happened, write down what you learned, and benefit from hindsight. What worked, and what didn't? Here you can fine-tune your security incident-handling policy and processes so you'll be prepared should another attack occur.
Your IT service desk and IT asset management software are integral to providing proper security for your IT infrastructure. Samanage helps you maintain robust security with detection tools and automatic alerts to compliance risks, so you can identify problems early. Samanage is powerful and flexible enough to be an essential part of your organization's security management and security incident response program, while providing outstanding help desk and other services that keep your organization's infrastructure running day in and day out.