Gem Infosys is a small software company. Like many companies, it relies on computers more than ever. When a company's network is attacked, it affects the CIA triad (Confidentiality, Integrity, Availability). Because computer attacks are common today, it is vital to develop an incident response plan. I am going to explain some steps to take as part of an incident response plan.
Limiting Security Incidents
- Routinely assess vulnerabilities; this should be done by a security specialist.
- Apply security patches to computers and network devices as early as possible.
- Supply training courses for professionals and users. This is important because inexperienced users are the largest security vulnerability; the ILOVEYOU worm, for example, exploited exactly that weakness in users.
- Post security banners reminding users of their responsibilities and restrictions.
- Require all users to choose a strong password, and periodically require them to change it for extra security.
- Monitor and analyze network traffic and system performance daily.
- Make sure backup and restore procedures are in place, and define who can access those files.
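The password rule above (strong passwords, changed periodically) is easy to state and easy to get wrong in practice, so here is a small policy checker as an added example; it is not part of the original report or of any Gem Infosys system. The minimum length, the 90-day rotation interval and the short list of common passwords are assumptions chosen for illustration, and the account dates are constructed.

```python
import re
from datetime import date, timedelta

# Constructed list of weak passwords the policy rejects; a real deployment would
# check against a full breached-password list instead of this placeholder.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}

MIN_LENGTH = 12     # assumed minimum length
MAX_AGE_DAYS = 90   # assumed rotation interval


def password_problems(password: str) -> list:
    """Return the policy rules a candidate password violates (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats the same character three or more times")
    return problems


def is_strong(password: str) -> bool:
    """A password is acceptable only when it violates none of the rules."""
    return not password_problems(password)


def rotation_due(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when a password last changed on an ISO date is older than the rotation interval."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today)
    return now - changed > timedelta(days=max_age_days)


def audit_accounts(last_changed_by_user: dict, today: str) -> list:
    """Return the users whose password is overdue for a change, sorted by name."""
    return sorted(u for u, d in last_changed_by_user.items() if rotation_due(d, today))


if __name__ == "__main__":
    # Constructed accounts with the date each user last changed their password.
    accounts = {"alice": "2024-01-01", "bob": "2024-05-15"}
    print("overdue:", audit_accounts(accounts, "2024-06-01"))
    for candidate in ("password1", "Correct-Horse7Battery"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The rules are deliberately explicit so that the reasons for a rejection can be shown to the user in the security banner or training material the report recommends.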
The Incident Response Team
The incident response team is a group of people, each with their own responsibilities, who deal with security incidents. These responsibilities include monitoring systems for attacks and documenting security incidents. The team spreads security awareness throughout the company, which helps prevent future problems. The team keeps learning about new vulnerabilities and attack strategies, researches new software security patches, and analyzes and develops new technologies for limiting security risks.
Incident Response Plan
Everyone in the company should be aware of what to do when an attack does occur. The incident response team is responsible for most of the work, but it's important for users to report any suspicious activity to the team. For a plan to be successful it should include:
- Making an assessment and communicating the incident.
- Controlling the damage and limiting the risk.
- Finding the type and level of the security attack.
- Protecting the evidence and notifying agencies.
- Compiling and organizing the security incident documents.
- Figuring out the damages, including the cost of the security attack.
- Reviewing the attack and updating policies if necessary.
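To make the first few plan steps concrete (daily monitoring from the earlier section, then assessing the incident, finding its type and level, and protecting the evidence), here is an added example that is not part of the original report: it runs a simple failed-login check over a constructed set of log lines and turns any hit into an incident record in the plan's own fields. The syslog-style line format, the five-failure threshold and the IP addresses (from documentation ranges) are all assumptions made for the illustration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample of authentication log lines in an assumed syslog-like format.
SAMPLE_LOG = """\
Mar 10 09:01:12 fileserver sshd[2201]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:01:15 fileserver sshd[2203]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 10 09:01:19 fileserver sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 09:01:22 fileserver sshd[2207]: Failed password for admin from 203.0.113.7 port 50128 ssh2
Mar 10 09:01:26 fileserver sshd[2209]: Failed password for admin from 203.0.113.7 port 50130 ssh2
Mar 10 09:01:30 fileserver sshd[2211]: Accepted password for admin from 203.0.113.7 port 50132 ssh2
Mar 10 09:05:44 fileserver sshd[2250]: Failed password for jsmith from 198.51.100.20 port 41000 ssh2
Mar 10 09:06:01 fileserver sshd[2252]: Accepted password for jsmith from 198.51.100.20 port 41002 ssh2
"""

FAILED = re.compile(r"Failed password for (\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")
THRESHOLD = 5  # assumed: five or more failures from one address is worth an incident record


def analyze(log_text: str) -> dict:
    """Count failed logins per source address and note which sources later logged in successfully."""
    failures = Counter()
    success_after_failures = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] > 0:
            success_after_failures.add(m.group(2))
    return {"failures": dict(failures), "success_after_failures": sorted(success_after_failures)}


def severity(src: str, stats: dict) -> str:
    """Assign the level the plan asks for: repeated failures alone are a suspected brute-force
    attempt; repeated failures followed by a success are treated as a possible compromise."""
    count = stats["failures"].get(src, 0)
    if count < THRESHOLD:
        return "low"
    if src in stats["success_after_failures"]:
        return "high"
    return "medium"


def evidence_hash(log_text: str) -> str:
    """SHA-256 of the raw log, recorded so the preserved copy can later be shown to be unaltered."""
    return hashlib.sha256(log_text.encode()).hexdigest()


def build_incident_records(log_text: str, host: str, detected_at: str) -> list:
    """Produce one record per source address over the threshold, using the plan's fields."""
    stats = analyze(log_text)
    records = []
    for src, count in stats["failures"].items():
        if count < THRESHOLD:
            continue
        records.append({
            "host": host,
            "source": src,
            "failed_logins": count,
            "type": "authentication brute force",
            "level": severity(src, stats),
            "detected_at": detected_at,
            "evidence_sha256": evidence_hash(log_text),
            "next_step": "notify the incident response team and preserve the original log",
        })
    return records


if __name__ == "__main__":
    for record in build_incident_records(SAMPLE_LOG, "fileserver", "2024-03-10T09:30:00"):
        for key, value in record.items():
            print(f"{key}: {value}")
```

Note that the single failure from the second address never becomes a record: a user mistyping a password once is normal, and a plan that reports every such event buries the team in noise. The evidence hash is computed over the log text exactly as received, before anyone edits or rotates it.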
Containing the damage and limiting the risks
Reacting quickly to a security incident is important to keep a small incident from turning into a bigger one, and it prevents avoidable damage from accumulating. I recommend the following steps for containing the damage:
- “Protect human life and people’s safety. This should, of course, always be your first priority.
- Protect classified and sensitive data. As part of your planning for incident response, you should clearly define which data is classified and which is sensitive. This will enable you to prioritize your responses in protecting the data.
- Protect other data, including proprietary, scientific, and managerial data. Other data in your environment might still be of great value. You should act to protect the most valuable data first before moving on to other, less useful, data.
- Protect hardware and software against attack. This includes protecting against loss or alteration of system files and physical damage to hardware. Damage to systems can result in costly downtime.
- Minimize disruption of computing resources (including processes). Although uptime is very important in most environments, keeping systems up during an attack might result in greater problems later on. For this reason, minimizing disruption of computing resources should generally be a relatively low priority.”
Keep the problem within the incident response team; this helps in case it's an inside attack, because an attacker who knows the incident has been detected can cause more damage. Determining the access points the attacker used will prevent future attacks from happening. This can include shutting off the modem, adding access control entries to a router/firewall, or increasing physical security measures. Future decisions may include setting up a new system with new hard disks, while keeping the old ones as evidence that may be used later.
I believe the steps I went over are important to preventing future attacks. Gem Infosys is aware of the importance of computer security, and the damage to computer systems can be huge if the company is not prepared. In the future many different types of plans will develop, and I will be ready to implement them as they come.