Responding to a Cyber Security Incident

By Maydeen Bartholomew-Tangaro on March 12, 2019

What is a Cyber Security Incident?

A Cyber Security Incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Events happen all the time in a network. It is the adverse events, the ones that violate the policies and standards created to protect a network, that qualify as a Cyber Security Incident.

Examples include:

    • A user is tricked into opening an email attachment that contains malware; the malware opens a connection to an external source.
    • An attacker exfiltrates sensitive data and blackmails the organization, demanding money for the information or publicly publishing the sensitive data.

Before the Incident

Preparation is key to ensuring an efficient and effective incident response. Before an adverse event takes place, you should already have in place:

    • Policies and plans
    • Procedures for incident handling and reporting
    • Incident Response (IR) team and leader/liaison
    • Stakeholder contacts (management, CEO, police, PR department, legal)
    • Tools (incident database, forensics OS, sniffers, etc.)

Handling an Incident

The following flowchart depicts a possible implementation of the process of handling an incident. The flow will vary depending on the organization. In any organization, keeping thorough documentation of the incident throughout its lifecycle is essential.

Identifying the Incident

This model will work for medium- to large-sized organizations.

Figure 1: Identifying Incident (flowchart for identifying a threat)

IR Team Responses

The IR team meets to discuss the validity of the threat. Using the information gathered by IT and further analyzing the event, the IR team will decide how to proceed. Some questions the IR team may answer are:

    • Is it a real or perceived threat?
    • Is it ongoing?
    • What is the impact to the business? (functionally and in terms of information)
    • What type of attack is it?
    • Is an urgent response needed?

Figure 2: IR Team Response (flowchart)

Conclusion

No matter how secure you think your network is, there is always a way an attacker can infiltrate your system. Being proactive and not reactive is the best way to ensure the confidentiality, integrity, and availability of your system.


Resources:

    • IT Incident Response Plan; retrieved from iltanet.org
    • Computer Security Incident Handling Guide; retrieved from nvlpubs.nist.gov
    • New York State Information Technology Standard; retrieved from its.ny.gov