In this type of scenario, reaction speed is vital because a compromise means that the company's entire information system is in danger. Moreover, when the compromise causes service to not function properly, a lengthy interruption can be synonymous with financial losses. Finally, in the case of a website being defaced (modification of pages), the company's entire reputation is at stake.

Reaction Phase

The reaction phase is generally the most overlooked phase in IT security projects. This phase consists in anticipating events and planning the measures to be taken in case of a problem.

In the case of an intrusion, for example, the systems administrator could react in one of the following ways:

• Obtain the hacker's address and counterattack
• Turn off the machine's electrical supply
• Remove the machine from the network
• Reinstall the system

The problem is that each one of these actions can be potentially more damaging (notably in terms of costs) than the intrusion itself. If the operation of the compromised machine is vital to the working order of the information system or in the case of an online sales website, a lengthy service interruption can be catastrophic.

Moreover, in this type of case it is important to establish proof in case there is a judicial enquiry. Otherwise, if the compromised machine was used as a rebound for another attack, the company runs the risk of being held responsible.

Implementing a disaster recovery plan can enable an organisation to keep the disaster from worsening and ensure that all the measures devised to establish proof are correctly applied.

In addition, a correctly developed disaster plan defines the responsabilities of every individual and avoids orders and counter orders, which waste precious time.

Restoring

Returning the compromised system to working order must be described in detail in the recovery plan and must take the following elements into account:

• Dating the intrusion: knowing the approximate date the machine was compromised allows the organisation to evaluate the level of intrusion risk for the rest of the network and the degree to which the machine was compromised
• Confining the compromise: taking the necessary measures so that the compromise does not spread
• Backup strategy: if the company has a backup strategy, it is recommended to verify the changes made to the compromised system's data against data that is supposed to be reliable. If the data are infected with a virus or a Trojan horse, restoring them may contribute to spreading the damage further
• Establishing proof: for legal reasons it is necessary to save the corrupted system's log files in order to be able to use them in a judicial enquiry
• Setting up a replacement site: instead of reinstating the compromised system, it is wiser to develop and activate when necessary a replacement site that allows service to continue

Practising the Disaster Plan

In the same way the fire drills are essential for verifying a fire escape plan, practising the disaster plan allows an organisation to confirm that the plan works and make sure that all players know what to do.

Last update on Thursday October 16, 2008 02:43:14 PM.This document entitled « Reaction to Security Incidents » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the licence, as this note appears clearly.