Posted on February 1, 2016 By admin
Both large corporations and small companies fall victim to cybercrime each year, but would you know how to deal with an incident? Doing what you think is the right thing, with the best of intentions, may in fact make things worse.
It’s useful to understand exactly what a security incident is.
A computer security incident is any unauthorised event that adversely affects the confidentiality, integrity, or availability of a computer system or network.
Normally these would involve some threat to or loss of sensitive information, or a breach of information policy. Examples might be theft of information, use of email for threats or harassment, or unauthorised access to restricted data. It could also involve extortion, such as ransomware, or a distributed denial of service (DDoS) attack that makes your systems unavailable.
So, what are the key things you should and shouldn’t do when faced with an incident?
If you’ve ever watched detective shows on TV, you’ll know that the first thing the police do is seal off the scene of a crime so as not to contaminate the evidence. The same principle applies to IT incidents – though perhaps with less plastic tape.
Leave the affected machine in the state you found it: if it’s on, don’t switch it off, and if it’s off, don’t switch it on. Powering off a running machine destroys what is in memory (running programs, open network connections and, on an encrypted disk, the keys needed to read it later), while booting a machine that was off writes to the disk and changes file timestamps. Don’t allow anyone to access it, but if it’s on, do disconnect it from any networks – pull out the Ethernet cable or turn off Wi-Fi – so that nothing more can be taken or remotely deleted. Note the exact time you did so, because disconnecting is itself a change to the machine’s state.
You also need to secure any related items, flash drives, backup CDs, etc. Make sure you have notes on who has been using the machine, get dates and times if possible, and details of any allegations. Do not tell more people than absolutely necessary that an investigation is under way.
The key thing is to act quickly: the longer you leave it, the more chance there is that evidence will be destroyed, whether by the attacker, by normal use of the machine or simply by logs being rotated and overwritten.
There are a number of things that you should avoid doing. Firstly, don’t have your IT department investigate the incident. This may sound odd, but unless they’re experienced in computer forensics they could do more harm than good: logging in to have a look around, running a virus scan or rebooting the machine all overwrite timestamps and other traces that an investigator would want.
Don’t do anything that could change the contents of the computer, or mobile device, in any way. Don’t plug in or unplug any external drives or other devices, and don’t attempt to make a backup in order to preserve data; copying files changes access times, and a forensic image should be taken by a specialist using tools that prevent writes to the original. If you’re in any doubt about how to handle things, consult a computer forensic specialist who is familiar with industry best practice.
Having secured the systems as above, do get in touch with your HR department. They’ll be able to advise on legal issues relating to employment. If you suspect a crime has been committed you should also contact the police.
Contact a computer forensics specialist in order to ensure that equipment is properly handled and evidence is preserved.
We all hope that we’ll never be faced with a major security incident, but there are some things you can do to ensure that you’re ready should the worst occur. Many of these are straightforward security precautions, such as ensuring that everyone has their own user account and that passwords are not shared, so that whatever is later found in the logs can be tied to an individual.
All networked systems should have logging and auditing tools enabled, and logs need to be copied to a secure location in case they’re needed. That location should be a separate system that ordinary users and the affected machine cannot write to, so that an attacker who compromises a machine cannot simply delete its history. Talking of backups, make sure you check what is actually being backed up, and test that it can be retrieved if required; a backup that has never been restored is only an assumption.
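As an added example (not code from the original post), the script below shows what “copy the logs somewhere safe and test that they can be retrieved” looks like in practice: it copies a directory of log files to a backup location, writes a manifest of SHA-256 hashes next to the copies, and then re-hashes the copies to prove they are intact. The log lines, directory names and the tampering step are all constructed for the demonstration.

```python
"""Archive log files with a SHA-256 manifest, then verify the copies.

Added example, not from the original post. The directory layout and the
log lines below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_logs(src_dir: Path, dest_dir: Path) -> dict:
    """Copy every file under src_dir into dest_dir and record its hash.

    The manifest (relative path -> SHA-256 of the copy) is written into
    dest_dir and also returned so the caller can store it somewhere the
    backup location itself cannot be used to rewrite it.
    """
    manifest = {}
    for path in sorted(src_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(src_dir)
        target = dest_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps the original mtime
        manifest[rel.as_posix()] = sha256_file(target)
    (dest_dir / MANIFEST_NAME).write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest_dir: Path) -> list:
    """Re-hash every file in the manifest; return a list of problems.

    An empty list means every file is present and byte-for-byte identical
    to what was archived, which is the "test that it can be retrieved"
    check the post asks for.
    """
    manifest = json.loads((dest_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        path = dest_dir / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"modified: {rel}")
    return problems


def run_demo() -> tuple:
    """Archive constructed logs, verify, tamper with a copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest = root / "var_log", root / "backup"
        src.mkdir()
        (src / "app").mkdir()
        # Constructed sample log lines, not taken from any real system.
        (src / "auth.log").write_text(
            "Feb  1 09:12:01 host sshd[812]: Accepted password for alice "
            "from 10.0.0.5 port 51022 ssh2\n"
            "Feb  1 09:15:44 host sshd[840]: Failed password for invalid "
            "user admin from 203.0.113.7 port 4402 ssh2\n")
        (src / "app" / "access.log").write_text(
            '10.0.0.5 - alice [01/Feb/2016:09:13:10 +0000] '
            '"GET /reports HTTP/1.1" 200 5120\n')

        archive_logs(src, dest)
        clean = verify_backup(dest)           # expected: no problems

        # Simulate someone editing the stored copy to remove the line that
        # records the successful login. The manifest exposes the change.
        (dest / "auth.log").write_text(
            "Feb  1 09:15:44 host sshd[840]: Failed password for invalid "
            "user admin from 203.0.113.7 port 4402 ssh2\n")
        tampered = verify_backup(dest)        # expected: ["modified: auth.log"]
        return clean, tampered


if __name__ == "__main__":
    print(run_demo())
```

The manifest only proves something if it lives somewhere the attacker cannot reach: keep a copy of it (or a signed copy) away from the backup location, otherwise whoever can edit the logs can rewrite the hashes to match. Run `verify_backup` on a schedule and treat any non-empty result as an incident in its own right.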
Draw up an acceptable use policy and make sure that all staff have a copy. This should be issued to new starters as part of their induction process.
Security incidents can have severe consequences. But by being prepared and following best practices when an issue does occur you can ensure that it’s dealt with effectively and that the effects are minimised.