Walk Through On Step by Step Action Plan On Incident Handling
Every day, organization across the world suffer-attacks, frequently resulting in the substantial brand damage as well as financial penalties. Even one security incident is enough for the customer to lose trust on an organization and shift their business elsewhere. An immediate response when a breach occurs is incredible to reduce the destruction and loss. Hence, it is important for the organization to have a process plan to deal with the misuse of networks and system, thereby they can immediately aware what to do in case an incident occurs.
What Are Security Incident And Incident Handling?
A security incident is an intrusion to an event finding a violation of security policies, standard security practices or acceptable user policies. Incident handling is a term that denotes the response by an organization or person when a violation or intrusion is suspected. A careful and organized reaction to a security incident can touch the difference between total disaster and complete recovery.
Every organization has its own method for determining, defining as well as responding to the destructions of its security standards and policies. Here we listed some of the fundamental incident handling processes
Six Basic Incident Handling Process:
Broadly, addressing the security issues includes the procedures to prevent the attack and how to respond effectively to the successful attack. Some range of preparation is required to reduce the potential damage results from an attack. Preparation for the incident can be done in two ways:
1.By having comprehensive and clear security policies and the hardware as well as software resources to enforce them.
2.By having an evidently defined plan for responding to incidents and a trained team, which can implement the plan.
At the time of successful incident, a rushed decision-making might not be operative. On the other hand, by establishing procedures, policies as well as agreements, in advance, we can reduce the incident counts.
The active plan for the preparation process includes:
- Apply proactive techniques to avoid incidents
- Mature Management Provision for an incident handling competency
- Form and organize the skilled incident handling team
- Establish an alternative communication plan
- Offer Easy reporting facilities
- Arrange training for the incident handling team
- Build guiding principle of inter-departmental cooperation
- Pay specific concentration to associations with system administrators
- Establish interfaces to law implementation agencies & another incident response team
It is not possible to respond to an attack or incident unless it is detected. The process of incident handling should pay attention to the sorts of security associated events, and mechanisms in both hardware and software. It is also essential to concentrate where it is possible to detect the destructions of the security policies. In case the network comprises segments, which are not passive or even actively monitored, then it is essential to note that down.
The identification process includes the action of identifying whether an incident has occurred or not and in case one has happened, finding the nature of that incident. Usually, identification starts after noticing an anomaly in the network or system. This phase also covers informing as well as soliciting support from experts who can able to handle and resolve the issue.
The activity plans covered in this process are:
- Allocate a skilled person to be in charge of the incident
- Determine whether the event is an incident or not (keep in mind that all the events are not the incidents.)
- Keen to keep a verifiable chain of problem
- Co-ordinate with the person who offer network services
- Notify appropriate officials
Once an incident has been determined, proper actions must be started to reduce the influence of the attack. Containment involves the administrators or user to take actions to prevent remaining network and systems from the incident and limit damage. The main goal of this process is to prevent the attack from getting worse.
The activity plans in this process include:
- Engage team to survey the situation
- Maintain a low profile
- If possible, avoid potentially compromised code
- Back up the system
- Identify the danger of continuing operations
- Continue to discuss with system owners
- Change passwords
The eradication process involves in eliminating or mitigating the factors which resulted in the compromise of security. System security compromise can be distressing for the system owner and organisation. In case the incident handling team doesn’t adequately eradicate the issues of a successful incident, and in case another compromise takes place, then the management legally question the capability of the incident handling team.
The activity plans involved in this process are:
- Determine source and symptoms of the incident
- Enhance defenses
- Perform vulnerability analysis
- Remove the source of the incident
- Locate the recent clean backup
The goal of the recovery phase is to fetch affected components back into the production atmosphere carefully, to ensure that it won’t lead another incident. Proper test, monitoring and validation of systems are incredible to put it back into production in order to verify that they’re not being infected again by malware or by some other ways.
The important decision to implement at this phase are:
- Time & data to restore the operations
- How to test & verify that the infected systems are clean as well as fully functional
- The duration of intensive care to perceive for abnormal behaviours
- The tools to monitor, test & validate system behavior
6. Lessons Learned
The main goal of this phase is to learn a lesson from the incident. That lesson will support to perform better action in the future. Executing follow-up activity is one among the most appreciated activities in the incident handling. Organization, which follow up after the issue have been controlled can enhance their incident handling ability. The follow up action also supports to accuse those who have cracked the law.
A plan for incident handling is something that the organization must have in place. Follow the above step-by-step action plan to proactively defend your business against highly dangerous cyber-attacks, now and in upcoming years.