Your Network is Under Attack. How Do You Respond to the Threat?
Incident response handling procedures are crucial, and they will remain necessary as long as there are viruses and worms, hackers, crackers, phishers, disgruntled employees and script kiddies.
An incident can be defined as any irregular or adverse event that occurs on any part of your bank's network or network appliances. Examples of security incidents include:
- The discovery of a virus that has infected your system(s),
- Activity log alerts showing that someone who is not authorized is trying to log into, or has already logged into, your network systems,
- An unknown process running on your system and consuming a great deal of processor time,
- Your intrusion detection or intrusion prevention system alerting you that someone is trying to penetrate the system remotely.
The steps involved in handling a security incident fall into five parts: protection of the system(s) affected by the incident; identification of the problem; containment of the problem to the system(s) already affected; eradication of the problem from the affected systems; and recovery from the incident, which includes contacting the appropriate agencies and performing a follow-up analysis.
Maintaining a log is very important. Logging of information is critical in situations that may eventually involve state and/or federal authorities and the possibility of a criminal trial. The implications of a security incident are not always known at the beginning of, or even during, the course of the incident. Therefore, a written log should be kept for every security incident under investigation. The information should be logged to a secured location that cannot be modified by other people. Manual logs are preferable since on-line logs can be altered or deleted. The information that should be logged includes: the date(s) and time(s) of the incident and when the incident-related events occurred or were discovered, the amount of time spent working on incident-related tasks, the people you have contacted or spoken to, and the names of the systems, programs, appliances or networks that were affected.
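Where an on-line log is kept alongside the written one, alterations can at least be made detectable. The following is an added example, not part of the original article: each entry carries the fields listed above and is chained to the previous entry by a SHA-256 hash, so a later change to any recorded value breaks the chain. The field names and the sample incident values are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

# Field names are assumptions chosen to cover the items the article lists:
# when events occurred or were discovered, time spent, people contacted, assets affected.
@dataclass
class IncidentEntry:
    incident_id: str
    event_time: str             # when the incident-related event occurred (UTC, ISO 8601)
    discovered_time: str        # when the handler discovered it
    minutes_spent: int          # time spent on incident-related tasks
    contacts: List[str]         # people contacted or spoken to
    affected_assets: List[str]  # systems, programs, appliances or networks affected
    note: str
    prev_hash: str = ""         # hash of the previous entry; "" for the first entry
    entry_hash: str = ""        # hash of this entry, filled in by append_entry

def _digest(entry: IncidentEntry) -> str:
    """SHA-256 over every field except entry_hash itself, in canonical JSON form."""
    body = asdict(entry)
    body.pop("entry_hash")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log: List[IncidentEntry], entry: IncidentEntry) -> IncidentEntry:
    """Chain the new entry to the last one in the log and record its own hash."""
    entry.prev_hash = log[-1].entry_hash if log else ""
    entry.entry_hash = _digest(entry)
    log.append(entry)
    return entry

def verify_log(log: List[IncidentEntry]) -> Optional[int]:
    """Return the index of the first entry whose chain is broken, or None if intact."""
    expected_prev = ""
    for i, entry in enumerate(log):
        if entry.prev_hash != expected_prev or _digest(entry) != entry.entry_hash:
            return i
        expected_prev = entry.entry_hash
    return None

def demo() -> bool:
    """Build a two-entry log from constructed values, tamper with it, and detect the change."""
    log: List[IncidentEntry] = []
    append_entry(log, IncidentEntry("INC-0001", "2024-03-01T09:12:00Z", "2024-03-01T09:40:00Z", 25,
                                    ["on-call administrator"], ["teller-ws-17"],
                                    "Unknown process consuming high CPU; AV alert raised"))
    append_entry(log, IncidentEntry("INC-0001", "2024-03-01T09:40:00Z", "2024-03-01T10:05:00Z", 60,
                                    ["network team lead"], ["teller-ws-17", "branch-vlan-3"],
                                    "Host isolated from branch VLAN"))
    intact_before = verify_log(log) is None
    log[0].minutes_spent = 5  # a value altered after the fact
    return intact_before and verify_log(log) == 0
```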
After the incident has been completely addressed and all affected systems have been recovered to a normal state of operation, a follow-up analysis should be completed. The follow-up analysis is one of the most important stages of handling a security incident. All involved parties should meet to discuss the actions that were taken and share the lessons learned from the incident. All response procedures should be evaluated and, if necessary, modified based on the results. Finally, an incident report should be written by someone designated by your bank and distributed to all appropriate personnel and, if warranted, to the Board of Directors.