The upsurge of internet attacks over the recent past has caused several small internet companies a great deal of disruption. Besides the downtime that results, these companies also lose out financially and through reduced employee productivity. It is therefore prudent for these companies to develop an incident response policy that entails the development of an incident response team, disaster recovery processes and a business continuity plan as a means of curbing future malware attacks.
Computer Security Incident Response Team
Most small companies respond to security incidents only after they have happened, by which time numerous costs have often already been incurred. Responding to an incident ought to be an integral part of a company’s security policy and risk reduction strategy; this has both direct and indirect financial benefits. Successfully responding to an incident has prerequisites, among which are the assembling of a core Computer Security Incident Response Team (CSIRT), the definition of an incident response plan for disaster recovery and the development of a business continuity plan. A good information security policy should therefore be succinct, understandable, practicable, cooperative and dynamic.
The development of a CSIRT is necessary for the reduction of future security incidents. The team is a group of individuals who deal with security incidents. It consists of the team leader, who is in charge of activities, coordinates the team’s activities and may change policies and procedures for dealing with future incidents. The incident lead coordinates the response to a particular incident and is the spokesperson of the CSIRT concerning that incident; the incident lead should not be the team leader. The associate members are other individuals from different departments within the firm to whom duties can be delegated as deemed appropriate. The team members should have clearly defined roles, should be trained on the proper use and location of vital security utilities, and should be provided with portable computers pre-fitted with those utilities to enable prompt response to security issues. The team should assemble relevant contact information for people within the firm who must be notified, for instance legal contacts, law enforcement agencies’ contacts and internet service providers. All emergency system data should be kept at a central office site; this includes passwords to systems, internet protocol addresses, certification authority keys and the firewall rule set list, among others. The data should be encrypted on a secured portable computer kept in an access-limited vault.
The disaster recovery process aims at containing damage, minimizing disruption of computing resources and protecting human life, classified and sensitive data, hardware and software, and other data such as proprietary, scientific and managerial data. The compromised system should be taken off the network to reduce the risk of further damage, the access points used by the attacker should be identified and measures implemented to prevent future access, and the rebuilding of a fresh system with new hard disks should be considered. The recovery of systems depends on the extent of the security breach: there may be a need to restore the existing system while leaving as much as possible intact, or to rebuild the system completely. The duration of an incident can be determined using file system integrity software and intrusion detection systems, since attackers may corrupt data for long periods before discovery. Data backups help in restoring lost data, provided they were made before the incident occurred.
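As an added illustration of the file system integrity check mentioned above (example code written for this page, not taken from it), the following script records a SHA-256 baseline of a directory tree and later compares the tree against it, reporting added, removed and modified files together with the earliest modification time among the changed files, which helps bound how far back the incident may extend. The `demo()` function constructs a throwaway sample directory so the example runs offline; the file names in it are constructed, not real artefacts.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record hash, size and mtime for every regular file under root (paths relative to root)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): {"sha256": hash_file(p), "size": p.stat().st_size, "mtime": p.stat().st_mtime}
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def save_baseline(baseline, out_path):
    """Persist the baseline; in practice it must be stored off the monitored host (read-only media or the vault)."""
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))

def compare(baseline, root):
    """Diff the current tree against a saved baseline and return the changes."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            report["modified"].append(rel)
    # Earliest mtime among changed files gives a lower bound on when tampering began,
    # assuming the attacker did not forge timestamps; corroborate with IDS logs.
    changed = report["added"] + report["modified"]
    report["earliest_change"] = min((current[r]["mtime"] for r in changed), default=None)
    return report

def demo():
    """Constructed scenario: baseline three files, then modify one, delete one and add one."""
    root = Path(tempfile.mkdtemp())
    for name, text in [("config.txt", "port=443"), ("index.html", "<h1>ok</h1>"), ("notes.txt", "todo")]:
        (root / name).write_text(text)
    baseline = build_baseline(root)
    save_baseline(baseline, root.parent / "baseline.json")
    (root / "index.html").write_text("<h1>changed</h1>")  # tampered content
    os.remove(root / "notes.txt")                          # deleted file
    (root / "unexpected.txt").write_text("new")            # file not in baseline
    return compare(baseline, root)
```

Running `demo()` returns a report listing `index.html` as modified, `notes.txt` as removed and `unexpected.txt` as added.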
Business continuity planning requires a firm to compile and organize incident documentation in which a thorough description of the security breach and details of the action taken are recorded; the documentation is then organized chronologically, checked for completeness, signed, and reviewed by management and legal representatives. The firm also assesses incident damage and cost as part of business continuity planning. Both the direct and indirect costs of the incident are considered: costs due to loss of competitive edge from the release of proprietary or sensitive data, legal costs, labour costs to analyze breaches, reinstall software and recover data, costs relating to system downtime, the cost of repairing and updating ineffective and inefficient security measures, and the loss of reputation and customer trust. Finally, in business continuity planning, the firm has to review the response and update its policies; during this review the response process is examined and the steps successfully executed and the mistakes made are determined. The firm should then make any modifications necessary to improve the whole process.
In summary, firms develop incident response plans and implement them to prevent attacks and therefore reduce downtime. The incident response policy is an ideal tool for curbing cybercrime and should be embraced by internet agencies. This goes a long way in improving the quality of service to clients, which translates into benefits in both finances and employee productivity.