Responding to and recovering from a Cyber-attack
Hackers recently grabbed gigabytes of data from JP Morgan and other US banks. They are slipping in through phishing emails and other means, and their tools are so efficient and cheap that they can afford to attack anyone and everyone around the clock. Every organisation with an Internet connection is a potential victim. Even the smallest businesses now have to worry about network security and protection. Cyber-attacks have become inevitable.
Cyber security involves protecting the IT infrastructure by preventing, detecting and responding to cyber incidents. Such incidents include viruses erasing entire systems, intruders breaking into systems and altering files, attackers using your computer or device to attack others, and theft of confidential information. The spectrum of cyber-risks is limitless.
Hence, organisations have to prepare for the inevitable attack. This is no longer an “if” but a “when and how bad”. So, organisations have to be ready to respond and minimise the impact of any cyber-incident. As a first step, the business and technology teams have to manage their vulnerabilities and understand the risk profile of the organisation. The threat landscape is diverse and growing. Organisations should zero in on the probability and impact of specific threats, focusing their energy and attention on developing a way to minimise the impact of those threats, or reduce them to an acceptable level, by building tools and implementing technology that protect against that level of risk.
Next, the business should engage in a conversation around incident response, business continuity and disaster recovery, one that assumes a threat will materialise, and develop a cyber-incident response plan. The response plan identifies cyber-attack scenarios and appropriate responses, and includes basic components such as response team members, reporting, initial response, investigation, recovery and follow-up processes, public relations plans and law enforcement notification. The idea is to have a prescribed plan to recover from an incident and conduct business as usual.
The response team shall be responsible for developing the written cyber-incident response plan. They will also investigate and respond to cyber-attacks in accordance with the plan. The cyber-incident response plan identifies and classifies cyber-attack scenarios, determines the tools and technology to be used to detect and prevent attacks, secures the organisation’s computer network and sets up a checklist for handling initial investigations of cyber-attacks.
The cyber-incident response plan must also address the procedures to follow on discovery and reporting of cyber-attack incidents, including designating response team members to monitor industry practices to ensure that the organisation’s information systems are appropriately updated and that the latest software security patches are installed, allowing for early discovery of attacks. It must also make provisions to continuously monitor the organisation’s computer logs to discover any incidents, set up a database to track all reported incidents, and create a risk rating that classifies every reported incident as low, medium or high risk, so as to facilitate an appropriate response.
If a potential attack is reported, the designated response team member should conduct a preliminary investigation to determine whether a cyber-attack has occurred. If a cyber-attack has occurred, the response team should follow the investigation checklist set out in the cyber-incident response plan to conduct the initial investigation. The initial response varies depending on the type of attack and level of seriousness. However, the response team should aim to stop the cyber intrusions from spreading further into the organisation’s computer systems and document the investigation.
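As an added illustration (not from the article), a small Python sketch of the pieces the plan calls for: scanning log lines for candidate incidents, recording them in a tracking database, and assigning a low/medium/high rating from likelihood and impact so that the response team knows which reports need a preliminary investigation. The log format, hosts, addresses, thresholds and the 1-3 likelihood/impact scale are all assumptions.

```python
import re
import sqlite3
from collections import Counter

# Constructed auth/mail log lines (placeholder hosts and addresses).
SAMPLE_LOGS = [
    "Mar 01 10:00:01 srv1 sshd: Failed password for admin from 198.51.100.7",
    "Mar 01 10:00:03 srv1 sshd: Failed password for admin from 198.51.100.7",
    "Mar 01 10:00:05 srv1 sshd: Failed password for root from 198.51.100.7",
    "Mar 01 10:00:09 srv1 sshd: Accepted password for root from 198.51.100.7",
    "Mar 01 10:02:00 mail1 mta: Quarantined phishing attachment from user@example.net",
    "Mar 01 10:05:00 srv2 sshd: Failed password for bob from 203.0.113.5",
]
FAILED = re.compile(r"Failed password for \S+ from (\S+)")
ACCEPTED = re.compile(r"Accepted password for \S+ from (\S+)")

def risk_rating(likelihood: int, impact: int) -> str:
    """Classify on an assumed 1-3 likelihood x 1-3 impact matrix."""
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def detect_incidents(lines, threshold=3):
    """Scan log lines and return (category, source, rating) tuples.
    Repeated failures from one source are reported once; a success after
    those failures is rated high; a quarantined phishing mail is low."""
    failures = Counter()
    incidents = []
    for line in lines:
        host = line.split()[3]
        if m := FAILED.search(line):
            failures[m.group(1)] += 1
            if failures[m.group(1)] == threshold:
                incidents.append(("repeated auth failures", m.group(1), risk_rating(2, 2)))
        elif (m := ACCEPTED.search(line)) and failures[m.group(1)] >= threshold:
            incidents.append(("login after repeated failures", m.group(1), risk_rating(3, 3)))
        elif "Quarantined phishing" in line:
            incidents.append(("phishing attachment quarantined", host, risk_rating(2, 1)))
    return incidents

def track(incidents, conn=None):
    """Record incidents in the tracking database and return those rated
    medium or high, i.e. the ones that need a preliminary investigation."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS incidents(id INTEGER PRIMARY KEY,"
                 " category TEXT, source TEXT, rating TEXT, status TEXT DEFAULT 'reported')")
    conn.executemany("INSERT INTO incidents(category, source, rating) VALUES (?, ?, ?)", incidents)
    conn.commit()
    return conn.execute("SELECT category, source, rating FROM incidents"
                        " WHERE rating IN ('medium', 'high') ORDER BY id").fetchall()
```

Running `track(detect_incidents(SAMPLE_LOGS))` on the constructed lines records three incidents and returns the two rated medium or high.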
Following the initial response assessment, the organisation may decide to undertake a formal internal investigation, depending on the level of intrusion and its impact on critical business functions. An internal investigation allows the organisation to gain a fuller understanding of the computer intrusion, increase its chances of identifying the attacker, detect previously unknown security vulnerabilities and identify required improvements to computer systems. If the organisation’s response team or IT department lacks the capacity or expertise to conduct an internal investigation, the organisation may retain legal counsel and a cyber security consultant.
Ultimately, companies that prepare for cyber security attacks have a better chance of avoiding business disruption. Companies that are unprepared are more likely to fail at the response, take more time and experience more disruption.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He can be emailed at sujit@layers-7.com.)