Security Incident Response  
       
 
A security incident is an attempt, usually deliberate, to gain unauthorised access to a company’s systems or data in order to steal or alter information, disrupt a service, or change the system’s behaviour without the owner’s knowledge.

Security incidents come in many forms; the most damaging include:

Malicious code
  Viruses, worms, Trojan horses, logic (“time”) bombs and other unwanted programs.

Intrusions or break-ins
  An outside intruder may bypass the system’s authentication, or a registered user may abuse or escalate limited privileges to carry out unauthorised activity.

Insider attack
  Industrial or commercial espionage by employees, contract workers or others with access to the company’s premises or systems.
 
     
  Effects of an Attack
  Once a company’s computer security is compromised, the result can be:

Congested networks or system crashes (loss of availability).
Altered or lost data and programs (loss of integrity).
Exposure of protected or classified data to unauthorised users (loss of confidentiality).
 
     
  Response To Security Incidents  
 
The SCAN Response is two-fold. First, it promotes proactive contingency planning to tighten a company’s ICT security before incidents occur. Second, it applies five stages of response to minimise damage and ensure continuity of operations when an incident does take place. These stages are:
 
   
 
   
1. Identification
  Identification means determining exactly what has happened. Using detection software (such as intrusion detection and antivirus tools) and audit information (system and network logs), SCAN’s team establishes the source, nature and extent of the attack: which systems and accounts are affected, how the intruder got in, and when.

2. Containment
  Containment limits the extent of the attack. This may mean isolating the affected systems from the network, or shutting them down temporarily if they are classified or sensitive data is at risk. The alternative is to keep the system up, accepting some limited damage, in order to observe and identify the intruder; this should be a deliberate, documented decision, and in either case logs and disk images should be preserved before anything is changed.

3. Eradication
  Once the incident is contained, its cause is removed: the malicious code, and any back doors, added accounts or altered files the intruder left behind. Specialised software exists for such procedures. All backups to be used for recovery must be verified clean; systems are sometimes reinfected with a virus simply because it was never removed from the backups they are restored from.

4. Recovery
  After eradication comes recovery: returning the system to normal operation, from verified-clean backups or a rebuild. If the attack was network-based, the operating system vulnerabilities exploited during the attack must be patched before the system is returned to service; otherwise the intruder can re-enter the same way.

5. Security Impact Analysis
  This follow-up stage is the most crucial and the most often neglected. It is a post-mortem analysis that is valuable because:
  • it produces a set of ‘lessons learnt’ for reference in similar situations in future;
  • it justifies the security measures and effort to management;
  • it yields information, including a formal chronology of events, that may be essential in legal proceedings.

The report also estimates, in monetary terms, the damage caused by the incident: lost software and data, hardware damage, manpower costs and the other costs of restoring altered files, reconfiguring affected systems and so on.
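The five stages above as one worked example, added here and not part of SCAN’s page or its tools: a small Python script walks a constructed, simplified syslog-style SSH authentication log through identification (a source that fails repeatedly against one account and then succeeds), containment scope (every host the compromised account reached afterwards), eradication (backups that still contain a known-bad file hash and would reinfect the system on restore), and impact analysis (a formal chronology plus a monetary estimate). Host names, addresses, hashes, the failure threshold and the cost figures are all assumptions; recovery, which is patching and rebuilding, is not modelled.

```python
"""Incident-response walk-through for the five stages described above.
Added example: every log line, host, address, hash and cost figure below is
constructed for illustration and is not real incident data."""
import re
from collections import Counter
from datetime import datetime

# Constructed, simplified syslog-style sshd lines (hypothetical hosts/addresses).
SAMPLE_AUTH_LOG = """\
2024-03-04T02:10:01 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-04T02:10:03 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-04T02:10:05 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-04T02:10:07 web01 sshd: Failed password for admin from 203.0.113.5
2024-03-04T02:10:09 web01 sshd: Accepted password for admin from 203.0.113.5
2024-03-04T02:32:10 db01 sshd: Accepted publickey for admin from 10.0.0.21
2024-03-04T03:05:22 web01 sshd: Accepted publickey for alice from 10.0.0.7
"""

# Constructed backup inventories (name -> file hashes held) and a constructed
# indicator of compromise (hash -> file name); the hash strings are placeholders.
BACKUPS = {
    "web01-2024-03-03": {"sha256:base-os", "sha256:webapp-v1"},
    "web01-2024-03-04": {"sha256:base-os", "sha256:webapp-v1", "sha256:ioc-dropper"},
    "db01-2024-03-04": {"sha256:base-os", "sha256:dbserver"},
}
IOC_HASHES = {"sha256:ioc-dropper": "dropper.bin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_auth_log(text):
    """Turn raw auth lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def identify(events, threshold=3):
    """Stage 1 (identification): a successful login from a source that has just
    failed `threshold` or more times against the same host and account is
    treated as a guessed password. Returns (time, host, user, src) or None."""
    failures = Counter()
    for ev in events:
        key = (ev["host"], ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            return ev["ts"], ev["host"], ev["user"], ev["src"]
        else:
            failures[key] = 0  # a normal success resets the failure streak
    return None

def containment_scope(events, compromise):
    """Stage 2 (containment): every host the compromised account reached at or
    after the compromise is in scope for isolation (possible lateral movement)."""
    t0, host, user, _ = compromise
    hosts = {host}
    for ev in events:
        if ev["result"] == "Accepted" and ev["user"] == user and ev["ts"] >= t0:
            hosts.add(ev["host"])
    return sorted(hosts)

def dirty_backups(backups, ioc_hashes):
    """Stage 3 (eradication): a backup that still holds a known-bad file would
    reinfect the system on restore, so it must not be used for recovery."""
    bad = set(ioc_hashes)
    return sorted(name for name, hashes in backups.items() if hashes & bad)

def chronology(events, compromise):
    """Stage 5 (impact analysis): time-ordered record of everything the intruder's
    source did plus every use of the compromised account from the compromise on."""
    t0, _, user, src = compromise
    rows = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] == src or (ev["user"] == user and ev["ts"] >= t0):
            rows.append("%s %s %s %s from %s" % (
                ev["ts"].isoformat(), ev["host"], ev["result"], ev["user"], ev["src"]))
    return rows

def estimate_cost(manpower_hours, hourly_rate, hardware=0.0, other=0.0):
    """Stage 5: monetary estimate (manpower plus hardware and other restoration costs)."""
    return manpower_hours * hourly_rate + hardware + other

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    comp = identify(events)
    print("Identification:", comp)
    print("Containment scope:", containment_scope(events, comp))
    print("Backups unsafe to restore:", dirty_backups(BACKUPS, IOC_HASHES))
    print("\n".join(chronology(events, comp)))
    print("Estimated loss:", estimate_cost(40, 150.0, hardware=2000.0, other=500.0))
```

Run as-is it flags the password-guessing source 203.0.113.5 on web01, puts db01 in scope because the same account logged in there afterwards, rejects the 2024-03-04 web01 backup (it contains the dropper hash, so restoring it would bring the infection back, which is the reinfection trap described under Eradication), and prints the chronology and cost figure that would go into the impact report. Real sshd lines carry extra fields (port, protocol), so the regular expression would need widening for production logs.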
 
     
   
For more information, email us at corpcomm@scan-associates.net