Friday, December 14, 2007

First Crucial Hour

When Your Security Is Compromised, Panic May Be Your Biggest Enemy.

We always hear from people that whenever there is danger or a problem, the first thing you should do is calm down and not panic. Even more important is a calm response. Your initial and frantic reaction may be to fix the breach, but that is counterproductive. Instead, do three things:

  • Assess what's really taking place. Look at the situation holistically. Is it a system error? A hardware issue? A software issue? Which system is affected? Which network is affected? Can you segment the affected networks so that unaffected networks can continue to function?
  • Diagnose the problem. Just as emergency responders do, conduct triage, a method of screening and classification. Sometimes security or network devices send out false positives that can be misdiagnosed. Did someone make a configuration change the night before that wasn't properly documented and is affecting the network? Is there a new patch to an application that no one knew about?
  • Preserve logs that indicate what happened. Sometimes, in the haste to bring a system back online, staff will use backup data to restore the system. Unfortunately, that can erase important data that helps trace and analyze the problem, so be sure someone is responsible for finding and preserving the system logs that will offer vital insight into the event. In certain situations relating to compliance, companies are required to maintain records of what happened and how they resolved the problem.
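One way to carry out the log-preservation step before anyone restores from backup, as an added example that is not part of the original post: copy each log, record a SHA-256 for every copy in a manifest so the preserved files can later be shown to be unaltered, and re-verify them. The paths and log lines below are constructed samples, not from a real incident.

```python
"""Preserve logs before a system is restored, with a hash manifest.
Added example, not from the original post; log contents are constructed."""
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, dest_dir):
    """Copy each log into dest_dir (keeping timestamps), verify the copy by
    hash, mark it read-only and write manifest.json. Returns the manifest."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        digest = sha256_of(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps mtime, which matters for a timeline
        if sha256_of(dst) != digest:
            raise RuntimeError(f"copy of {src} does not match the original")
        os.chmod(dst, 0o440)  # the preserved copy must not change afterwards
        mtime = datetime.fromtimestamp(os.path.getmtime(src), timezone.utc)
        entries.append({"source": src, "copy": dst, "bytes": os.path.getsize(dst),
                        "sha256": digest, "mtime": mtime.isoformat()})
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "files": entries}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(manifest):
    """Re-hash every preserved copy; True only if all still match."""
    return all(sha256_of(e["copy"]) == e["sha256"] for e in manifest["files"])

def demo():
    """Constructed sample: two tiny log files in a temporary directory."""
    work = tempfile.mkdtemp()
    sample = {"auth.log": b"Dec 14 02:11:03 host sshd[812]: Accepted password for admin\n",
              "syslog": b"Dec 14 02:10:58 host kernel: link up on eth0\n"}
    paths = []
    for name, body in sample.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(body)
        paths.append(os.path.join(work, name))
    return preserve_logs(paths, os.path.join(work, "preserved"))
```

On a real host the manifest would be copied off the machine as well, so it survives whatever restore follows.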
