Incident response: Concept and procedures
An incident is an event that interrupts normal operation. It may be benign or harmful, but either way it has a significant effect on the system in which it happens. Society deals with its everyday incidents through institutions built to respond to them: the police, the military, the fire brigade, hospitals, the municipality. A computer network or server estate has its own kinds of incidents, and its own response functions: the people, procedures, monitoring and backup systems that deal with them. A response is only useful if it is applied to the right incident in the right place, which requires some knowledge of the common incident types and of the response appropriate to each. This article gives a short overview of the main steps of incident response and of what each step involves.
Preparation comes first. The response process is divided into a few defined steps, because without a fixed sequence the correct response to a given incident cannot reliably be produced under pressure. So the first thing to know is the sequence of steps by which an incident response is carried out.
Every problem needs a diagnosis before it can be treated, whether it concerns human health, a natural event, or a computer or network incident. In incident response this diagnosis is the identification step, and it is the foundation of everything that follows. The first action for anyone who identifies a security incident is to report it to the team leader, so that the leader is aware of it and the incident is escalated. That is the first response to any server or network incident. If the incident involves data theft, law enforcement will also have to be informed, but that is the team leader's responsibility rather than the first responder's.
Escalation and notification
When the incident is the theft or leakage of important data, or any security issue affecting a person, premises or even the nation, the team leader must inform his or her senior or floor manager immediately. Every escalation report must carry two times: the time at which the incident came to the team leader's knowledge, and the time of occurrence as reported by the subordinate who first observed it. Record both, and record each with its time zone, because the difference between them is the detection delay that later analysis will need and a mixed-zone timeline is worthless. Once the incident has been escalated internally, the team leader also has the duty to inform the local police of the data leakage or theft. Two things should be stated to them: the time of occurrence as given by the first observer, and the nature and sensitivity of the data that was leaked or stolen. The police will take it from there; they may seize the server, or require that it be preserved unchanged and monitored so that every subsequent change to it is recorded.
Once the incident has been correctly identified and reported to the proper authority, mitigation begins. Mitigation means lessening the effect of something; here it means limiting the effect of the incident on the other systems and settings in the server or network, in other words containment. The network paths and access controls through which the incident spread are checked, and the network entry points are locked down to prevent further intrusion by external agents: the attacker's addresses are blocked at the firewall, compromised accounts are disabled, and affected hosts are cut off from the rest of the network. This prevents further data loss and makes it easier for the police cyber crime department to trace what was taken or leaked.
Once the system has been restored to its earlier configuration, it is essential to go back over every step and procedure applied during the response and keep a record of it. That record is a lesson for everyone involved, team leader and general staff alike. Sharing it within the team raises the team's experience of such incidents and its ability to handle the next one. Once shared, the lesson can also form part of the company's public account of the incident, which helps to recover some of the loss, in reputation and in business, caused by the leak or theft.
Reporting matters for security, and, handled properly, it can improve a company's reputation even after a loss. Turning a loss into a gain is not a new strategy in business; losses have often been the source of the next large gains. Reporting an incident openly and showing concern for the lost data helps in two ways. First, other operators are alerted to the stolen data and can recognise it if it turns up on their systems. Second, the company becomes known for taking responsibility for losses from its own servers. Reporting therefore does not create a bad impression; it adds to the company's goodwill. An apology can make a stronger impression than an announcement of good performance: the announcement shows the company's confidence, while the apology shows its concern and its seriousness about its duties towards the data it stores.
Once the data is recovered it is time to restore the system. During restoration, rebuild from known-good backups and bring the system back with proper logging and monitoring in place, so that any return of the intruder is tracked. The forensic department of the police cyber crime unit can be a major help here, not only in reconstituting the system but also in tracing the intruder's exact role and methods. An incident response team should be formed and entrusted with an incident response plan that protects the system against future incidents. A plan is only effective if it is kept up to date. The cyber field is among the most dynamic there is, with rapid change going on all the time; unless a plan is kept current with both the common and the uncommon developments, it grows weaker and eventually becomes useless. So the incident response team must be made up of the most adaptable employees, so that the plan stays dynamic too.
The first responder is the first person to observe the incident. He or she may have seen it happening, or may have been the first to notice that data was missing, leaked or deleted. When the police are called, the interview of the first responder is the first part of the investigation, and most of the initial information comes from him or her: when the incident was first seen, what the immediate reaction was, what was done at first to confirm it, and how it was confirmed that the incident had actually taken place. These are the usual questions a first responder has to answer, so the first responder should write down times and actions as they happen rather than reconstruct them later. After that the police may collect physical evidence from the systems and from the employees working there, such as fingerprints and other forensic samples, in order to identify the intruder.
One then has to behave as the police do after an incident. The police seal whatever is attached to the incident: the room, and the objects suspected of having been used. In the same way, one needs to isolate the incident by keeping the affected systems and devices apart from everything else, unchanged, until they have been examined.
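The two times that the escalation report must carry, and the two facts the police need, as an added example that is not part of the original article. It is a small Python record that normalises timestamps from different sources to UTC, rejects a timeline that is out of order, and computes the detection and escalation delays. The incident number, the +05:30 observer time zone and the data description are constructed sample values, not from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class EscalationRecord:
    """The two times the escalation report must carry, plus the escalation time."""
    incident_id: str
    occurred_at: datetime      # time of occurrence as reported by the first observer
    known_at: datetime         # time the incident came to the team leader's knowledge
    escalated_at: datetime     # time the team leader informed the senior / floor manager
    data_description: str      # what was leaked or stolen and how sensitive it is
    reported_by: str


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries a UTC offset and normalise it to UTC.
    A stamp with no offset is rejected: a first observer's local '14:05' and a
    server's '09:00Z' cannot be ordered unless both carry their zone."""
    if stamp.endswith("Z"):                      # older Pythons do not accept a bare 'Z'
        stamp = stamp[:-1] + "+00:00"
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {stamp!r} has no UTC offset")
    return dt.astimezone(timezone.utc)


def build_record(incident_id, occurred, known, escalated, data_description, reported_by):
    rec = EscalationRecord(incident_id, parse_utc(occurred), parse_utc(known),
                           parse_utc(escalated), data_description, reported_by)
    # The chain must be ordered: occurrence, then detection, then escalation.
    if not (rec.occurred_at <= rec.known_at <= rec.escalated_at):
        raise ValueError("timeline out of order: expected occurred <= known <= escalated")
    return rec


def detection_delay(rec: EscalationRecord) -> timedelta:
    """How long the incident was live before anyone on the team knew of it."""
    return rec.known_at - rec.occurred_at


def escalation_delay(rec: EscalationRecord) -> timedelta:
    """How long the team leader held the incident before escalating it."""
    return rec.escalated_at - rec.known_at


def law_enforcement_report(rec: EscalationRecord) -> dict:
    """Only the two facts the article says the police need: the occurrence time as
    given by the first observer, and the importance of the data."""
    return {
        "incident_id": rec.incident_id,
        "occurred_at_utc": rec.occurred_at.isoformat(),
        "data": rec.data_description,
    }


if __name__ == "__main__":
    # Constructed sample: the observer reports in IST (+05:30), the team leader in
    # UTC. Without normalisation the detection delay would be off by 5.5 hours.
    rec = build_record("INC-0001",
                       "2024-03-04T14:05:00+05:30",   # first observer, local time
                       "2024-03-04T09:30:00+00:00",   # team leader, UTC
                       "2024-03-04T09:42:00Z",
                       "customer billing export, 12,000 records (hypothetical)",
                       "first responder on shift")
    print(detection_delay(rec), escalation_delay(rec))
    print(law_enforcement_report(rec))
```

The ordering check is the useful part: a report in which the detection time precedes the reported occurrence time is almost always a time-zone mistake, and catching it at escalation is far cheaper than discovering it during the investigation.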
Quarantine: Quarantine is a medical term for the isolation of a patient affected by a disease. Here the patient is the server or device and the disease is the incident. The first step of isolation is therefore to take the affected system out of service on the network, so that the disease is locked into one area: block its traffic to and from the rest of the network, keeping only the path needed to collect evidence, rather than powering it off, which would destroy whatever evidence is held in memory.
Device removal: Once the device is isolated, it is removed from the server or from the system as a whole. For that the network paths and the logging have to be set up again: the paths are reconstructed so that the rest of the network keeps responding even after the device is gone. The logs also need care, because the intruder may have tampered with the logs on the compromised device, so keeping the system running on the same logs is a risk. Copy the logs off the device, record a hash of each copy so that later tampering can be detected, and have the rebuilt system ship its new logs to a separate log server.
A data breach is an incident of data leakage or deliberate data sharing. This kind of incident, a data spill or data exposure, tends to point towards an internal threat rather than an external one: sharing the information normally requires passing so many passwords and access checks that it is hard for an outside hacker to bring it about, so suspicion turns to internal staff. Identifying whether the incident is a data loss or a data leakage is therefore very important. Data loss is more likely an external threat, and external agents are usually the ones involved in stealing data. If the incident is a data breach the situation is more serious, but the police's work becomes simpler, since the offender is within the team; interviewing staff and reconstructing the events is routine work for police investigators.
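The locking of the network entry points described under mitigation, and the quarantine just described, as an added example that is not code from the original article. It is a Python generator for an nftables ruleset that drops everything in and out of the affected host except SSH from the evidence-collection hosts and TLS syslog out to a log server; loading it with `nft -f -` is the only system call, and it is off by default. The addresses and the 6514 port are hypothetical sample values, and the rules are IPv4 only.

```python
import ipaddress
import subprocess


def isolation_ruleset(evidence_hosts, log_server, syslog_port=6514):
    """Build an nftables ruleset that quarantines the host it is loaded on.
    Default policy is drop in every direction; the only traffic allowed is SSH in
    from the evidence-collection hosts (and its replies) and syslog out to the log
    server (and its replies). There is deliberately no 'ct state established' rule:
    that would let the intruder's existing sessions carry on after isolation.
    Addresses are validated as IPv4 so a typo cannot widen the allowlist."""
    allowed = sorted(str(ipaddress.IPv4Address(h)) for h in evidence_hosts)
    if not allowed:
        raise ValueError("at least one evidence-collection host is required")
    logsrv = str(ipaddress.IPv4Address(log_server))
    allow_set = ", ".join(allowed)
    return f"""\
flush ruleset
table inet quarantine {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ip saddr {{ {allow_set} }} tcp dport 22 accept
        ip saddr {logsrv} tcp sport {syslog_port} accept
    }}
    chain output {{
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ip daddr {{ {allow_set} }} tcp sport 22 accept
        ip daddr {logsrv} tcp dport {syslog_port} accept
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
    }}
}}
"""


def apply_ruleset(ruleset, dry_run=True):
    """Load the ruleset with 'nft -f -', which reads the ruleset from stdin.
    With dry_run (the default) the command is returned but not executed, so the
    generated text can be reviewed before the host is cut off."""
    cmd = ["nft", "-f", "-"]
    if not dry_run:
        subprocess.run(cmd, input=ruleset, text=True, check=True)
    return cmd


if __name__ == "__main__":
    # Hypothetical addresses: two IR workstations and the central log server.
    rules = isolation_ruleset(["10.0.9.5", "10.0.9.6"], "10.0.9.10")
    print(rules)
    print("would run:", " ".join(apply_ruleset(rules)))
```

Because the ruleset has no connection-tracking rule, any session the intruder already holds is cut the moment the rules load, which is the point of quarantine; the price is that the SSH and syslog flows are allowed explicitly in both directions rather than by state.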
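Preserving the logs off the device so that tampering can be detected, as an added example that is not from the original article. It copies each log, records a SHA-256 of the copy in a manifest, and recomputes the hashes on demand; the `run_demo` function builds two constructed log files in a temporary directory, edits one copy the way an intruder might, and shows the verification catching it. File names, the collector name and the log lines are all constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Stream the file so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_logs(sources, dest_dir, collector):
    """Copy each log into dest_dir, hash the copy, and write manifest.json beside
    the copies. Returns the manifest path. copy2 keeps the original mtime, which
    investigators want preserved."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    files = []
    for src in map(Path, sources):
        dst = dest / src.name
        shutil.copy2(src, dst)
        files.append({"source": str(src), "copy": dst.name,
                      "size": dst.stat().st_size, "sha256": sha256_of(dst)})
    manifest = {"collected_at_utc": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "files": files}
    mpath = dest / "manifest.json"
    mpath.write_text(json.dumps(manifest, indent=2))
    return mpath


def verify_manifest(mpath):
    """Recompute every hash. A False value means that copy has changed since it
    was collected. Keep the manifest's own digest somewhere the intruder cannot
    reach, otherwise copies and manifest could be rewritten together."""
    mpath = Path(mpath)
    manifest = json.loads(mpath.read_text())
    return {e["copy"]: sha256_of(mpath.parent / e["copy"]) == e["sha256"]
            for e in manifest["files"]}


def run_demo():
    """Constructed sample: two small log files are collected and verified, then
    one copy is emptied the way an intruder clears a log, and verified again.
    Returns (result_before, result_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        host = Path(tmp) / "host"
        host.mkdir()
        (host / "auth.log").write_text(
            "Mar  4 02:13:40 srv sshd[812]: Accepted password for svc_backup "
            "from 203.0.113.9 port 51022 ssh2\n")
        (host / "app.log").write_text(
            "2024-03-04T02:15:01Z export customers.csv rows=12000\n")
        mpath = collect_logs([host / "auth.log", host / "app.log"],
                             Path(tmp) / "evidence", "ir-team (hypothetical)")
        before = verify_manifest(mpath)
        (mpath.parent / "auth.log").write_text("")   # the tampering
        after = verify_manifest(mpath)
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

The manifest only proves integrity from the moment of collection onward; it says nothing about edits the intruder made before the copy was taken, which is why the copy should be made as early as possible and why the rebuilt system should ship its logs to a separate server from the start.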
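The distinction drawn above, between an outsider who had to break through the access checks and an insider (or a stolen valid credential) that passed them cleanly, as detection logic over constructed log lines. This is an added example, not code from the original article; the log format, the user names, the internal network ranges, the sensitive path prefixes and the thresholds are all assumptions, and the classification is a heuristic to start an investigation, not a verdict.

```python
import ipaddress
import re
from dataclasses import dataclass

EXTERNAL = "likely external compromise"
INSIDER = "likely insider or stolen valid credential"
NO_FINDING = "no finding"

# Assumed log format: "<timestamp> auth result=OK|FAIL user=<u> src=<ip>" and
# "<timestamp> access user=<u> file=<path> bytes=<n>".
LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|access) (?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S+)")

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]    # assumed
SENSITIVE_PREFIXES = ("/data/customers", "/hr/")            # assumed
FAIL_THRESHOLD = 5     # failed logins before a success that look like guessing
BULK_THRESHOLD = 3     # sensitive files read by one account that look like bulk access


@dataclass
class UserStats:
    fails_since_last_ok: int = 0
    fails_before_ok: int = 0      # longest run of failures that ended in a success
    login_external: bool = False
    sensitive_reads: int = 0


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(s):
    """External: the access checks were forced (many failures, then success, from
    outside). Insider: the checks were passed cleanly from inside and the account
    then read sensitive data in bulk, so the credential itself was valid."""
    if s.fails_before_ok >= FAIL_THRESHOLD and s.login_external:
        return EXTERNAL
    if (not s.login_external and s.fails_before_ok < FAIL_THRESHOLD
            and s.sensitive_reads >= BULK_THRESHOLD):
        return INSIDER
    return NO_FINDING


def analyse(lines):
    """Return {user: classification} for every account seen in the lines."""
    stats = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                     # unparseable lines are skipped, not guessed at
        f = dict(KV.findall(m["rest"]))
        user = f.get("user")
        if not user:
            continue
        s = stats.setdefault(user, UserStats())
        if m["kind"] == "auth":
            if f.get("result") == "FAIL":
                s.fails_since_last_ok += 1
            elif f.get("result") == "OK":
                s.fails_before_ok = max(s.fails_before_ok, s.fails_since_last_ok)
                s.fails_since_last_ok = 0
                s.login_external = not is_internal(f["src"])
        elif f.get("file", "").startswith(SENSITIVE_PREFIXES):
            s.sensitive_reads += 1
    return {u: classify(s) for u, s in stats.items()}


# Constructed sample log: svc_backup is guessed from outside, priya reads HR and
# customer data in bulk from an internal address, ravi is ordinary activity.
SAMPLE_LOG = """\
2024-03-04T02:13:01Z auth result=FAIL user=svc_backup src=203.0.113.9
2024-03-04T02:13:05Z auth result=FAIL user=svc_backup src=203.0.113.9
2024-03-04T02:13:09Z auth result=FAIL user=svc_backup src=203.0.113.9
2024-03-04T02:13:14Z auth result=FAIL user=svc_backup src=203.0.113.9
2024-03-04T02:13:20Z auth result=FAIL user=svc_backup src=203.0.113.9
2024-03-04T02:13:31Z auth result=FAIL user=svc_backup src=203.0.113.9
2024-03-04T02:13:40Z auth result=OK user=svc_backup src=203.0.113.9
2024-03-04T02:15:01Z access user=svc_backup file=/data/customers.csv bytes=48211000
2024-03-04T22:40:00Z auth result=OK user=priya src=10.0.5.12
2024-03-04T22:41:10Z access user=priya file=/hr/salaries.xlsx bytes=210000
2024-03-04T22:42:05Z access user=priya file=/hr/appraisals.docx bytes=95000
2024-03-04T22:43:30Z access user=priya file=/data/customers.csv bytes=48211000
2024-03-04T09:00:00Z auth result=OK user=ravi src=10.0.5.20
2024-03-04T09:05:00Z access user=ravi file=/hr/holiday_calendar.ics bytes=4000
"""

if __name__ == "__main__":
    for user, verdict in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{user:12} {verdict}")
```

The insider verdict deliberately does not distinguish a dishonest employee from an outsider using that employee's stolen password: the log looks the same in both cases, which is exactly why the article's interview of the first responder and of the staff is what settles it.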
Damage and loss control
Every incident, wherever and in whatever sector it happens, carries some damage. Even if nothing is lost in fixed assets, the company's liabilities to its clients, the losses from its inability to complete its assignments, and the resulting economic losses are certainly among the damages caused by the incident. These must be contained and made good as quickly as possible. A loss control team can be formed within the response team to plan the policy for controlling the company's losses and damages from the incident, and so restore the company's internal and external stability through proper control plans.
In short, these are the steps of the incident response process. By following them one can be responsible to one's job, to the security of one's job, to the security of the client, and even to the nation. Knowing the steps to follow after an incident makes decision making, in a situation full of pressure and stress, much easier.