Tech Tip: Handle security incidents in seven steps

By Mike Mullins

The possibility of encountering a security incident grows each day. You don't want to wait until you're in the middle of a crisis before you begin to develop a rational plan for handling an attack. Being prepared for an incident is essential to the survival of your network and its resources. Incident handling begins with planning and establishing policies and procedures.

Developing a plan of attack for each type of security incident is crucial to the restoration of normal operation. The most common incident categories are:

  • Elevation of file privileges: A user or guest gains greater privileges.
  • Data alteration: Files are changed by unauthorized users.
  • Data theft: Data is removed from the system.
  • Denial of service (DoS): Legitimate access to the system is denied.

Sometimes an event will span multiple categories. For example, Web site defacement involves elevation of privileges and data alteration.

Essential action

Different events require different responses. However, you should follow these seven steps for every incident.

Step 1: Log everything
Your documentation doesn't have to be fancy. It can be a Word document with screen shots or notes on a blackboard. The goal is to capture detailed information without destroying or contaminating potential evidence. Before you take further action, verify that you have an incident.

Step 2: Make appropriate calls
Depending on the severity of the incident, the first call might be to your service provider, or it might be to an internal legal department to start a chain of custody for evidence. For each type of incident, develop a flow chart detailing whom to contact.

Step 3: Contain the incident
Concentrate on limiting the extent of the damage to your network. Determine whether the incident is still in progress and should be monitored or if actions should be taken to stop the activity.

Step 4: Identify the point(s) of failure
Discover how the incident occurred and determine what you should do to ensure the same event isn't repeated.

Step 5: Solve the problem and repair the damage
Implement the solution you've determined is necessary to ensure that the security event doesn't reoccur. This might be as simple as applying an operating system patch or adding a new rule to a firewall or router.

After you've plugged the security hole, repair any damage caused by the incident.

Step 6: Increase monitoring
Once a compromised system is restored to operation, continue to monitor for back doors and repeat attempts. Make sure that the cause of the incident has been removed and the system is functioning normally.

Step 7: Learn from the incident
A successful attack invites the attacker to return. Discover exactly what occurred, how it occurred, and what is necessary to ensure it doesn't happen again.
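Steps 1 and 2 are the ones most often done badly under pressure, so here is an added example (written for this page, not code from the article or its author) of the minimum tooling they imply: an append-only incident log in which every entry carries the hash of the previous entry, so a later edit or deletion is detectable; evidence that is hashed before anyone handles it; and a contact table keyed by the article's four incident categories. The class and function names (IncidentLog, CONTACTS, contacts_for), the contact table and the sample entries are all constructed for illustration and are not prescribed by the article.

```python
"""Tamper-evident incident log and evidence manifest (added example, constructed for this page)."""
import hashlib
import json
from datetime import datetime, timezone

# Incident categories from the article; one incident may span several.
CATEGORIES = {"elevation_of_privilege", "data_alteration",
              "data_theft", "denial_of_service"}

# Constructed contact table for Step 2 (who to call per category).
# Replace with your own flow chart; names here are illustrative only.
CONTACTS = {
    "elevation_of_privilege": ["system_owner", "security_team"],
    "data_alteration": ["system_owner", "security_team"],
    "data_theft": ["security_team", "legal_department"],
    "denial_of_service": ["service_provider", "security_team"],
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw bytes; used for both evidence and log entries."""
    return hashlib.sha256(data).hexdigest()


def contacts_for(categories):
    """Union of contacts for every category the incident spans, de-duplicated."""
    unknown = set(categories) - CATEGORIES
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    return sorted(set().union(*(CONTACTS[c] for c in categories)))


class IncidentLog:
    """Append-only log (Step 1): each entry is hashed together with the
    previous entry's hash, so changing or removing an entry breaks the chain."""

    def __init__(self, incident_id, categories):
        self.incident_id = incident_id
        self.categories = sorted(categories)
        self.contacts = contacts_for(self.categories)  # Step 2 call list
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the hash does not depend on key order.
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, step, handler, note, when=None):
        """Append one entry; returns its hash. Time defaults to now (UTC)."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "time": when.isoformat(),
                "step": step, "handler": handler, "note": note, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def add_evidence(self, label, data, handler):
        """Hash evidence bytes before anything else touches them and log the
        custody event; returns the evidence hash for the chain-of-custody form."""
        digest = sha256_hex(data)
        self.record("1-log", handler,
                    f"evidence {label!r} sha256={digest} size={len(data)}")
        return digest

    def verify(self):
        """Recompute the chain. Returns -1 if intact, else the index of the
        first entry whose sequence number, stored hash or back-link is wrong."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or self._digest(body) != entry["hash"]):
                return i
            prev = entry["hash"]
        return -1


if __name__ == "__main__":
    # Constructed walkthrough: a web-site defacement spans two categories.
    log = IncidentLog("INC-EXAMPLE-001", ["elevation_of_privilege", "data_alteration"])
    print("contacts:", log.contacts)
    log.record("1-log", "oncall", "index page replaced; incident confirmed")
    log.add_evidence("index.html", b"<h1>constructed sample page</h1>", "oncall")
    log.record("3-contain", "oncall", "web host isolated from network")
    print("chain intact:", log.verify() == -1)
    log.entries[1]["note"] = "edited after the fact"
    print("first bad entry after tampering:", log.verify())
```

Keep the log on a host the compromised system cannot write to, and store the returned evidence hashes on the chain-of-custody form you hand to legal; the same hashes let anyone later confirm the evidence is unchanged.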

Final thoughts

Incident handling isn't a reactionary exercise; it's a logical progression down a predetermined path. Plan well, and handling a network security incident will become a routine administrative task, rather than a cause for panic.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.