13.1 Damage Control and Assessment


Being ready for attacks on one’s system is an important and integral part of a system’s security.
Organizations tend to realize this once an attack has already taken place and the process of limiting the damage caused by this attack suddenly becomes a top priority.
However, how ready are these organizations to handle a security attack? If they have not prioritized damage control in their security policy and have not regularly rehearsed damage control procedures, then they will not be ready to handle attacks, to limit the damage caused by them, or to assess them afterwards.
To respond effectively and contain the damage of security attacks, organizations have to practice damage control procedures regularly and make sure that all their staff clearly understand these procedures and are comfortable carrying them out.
For organizations to respond to and contain security attacks successfully, they need to carry out the following steps:

Reduce quantity and strength of attacks

Even with all of the security safeguards that are put in place, organizations and information systems will never be 100% safe from security attacks.
That is reality and it has to be accepted. Organizations therefore install safeguards with the aim of reducing the number of attacks and weakening the attacks that do occur.

To achieve this, organizations should do the following:
Top management personnel in an organization have to understand and be convinced of the importance of security policies and damage control.
This is vital as the backing of management is needed for security policies and procedures to be thoroughly imposed on and implemented by all organization personnel.
These security policies and procedures have to be made clear enough for all personnel to understand and correctly follow and implement.
The organization as a whole (not just the information system) has to be regularly assessed by a security specialist for vulnerabilities and weaknesses that can be exposed by threats/attacks.
As well as checking for weaknesses, an organization's computer devices have to be checked regularly to make sure the latest software versions are installed and are used correctly by staff.
This needs to happen on a regular basis, not just once.
Computer security training schemes have to be made available to staff (experienced and non-experienced in computer security).
Staff (in all levels of the organization) have to be regularly reminded of their responsibilities and restrictions when it comes to computer use and computer security.
In addition to this, staff have to also be informed of the consequences of computer misuse and the possibility of prosecution if any violation occurs.

Monitoring network traffic and system performance, and keeping logs, is important for later analysis and evaluation.
Regular back-ups have to be carried out by authorized personnel, and system recovery procedures have to be exercised on a regular basis so that restoring from those back-ups is known to work.

Creation of the Computer Security Incident Response Team (CSIRT)

Many organizations nowadays respond to security attacks and threats in an unorganized and unplanned way (mostly carried out by system and network administrators), which makes the handling of incidents less effective and more time consuming, and so increases the damage caused by the attacks.
The growing number and severity of security attacks has reduced the time organizations have to tackle and contain them.
Because of this, a CSIRT becomes a much needed and much more effective alternative to the unorganized approach, which can no longer deal effectively with security incidents.
A CSIRT is a focused team of individuals who are specialized and fully trained in tackling security threats and attacks.

Each member of the team has certain responsibilities and duties that he/she needs to carry out when a security attack takes place.
This team needs to be carefully selected and put together to achieve a planned and well thought out response to security attacks.
The CSIRT consists of the following roles:
CSIRT Team Leader – "The Boss". The team leader is responsible for the actions and activities of the CSIRT.
CSIRT Incident Lead – When an incident takes place, the incident lead is the team member assigned to lead the response to that incident.
He/she derives the plan and the steps that need to be taken to contain and minimize the damage of the attack.
The incident lead is also assigned ownership of that particular security incident (incident lead = owner of the incident), and any external communication is directed to the incident lead.
In other words, the incident lead is the sole representative of the entire CSIRT for that incident.
CSIRT Associate Members – Alongside the core CSIRT, there will be other members from different departments of the organization who specialize in security incidents related to their particular department.

They can either be involved in the core CSIRT team or act as ‘entry points’ for the actual CSIRT team to use to get in touch with other personnel at the departments who might be more qualified/experienced/specialized in handling security incidents.
Examples of associate members could be IT Contacts (for individual departments), legal representatives, public relations officers and managers.
All members of the CSIRT team have to possess certain skills and abilities that they need to use to effectively tackle security incidents. Basic skills such as communication skills (written and oral), presentation skills, diplomacy skills, team skills (working as part of a team), ability to follow policies and procedures, problem solving, working under pressure and time management skills need to be present. As well as this, technical skills such as an understanding of security principles (vulnerabilities, the internet, network protocols, network applications and services, network security issues, malicious code, programming skills) are needed. In addition to these skills, incident handling skills (understanding/identifying intruder techniques, incident analysis and maintenance of incident records) are vital abilities.

Incident Response Plan

The incident response plan is an important piece of documentation that has to be produced by the CSIRT, with the help of the CSIRT associate members.

The objective of this plan is to understand and evaluate the attack clearly, reduce the damage, and assess the incident for future improvements.
The incident response plan consists of the following steps:
Make initial assessment – The initial assessment of an attack has to be as accurate as possible, since the whole response plan will be based on it.
Communicate the incident – Once an attack has been detected and assessed, this has to be communicated to the rest of the CSIRT, in particular the incident lead, who in turn decides whom to contact externally to gather as much information about the attack as possible.
Only the parties concerned should be contacted and no one else, to prevent a sense of panic spreading across the organization or beyond.
Contain the damage and minimize the risk – By acting quickly and promptly, a serious attack that might have caused major damage can be reduced to one that causes very little damage.

The following steps are recommended:
Protect human life and people’s safety
Protect classified and sensitive data
Protect other data, including proprietary, scientific and managerial data
Protect hardware and software against attack
Minimize disruption of computing resources
Identify the type and severity of the attack – If the initial assessment was wrong or not accurate enough, now is the time to alter it and make a final assessment.
To identify the severity of the attack, one has to look at how the attack entered the organization or system and the intention of the attack.
As well as this, the assets that have been damaged have to be recognized, as well as the extent of damage they have taken.
Protect evidence – If someone attacks an organization, the organization will probably take legal action against them (if the individual is identified).
For the organization to do this, it needs evidence.

Evidence of the damage caused needs to be recorded, and a back-up (image) of the damaged system has to be taken and preserved as evidence.
Notify external agencies if appropriate – After consulting the organization's legal representatives, external parties have to be informed of the security incident.
These parties could range from local/national law enforcement agencies and security experts to customers, suppliers and all stakeholders affected by the security incident.
In some cases, the media has to be informed as well (through the organization's public relations department).
In most cases, however, if it is a high profile organization, the media will already have found out about the incident, and it is very inadvisable to deny it.
Recover systems – To recover a damaged system, one has to use a saved, undamaged back-up that was taken before the attack took place.
First, the attack's first point of entry has to be identified, and a back-up taken before that entry is used; a back-up taken after the entry but before the attack was detected may already contain the attacker's changes.
Compile and organize incident documentation – Throughout this process, documentation has to be kept and updated by the CSIRT.

The attack, as well as the operations carried out to tackle it, has to be documented, including who carried out each operation and when.
This documentation has to be reviewed by managers and legal representatives and kept in a secure, confidential location so that it can be used in legal action later on.
Assess incident damage and cost – Direct and indirect costs have to be calculated. These include:
Costs due to loss of competitive edge (if sensitive or proprietary information is leaked due to incident).
Legal costs.
Labor costs (CSIRT team and other parties involved).
Costs of lost sales, replacement of hardware/software, decrease of staff productivity.
Cost of loss of reputation and customer trust.
Review the response and update policies – After this process has taken place, one has to assess and evaluate how the response performed and determine which steps were carried out successfully and which ones need more work.
This review is very important for future security incidents and will help to improve the incident response plan for future use.
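The "Recover systems" step above turns on one detail that is easy to get wrong under pressure: the clean back-up must predate the attacker's first point of entry, not merely the moment the attack was detected. The following is an added illustration (not part of the original notes) that contrasts the hurried choice with the correct one; the dates, back-up labels and the restore_tested flag are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence


@dataclass(frozen=True)
class Backup:
    label: str
    taken_at: datetime
    restore_tested: bool  # the regular recovery procedure has been exercised on this copy


def naive_choice(backups: Sequence[Backup], detected_at: datetime) -> Optional[Backup]:
    """What a hurried responder does: restore the newest back-up older than the
    time the attack was *detected*. Anything taken between entry and detection
    is silently accepted, even though it may already carry the attacker's changes."""
    before_detection = [b for b in backups if b.taken_at < detected_at]
    return max(before_detection, key=lambda b: b.taken_at, default=None)


def select_clean_backup(backups: Sequence[Backup], first_entry: datetime,
                        margin: timedelta = timedelta(0)) -> Optional[Backup]:
    """Pick the newest restore-tested back-up taken strictly before the attacker's
    first point of entry (less an optional safety margin to absorb uncertainty in
    the entry time, as established by the final assessment).
    Returns None when no clean copy exists, which the CSIRT must document rather
    than restore a contaminated one."""
    cutoff = first_entry - margin
    clean = [b for b in backups if b.restore_tested and b.taken_at < cutoff]
    return max(clean, key=lambda b: b.taken_at, default=None)


# Constructed sample data for a hypothetical incident.
DETECTED_AT = datetime(2024, 3, 10, 9, 0)
FIRST_ENTRY = datetime(2024, 3, 7, 14, 30)  # from the final assessment of the attack
BACKUPS = [
    Backup("nightly-03-04", datetime(2024, 3, 4, 2, 0), True),
    Backup("nightly-03-06", datetime(2024, 3, 6, 2, 0), True),
    Backup("nightly-03-08", datetime(2024, 3, 8, 2, 0), True),   # after entry: contaminated
    Backup("nightly-03-09", datetime(2024, 3, 9, 2, 0), False),  # never restore-tested
]

if __name__ == "__main__":
    print("naive:", naive_choice(BACKUPS, DETECTED_AT).label)          # nightly-03-09
    print("clean:", select_clean_backup(BACKUPS, FIRST_ENTRY).label)   # nightly-03-06
```

Widening the margin trades recovery point for confidence; with a large enough margin no clean copy remains and the function returns None, which is the signal to escalate rather than restore.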