Wednesday, April 2, 2014

Incident Response - 7 Tips on what you could do when you have an Incident



Here, the author refers to the Buffer site hack, but also offers a few tips on incident response.


According to the article:

For most incidents, the initial response should be some flavor of the following steps:

  1. Understand, as quickly as possible, that you have an incident, and communicate this to internal and external shareholders. Obviously the decision about exactly who are the stakeholders is highly variable, depending on an incredibly long list of considerations – I wouldn't recommend everyone go public – in many cases that is exactly what not to do. But if the cat is out of the bag (that is, say, if a half-million of your customers are now advertising diet pills in their social media timelines), this decision may have been made for you.
  2. Understand, as quickly as possible, the initial scope of the incident (much of what you learn and assume in these early hours will be wrong, but you should work hard to get the most complete sense of what is happening and what systems are affected — you'll be coming back to this step repeatedly).
  3. Once you have a scope, devise a plan to, in this order, stop the bleeding, secure what you have, and re-assess the scope and breadth of the incident.
  4. Develop an understanding of your available resources as mapped to the plan you've just made, determine the Deltas between what you have and what you need. This requires a brutally honest self-assessment, and almost certainly must be something you've considered in advance; you can develop this awareness after the fact, but you're increasing exponentially the cost of the incident response — put another way, every dollar you spend doing this work in advance is worth $5 when the defecation hits the ventilation.
  5. Work with partners to fill the gaps between what you have and what you need. Rapidly.
  6. Repeat the last four steps until you feel you have positive control.
  7. Continue to communicate what you know, when you know it, to appropriate and appropriately growing groups of stakeholders. Don't make promises you can't keep or statements not based on fact, but don't shut up until you have facts if stakeholders are visibly or audibly nervous. "We have had a security incident that we understand has affected ____________, and with our staff and partners we are working quickly to determine the extent of the damage and we will report back regularly with progress," is much better than not saying anything and allowing speculation to fester.



The link below has more information:

http://www.csoonline.com/article/2134108/emergency-preparedness/incident-response-matters.html
