First aid after an IT security incident

Jan 18, 2022

Prevention is one of the most important building blocks for the right behavior after an IT security incident.

As with first aid for rescuing people, it is important that simple rules are established. They should be comprehensible to every user. The first effects of a cyber attack are usually noticed by employees who do not have in-depth PC knowledge. If they draw the right conclusions and take important immediate measures, valuable time can be saved. Therefore, formulating rules for an IT security incident in companies should be a matter of course. So should regular instruction of all employees.

What is an IT security incident?

There are numerous definitions of an IT security incident. The wording used by the German Federal Office for Information Security (BSI) in its building block on basic business protection is: "A security incident is defined as an existing or threatened deviation from the defined security level of the institution's assets that was brought about by human error, technical errors, force majeure or intentional action."

Admittedly, this definition is very broad. For example, a known but not yet fixed security vulnerability in a company server could already be covered by it. On the other hand, the definition must be applied to the specific individual case. If a server holds personal data of customers or employees, it would be better to disconnect it from the Internet temporarily because of the known vulnerability. Vulnerable standalone PCs also pose a security risk, which is particularly serious if the PC is used to control sensitive systems, for example in a company's production or as an interface to medical equipment. The loss of data media must likewise be assessed for relevance: if the media contain unencrypted company data, data protection regulations may be affected.

What types of security incidents are there?

First and foremost, of course, are damaging events that can be traced back to cybercrime. However, accidental misconduct by the company's own employees or force majeure are also conceivable triggers for an IT security incident. A rough categorization can be as follows:

- Sabotage: This refers to the intentional disruption of IT assets. It can be carried out in different ways and pursue different goals. A well-known example is the distributed denial of service attack (DDoS), which puts a server out of operation by overloading it with requests. The aim is often to blackmail the affected company, but political or other economic interests can also be behind such an attack. Ultimately, every unspecific virus detection in the company network falls into this category.

- Data modification: This refers to the deliberate modification of files or content, or rendering them unusable. The most common variant is the use of encryption Trojans (ransomware) in corporate networks: after encrypting important files, the criminals offer to decrypt them for a high ransom. In some cases, such attacks are combined with the theft of data, which serves as an additional threat of publication if the company's managers refuse to pay.

- Data theft: This includes the outflow of internal data through malware, the theft of data carriers, or unauthorized access by employees. It follows that unauthorized access to sensitive documents by in-house employees may also qualify as a security incident. Possible motives are industrial espionage or blackmail. Publication in hacker circles to gain a certain notoriety has also been observed in the past.

- Loss: Mobile devices in particular, such as laptops, smartphones and external data carriers, can be lost or go missing through theft. Thieves are often more interested in the hardware itself. Nevertheless, it must be checked whether sensitive data was stored on the device and whether it was sufficiently protected in advance, for example by encryption. Accordingly, burglaries in company buildings in which hardware was stolen are also security-critical.

- External influences: Natural disasters or damage events such as fire and water ingress can impair security, for example if monitoring systems are disabled as a result or unauthorized persons gain access to sensitive areas. This is particularly relevant for companies classified as critical infrastructure (CRITIS), which include utilities, banks and medical laboratories.

It is important for every company to determine in advance which events are to be classified as IT security incidents. It must be clear to every employee which incidents are subject to mandatory reporting.

What to do in the event of an IT security incident?

The BSI provides companies with concrete instructions for the correct behavior after an IT security incident. These include checklists and also emergency cards that can be left at workstations. The selection of the package of measures depends on the structures of an institution in each individual case. However, it should at least include the following points:

1. Immediate measures: Haste and panic are poor advisors. The first priority is therefore to prevent the damage from spreading and, if possible, to preserve the current state of the devices. In the event of a device loss, the only thing left to do is a systematic search of the surroundings. If, on the other hand, a virus is suspected, all network connections must be disconnected immediately. Prioritize the next steps in advance: if preventing further damage takes priority, devices must be switched off, but this can make it difficult or impossible to find traces later. If such a shutdown is necessary, the IT department should at least secure the memory contents and, where applicable, log files before powering off.

2. Reporting obligations: These begin with reporting to superiors in a predetermined order. In addition, companies must consider their reporting obligations under the General Data Protection Regulation (GDPR) to the responsible supervisory authority (usually the state data protection commissioner), and the involvement of law enforcement authorities should be examined. If cyber insurance exists, the insurer must be notified promptly.

3. Crisis team: A crisis team should be formed as quickly as possible. If necessary, contact details for the next hours and days must be exchanged. In addition, it is advisable to discuss the further procedure in this circle and to fix it in writing.

4. IT forensics: If the extent of the damage warrants it, a forensic investigation by external service providers or law enforcement agencies may be useful. This must be done promptly, if only because systems can usually only be restored after the forensic measures have been completed. If calling in external forensic experts is not reasonable for a company, some tasks can perfectly well be performed by the company's own IT department, such as taking physical hard disk images and creating memory dumps. Log files of all kinds are also useful. Documentation, however, is essential if the findings are to be usable later: it must always be traceable who took which measures and with which tools.

5. Recovery: For the company, restoring its systems is usually the most urgent task. It is essential to proceed in a planned manner so that newly set-up computers do not accidentally come into contact with infected devices. It therefore makes sense to set up a new network in parallel containing only "clean" computers, i.e. computers that have been securely wiped and restored beforehand. Copying files from infected computers is critical: if possible, this should only be done after consultation with experts and via dedicated transfer PCs set up for this purpose.

6. Public relations: Apart from the legal reporting requirements, it is important that the external presentation of a security incident is consistent. Customers may learn of the incident anyway through the unavailability of services, and affected parties must be notified after a leak of personal data. Considering that quite a few well-known companies and organizations have been affected by cyberattacks in the past, including universities and a specialist IT publisher, shame is not appropriate anyway. Wherever justifiable, a company should therefore be as transparent as possible with the public about an IT security incident. Of course, this also applies to internal company communications.
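The preservation and documentation steps in points 1 and 4 (securing memory and log files before a shutdown, taking disk images, and recording who did what with which tools) can be supported by a small chain-of-custody script like the following. It is an added example, not code from the original article or from the BSI materials; the artifact names, operator and tool descriptions in it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: keep a chain-of-custody log
# for forensic artifacts (disk images, memory dumps, exported log files) so that
# it stays traceable who secured which artifact, when, with which tool, and
# whether it has changed since. All paths and names below are constructed.
set -u

# SHA-256 of a file; coreutils sha256sum on Linux, shasum fallback elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_artifact LOG ARTIFACT OPERATOR TOOL
# Appends one tab-separated line: UTC time, operator, host, tool, path, size, SHA-256.
record_artifact() {
    log=$1 artifact=$2 operator=$3 tool=$4
    [ -f "$artifact" ] || { echo "record_artifact: no such file: $artifact" >&2; return 1; }
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$operator" "$(hostname 2>/dev/null || uname -n)" \
        "$tool" "$artifact" "$(wc -c < "$artifact" | tr -d ' ')" "$(sha256_of "$artifact")" >> "$log"
}

# verify_artifact LOG ARTIFACT
# Re-hashes ARTIFACT and compares it with its most recent log entry.
# Returns 0 if unchanged, 1 if the hash differs, 2 if the artifact was never logged.
verify_artifact() {
    log=$1 artifact=$2
    recorded=$(awk -F'\t' -v p="$artifact" '$5 == p { h = $7 } END { print h }' "$log")
    [ -n "$recorded" ] || { echo "verify_artifact: $artifact not in $log" >&2; return 2; }
    [ "$(sha256_of "$artifact")" = "$recorded" ]
}

# Demonstration with a constructed "memory dump" in a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf 'constructed sample memory image' > "$dir/host01-mem.raw"
    record_artifact "$dir/custody.tsv" "$dir/host01-mem.raw" "j.doe (IT)" "constructed acquisition tool v1"
    verify_artifact "$dir/custody.tsv" "$dir/host01-mem.raw" && echo "unchanged: $dir/host01-mem.raw"
    cat "$dir/custody.tsv"
}
demo
```

Keep the custody log itself on separate media from the evidence and hand a copy to the forensic service provider together with the artifacts, so the recorded hashes can be re-checked independently.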

Preparedness for emergencies

Just as every company with its own fleet of vehicles must expect that there will be a traffic accident involving one of its vehicles, an IT security incident will occur in almost every IT infrastructure. If everyone knows what to do in an emergency, this does not have to end in disaster. A well thought-out concept can help. The right backup strategy can additionally defuse such situations. Another good way is to regularly check your own IT security concept with a penetration test.
