
Incident Handling

We’ve suffered a major system crash and our server data has been deleted, can you recover it?
Very often it is possible to recover data, even from complex RAID systems. However, cheap tools downloaded from the internet will very often recover only a few data files. These tools have limited functionality and are suitable only if the data is not particularly valuable.

We think our computer network has been hacked – what should we do?
As far as possible, isolate the affected systems: do not power them off, simply unplug the network cable and call a digital investigations specialist. Start a proper investigation, and until it begins, minimise the spread of the infection.

Is it possible to avoid any incidents?
In today’s world where we all connect to the internet in some way, it is impossible to have no risk.

What is the benefit of incident management?
All organisations will experience an information security incident. Creating an effective incident management policy and defining the supporting processes improves resilience, speeds up business continuity and reduces the impact of the incident. Without a proper incident management policy and plan, the business will be slow to return to normal operations and may suffer serious financial losses.

What are the recommended steps to implement incident management?
According to the government’s 10 Steps to Cyber Security, you should follow these steps:
1) Have a clear incident response policy in place for the common possible incidents
2) Have a clear idea about the roles and responsibilities of each person in the company
3) Decide on the backup methods
4) Test the response plan frequently
5) Document information related to the incident and conduct a lessons learned review
6) Review your plan and improve accordingly

I’ve noticed a transaction/withdrawal on my online banking record that I did not perform; what should I do?
Contact your bank immediately and follow their instructions for reporting fraud. You may also wish to contact Action Fraud (see link). The bank may also be able to help you reverse the transaction.

What is a disaster recovery plan?
A disaster recovery plan is a documented set of procedures which outline how to respond to a disaster and recover the organisation from it. A good disaster recovery plan will include the goals and statement of the plan, details of the personnel responsible for dealing with and executing the plan, an IT inventory, backup procedures and recovery procedures. The plan helps the business minimise disruption to normal operations, damage to assets and economic impact, and enables smooth recovery.

We suspect one of our employees is copying confidential company data and passing it on to competitors – how can we find out what’s really going on?
This is a sensitive issue and must be handled correctly. Avoid letting your IT or Security departments have a ‘quick look’ at the suspect’s computer, as it may result in a violation of their rights. Do not jump to conclusions; after consulting legal advisers, appoint an investigator to conduct a proper investigation.

We suspect that our financial systems have been compromised but virus checks all come back clean. How can we be sure our systems remain secure?
Modern malware is designed to defeat anti-virus tools and may evade detection easily. It is advised to appoint a Network Investigations Specialist who will know where and what artefacts to look for to determine if a system has been compromised. The specialist will be able to uncover the malware, if the system is infected, through proper investigation methods.

We’ve had incidents in the past and want to make sure we’re better prepared to deal with them in the future – what can we do?
If you’ve had incidents in the past which damaged your security, you may benefit from Forensic Readiness Planning. Forensic Readiness Planning is a simple method to plan and prepare for incidents by reviewing and analysing security controls, policies and procedures.

The steps involve:
1) Establishing the scenarios or events that would require digital evidence
2) Identifying the source of evidence required for each event
3) Determining evidence collection requirements
4) Establishing methods to collect and store evidence securely
5) Establishing a chain of custody policy
6) Identifying whether the incident requires a formal investigation
7) Educating staff to handle evidence and the site without tampering
8) Establishing a documentation procedure
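As an added example (not part of this FAQ), steps 4, 5 and 8 above can be backed by a tamper-evident custody ledger: each evidence item is hashed at acquisition and re-hashed at every hand-over, and each ledger entry is chained to the digest of the previous entry. The item ids, handler names and sample evidence bytes are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key ordering.
    return sha256_hex(json.dumps(entry, sort_keys=True).encode())


def append_event(ledger: list, item_id: str, action: str, handler: str,
                 data: bytes, note: str = "") -> dict:
    """Append one custody event; each entry is chained to the previous one."""
    entry = {
        "item": item_id,
        "action": action,             # e.g. "acquired", "transferred", "examined"
        "handler": handler,
        "time": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_hex(data),   # content hash taken at this hand-over
        "note": note,
        "prev": _entry_digest(ledger[-1]) if ledger else "0" * 64,
    }
    ledger.append(entry)
    return entry


def item_unchanged(ledger: list, item_id: str) -> bool:
    """True if every hash recorded for the item equals its acquisition hash."""
    hashes = [e["sha256"] for e in ledger if e["item"] == item_id]
    return bool(hashes) and all(h == hashes[0] for h in hashes)


def ledger_intact(ledger: list) -> bool:
    """True if no entry that a later entry chains to was altered or removed."""
    expected_prev = "0" * 64
    for entry in ledger:
        if entry["prev"] != expected_prev:
            return False
        expected_prev = _entry_digest(entry)
    return True


if __name__ == "__main__":
    image = b"constructed disk image bytes"   # constructed sample evidence
    log = []
    append_event(log, "E-001", "acquired", "analyst A", image, "seized from server room")
    append_event(log, "E-001", "transferred", "analyst B", image)
    print("item unchanged:", item_unchanged(log, "E-001"))
    print("ledger intact:", ledger_intact(log))
```

The last entry is only protected once a later entry chains to it, so a real deployment would also sign or export the ledger at each hand-over.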