Brian Pennington

A blog about Cyber Security & Compliance


Incident Planning

What to do in the case of a cyber security related emergency

In the event you have a cyber security related emergency, there are some simple, immediate steps you can take to help get the situation under control and preserve evidence for investigation. Most incidents can be classified as a malware compromise, a data compromise, or computer misuse. Each of these types of incident requires immediate action to help reduce impact and loss.

Follow these steps

  1. If the system is on, leave it on. Turning it off will destroy information that is stored in volatile memory that is critical to evaluating the state of the system.
  2. Preserve logs. Any logs you have at that time should be archived offline for use in further investigation.
  3. If possible, do not make any system changes once the event has been classified as an incident. Typically, changes you may be tempted to make immediately could destroy evidence key to identifying the source of the compromise or action.
  4. Isolate the system from the network, but do not disconnect it from its upstream switch. Sophisticated malware can sense changes in system state (such as a lost link) and change its behaviour or remove itself when such changes are detected.
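Step 2 above says to archive logs offline; the snippet below is an added example (not from the original post or from Coalfire) of doing that in a way that also supports step 3: it copies rather than moves, so the live system is left untouched, and it records SHA-256 hashes of the archive and of every file inside it so the copy can be shown to be unaltered later. The directory names and the sample log line in `demo` are constructed placeholders; `sha256sum` is assumed to be the GNU coreutils tool.

```shell
#!/bin/sh
# Added example: preserve a copy of a log directory for investigation.
# Assumptions: GNU sha256sum is available; paths passed in are placeholders.
set -eu

# preserve_logs SRC_DIR DEST_DIR
#   Writes DEST_DIR/logs-<host>-<utc stamp>.tar.gz plus two sidecar files:
#     <archive>.sha256    hash of the archive itself
#     <archive>.manifest  hash of every file that went into it
#   Prints the archive path. The source files are only read, never modified.
preserve_logs() {
  src="$1"
  dest="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  host=$(uname -n)
  name="logs-$host-$stamp.tar.gz"
  archive="$dest/$name"
  mkdir -p "$dest"
  # Copy, don't move: the originals stay in place on the live system.
  tar -czf "$archive" -C "$src" .
  # Per-file hashes, recorded relative to the source directory.
  (cd "$src" && find . -type f -exec sha256sum {} +) > "$archive.manifest"
  # Hash of the archive, recorded by file name so it can be checked from any cwd.
  (cd "$dest" && sha256sum "$name") > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_archive ARCHIVE
#   Returns 0 if the archive still matches the hash recorded at capture time.
verify_archive() {
  dir=$(dirname "$1")
  base=$(basename "$1")
  (cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1)
}

# demo: builds a throwaway source directory with one constructed log line,
# preserves it, and returns the verification result (0 = hash matches).
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src"
  # Constructed sample log line, not a real event.
  printf 'Jan  1 00:00:01 host sshd[1]: constructed sample line\n' > "$work/src/auth.log"
  out=$(preserve_logs "$work/src" "$work/evidence")
  echo "archive: $out"
  verify_archive "$out"
}
```

Run `demo` (or call `preserve_logs /var/log /mnt/evidence` with a destination on removable media) and keep the `.sha256` and `.manifest` files with the archive; re-running `verify_archive` before analysis shows the copy was not touched in between.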

These simple steps are crucial. The information that could be destroyed through improper or over-aggressive recovery techniques may make the difference between cleaning up malware on a single system and an enterprise-wide system rebuild and data restoration project.

Courtesy of Coalfire Systems Inc.


Top 10 Tips for Cyber Resilience in businesses

The dramatic increase in both the sophistication and frequency of cyber risks and attacks on businesses has profoundly changed the security threat landscape. Gone are the benign days of the Anna Kournikova virus or the “I Love You” bug. Today cyber risks and threats can lead to breaches of sensitive data, harming consumers, businesses and governments of all sizes. But there is a way to stay ahead of these risks by crafting an effective security strategy, and being cyber resilient.

Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business.

Many businesses currently don’t have holistic IT security practices and technologies in place to deal with all of these new challenges. Breaches can and will happen. How businesses prepare for a breach is just as important as how they respond to one. Organisations should consider the following measures to mitigate the risk of an attack and become cyber resilient:

  1. Make security personal to your business – understand your business and how security can be built into your IT practices
  2. Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident
  3. Get executive and board engagement – cyber resilience starts at the top of the organisation
  4. Have a plan – security incidents happen every day. Develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what
  5. Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable. All employees need to know what part they play in the bigger picture
  6. Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management
  7. Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy
  8. Start small, but think big – information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value. For example, the supply chain and how an organisation interacts with its wider network of vendors and partners. The key is to think big but have a maturity plan, which must be linked to strategic business value and growth
  9. Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor
  10. Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.

For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage.

Written by Brenton Smith, Managing Director & VP Pacific at Symantec, and originally posted here.
