Published on AccountingWEB.co.uk (http://www.accountingweb.co.uk)
What to do when hackers attack
Created 17/11/2008 - 12:43

With cybercrime flourishing, it is becoming increasingly common for commercial organisations to experience security breaches such as unwanted intrusions to their networks and virus infections. Martin Baldock of Data Genetics International (DGI) offers some practical cyber defence suggestions.

The 2008 BERR/PwC security survey [1] found that 21% of organisations had suffered virus attacks and 13% experienced unauthorised network access during the previous 12 months.

"While it ought to be considered as poor practice if the company is the victim of hacking and remedial efforts must be brutal, handling the cyber attack correctly at the time of the incident is even more crucial," says Baldock.

Cyber attacks can either take the form of insider activity involving a breach of trust from employees, or external attempts to gain network access in order to harm the organisation. As an experienced forensic investigator, Baldock urges organisations that have suffered malicious security breaches to seek legal help as quickly as possible. "It is all too easy to start an investigation without considering the implications of what may or may not have been happening," he warns.

The following action plan is drawn from a longer article published on our sister site, Finance Week [2]:

Initial response

  • Consider reputational damage and how this could be mitigated.

  • Identify appropriate investigation skills and staff.

  • Consider what legal action can be taken to prosecute and/or recover assets.

First Response Procedures (FRP)

  • Seek assistance from trusted forensic IT people.

  • Understand your IT infrastructure.

  • Decide whether to monitor the situation or act immediately, then seize compromised equipment at the scene and "freeze" its current set-up.

  • Determine the extent of the intrusion.

Investigate

  • Secure other compromised machines.

  • Scan network for hidden viruses.

  • Secure all network and firewall logs.

  • Check and update anti-virus library files.

  • Change passwords and review password policy.

  • Review HR and computer usage policies.

  • Interview users who have been affected.

  • Consider using network monitoring tools if the attack affects more than one computer.

The initial user device affected by malware is usually where the entry point resides and should be the focus of the most detailed scrutiny. Network "sniffers" attach to the host system's network card and can be set to capture all the data that passes across the network for later review; forensic investigators can then use that captured data to reconstruct network activity. Calling in professional help at the earliest opportunity gives you the best chance of preserving your data and catching the culprits, says Baldock.
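As an added example (not from the article or from DGI), the following Python routine implements the "freeze" and "secure the logs" steps of the action plan: before any analysis starts it records the SHA-256 hash, size and timestamp of every preserved log file, and later checks that nothing has been altered, removed or added. The file names and log lines are constructed samples.

```python
import hashlib
import os
import tempfile
import time


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(log_dir):
    """Freeze the evidence: size, mtime and SHA-256 of every file under log_dir."""
    # Taken before any analysis starts; store the manifest outside log_dir.
    entries = {}
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            entries[os.path.relpath(path, log_dir)] = {
                "size": st.st_size, "mtime": st.st_mtime, "sha256": sha256_file(path)}
    return {"collected_at": time.time(), "files": entries}


def verify_manifest(log_dir, manifest):
    """Names of files missing or changed since the manifest; new files get a '+' prefix."""
    problems = []
    for rel, rec in manifest["files"].items():
        path = os.path.join(log_dir, rel)
        if not os.path.isfile(path) or sha256_file(path) != rec["sha256"]:
            problems.append(rel)
    now = build_manifest(log_dir)["files"]
    problems.extend("+" + rel for rel in now if rel not in manifest["files"])
    return sorted(problems)


def make_sample_evidence():
    """Constructed sample: two small log files in a fresh temporary folder."""
    evidence = tempfile.mkdtemp()
    with open(os.path.join(evidence, "firewall.log"), "w") as f:
        f.write("2008-11-17 09:12:01 DROP TCP 10.0.0.5:51234 -> 10.0.0.1:22\n")
    with open(os.path.join(evidence, "auth.log"), "w") as f:
        f.write("Nov 17 09:13:44 host sshd[123]: Failed password for admin\n")
    return evidence
```

Call make_sample_evidence(), pass the folder to build_manifest() at seizure time, and run verify_manifest() against the saved manifest whenever the evidence is handed over; an empty result means the logs are as collected.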


Source URL: http://www.accountingweb.co.uk/item/191369

Links:
[1] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=182501&d=1025&h=1023&f=1026
[2] http://www.financeweek.co.uk/business-technology/action-plan-outline-businesses-who-suspect-online-attack