Got Antivirus? Next Step: IRP

Leverage An IRP to Protect Your Assets


Congratulations on your proactive focus on protecting yourself against cyber threats! You've already taken the first step by joining us to learn about and discuss cybersecurity.

With basic awareness and a few simple precautions you'll be well ahead of most people. Simply recognizing that obscurity is not security, and that attackers will happily infect and use ANY computer they can reach (not just big, famous targets), is a huge step.

But today's focus is on what happens when you notice something suspicious going on in your system. How do you react? What are your first steps, and how do you limit the damage when symptoms turn into a full-blown infection?

Let's begin with the understanding that—in terms of risk—operating a computer system is much like driving a car on a busy road. I'm sure we're all aware that being distracted behind the wheel greatly increases our chances of a crash. Whether tuning the radio or texting, taking our eyes off the road isn't good for safety.

So what's the opposite of distracted driving? It's defensive driving. Defensive driving is anticipating what could happen next and being ready for it. If that car in front of you hits the brakes suddenly, you'll be much less likely to rear-end it if you're anticipating their stop.

The same sort of preparedness in your computer system operation can save you hours of grief and BIG money when things go south. Seconds count!

Being prepared for the symptoms of a hack starts with writing an Incident Response Plan (IRP). Once it's written, reread it, and ideally walk through it step by step, every six months or at least annually, so that it still matches your current computers, backups and contacts and so that you can follow it without thinking when you're under stress.

A good IRP anticipates seven categories of activities:

  1. Preparation and Planning
  2. Detection and Analysis
  3. Containment and Mitigation
  4. Eradication and Recovery
  5. Post-Incident Analysis
  6. Communication and Collaboration
  7. Continuous Improvement

Of course, these parts of an IRP change in size commensurate with the number of people and systems it protects. Preparation of an IRP for a large organization can involve cross-functional teams of people and end up consisting of multiple volumes of information, whereas an IRP for an entrepreneur can be as short as a few pages. Individuals may have just one summary page of instructions they tack up on their bulletin board.

Regardless of the size of the full IRP, keeping a concise one- or two-page set of instructions on hand means you can act quickly to limit the impact of a malware attack.

Don't forget to print the IRP: an incident can take down the very computer you'd normally read it from. Keep the printout together with the other things the plan needs offline, such as support phone numbers and the location of your backups.

When It Happens

In the simplest terms, isolation is your first concern. Disconnect the affected computer from your network immediately: unplug the Ethernet cable, turn off Wi-Fi and, on a laptop, Bluetooth as well. Disconnecting stops the machine from spreading the infection to other devices and from reaching the attacker's server, and it does not require powering the machine off.

The next step depends on whether you want a forensic analysis of the incident (determining the source and nature of the infection) or not. For individuals and small businesses this is usually less of a concern, simply because the funds to hire a forensic specialist aren't there. In that case the next step is an orderly shutdown of the computer, followed by whatever steps you can take to restore normal operation from your recovered files. This is where a good backup makes all the difference: one that predates the infection and is kept disconnected from the infected computer, so the malware couldn't encrypt or delete it too. If you think you may want forensics later, be aware that shutting down erases what was in memory (running programs, open network connections); at a minimum, note the time, photograph the screen, and keep the original disk rather than wiping it for reuse.

Isolating the affected computer from the rest of the network stops the malware from spreading to other machines and greatly reduces the effort required to get back to normal. Don't reconnect it until it has been wiped and rebuilt, or the cycle starts again.
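As an added illustration of the steps above (this script is not part of the article or of any product it mentions), here is a small POSIX shell triage script for a Linux machine. It records the volatile state that an orderly shutdown would erase, hashes the files so they can later be shown to be unaltered, and only then takes the network interface down. The output directory, the interface name `eth0` and the script name `triage.sh` are assumptions; adapt them to your own checklist.

```shell
#!/bin/sh
# Added example, not from the article: snapshot a Linux host's volatile state
# before isolating it from the network and shutting it down.
# Assumptions (illustrative, adjust to your own plan): run as root, POSIX sh,
# Linux /proc; the output directory, the script name triage.sh and the
# interface name eth0 are placeholders.

# Run one command, saving its output and exit status to the snapshot directory.
# A missing tool is recorded in the manifest rather than aborting the snapshot.
capture() {
  name="$1"; shift
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "$name skipped: $1 not installed" >> "$OUT/manifest.txt"
    return 0
  fi
  if "$@" > "$OUT/$name.txt" 2>&1; then rc=0; else rc=$?; fi
  echo "$name exit=$rc" >> "$OUT/manifest.txt"
}

# SHA-256 of one file, using whichever tool this machine has.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
  else echo "no-hash-tool  $1"
  fi
}

# Record what disappears at shutdown: time, uptime, logged-in users, processes,
# open sockets, routes and the ARP table. Nothing here changes the system.
triage_snapshot() {
  OUT="$1"
  mkdir -p "$OUT" || return 1
  : > "$OUT/manifest.txt"
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/collected_at.txt"
  capture uptime  uptime
  capture who     who -a
  capture ps      ps -eo pid,ppid,user,lstart,args
  capture sockets ss -tunap
  capture routes  ip route
  capture arp     ip neigh
  # /proc/net/tcp exists even on minimal systems that lack ss or ip.
  if [ -r /proc/net/tcp ]; then
    cat /proc/net/tcp /proc/net/tcp6 > "$OUT/proc_net_tcp.txt" 2>/dev/null || true
  fi
  # Hash every artifact so the snapshot can later be shown to be unmodified.
  (cd "$OUT" && for f in *.txt; do
       [ "$f" = hashes.txt ] || hash_file "$f"
     done > hashes.txt)
}

# Number of artifacts in a snapshot directory (a quick sanity check after a run).
snapshot_file_count() {
  ls "$1"/*.txt 2>/dev/null | wc -l | tr -d ' '
}

# Take the host off the network. This is the only step that changes anything,
# so it is kept separate and run after the snapshot has been written.
isolate_host() {
  ip link set "${1:-eth0}" down
}

# Usage from the printed checklist, as root, with the snapshot going to removable
# media rather than to the suspect disk:
#   sh triage.sh /media/usb/incident-$(hostname)
#   isolate_host eth0     # after reviewing manifest.txt
#   shutdown -h now       # only if you are not preserving memory for forensics
if [ -n "${1:-}" ]; then
  triage_snapshot "$1"
fi
```

Run it before anything else and point it at a USB stick, not the suspect disk; then read manifest.txt to see which tools were missing or failed, take the interface down, and only then shut the machine off. The order matters: the snapshot is harmless and can be repeated, while the disconnect and the shutdown each destroy something you may later wish you still had.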

More about preparing an IRP in coming articles.