Previously, we discussed a disaster classification system and what might happen if someone launched an unsupported rumour about hacking your company's data.
What happens if the threat becomes real? In these instances, there may be no actual data loss, but such an attack can be a disaster all the same.
Once an attack is launched against your organisation, two things must be done in every case: deal with the attack itself, then deal with the aftermath. First things first: whatever causes the attack and whatever type of attack it is, you must stop it from getting any further than it already has, and that requires fast action.
Virus attacks, intruders and other types of Level 2 disasters are extremely difficult to deal with. Generally, you can prepare for them only by implementing proper security measures and by using penetration-testing tools, but when these disasters strike, it is, by their very nature, via the method you least expect.
For virus attacks, immediate quarantine is necessary both for the infected files and for the infected server systems themselves. Failure to move quickly to stop the spread of the infection leads to more and more damage as the minutes tick by. This may mean suspending email service, locking out file servers or taking other actions that interrupt production for your end-users, but in the end it will mean that you save the remainder of your data from the fate of the data already under attack.
For network intrusions, not only do you have to quarantine the affected systems, but you also have to find the security hole that the intruder used. This must be done quickly, and a patch must be found immediately to make sure others don't come in the same way. With intruders, since the attack was against your systems specifically, you may also want to attempt to find out who the intruder is, if you have the time and the proper equipment to do so.
After you have dealt with the original attack, your next steps are to salvage as much data as you can and take preventive measures to make sure the same attack doesn't occur again. This could mean anything from running antivirus tools to performing extensive analyses to see what data was viewed by an intruder.
Document everything methodically and completely, as insurance carriers and your company's management will be looking for this information in the aftermath. Testing with variations of the same attack, changing virus protection schemes and other strategies can help to make sure you don't fall prey to a simple variation of the method that was already used against you.
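The quarantine and documentation steps above are the part of this procedure that a small script can make repeatable under time pressure. The following is an added example, not code from the original article: it walks a file tree, moves any file whose SHA-256 digest matches a known-bad indicator into a quarantine directory with execute permission removed, and appends a timestamped JSON record for each file to a manifest that can later be re-verified by re-hashing, so the record handed to management or an insurer can be shown to be intact. The indicator set, the file contents and the directory layout in `run_demo()` are all constructed for the demonstration; in practice the digests would come from your antivirus vendor or your own analysis.

```python
"""Hash-based file quarantine with an integrity-checked manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_matches(scan_root: Path, quarantine_dir: Path, bad_hashes: set) -> list:
    """Move every file under scan_root whose SHA-256 is in bad_hashes into
    quarantine_dir, make it owner-read-only, and append one JSON record per
    file to quarantine_dir/manifest.jsonl. Returns the records written."""
    scan_root = scan_root.resolve()
    quarantine_dir = quarantine_dir.resolve()
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(quarantine_dir, 0o700)             # only the responder's account may enter
    manifest = quarantine_dir / "manifest.jsonl"
    records = []
    for path in sorted(p for p in scan_root.rglob("*") if p.is_file()):
        if quarantine_dir in path.parents:
            continue                             # never re-scan the quarantine itself
        digest = sha256_of(path)
        if digest not in bad_hashes:
            continue
        # Several copies of the same sample get distinct names in quarantine.
        n = sum(1 for _ in quarantine_dir.glob(f"{digest}-*.quar"))
        dest = quarantine_dir / f"{digest}-{n}.quar"
        record = {
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "original_path": str(path),
            "sha256": digest,
            "size": path.stat().st_size,
            "quarantined_as": str(dest),
        }
        shutil.move(str(path), str(dest))        # works across filesystems too
        os.chmod(dest, 0o400)                    # readable for later analysis, never executable
        with manifest.open("a") as f:
            f.write(json.dumps(record) + "\n")   # append-only evidence log
        records.append(record)
    return records


def verify_manifest(quarantine_dir: Path) -> dict:
    """Re-hash every quarantined file and compare it with its manifest record."""
    manifest = quarantine_dir.resolve() / "manifest.jsonl"
    result = {"checked": 0, "intact": 0, "mismatched": []}
    with manifest.open() as f:
        for line in f:
            rec = json.loads(line)
            result["checked"] += 1
            dest = Path(rec["quarantined_as"])
            if dest.is_file() and sha256_of(dest) == rec["sha256"]:
                result["intact"] += 1
            else:
                result["mismatched"].append(rec["original_path"])
    return result


def run_demo() -> dict:
    """Constructed scenario: one benign file plus two copies of an 'infected' one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fileserver"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.txt").write_text("quarterly numbers\n")
        # Constructed sample content standing in for a real infected document.
        infected = b"CONSTRUCTED-SAMPLE: pretend this is a macro dropper\n"
        (root / "docs" / "invoice.doc").write_bytes(infected)
        (root / "docs" / "invoice-copy.doc").write_bytes(infected)
        bad_hashes = {hashlib.sha256(infected).hexdigest()}  # constructed indicator
        qdir = Path(tmp) / "quarantine"
        records = quarantine_matches(root, qdir, bad_hashes)
        check = verify_manifest(qdir)
        return {
            "quarantined": sorted(Path(r["original_path"]).name for r in records),
            "remaining": sorted(p.name for p in root.rglob("*") if p.is_file()),
            "checked": check["checked"],
            "intact": check["intact"],
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is append-only and each record carries the digest of the file it describes, which is what lets `verify_manifest()` prove later that nothing in quarantine was altered or lost; quarantined files keep owner-read permission so they can still be examined, but lose execute permission so an accidental double-click cannot relaunch them.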
Level 2 disasters often don't cause downtime all on their own. However, the aftermath of dealing with them can cut off vital systems in order to save the rest of your organisation. The decisions on how you will react will absolutely impact your end-users and therefore must be part of your disaster recovery planning well before the attack actually strikes your enterprise.