Incident Control and Response
Security precautions are necessary to minimize the probability that unauthorized third parties will compromise your corporate data. However, no security precaution -- from the most sophisticated technologies to the best security practices -- can make a network 100% secure. There is always a small possibility that a potential attacker will be able to compromise even the most secure systems. Therefore, no security design is complete without a plan dictating how to recover from a security breach.
Prometheus Global's Incident Control and Recovery (ICR) service offers your organization the skills and experience for dealing with the unfortunate and potentially devastating situation of a security breach. Because of the nature of computer attacks, it is essential that, once an attack is detected, the reaction be both swift and cautious. It must be swift in order to minimize the time (and thus, opportunity) an attacker has to wreak havoc. It must be cautious because a hasty recovery could destroy evidence that could be used to prosecute the attackers or prevent future incidents, and because an attacker may install counter-measures designed to cause extensive damage if any attempt is made to interfere with the attack. Prometheus Global's security engineers have extensive experience in handling the aftermath of security breaches. Since an attack can happen at any time, we can be available to your organization on a constant basis.
As its name implies, an ICR necessarily involves two steps: Control and Recovery. The first step of an ICR is always to control the attack. An ICR begins with a process in which control of the violated systems is taken away from the attacker. Like fighting a forest fire, gaining control of an attack may involve action on several fronts, but is always a methodical and directed process of examination, action and evaluation. After control is regained, the recovery phase begins. During the recovery phase, the damage caused by the attack is assessed. Once the extent of the damage is determined, our engineers work to return the violated systems to the pre-attack state.
Two additional steps may follow an ICR. More often than not, returning the system to its pre-attack state may not be appropriate, as doing so may expose your organization to the same vulnerability that resulted in the original attack. In this instance, the vulnerability that resulted in the attack should be repaired. The repair may be as simple as patching a piece of software, or it may require extensive architectural changes to your systems. In the latter case, it may be necessary for Prometheus Global to perform a Security Design Review (SDR) before proceeding.
Another possible step that may follow an ICR is the collection of forensic information. Forensic information may be useful either for corporate records or for prosecution of the individual or individuals responsible for the attack. Prometheus Global has extensive experience working with law enforcement and is able to provide expert legal testimony.
In 2005, there were nearly 500,000 documented attacks on web servers (Source: zone-h.org). If you have an internet-facing application or system, it is not a question of 'if' you will be attacked; it is a question of 'when.' Being able to control and respond to an intrusion is not only a powerful tool for managing risk, it could make all the difference.