How do you respond to a Security Incident?
If you encounter a security incident, such as when your virus scanning software alerts you that your computer has been infected with a virus, you should follow these steps:
- Keep calm! Disconnect your computer from the Internet and stop any further work on the machine, e.g. stop sending emails or typing a document.
- Determine the type of problem and the extent of the impact on your system. Try to identify the source or cause of the problem, such as the opening of a suspicious email.
- Take notes; log events clearly and tidily and write down all the facts, e.g. the date and time the incident occurred, what actually happened, who is related to the incident, etc.
- Get advice from appropriate organisations if necessary.
- Use other communication channels to get help, such as making phone calls. Don't use the Internet, as this may spread the virus again.
- Collect records of the incident if possible, e.g. system logs or error logs. If necessary, make a full backup of the compromised computer or system as soon as you confirm it is a real incident, and store the backup in a secure place.
- Contain the problem: conduct an impact assessment of the incident on your data and information to see if anything has already been damaged or infected. Move critical data to other media (or other systems) that are separate from the compromised system or network. Shut down or isolate the compromised host or system temporarily to prevent further damage to other interconnected systems and to prevent the compromised system from being used to launch an attack on other connected systems.
- Eliminate or mitigate the cause of the incident, e.g. remove all backdoor and malicious programs installed by attackers, apply patches or fixes to vulnerabilities found in the operating system or your software, correct any improper settings and update your passwords. In the case of a virus infection, clean the virus from all infected systems and media following the advice of your anti-virus software vendor.
- Restore your computer or system to its normal operating state, e.g. re-install deleted or damaged files from trusted sources and use backups that are confirmed clean and were taken before the incident occurred. Verify that the restoration was successful and that the computer is back to its normal operating condition.
- Strengthen existing protection, such as updating anti-virus signatures, installing a personal firewall, removing all unwanted emails, reconfiguring your browser, disconnecting from the Internet when not required, and so on.
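As an added example (not part of the original page), here is a small Python incident notebook covering the note-taking and record-collection steps above: it keeps dated notes, registers collected logs with a SHA-256 hash, and later verifies that the stored copies have not changed. The reporter name, log content and timestamps are constructed for illustration.

```python
"""Incident notebook: timestamped notes plus a hash-checked evidence manifest (constructed example)."""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Hash a collected file so later tampering or corruption can be detected."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


@dataclass
class IncidentRecord:
    reporter: str            # who is handling / related to the incident
    summary: str             # what actually happened, in one line
    notes: list = field(default_factory=list)      # dated, tidy event log
    evidence: dict = field(default_factory=dict)   # file path -> sha256 hex

    def add_note(self, text, when=None):
        """Log an event with its UTC date and time."""
        when = when or datetime.now(timezone.utc)
        entry = {"time": when.isoformat(timespec="seconds"), "text": text}
        self.notes.append(entry)
        return entry

    def add_evidence(self, path):
        """Register a collected record (system log, error log) with its hash."""
        self.evidence[str(path)] = sha256_of(path)
        return self.evidence[str(path)]

    def verify_evidence(self):
        """Return paths whose current hash no longer matches the manifest."""
        return [p for p, h in self.evidence.items() if sha256_of(p) != h]

    def to_json(self):
        """Serialise the record so it can be stored in a secure place."""
        return json.dumps(asdict(self), indent=2, sort_keys=True)


def demo():
    """Walk the note-taking and evidence steps on a constructed sample log."""
    log = Path(tempfile.mkdtemp()) / "antivirus.log"      # constructed sample file
    log.write_text("2024-01-01 09:00:00 ALERT Trojan detected in invoice.docx\n")
    rec = IncidentRecord(reporter="helpdesk", summary="AV alert after opening email attachment")
    rec.add_note("Disconnected machine from network", datetime(2024, 1, 1, 9, 2, tzinfo=timezone.utc))
    rec.add_evidence(log)
    clean = rec.verify_evidence()        # [] : manifest matches the collected file
    log.write_text("")                   # simulate the log being wiped afterwards
    tampered = rec.verify_evidence()     # [str(log)] : mismatch is flagged
    return rec, clean, tampered
```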
Prevention is always better than cure.