Reaction to Security Incidents

February 2017
It is essential to identify an organization's security needs in order to roll out measures that will enable the organization to avoid a disaster such as an intrusion, equipment failure or even water damage. Nevertheless, it is impossible to totally avoid all risks and every company must expect to experience a disaster.

In this type of scenario, reaction speed is vital because a compromise means that the company's entire information system is in danger. Moreover, when the compromise prevents a service from functioning properly, a lengthy interruption can mean financial losses. Finally, in the case of a website being defaced (its pages modified), the company's entire reputation is at stake.

Reaction Phase

The reaction phase is generally the most overlooked phase in IT security projects. This phase consists of anticipating events and planning the measures to be taken in case of a problem.

In the case of an intrusion, for example, the systems administrator could react in one of the following ways:

  • Obtain the hacker's address and counterattack
  • Turn off the machine's electrical supply
  • Remove the machine from the network
  • Reinstall the system

The problem is that each one of these actions can be potentially more damaging (notably in terms of costs) than the intrusion itself. If the operation of the compromised machine is vital to the working order of the information system or in the case of an online sales website, a lengthy service interruption can be catastrophic.

Moreover, in this type of case it is important to establish proof in case there is a judicial enquiry. Otherwise, if the compromised machine was used as a rebound for another attack, the company runs the risk of being held responsible.

Implementing a disaster recovery plan can enable an organization to keep the disaster from worsening and ensure that all the measures devised to establish proof are correctly applied.

In addition, a correctly developed disaster plan defines the responsibilities of every individual and avoids orders and counter-orders, which waste precious time.


Returning the compromised system to working order must be described in detail in the recovery plan and must take the following elements into account:

  • Dating the intrusion: knowing the approximate date the machine was compromised allows the organization to evaluate the level of intrusion risk for the rest of the network and the degree to which the machine was compromised
  • Confining the compromise: taking the necessary measures so that the compromise does not spread
  • Backup strategy: if the company has a backup strategy, it is recommended to verify the changes made to the compromised system's data against data that is supposed to be reliable. If the data are infected with a virus or a Trojan horse, restoring them may contribute to spreading the damage further
  • Establishing proof: for legal reasons it is necessary to save the corrupted system's log files in order to be able to use them in a judicial enquiry
  • Setting up a replacement site: instead of reinstating the compromised system, it is wiser to develop a replacement site in advance and activate it when necessary, so that service can continue
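The "backup strategy", "dating the intrusion" and "establishing proof" steps above, as an added example that is not part of the original article: it checks a suspect host's files against a trusted baseline manifest, uses the timestamps of changed files to bound when the compromise began, and copies the logs into an evidence directory with SHA-256 digests. All file names, paths and contents are constructed for the demo.

```python
# Added example (not from the article): compare a suspect host's files with a trusted
# baseline, date the earliest change, and preserve its logs with integrity digests.
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    # relative path -> SHA-256 for every regular file under root
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(baseline, suspect_root):
    # Classify files as modified, added or missing versus the trusted copy. The oldest mtime
    # among changed files says the host was compromised no later than that (a hint only).
    suspect_root = Path(suspect_root)
    current = build_manifest(suspect_root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    mtimes = [(suspect_root / p).stat().st_mtime for p in modified + added]
    return {"modified": modified, "added": added, "missing": missing,
            "earliest_change": min(mtimes) if mtimes else None}

def preserve_logs(log_files, evidence_dir):
    # copy2 keeps timestamps; SHA256SUMS lets later tampering with the copies be detected
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    digests = {}
    for src in map(Path, log_files):
        shutil.copy2(src, evidence_dir / src.name)
        digests[src.name] = sha256_file(evidence_dir / src.name)
    (evidence_dir / "SHA256SUMS").write_text("".join(f"{d}  {n}\n" for n, d in sorted(digests.items())))
    return digests

def demo():
    # Constructed sample: trusted copy vs. suspect copy with a defaced page and a planted file
    work = Path(tempfile.mkdtemp())
    for name in ("trusted", "suspect"):
        (work / name).mkdir()
        (work / name / "index.html").write_text("<h1>Welcome</h1>")
        (work / name / "auth.log").write_text("login ok\n")
    (work / "suspect" / "index.html").write_text("<h1>Defaced</h1>")
    (work / "suspect" / "planted.php").write_text("<?php ?>")
    report = compare_to_baseline(build_manifest(work / "trusted"), work / "suspect")
    return report, preserve_logs([work / "suspect" / "auth.log"], work / "evidence")
```

In a real recovery the baseline manifest comes from the last trusted backup or a known-good install, not from the compromised host itself.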

Practising the Disaster Plan

In the same way that fire drills are essential for verifying a fire escape plan, practising the disaster plan allows an organization to confirm that the plan works and make sure that all players know what to do.


This document, titled "Reaction to Security Incidents," is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (