As soon as you become aware that a security breach has occurred, technical personnel and senior business decision makers must work together to decide on the most practical and effective containment plan.
The objective of a containment plan is to return to normal functionality as quickly as possible whilst enabling analysis of the attack and making plans for remediation.
It’s essential that you work quickly to contain the damage being done by the cyber attack. Viruses can quickly spread to other networks and devices within your organisation and even beyond.
If a data breach has occurred, containment activity should focus on determining the extent of the compromise and preserving the confidentiality and integrity of sensitive data that has not yet been stolen or disclosed.
Ways in which a cyber security incident can be contained include:
- Blocking (and logging) of unauthorised access.
- Blocking malware sources (e.g. email addresses and websites).
- Closing particular ports and mail servers.
- Changing system administrator passwords where compromise is suspected.
- Relocating website home pages.
- Isolating systems.
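As an added example that is not part of the original guidance, the script below shows how the first containment decision, determining the extent of the compromise, can be driven from log evidence: it parses constructed SSH authentication log lines and separates hosts a suspect source actually logged into (candidates for isolation and credential resets) from hosts it only probed (block and monitor, no isolation needed). The hostnames, usernames and IP addresses are invented for the example.

```python
import re

# Constructed sample sshd auth log lines (hypothetical hosts, users, IPs).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2211]: Failed password for admin from 203.0.113.45 port 51122 ssh2
Mar 10 02:14:07 web01 sshd[2211]: Accepted password for admin from 203.0.113.45 port 51122 ssh2
Mar 10 02:20:33 db02 sshd[3190]: Accepted publickey for deploy from 203.0.113.45 port 51190 ssh2
Mar 10 02:25:10 app03 sshd[4102]: Accepted password for root from 198.51.100.7 port 40011 ssh2
Mar 10 02:30:00 app03 sshd[4200]: Failed password for admin from 203.0.113.45 port 51300 ssh2
Mar 10 09:01:44 web01 sshd[5521]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2
"""

# Matches the standard sshd "Accepted/Failed <method> for <user> from <ip>" line.
LINE_RE = re.compile(
    r"^\S+ +\d+ \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def scope_compromise(log_text, suspect_ips):
    """Classify hosts by what the suspect source achieved on them.

    A successful login means the host is inside the compromise and the
    account used needs its credentials reset; failed attempts alone mean
    the host was only probed and can be blocked and watched instead.
    """
    accepted_hosts = set()
    probed_hosts = set()
    accounts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] not in suspect_ips:
            continue
        if m["result"] == "Accepted":
            accepted_hosts.add(m["host"])
            accounts.add((m["host"], m["user"]))
        else:
            probed_hosts.add(m["host"])
    return {
        "isolate_hosts": sorted(accepted_hosts),
        "reset_accounts": sorted(accounts),
        "probed_only_hosts": sorted(probed_hosts - accepted_hosts),
    }


if __name__ == "__main__":
    print(scope_compromise(SAMPLE_LOG, {"203.0.113.45"}))
```

Feeding the output into the isolation and password-change steps keeps those actions limited to hosts with evidence of compromise rather than every host the attacker touched.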