The Alliance for Cyber Security has published a 1-page leaflet with the 12 most important points for dealing with a cyber security incident. It is mainly aimed at IT managers in small and medium-sized enterprises, but is also helpful for IT coordinators in the organisational units of TU Braunschweig.
In case of cyber security incidents, please always inform the CISO of the TU Braunschweig and the Gauss IT Centre at informationssicherheit@tu-braunschweig.de or via the IT Service Desk at (0531-391-) 55555.
Download the leaflet: https://www.allianz-fuer-cybersicherheit.de/ACS/DE/Angebote/IT-Notfallkarte/TOP-12-Massnahmen/top12massnahmen_node.html
Here is the content:
Dealing with a cyber attack is always an individual matter: measures must be adapted to the circumstances of the IT infrastructure on site, the type of attack and the objectives of the organisation. The measures implied in the 12 points, formulated as questions, are intended as prompts and assistance for handling an incident in one's own context. The document is aimed at IT managers and administrators, primarily in small and medium-sized enterprises.
Have initial assessments of the incident been carried out to determine whether it is a cyber attack or merely a technical fault?
Have you continuously coordinated, documented and communicated your measures to all relevant and responsible persons?
Have system logs, log files, notes, photos of screen contents, data media and other digital information been forensically secured?
Have you always focused on the business processes that are particularly time-critical and therefore have priority for protection?
Have affected systems been disconnected from the network?
Have internet connections to the affected systems been disconnected?
Have all unauthorised accesses been prevented?
Have backups been stopped and protected from possible further interference?
Have measures been taken to determine the full extent of the spread? Have all attacked systems been identified?
Have the vulnerabilities in systems or (business) processes that were exploited during the cyber attack been addressed and remedied through appropriate measures?
Have the police or relevant authorities (data protection, reporting requirements, etc.) been notified after consultation?
Have the access authorisations and authentication methods for affected (business and possibly private) accounts been checked (e.g. new passwords, 2FA)?
Will the network continue to be monitored after the incident to detect possible renewed anomalies?
Have the affected data and systems been restored or rebuilt?