In IT security, the question of when a system is considered “compromised” is less a technical issue and more a decision based on a risk assessment. It requires careful consideration and the most accurate possible picture of the actual situation, and therefore goes far beyond simply reading off KPIs.
What needs to be done?
- Gathering facts: First of all, all available information must be collected and analyzed. Depending on the affected system, this includes log files, network captures and host examinations. This data can reveal anomalies or irregularities that may indicate a compromise.
- Evaluation of indicators: Detected anomalies and irregularities must then be evaluated in their respective context. Not every incident is security-relevant, and not every security-relevant incident automatically means a compromise. It should be determined whether the indicators match known patterns of cyber attacks or security breaches. Here the experience of the IT operations team is crucial, because investigations of this kind can only be carried out meaningfully if the relevant technical expertise is available. Otherwise, the involvement of an experienced forensics service provider should be considered.
- Risk assessment: The probability of an actual compromise is then weighed against the possible consequences for the affected business processes. Together, probability and impact make up the risk that has to be assessed.
- Decision-making: Based on the risk assessment, a decision must ultimately be made as to whether or not a system should be considered compromised. This decision not only takes into account the findings of the specific incident, but must also be aligned with the organization’s risk acceptance criteria.
The decision to consider a system compromised is by no means trivial. If, for example, a central directory service is affected, this can have far-reaching consequences for an organization, because central business processes depend heavily on it.
The situation would be different, for example, if only a single user client had been compromised. It is therefore crucial to create as complete a picture as possible of the actual situation.
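The four steps above, and the directory-service-versus-single-client contrast, can be made concrete with a small triage script. The following is an added example written for this page, not a tool from the original text: it parses a few constructed SSH authentication log lines, evaluates the indicator “several failed logins immediately followed by a success” in context (an authorised scanner is whitelisted, and a single typo-then-login is ignored), scores each remaining finding as likelihood times impact, and compares it against an assumed risk acceptance threshold. The host names, IP addresses, the impact scale, the scoring rule and the threshold are all assumptions chosen for illustration; in practice they come from the asset inventory and from management’s risk acceptance criteria.

```python
"""Indicator triage: gather -> evaluate in context -> score -> recommend.

Added example for the page above; all data and thresholds are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sshd log lines (not from any real system).
SAMPLE_LOG = """\
Jan 12 03:14:01 dc01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 dc01 sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:05 dc01 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:08 dc01 sshd[2201]: Accepted password for root from 203.0.113.7 port 51025 ssh2
Jan 12 03:20:11 ws042 sshd[801]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 12 03:20:13 ws042 sshd[801]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jan 12 03:20:15 ws042 sshd[801]: Failed password for alice from 198.51.100.4 port 40003 ssh2
Jan 12 03:20:18 ws042 sshd[801]: Accepted password for alice from 198.51.100.4 port 40004 ssh2
Jan 12 04:00:00 ws017 sshd[900]: Failed password for svc-scan from 10.0.9.2 port 33000 ssh2
Jan 12 04:00:01 ws017 sshd[900]: Failed password for svc-scan from 10.0.9.2 port 33001 ssh2
Jan 12 04:00:02 ws017 sshd[900]: Failed password for svc-scan from 10.0.9.2 port 33002 ssh2
Jan 12 04:00:04 ws017 sshd[900]: Accepted password for svc-scan from 10.0.9.2 port 33003 ssh2
Jan 12 05:10:40 ws042 sshd[950]: Failed password for bob from 10.0.5.9 port 45000 ssh2
Jan 12 05:10:44 ws042 sshd[950]: Accepted password for bob from 10.0.5.9 port 45001 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)

# Context, all assumed for the example: how much the business depends on each
# host (1 = single client, 5 = central directory service), which sources are
# known-benign (e.g. an authorised vulnerability scanner), and the number of
# failures before a success that we treat as a brute-force pattern.
ASSET_IMPACT = {"dc01": 5, "ws042": 1, "ws017": 1}
KNOWN_BENIGN_SOURCES = {"10.0.9.2"}
FAILS_BEFORE_SUCCESS = 3
RISK_ACCEPTANCE = 6  # assumed management threshold on likelihood * impact


@dataclass
class Finding:
    host: str
    user: str
    ip: str
    failures: int
    likelihood: int  # 1..5, assumed scoring: more failures, more likely hostile
    impact: int      # 1..5, from ASSET_IMPACT

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def recommendation(self) -> str:
        # The script recommends; the decision itself stays with management.
        return "treat as compromised" if self.risk >= RISK_ACCEPTANCE else "monitor"


def gather(log_text: str) -> list[dict]:
    """Step 1: turn raw log lines into structured events; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def evaluate(events: list[dict]) -> list[Finding]:
    """Steps 2 and 3: match the 'failures then success' pattern per (host, user, ip),
    discard what the context explains, and score what remains."""
    failures: dict[tuple, int] = defaultdict(int)
    findings = []
    for e in events:
        key = (e["host"], e["user"], e["ip"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        n = failures.pop(key, 0)
        if n < FAILS_BEFORE_SUCCESS:
            continue  # a typo followed by a normal login: not security-relevant
        if e["ip"] in KNOWN_BENIGN_SOURCES:
            continue  # matches a known benign pattern (authorised scanner)
        findings.append(Finding(
            host=e["host"], user=e["user"], ip=e["ip"], failures=n,
            likelihood=min(5, 1 + n),
            impact=ASSET_IMPACT.get(e["host"], 3),  # unknown asset: assume medium impact
        ))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Step 4 input: the scored findings management needs to decide on."""
    return evaluate(gather(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host}: {f.failures} failures then success for {f.user} from {f.ip}; "
              f"risk {f.risk} -> {f.recommendation}")
```

The same indicator appears on dc01 and on ws042, yet only the directory server crosses the acceptance threshold, which is the point of the preceding paragraphs: the verdict depends on what the affected system carries, not on the log pattern alone. Note what the script deliberately does not do: it does not declare the system compromised, it produces a scored recommendation for the decision-makers.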
In practice, this will not always be possible. The final outcome will rarely be a matter of certainty, but rather a risk-based management decision, and this process should not be (completely) delegated to IT operations.
The potential impact on business processes must be made known to the management level, and ultimately management must decide how to proceed based on the options presented.