Information for IT staff: The 12 most important measures in the event of cyber incidents

The Alliance for Cybersecurity has published a 1-page leaflet with the 12 most important points for dealing with a cybersecurity incident. It is mainly aimed at IT managers in small and medium-sized enterprises, but is also helpful for IT coordinators in the organizational units of TU Braunschweig.

Please always inform the CIO of TU Braunschweig and the Gauss IT Center at informationssicherheit@tu-braunschweig.de or via the IT Service Desk at (0531-391-) 55555 in the event of cyber security incidents.

Download the leaflet: www.allianz-fuer-cybersicherheit.de/ACS/DE/Angebote/IT-Notfallkarte/TOP-12-Massnahmen/top12massnahmen_node.html

Here is the content:

Coping with a cyber attack is always individual and measures must be adapted to the circumstances of the IT infrastructure on site, the type of attack and the objectives of the organization. The measures implied in the 12 points formulated as questions serve as an impulse and support for individual management. The document is aimed at IT managers and administrators, primarily in small and medium-sized companies.

Have initial assessments of the incident been carried out to determine whether it is a cyber attack or merely a technical defect?


Have you continuously coordinated and documented your measures and communicated them to all relevant persons and responsible parties?

Have system logs, log files, notes, photos of screen contents, data carriers and other digital information been forensically secured?

Have you always focused on the business processes that are particularly time-critical and therefore require priority protection?

Have affected systems been disconnected from the network?
Have Internet connections to the affected systems been disconnected?
Have all unauthorized accesses been prevented?

Have backups been stopped and protected from possible further impact?

Have measures been taken to determine the full extent of the spread? Have all attacked systems been identified?

Have the vulnerabilities in systems or (business) processes exploited in the cyber attack been addressed and remedied through relevant measures?

Were the police or relevant authorities (data protection, reporting obligations, etc.) notified after coordination?

Have the access authorizations and authentication methods for affected (business and possibly private) accounts been checked (e.g. new passwords, 2FA)?

Will the network continue to be monitored after the incident to detect possible new anomalies?

Have the affected data and systems been restored or rebuilt?

Erstens

Have initial assessments of the incident been carried out to determine whether it is a cyber-attack or simply a technical fault?

Zweitens

Have you continuously coordinated and documented your measures and communicated them to all relevant persons and managers?

Drittens

Have system logs, log files, notes, photos of screen contents, data carriers and other digital information been forensically backed up?

Viertens

Have you always focused on the business processes that are particularly time-critical and therefore require priority protection?

Fünftens

Have affected systems been disconnected from the network?
Have Internet connections to the affected systems been disconnected?
Have all unauthorized accesses been prevented?

Sechstens

Have backups been stopped and protected from possible further impact?

Siebtens

Have measures been taken to determine the full extent of the spread? Have all attacked systems been identified?

Achtens

Have the vulnerabilities in systems or (business) processes exploited in the cyber attack been addressed and remedied by relevant measures?

Neuntens

Were the police or relevant authorities (data protection, reporting obligations, etc.) notified after consultation?

Zehntens

Have the access authorizations and authentication methods for affected (business and possibly private) accounts been checked (e.g. new passwords, 2FA)?

Elftens

Will the network continue to be monitored after the incident to detect possible anomalies?

Zwölftens

Have the affected data and systems been restored or rebuilt?