Incident Response Plan

  1. Preparation
    • We have multiple layers of defense.
      • All traffic goes through Cloudflare.com. We use their WAF running the OWASP rules to prevent SQL injection attacks, block DDoS attacks and aggressive bots, and filter potentially malicious requests.
      • Our servers are continuously updated with the latest security patches and updates. We run monthly PCI scans to look for weak code or protocols that need to be updated.
      • Our hosting company has a perimeter firewall plus Intrusion Prevention (IPS) and Intrusion Detection (IDS) systems with deep packet inspection for known malicious attack patterns, providing intrusion prevention, detection, and reporting.
      • Anti-virus software detects and removes malware and viruses. Virus definitions are continuously updated.
      • All unused ports on the server are blocked.
         
    • Our Incident Response Team consists of 3 members.
      1. Our web developer - he is the initial point of contact and is available by phone 24 hours a day. He reviews the Windows logs, IIS logs, and Fusion Reactor logs to determine whether a breach has occurred.
      2. Our hosting company - they have a 24/7 security team that monitors our servers. They will also assist in investigating and mitigating any data breach.
      3. The owner of A la mode, inc - he coordinates the official response and notifies third-party vendors if needed.
         
  2. Identification
    • Detection
      • Monitor our servers - we may receive alerts of suspicious traffic from our monitoring software or from our hosting company. This may include:
        • Alerts from our hosting company about unusual firewall activity or a server with unusually high usage.
        • Alerts from Fusion Reactor (Tomcat monitoring software) about unusual traffic patterns.
        • Alerts from anti-virus software.
      • Review logs - traffic logs are periodically examined manually to look for unusual patterns.
      • Customer or employee comments - if a customer or staff member notices something unusual about our data, they can send in an email. Anything related to problems with the website will be forwarded to the web developer.
         
    • Determine if there was a data breach - our web developer, working with the 24/7 security team at our hosting company, will review the logs and determine whether someone penetrated our server. We will then determine the extent and severity of the breach.
       
    • Collect evidence - we'll take a snapshot of the server in order to preserve it exactly as it is. All backups will be preserved regardless of the normal rotation and deletion schedule. All logs will be downloaded and reviewed, including the Fusion Reactor and Windows system logs. Everything will be retained for a minimum of 90 days.
       
    • Documentation - we'll take notes on everything we find: who discovered the breach, what was discovered, when it was discovered, and whether anything has been done to the server. The date/time on all the logs will be recorded as well.
       
    • Notification - the owner of A la mode, inc will notify Amazon via email at 3p-security@amazon.com about the breach within 24 hours.
       
  3. Containment
    • Attack - if the site is being attacked, we can block or restrict access with Cloudflare or through the local firewall.
    • Isolate - we can remove a server from the network, restrict user accounts, or restrict access to local users only if necessary.

     
  4. Eradication
    • Virus - if a server is infected, it can be cleaned or replaced.
    • Code - if there was a security hole in the code, it will be rewritten and retested.
    • Software - if a particular piece of software was compromised, it will be updated or replaced.
       
  5. Review

    Within two weeks of the end of the incident, we'll perform a retrospective of the incident. We'll prepare complete documentation of the incident, investigate it further, understand what was done to contain it, and determine whether anything in the incident response process could be improved.