[BreachExchange] What to Do If Your Company Had a Security Breach
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jul 17 20:45:39 EDT 2017
https://turbofuture.com/internet/How-a-Company-Should-Handle-a-Cyber-Attack
It is better to err on the side of caution, especially when it comes to
security matters. Assume that a security breach will happen at some point
in the future and prepare yourself for this eventuality. Having an
emergency plan will help you save precious time; acting quickly is crucial
to do effective damage control. Commission an external company to conduct
the breach investigation, as you may lack the resources to handle the case
properly; if the breach was caused by one of your employees, an internal
investigation could also create a conflict of interest.
Response to a security breach will differ in each case, as every company is
different. However, there are some general guidelines you should follow. A
typical reaction to a cyber event consists of five stages: initiation,
forensic evidence capture, web and behavioral analytics, risk impact
analysis, and reporting to internal and external constituent groups.
1. Initiation
Start off by forming a breach management team that should consist of the
following roles and responsibilities:
- Legal counsel. Internal if the person has experience dealing with
breaches or external if the internal legal officer doesn’t have the
necessary qualifications.
- Executive sponsor
- Internal security
- Internal IT infrastructure
- Human resources. HR should review the cyber awareness program and
intervene if the breach was caused by one of the employees.
- Corporate communications. They will shape a message to the media.
- Privacy or regulatory compliance
- Risk management
At this stage, you should establish communication standards, protocols, and
encryption for oral and written communication. Appoint a person responsible
for communication with external advisers or consultants (typically, it will
be the legal officer), and with the audit and risk committee of the board
of directors. Establish a frequency and method of communicating progress –
in the early stage, meetings should take place twice a day. Take care to
disclose the news about the breach to the smallest possible number of
people in case any of the employees was at fault. The time for informing
employees will come later.
2. Forensic Evidence Capture
Breach detection sometimes takes years. Confirm that a breach has taken
place. Determine what kinds of information were compromised – personally
identifying information (health, credit card, and financial information),
employee family information, intellectual property, trade secrets, business
proprietary information (alliance partners, customers, third-party vendors,
investors). Determine whether the breach has ended or is still in
progress. Change passwords throughout the company in order to prevent further
information leakage. Determine if the information was encrypted and what
kind of encryption was used. Isolate and image any hard drives, so that an
independent professional can examine them. If this is not the first breach
the company is experiencing, look at the history of breaches to try and
find any parallels. If this is the first security breach, look for similar
cases on the Internet.
3. Web and Behavioral Analytics
Analyze the IP addresses in the environment and classify them into three
categories: authorized and benign, unauthorized and toxic, and authorized
but toxic. Determine if the breach came from the inside or outside – if
from the outside, what was its source? Determine the method of the breach,
and look for any malware programs in the system. Did the breach involve a
physical intrusion? Is there any physical threat to employees?
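The three-way classification described above, as an added example that is not part of the original article: source addresses seen in a constructed log are checked against an asset inventory (authorized or not) and against threat indicators plus a failed-login rule (toxic or not). The inventory, the indicator list, the threshold and the log lines are all constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
# Constructed asset inventory (RFC 1918 / RFC 5737 documentation addresses).
AUTHORIZED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
AUTHORIZED_HOSTS = {ipaddress.ip_address("203.0.113.10")}  # e.g. a partner gateway
# Constructed threat-intelligence indicators (placeholders, not real IoCs).
TOXIC_INDICATORS = {ipaddress.ip_address("198.51.100.7"), ipaddress.ip_address("10.0.5.44")}
# Behavioural rule (assumption): this many failed logins from one source marks it toxic.
FAILED_LOGIN_THRESHOLD = 5
# Constructed sample log lines: "<timestamp> <src_ip> <event>".
SAMPLE_LOG = "\n".join(
    ["2017-07-17T10:00:01 10.0.0.5 login_ok",
     "2017-07-17T10:00:02 198.51.100.7 connect",    # unauthorized, on indicator list
     "2017-07-17T10:00:03 203.0.113.10 login_ok",   # authorized partner host
     "2017-07-17T10:00:04 10.0.5.44 connect",       # internal host, on indicator list
     "2017-07-17T10:00:05 192.0.2.99 connect",      # unknown external source
     "garbage line"]                                # malformed, must be skipped
    + [f"2017-07-17T10:01:{i:02d} 192.168.1.20 login_fail" for i in range(6)])

def is_authorized(ip):
    return ip in AUTHORIZED_HOSTS or any(ip in net for net in AUTHORIZED_NETWORKS)

def classify_sources(log_text):
    """Map each source IP to one of the article's three categories.
    The taxonomy has no 'unauthorized and benign' bucket: an address missing from
    the inventory has no business in the environment, so it is filed as toxic."""
    failed, seen = Counter(), set()
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[1])
        except (IndexError, ValueError):
            continue  # skip malformed lines instead of aborting triage
        seen.add(ip)
        if len(parts) > 2 and parts[2] == "login_fail":
            failed[ip] += 1
    result = defaultdict(list)
    for ip in sorted(seen):
        toxic = ip in TOXIC_INDICATORS or failed[ip] >= FAILED_LOGIN_THRESHOLD
        if not is_authorized(ip):
            result["unauthorized and toxic"].append(str(ip))
        elif toxic:
            result["authorized but toxic"].append(str(ip))
        else:
            result["authorized and benign"].append(str(ip))
    return dict(result)

if __name__ == "__main__":
    for category, ips in classify_sources(SAMPLE_LOG).items():
        print(f"{category}: {', '.join(ips)}")
```

In a real engagement the inventory and indicator sets would be fed from the asset register and the threat-intelligence feed, and the failed-login rule would be one of several behavioural checks.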
4. Risk Impact Analysis
Verify what kind of data was affected, checking both electronic and paper
formats. If personally identifiable information, personal health
information, intellectual property or trade secrets, critical infrastructure
data, or defense information was leaked, make sure
you notify law enforcement about the event. In addition, ask your legal
counsel for advice regarding internal reporting requirements – you may need
to notify at-risk corporate customers and partners, regulators, and board
members. Establish appropriate notification protocols and a notification
strategy.
5. Reporting to Internal and External Constituent Groups
Adjust your reporting strategies for different audiences – remember that a
technical report may cause confusion and misunderstanding among
non-technical audiences, such as the board of directors. Instead of
technical language, use the language of business and risk. The executive
report should contain: an introduction (general risk conditions and
trends), a description of the breached company (in case the audience
doesn’t know it), a description of the intrusion event, the date of
intrusion, a description of at-risk data, an analysis of preliminary
mitigating measures, conclusions and recommendations (this part is crucial
to convince customers that the company is committed to managing risk impact
well), and a technical summary.