[BreachExchange] Five keys to preparing for a data breach

Fri Jun 17 16:25:08 EDT 2016

http://www.information-age.com/technology/security/123461615/five-keys-preparing-data-breach

Data breaches are an unavoidable part of doing business today. The evolving
threat landscape has forced many information security professionals to
adjust their thinking from ‘if I get breached’ to ‘when I get breached’.

How well or badly your organisation ends up after a data breach will come
down to how prepared you were with actionable, well-documented strategies
and procedures. Here are five steps you can take before a breach occurs.

Know exactly where your data is

Knowing where your data is critical in formulating a logical investigation
plan. This will help any investigation team triage an incident and rapidly
reduce the amount of data they have to look at.

If your confidential data suddenly showed up on Pastebin and you knew it
lived on server X, it would be logical to assume server X was involved in
the breach and should be included in the scope of the investigation.

If your data showed up on Pastebin and you had no idea which system that
data came from, you would need to start adding zeros to your incident
response team’s contract. They’re going to be there a while.

Understand the importance of logging files

Performing an investigation without log files is like following a set of
footprints in a blizzard. Without logs, there’s no evidence of initial
intruder access into the target environment, lateral movement from the
point of entry and exfiltration of the harvested data.

You may be able to examine the last few hours or days of the incident, but
nothing beyond what is stored locally. This is a big problem, since most
breaches occur months before evidence of their existence surfaces. By that
time, the logs required to identify what took place and when are long gone.

Understand breach disclosure responsibilities

Disclosure is almost always necessary – and your legal obligations are
getting stricter. Needless to say, you need to get a good lawyer who
understands cybersecurity legislation.

Your legal counsel should fully understand not only which disclosure laws
apply to your organisation and lay out a strategy regarding how you will
comply with them if and when a breach is discovered, but also if you have
any customer or partner contractual obligations.

You’ll also need to ensure the key decision makers in your business
understand their responsibilities under the appropriate legislation.

Develop and test an incident response plan

Organisations that have a plan can identify, contain and eradicate threats
exponentially better than those without one. Engaging an external
consulting firm to generate a computer security incident response plan
(CSIRP) is very important.

Their knowledge can help you to build a comprehensive plan and help you
avoid some of the common mistakes other organisations have made.

Creating a CSIRP is the first step in preparing your organisation for a
breach, but you don’t want the first time you test your incident response
plan to be when an incident occurs. Testing your CSIRP will help you to
identify which sections of the plan are strong and work as intended, and
which sections are lacking and need modification.

Perform goal-oriented penetration testing

A penetration test gauges an organisation’s ability to withstand a
cyber-attack. The test determines, given a set of configurations, the
degree to which an intruder can gain access to a target environment, move
around, access company sensitive data and move it from a system controlled
by you (the victim), to a system controlled by an attacker.

> See also: The 7 most dangerous myths of software security

Pentesting can also evaluate your organisation’s ability to detect and
respond to an attack. Organisations that engage in realistic, goal-oriented
penetration testing are much better positioned to defend against attacks
than those that don’t perform this type of realistic pentesting or simply
tick boxes on a compliance list.

Get in the fight

Despite the vast sums of money that organisations spend on defensive
hardware, software and regulatory compliance, data breaches continue to
occur. Organisations must start to operate under the assumption that they
have already been breached or that they are actively being targeted.

We’re fighting an active enemy who has taken a lot of ground in this fight.
Unless we see an industry-wide change in security strategies, things are
going to get a whole lot worse. But it’s far too soon to give up, so get in
the fight!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160617/e847dcf0/attachment.html>