[BreachExchange] First aid for your data and infrastructure: the immediate aftermath of a data breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 21 14:28:12 EDT 2017


http://www.lexology.com/library/detail.aspx?g=e1521dd9-8924-47cb-b6c6-054b6db57f90

Uh oh! Your IT manager tells you (after hours, of course) that your
systems have been hacked. What now?

Just as is the case when someone is physically injured and substantial
medical attention will be needed to facilitate their full recovery, a good
deal of professional assistance will be needed to fully resume operations.
However, the best medical attention may go for naught if first responders
exacerbate the injury, and the best system restoration efforts are useless
if the immediate responses are not suitable. If first responders do not
properly stop bleeding and stabilize broken limbs, the best surgeon or
internist may have little to contribute.

While you take the steps below, you will also want to contact your
FisherBroyles lead so that they can immediately assist with required
notices and with avoiding prejudicial statements.

An essential step to take before such a situation arises is to compile,
and share with the internal team tasked with handling it, a full list of
contact information for internal and external contacts, including key
vendors and insurance providers. Key internal contacts, apart from IT
management, include senior members of the legal, financial, sales and PR
groups. This list should also include a schedule of key contracts.

Equally fundamental is to identify and engage technical vendors, forensic
investigators and other experts who are versed in such situations before
they are needed, so that they have adequate information and incentive to
jump in when called. It is often desirable from a legal standpoint to
engage such persons through outside counsel, in order to maintain the
confidentiality of your discussions if litigation does occur.

Once this is done and key players are notified, we suggest the following,
when the time comes:

- If recommended by forensic and repair personnel, take appropriate
preliminary steps to isolate, and mitigate the spread of, malicious code
and data encryption (amongst other events) while preserving operating
systems and key application software. By way of example only, this may or
may not include removing the internet or other network connections of all
relevant devices, but not their power connection.
- Advise all hands of the problem and of the urgent need to avoid opening
any unfamiliar links or attachments.
- If practicable, tentatively identify impacted files, databases and
systems, emphasizing consumer data, and determine whether data has been
wrongfully accessed but is still present and accurate, has been corrupted
or is no longer present.
- Where disaster recovery plans exist and involve third party off-site
support, notify vendors of need to activate.
- Access back-up media or services.
- Do NOT publicly or privately apologize or accept responsibility. If a
public statement is needed, it should be noncommittal, e.g. 'we are aware
of the situation and are conducting an investigation'. Engage FisherBroyles
to determine the applicable laws requiring consumer or other notices and
remedial steps, and whether law enforcement should be notified.
- Notify cloud and SaaS vendors to determine whether the issue emanates
from their side.
- Pull all insurance policies and other relevant documents, especially
cyber-liability and error/omission policies or endorsements, and notify
the issuers of the latter.
- To facilitate the efforts of law enforcement or forensic investigators,
do NOT delete files of any kind.
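The third and last items above (tentatively identify impacted files and determine whether data is still present and accurate, corrupted, or gone, without deleting anything) can be supported by a read-only comparison against a pre-incident integrity baseline. The following is an added illustration, not code from the article or from FisherBroyles; the baseline manifest, file names and contents are constructed for the example, and a real baseline would come from a pre-incident integrity scan or backup catalogue.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

def sha256_file(path: Path) -> str:
    """Hash a file in chunks; the file is opened read-only so evidence is never modified."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> Dict[str, str]:
    """Read-only walk of a directory tree: relative path -> SHA-256 of contents."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def triage(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each baseline file as intact, altered (corrupted or encrypted) or missing,
    and list files present now that the baseline never recorded (e.g. dropped artefacts)."""
    report: Dict[str, List[str]] = {"intact": [], "altered": [], "missing": [], "unexpected": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] == digest:
            report["intact"].append(rel)
        else:
            report["altered"].append(rel)
    report["unexpected"] = sorted(set(current) - set(baseline))
    return report

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a three-file baseline, then one file altered, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "customers.csv").write_bytes(b"id,email\n1,user@example.com\n")
        (root / "orders.db").write_bytes(b"constructed database contents")
        (root / "readme.txt").write_bytes(b"unchanged documentation")
        baseline = snapshot(root)                              # pre-incident manifest
        (root / "customers.csv").write_bytes(b"\x00" * 16)     # simulated corruption/encryption
        (root / "orders.db").unlink()                          # simulated deletion
        (root / "RECOVER.txt").write_bytes(b"new file not in baseline")
        return triage(baseline, snapshot(root))                # read-only post-incident check
```

Only the `report` leaves the function; no file under the examined tree is written, moved or removed, which is what keeps the result usable by forensic investigators later.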

These steps are intended only to freeze the situation and avoid additional
harm or legally prejudicial statements or actions. They are most definitely
not a full prescription for remedial action, and they must be augmented by
the detailed involvement of technical personnel. However, that involvement
will be much more efficient, and you will be back up much faster, if the
right first aid steps are taken in advance.