[BreachExchange] Data Breach 911: Six Steps to Take After a Data Compromise

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 25 21:13:58 EDT 2018


https://www.channele2e.com/influencers/data-breach-911-six-steps-take-data-
compromise/


Uh-oh. It’s the worst nightmare imaginable for system administrators and
security professionals, and now it’s happened to you: a data breach.

The risk of damage—to your company’s finances and its reputation—is high.
But before you spiral into full-blown panic, take a deep breath and think
about the best way to approach the situation. History has proven that how a
company responds to a data breach, both internally and externally, is
critical to minimizing fallout.

Here are six tasks to kick into gear as soon as a compromise is discovered:

1. Identify and react. Discover which machines are affected, and take them
offline immediately. This will halt any communication still ongoing with
those responsible for the data breach. Avoid shutting machines down, as
well as running antivirus scans and utilities, to preserve forensic
evidence. Determine the compromised systems and the origin of attack, so
you can strengthen the attack vector moving forward.

2. Change passwords and pull audit logs. Data breaches are often the result
of stolen passwords and credentials. Audit logs will help scope the scale
of the incident and determine if the breach is complete or still ongoing.
Change all passwords, online credentials and password Q&A for any online
account affected. Remind users to choose a strong password with special
characters and numbers, and never use one password for all online accounts.

3. Assess the damage. What exactly was stolen and how sensitive was the
information? Email addresses alone are innocuous, whereas credit card
information and SSNs are more damaging and can spur negative financial
impacts. Review logs to find out what information was accessed or stolen
and which accounts and machines where compromised. Refer to IDS logs to
learn which systems were affected, what method of attack was used, and the
duration of the breach.

4. Communicate internally. Get in touch with corporate legal counsel to
determine if further action—such as alerting law enforcement—is warranted
or necessary. Human Resources, Customer Service, and Public Relations all
need to begin anticipating questions and formulating public responses.

5. Communicate publicly. The way a company handles (or is perceived to
handle) a data breach is almost as important as preventing the next
compromise incident. A forthright approach is almost always best. Outline
what information was affected and what the company plans to do in the
future to prevent such occurrences from happening again. Similar to an
incident response team, form a special group to assist with emails, phone
calls and online inquiries from the public.

6. Prepare and practice. Ideally, you’ve already done this by the time a
breach occurs, but if not, get started right away. Create a data breach
response policy and an incident response team. Clearly define the scope of
roles and responsibilities for team members, and make this written
documentation easily available within the organization. Mock up a data
breach to practice your team’s response. Every hour that passes is
critical. Practicing your response will speed the time to containment,
remediation and review. It’s worth repeating: Have a plan and practice it.

No one wants to contend with a data breach—especially in this era, when so
much personal and financial information is used online daily. However,
companies have an obligation to their customers, employees and shareholders
to do their due diligence and protect data effectively. Be sure you’re
implementing the right security solutions to prevent would-be attackers
from accessing your systems and networks. At the same time, be prepared to
respond swiftly and smartly should the unthinkable ever occur.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180425/2e55f861/attachment.html>


More information about the BreachExchange mailing list