7/27/2015
01:36 PM
Stephen Treglia
Commentary

The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

If your organization experienced a data breach, would you be prepared?

In this situation you need to act quickly to not only meet various compliance regulations, but also to limit the scope of the damage caused by the breach. In a recent Ponemon Institute report, the average per-record cost of a data breach increased by 12 percent over the past year. The report also demonstrated a direct correlation between how quickly an organization can identify and contain data breach incidents and financial consequences.

What should an effective data breach response plan look like? The plan should be well-defined, concise and rehearsed. Much like a fire drill, all employees of your organization should be aware of the procedures and how to act almost instinctively. And, while levels of urgency will depend on the severity and scale of the breach, there are standard operating procedures to follow during those crucial first 24 hours.

Diagnose the Situation
Businesses need to swiftly and accurately diagnose the severity of a breach. Has a corporate device been stolen? Has your server been hacked? Have you been hit by a distributed denial of service (DDoS) attack? Once the threat has been properly identified, you should enact automated controls: for instance, in the case of a stolen laptop, a company would activate any underlying embedded technology solution to either remotely delete the data, track the stolen device, or cut its connection to the corporate network.

Assign Roles
This is the stage where roles need to be assigned amongst your team to address legal and containment issues. Your organization must also appoint somebody with sound communication skills and with thorough knowledge of the problem to interact with the relevant stakeholders.

Document the analysis & investigation
Documentation is everything, and you must make sure that you have all of the facts at hand. Depending on the type of data that has been compromised, your customers and the authorities will want the full picture. Evidence has to be properly collected and logged, not only for these reasons but so the root cause can be properly identified and prevented from happening again. Once established, you should ensure that you have several people in the organization who can liaise with anyone who may be concerned about the breach, including business partners, customers, or any third parties.
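One way to make that evidence log tamper-evident is a hash-chained chain-of-custody ledger: every collected artifact is recorded with its SHA-256 digest, who collected it and when, and each entry commits to the previous one, so a later edit to any record breaks the chain. The Python below is an added example, not code from the original article or from Absolute Software; the artifact names, analyst ids, timestamps and byte contents are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor value used as prev_hash for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    """Stable JSON encoding (everything except entry_hash) so an entry always hashes identically."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLedger:
    """Append-only chain-of-custody log; each entry's hash covers its prev_hash."""

    def __init__(self):
        self.entries = []

    def record(self, name, data, collected_by, note="", when=None):
        """Log an artifact's digest and custody details; returns the new entry."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "artifact": name,
            "sha256": sha256_hex(data),
            "size": len(data),
            "collected_by": collected_by,
            "collected_at": when,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash in order; False if any entry was altered, reordered or removed."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if sha256_hex(_canonical(entry)) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_artifact(self, seq: int, data: bytes) -> bool:
        """Check that a stored artifact still matches the digest logged at collection time."""
        return self.entries[seq]["sha256"] == sha256_hex(data)


# Constructed sample artifacts standing in for collected evidence (not real captures).
SAMPLE_ARTIFACTS = {
    "laptop-0042-memory.raw": b"constructed sample: volatile memory capture",
    "web01-access.log": (
        b'constructed sample: 10.0.0.5 - - [27/Jul/2015:13:36:00 +0000] '
        b'"GET /login HTTP/1.1" 200 512\n'
    ),
}


def build_sample_ledger() -> EvidenceLedger:
    """Record the two constructed artifacts with fixed timestamps so the result is reproducible."""
    ledger = EvidenceLedger()
    ledger.record("laptop-0042-memory.raw", SAMPLE_ARTIFACTS["laptop-0042-memory.raw"],
                  collected_by="analyst-a", note="imaged before power-off",
                  when="2015-07-27T14:00:00+00:00")
    ledger.record("web01-access.log", SAMPLE_ARTIFACTS["web01-access.log"],
                  collected_by="analyst-b", note="copied from web01 via read-only mount",
                  when="2015-07-27T14:25:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    ledger.entries[0]["note"] = "edited after the fact"
    print("chain intact after tampering:", ledger.verify())
```

The ledger itself should be written to append-only or write-once storage (and its head hash shared with counsel or a second team member), since a verifier that only has the file can detect alteration but not distinguish the original from a wholesale re-creation.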

Review your response
Once the threat has been identified, contained, and analyzed, you can get your system back up and running (once you are certain that it is safe to do so). It is at this point that you need to review your response and existing policy to establish what was handled well, and how it can be improved for the future.

Learn from your experience
You’ve made it through the first 24 hours, but more work needs to be done. Threats to your data do not remain static. They are in a constant state of flux and require your business to stay ahead. Here are three suggestions for applying what you’ve learned from the experience to improve your existing procedures:

  1. Assess where you are, and aren't, in compliance with any and all relevant governing regulatory bodies.
  2. Implement a regular, robust security audit. These are typically done quarterly, but you should audit your data security measures regularly.
  3. Educate your staff. Employees can often be the weakest link in the organization, so awareness of what is expected and what the risks are should be regularly reinforced.

At the end of the day, you will never achieve a position where you are completely immune from a data breach. However, you can ensure, through policy and practice, that your business is ready to respond in an appropriate fashion to contain the attack.

As Legal Counsel and HIPAA Compliance Officer to the Investigations Section and Recovery Services Department of Absolute Software, Stephen Treglia oversees the worldwide department staff of more than 40 investigators and data analysts. Stephen recently concluded a 30-year ...
Comments
PivotalWriting,
User Rank: Apprentice
6/24/2016 | 2:22:20 PM
Seems that this post has been copied
It appears that a substantial amount of this post's content has been used in a post at information-age[dot]com/technology/security/123460074/step-step-guide-first-24-hours-data-breach