7/27/2015
01:36 PM
Stephen Treglia
Commentary

The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

If your organization experienced a data breach, would you be prepared?

In this situation you need to act quickly, not only to meet the various compliance regulations but also to limit the scope of the damage caused by the breach. According to a recent Ponemon Institute report, the average per-record cost of a data breach increased by 12 percent over the past year. The report also demonstrated a direct correlation between how quickly an organization can identify and contain data breach incidents and the resulting financial consequences.

What should an effective data breach response plan look like? The plan should be well-defined, concise and rehearsed. Much like a fire drill, all employees of your organization should be aware of the procedures and how to act almost instinctively. And, while levels of urgency will depend on the severity and scale of the breach, there are standard operating procedures to follow during those crucial first 24 hours.

Diagnose the Situation
Businesses need to swiftly and accurately diagnose the severity of a breach. Has a corporate device been stolen? Has your server been hacked? Have you been hit by a distributed denial of service (DDoS) attack? Once the threat has been properly identified, you should enact automated controls: for instance, in the case of a stolen laptop, a company would activate any underlying embedded technology solution to either remotely delete the data, track the stolen device, or cut its connection to the corporate network.

Assign Roles
This is the stage where roles need to be assigned amongst your team to address legal and containment issues. Your organization must also appoint somebody with sound communication skills and with thorough knowledge of the problem to interact with the relevant stakeholders.

Document the analysis & investigation
Documentation is everything, and you must make sure that you have all of the facts at hand. Depending on the type of data that has been compromised, your customers and the authorities will want the full picture. Evidence has to be properly collected and logged, not only for these reasons but so that the root cause can be properly identified and prevented from happening again. Once the facts are established, you should ensure that several people in the organization can liaise with anyone who may be concerned about the breach, including business partners, customers, or any third parties.
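The article says evidence must be "properly collected and logged" but does not show what that record looks like. The following is an added example (not code from the article or from Absolute Software) of a minimal evidence manifest with a chain-of-custody log: each artifact is hashed with SHA-256 at collection time, every hand-off and re-verification is appended with a UTC timestamp and the responsible person, and the whole record can be exported as JSON for the stakeholders mentioned above. The case id, item ids, hostnames and the log line are constructed placeholders.

```python
"""Evidence manifest with chain-of-custody logging for a breach investigation.

Added example, not part of the original article. Hashing each artifact when it
is collected, and re-hashing it on every hand-off, lets the team prove later
that what the authorities or a court sees is what was taken from the system.
"""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large disk images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEvent:
    timestamp: str   # UTC, ISO 8601
    actor: str       # person responsible after this event
    action: str      # "collected", "transferred" or "verified"
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    source: str      # where the artifact came from (hostname, device tag, ...)
    path: str
    sha256: str
    size: int
    custody: list = field(default_factory=list)


class EvidenceManifest:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items = {}  # item_id -> EvidenceItem

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def collect(self, item_id: str, path: Path, source: str, collector: str, note: str = "") -> EvidenceItem:
        """Record an artifact at collection time together with its hash and size."""
        item = EvidenceItem(item_id, source, str(path), sha256_file(path), path.stat().st_size)
        item.custody.append(CustodyEvent(self._now(), collector, "collected", note))
        self.items[item_id] = item
        return item

    def transfer(self, item_id: str, from_actor: str, to_actor: str, note: str = "") -> None:
        """Log a hand-off; the new actor becomes responsible for the item."""
        detail = f"from {from_actor}. {note}".strip()
        self.items[item_id].custody.append(CustodyEvent(self._now(), to_actor, "transferred", detail))

    def verify(self, item_id: str, verifier: str) -> bool:
        """Re-hash the artifact and log whether it still matches the collection hash."""
        item = self.items[item_id]
        ok = sha256_file(Path(item.path)) == item.sha256
        outcome = "hash match" if ok else "HASH MISMATCH"
        item.custody.append(CustodyEvent(self._now(), verifier, "verified", outcome))
        return ok

    def to_json(self) -> str:
        return json.dumps({"case_id": self.case_id, "items": [asdict(i) for i in self.items.values()]}, indent=2)


def demo() -> dict:
    """Run the flow on a constructed artifact in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "auth.log"
        # Constructed log excerpt standing in for a file copied off a server.
        sample.write_text("Jan 01 03:12:44 web01 sshd[4121]: Accepted publickey for deploy\n")
        manifest = EvidenceManifest("CASE-0001")   # placeholder case id
        manifest.collect("E-001", sample, "web01", "analyst_a", "copied from /var/log")
        manifest.transfer("E-001", "analyst_a", "analyst_b", "handed to forensics")
        verify_before = manifest.verify("E-001", "analyst_b")
        sample.write_text("tampered\n")            # simulate modification after collection
        verify_after = manifest.verify("E-001", "analyst_b")
        events = [e.action for e in manifest.items["E-001"].custody]
        return {"verify_before": verify_before, "verify_after": verify_after,
                "events": events, "json": manifest.to_json()}


if __name__ == "__main__":
    print(demo()["json"])
```

The hash mismatch on the second verification is the point of the design: a custody log that only records who held an item cannot show that the item was unchanged, whereas a log that re-hashes on every hand-off turns the integrity question into a simple comparison.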

Review your response
Once the threat has been identified, contained, and analyzed, you can get your system back up and running (once you are certain that it is safe to do so). It is at this point that you need to review your response and existing policy to establish what was handled well, and how it can be improved for the future.

Learn from your experience
You’ve made it through the first 24 hours, but more work needs to be done. Threats to your data do not remain static. They are in a constant state of flux and require your business to stay ahead. Here are three suggestions for applying what you’ve learned from the experience to improve your existing procedures:

  1. Assess where you are (and aren't) in compliance with any and all relevant governing regulatory bodies.
  2. Implement a regular, robust security audit. These are typically done quarterly, but you should audit your data security measures regularly.
  3. Educate your staff. Employees can often be the weakest link in the organization, so awareness of what is expected and what the risks are should be regularly reinforced.

At the end of the day, you will never achieve a position where you are completely immune from a data breach. However, you can ensure, through policy and practice, that your business is ready to respond in an appropriate fashion to contain the attack.

As Legal Counsel and HIPAA Compliance Officer to the Investigations Section and Recovery Services Department of Absolute Software, Stephen Treglia oversees the worldwide department staff of more than 40 investigators and data analysts. Stephen recently concluded a 30-year ...

Comments
PivotalWriting
6/24/2016 | 2:22:20 PM
Seems that this post has been copied
It appears that a substantial amount of this post's content has been used in a post at information-age[dot]com/technology/security/123460074/step-step-guide-first-24-hours-data-breach