Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches | Commentary
7/27/2015 01:36 PM
Stephen Treglia

The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

If your organization experienced a data breach, would you be prepared?

In this situation you need to act quickly, not only to meet the compliance regulations that apply to you, but also to limit the scope of the damage the breach causes. According to a recent Ponemon Institute report, the average per-record cost of a data breach increased by 12 percent over the past year. The same report found a direct correlation between how quickly an organization identifies and contains a breach and the financial consequences it suffers.

What should an effective data breach response plan look like? The plan should be well-defined, concise and rehearsed. Much like a fire drill, all employees of your organization should be aware of the procedures and how to act almost instinctively. And, while levels of urgency will depend on the severity and scale of the breach, there are standard operating procedures to follow during those crucial first 24 hours.

Diagnose the Situation
Businesses need to swiftly and accurately diagnose the severity of a breach. Has a corporate device been stolen? Has your server been hacked? Have you been hit by a distributed denial of service (DDoS) attack? Once the threat has been properly identified, you should enact automated controls: for instance, in the case of a stolen laptop, a company would activate any underlying embedded technology solution to either remotely delete the data, track the stolen device, or cut its connection to the corporate network.

Assign Roles
This is the stage where roles need to be assigned amongst your team to address legal and containment issues. Your organization must also appoint somebody with sound communication skills and with thorough knowledge of the problem to interact with the relevant stakeholders.

Document the Analysis & Investigation
Documentation is everything, and you must make sure that you have all of the facts at hand. Depending on the type of data that has been compromised, your customers and the authorities will want the full picture. Evidence has to be properly collected and logged, not only for these reasons, but so that the root cause can be identified and prevented from recurring. Once the facts are established, you should ensure that several people in the organization can liaise with anyone who may be concerned about the breach, including business partners, customers, or other third parties.
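One concrete way to make "properly collected and logged" verifiable is to record a digest of every artifact at collection time, so that a later challenge ("was this log altered after you pulled it?") can be answered. The following is an added example, not code from the original article or from Absolute Software; the artifact names, the log line, the collector name and the case ID are all constructed for the illustration.

```python
"""Tamper-evident evidence manifest for the first hours of an incident.

Added illustration, not part of the original article. Records path, size,
SHA-256, UTC timestamp and collector for each artifact, plus a digest over
the manifest entries themselves, and can re-verify everything later.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record each artifact at collection time (who, when, what, hash)."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "entries": entries}
    # Digest over the entries so that editing the manifest itself is also detectable.
    serialized = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(serialized).hexdigest()
    return manifest


def verify_manifest(manifest):
    """Return the list of items whose current state no longer matches the manifest.

    "<manifest>" is reported if the entry list itself was modified; otherwise
    each path whose file is missing or whose digest changed is reported.
    """
    mismatches = []
    serialized = json.dumps(manifest["entries"], sort_keys=True).encode()
    if hashlib.sha256(serialized).hexdigest() != manifest["manifest_sha256"]:
        mismatches.append("<manifest>")
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            mismatches.append(e["path"])
    return mismatches


def demo():
    """Constructed sample: collect two small artifacts, then alter one.

    Returns (mismatches_before_tampering, mismatches_after_tampering).
    """
    d = tempfile.mkdtemp()
    log = os.path.join(d, "auth.log")          # constructed artifact name
    cfg = os.path.join(d, "sshd_config")       # constructed artifact name
    with open(log, "w") as f:                  # constructed log line
        f.write("Jul 27 01:36:00 host sshd[1234]: Accepted password for admin from 203.0.113.5\n")
    with open(cfg, "w") as f:
        f.write("PermitRootLogin yes\n")
    manifest = build_manifest([log, cfg], collector="analyst1", case_id="IR-2015-001")
    clean = verify_manifest(manifest)
    with open(log, "a") as f:                  # simulate post-collection modification
        f.write("tampered\n")
    dirty = verify_manifest(manifest)
    return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

In practice the manifest would be written to write-once storage (or signed) at the time of collection and the original artifacts worked on only as copies; the point of the digest is that anyone can later recompute it and confirm the evidence presented is the evidence collected.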

Review your response
Once the threat has been identified, contained, and analyzed, you can get your system back up and running (once you are certain that it is safe to do so). It is at this point that you need to review your response and existing policy to establish what was handled well, and how it can be improved for the future.

Learn from your experience
You’ve made it through the first 24 hours, but more work needs to be done. Threats to your data do not remain static. They are in a constant state of flux and require your business to stay ahead. Here are three suggestions for applying what you’ve learned from the experience to improve your existing procedures:

  1. Assess where you are, and are not, in compliance with all relevant regulatory bodies.
  2. Implement a regular, robust security audit. Typically these are done quarterly, but however often you run them, audit your data security measures on a fixed schedule.
  3. Educate your staff. Employees can often be the weakest link in the organization, so awareness of what is expected and what the risks are should be reinforced regularly.

At the end of the day, you will never achieve a position where you are completely immune from a data breach. However, you can ensure, through policy and practice, that your business is ready to respond in an appropriate fashion to contain the attack.

As Legal Counsel and HIPAA Compliance Officer to the Investigations Section and Recovery Services Department of Absolute Software, Stephen Treglia oversees the worldwide department staff of more than 40 investigators and data analysts. Stephen recently concluded a 30-year ...

Comments
PivotalWriting, User Rank: Apprentice, 6/24/2016 2:22:20 PM
Seems that this post has been copied
It appears that a substantial amount of this post's content has been used in a post at information-age[dot]com/technology/security/123460074/step-step-guide-first-24-hours-data-breach