Data Breach! Now what?

Your network security team has just informed you that a critical system was breached and that customer or other sensitive data was compromised. How should you respond?

Ideally you already have a Data Breach or other Security Incident Policy and Procedure to guide you through this process. If not, the following high-level steps should get you through the incident. As you work through the Determination, Remediation, and Root Cause Analysis processes, you and your team should take comprehensive notes; they will become the basis for the Security Incident Policy and Procedure document(s) you use in future incidents.

Determination:

Have your network security team coordinate with the server team, accounting, and other relevant groups (the list will differ based on the type of data compromised) to determine the type of data compromised, the systems affected, the source of the compromise, and how the compromise happened.

System & Data Tasks:

Identify the compromised system(s)

What was compromised? Accounting information, Customer Identifiable Data, Trade Secrets or other Intellectual Property, Privileged User Accounts, Corporate Social Media Accounts, or some other type of system?

Isolate the compromised system(s)

If possible, isolate the affected system(s) from the rest of your network. Yes, this can be painful and potentially expensive, but risking additional compromise from an already compromised system is foolish.

Remedy the compromise

This could be anything from changing passwords or applying security patches up to and including rebuilding the system from scratch and then restoring data from a known non-compromised backup.

Root Cause Analysis (RCA)

Compile a report with the “5 W’s + H” of the situation: the Who, What, Where, When, Why, and How.

Yes, it sounds like the board game Clue: Mr. White killed Mr. Green in the Library last night with a Candlestick because Mrs. Peacock gave him a USB stick that infected the network and caused the CEO to issue a press release.

The goal of the RCA is not to point fingers but to provide an opportunity to ensure that the compromise does not happen again.

Management Tasks:

Based on the severity of the breach, there are many options for response. If the breach did not impact any customer or business-critical data, there may not be a need for a public response. If the breach did compromise customer or business-critical data, then a public response is probably warranted.

Depending on the severity of the breach and the size of your enterprise, you may want to work with a Public Relations firm or other external resources. Whether the response is an internal email, a public press release, or a full press conference, the company should take responsibility, assure those concerned that the problem is being (or has been) addressed, and state that steps are being taken to ensure it does not happen again.

Post Remediation:

In the event that the incident was unintentionally caused by an employee or other trusted person, have all staff retake your IT Security Training course. If you don’t have one, there are online options that cover the basics and will help staff evaluate potential threats from a more critical point of view. Building an on-premises training course is also an option that many consultancies would be able to help put in place.

If the event was malicious, you may need to update various systems, change passwords of specific users, and potentially rebuild certain servers or desktop computers. Follow the advice of your IT Team and Trusted IT Contractors: if they recommend rebuilding, then by all means rebuild the box(es). In certain cases it is much better to be safe than sorry.

In all cases, the administrator-level accounts used by your IT staff should have their passwords changed. In almost all cases, the passwords for all Service Accounts should be changed. In most cases, user passwords should be updated; in some cases, every user account password should be updated.

An Ounce of Prevention:

Given the number of variables and the importance of having a Security Incident Policy along with proper Response Procedures, it would be prudent to engage outside help to develop those Policies and Procedures before there is an incident. This will ultimately save you time, money, and frustration if and when you have a data breach.

-- this post originally appeared on LinkedIn --

“To Pay or Not to Pay” – Ransomware on the Rise

What should you do if you become a victim of ransomware like Cryptolocker, Locky, or Jigsaw? Do you pay the criminal who has infected your system? Will you pay via prepaid credit card or Bitcoin? Do you know how to use Bitcoin?

There are alternatives to paying the extortion fee.

I’m sure you have read or seen on the news about the California hospital system that paid a ransom to regain access to their data. But did you know there is also a Baltimore-area hospital, a Houston benefits firm, at least two Massachusetts police departments, and a Chicago-area police department that have all paid ransoms for access to their files? This demonstrates that it is not just large organizations who are falling victim to ransomware. Many smaller organizations, both public and private, have had their systems compromised by various versions as well.


Hurricane Warning: keep your business running

[Figure: Hurricane Landfalls in the United States 2006 – 2015]

It’s that time of year when the National Weather Service reminds us that Hurricane Season is fast approaching. Hurricane Season officially begins June 1 and ends November 30. For half the year, hurricanes are front of mind for many business and IT professionals.

Some think that a Business Continuity Plan is only for large businesses with hundreds or thousands of employees. Not true: every business needs a plan, even sole proprietors.
