Target. Home Depot. LinkedIn. Neiman Marcus.
All giants of corporate America. All victims in recent years of massive data breaches.
Besides the fact that in these and other high-profile cases millions of accounts and payment-card details were compromised, what we’ve learned about data breaches is that they can happen to any business, at any time. Worse, the average time it takes to spot a breach is approximately 200 days, which gives bad actors a lot of time to cause a lot of trouble.
This is why, upon discovery of a breach, speed is of the essence. Responding within the first 48 hours can have a huge impact on how much damage is wrought upon your systems, as well as on how effective your data recovery efforts will ultimately become. That said, investigating data breaches is a very meticulous process, with computer forensics methodically assessing point-of-sale (POS) terminals, servers, network equipment, firewall logs, and databases.
The following steps will help you build a data-breach recovery plan.
Isolate the affected machine from your network to prepare your system for analysis. System isolation is beneficial in two ways: in addition to preventing infection and corruption of neighboring systems, this enables proper authorities like security experts and law enforcement agencies to perform appropriate measures that may help identify the attacker and the infection vector. With the affected machine in quarantine, perform a high-level risk assessment of your IT environment and identify vulnerable areas.
You’ll have to get to the heart of the issue by gathering pertinent information about the attack. Note: Assumptions will get you nowhere. Instead, ask these questions:
It’s critical to stay calm during your investigation in order not to lose sight of what’s important. (This is almost impossible to do, we know, but absolutely imperative.) Hasty reactions could lead to unsound judgments or miscalculations and make things even worse.
Some companies, to their detriment, choose not to disclose or announce a breach in a timely manner. This is a grave mistake because a failure to disclose reflects poorly both on your company’s values and its future prospects. Even if you think the hack will never “go public,” honesty and transparency are always the best policies here. Communicating forthrightly on such issues can and will build trust between your business and your clients.
Make it part of your plan to notify affected individuals and organizations, legal counsel, human resources, public relations, the board of directors—everyone who needs to be in the loop. You’ll also need a point person, someone to coordinate your communication, during your data breach recovery.
Your incident response team should work with system admins to ensure that all system-to-system communication remains functional. This step should include a rotation of credentials. At a server level, bring in experts who are capable of cleaning the affected system. As a measure of good faith, provide your customers access to credit monitoring services to help them recover from and fully appreciate the scope of the breach.
Believe it or not, some companies get breached repeatedly—because they never learn. In the aftermath of a breach, it’s best to identify any gaps in your incident response process. Look at existing processes that enabled the attacker to access your network in the first place.
Reviewing what you’ve learned and modifying your routine can help reduce the likelihood of getting breached again. Make sure to document the incident, your response and the countermeasures taken.
Businesses can’t expect traditional security to protect virtual machines and cloud platforms the same way it guards physical servers and endpoints. You’ll need a strategy that has advanced layers of protection such as comprehensive monitoring, agentless protection, encryption, and virtual patching.
Charles IT offers a wide range of comprehensive backup and disaster recovery solutions that are priced to fit your budget. Want to stay safe? We want to keep you that way. Call us today for your first assessment.