Categories: Security

How to respond to a data breach

The number of cyber attacks is growing at an impressive pace: cyber criminals, hacktivists, and independent and state-sponsored hackers operate in cyberspace every day, conducting offensives of varying severity. Everyone is exposed to concrete risk, from individual internet users to private businesses and government offices, which is why it is essential to have a clear idea of how to respond to an incident and of the steps to take to secure a compromised infrastructure and contain the damage.

Consider first of all that a prompt response to a data breach is crucial: time is the decisive factor in how far the effects of an incident propagate. Every company should have an incident response team in place that defines and shares the incident response procedure and oversees operations when an incident occurs. The procedure must be shared with personnel across the company to create the level of awareness needed to respond promptly to a data breach.

Corey Nachreiner, Director of Security Strategy at WatchGuard, proposed a response procedure that I would like to share with you, reviewed with my personal opinion, because I consider it very useful for victims of cyber attacks:

Analysis of the breach – This is probably the most important phase, since it triggers all the response practices that mitigate the adverse event. The company classifies the event, evaluates its impact on the infrastructure and starts every activity necessary to secure the company and its data. Company representatives also open the investigation, which can be supported by external consultants such as digital forensics experts. It is necessary to identify exactly the flaws exploited by the attackers and to fix them as soon as possible, but preserve the evidence first: disk and memory images, logs and network captures taken before systems are rebuilt are what the investigation and any report to the authorities will rest on.

Report to the authorities and share data about the breach – Depending on the severity of the breach, it is necessary to report the fact to the authorities so that an investigation can start promptly. In many cases the exposure of sensitive data or clients' personal information must be publicly disclosed to avoid further damage; the disclosure strategy must be agreed with the company's top management and with every team involved in the investigation, including law enforcement. Nachreiner remarked that some authorities may have a threshold on the size of a breach they are willing to look into.

Communicate the breach – All internal parts of the company must be informed and must follow the instructions provided by the incident response policy.

Patch the discovered holes – Once the flaws exploited by the attackers have been identified, they must be fixed; an efficient patch management process is vital, and the applied patch must fix the bug without introducing integration problems. Other vulnerabilities may be uncovered during this phase and must be fixed with the same priority as the flaws that caused the incident, so that the attackers cannot benefit from their knowledge of them in later attacks.

Recover from backups – If internal systems have been compromised, it is necessary to restore a working and secure state by recovering the systems from a backup, in order to reduce the amount of information lost in the breach. Of course, the company must adopt a backup policy, and the internal security team must periodically back up data and test the restore procedure to avoid surprises in case of attack. Make sure the backup predates the intrusion: restoring an image that already contains the attacker's backdoor simply reinstalls the compromise.
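The "test the restore procedure" step above, made concrete as an added example (this is not code from the original post or from WatchGuard). It takes an inventory of SHA-256 hashes of the source files independently of the backup job, writes a tar archive, restores it into a scratch directory and checks every restored file against the inventory. Two failure modes a restore drill should catch are simulated: an archive whose contents were silently damaged (tar checksums only its headers, not file data) and a backup job that quietly excluded a path. The sample files, the `exclude` parameter and the scenario names are constructed for the demonstration.

```python
"""Added example (not from the original post): a backup restore drill.

Inventory the source, run the backup job, restore into a scratch directory
and verify the result against the inventory. Sample data is constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(source: Path) -> dict:
    """Hash every file under `source`. Taken independently of the backup job,
    so a job that silently skips a path shows up as 'missing' after restore."""
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def backup_job(source: Path, archive: Path, exclude=()) -> None:
    """Write an uncompressed tar of `source`. `exclude` (assumed parameter)
    models a misconfigured job that leaves files out without any error."""
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source.rglob("*")):
            rel = p.relative_to(source).as_posix()
            if p.is_file() and rel not in exclude:
                tar.add(p, arcname=rel)


def restore_and_verify(archive: Path, manifest: dict, target: Path) -> dict:
    """Extract `archive` into `target` and compare each file with `manifest`.
    Returns a report: ok flag plus lists of missing, corrupt, unexpected paths."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r") as tar:
        try:
            # Python 3.12+ (and backports): refuse absolute paths, "..", and
            # links that would escape `target` while extracting.
            tar.extractall(target, filter="data")
        except TypeError:                     # older interpreter without `filter`
            tar.extractall(target)
    missing = [r for r in manifest if not (target / r).is_file()]
    corrupt = [r for r in manifest
               if (target / r).is_file() and sha256_of(target / r) != manifest[r]]
    restored = {p.relative_to(target).as_posix()
                for p in target.rglob("*") if p.is_file()}
    unexpected = sorted(restored - set(manifest))
    return {"ok": not (missing or corrupt or unexpected),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def corrupt_archive(archive: Path, member: str) -> None:
    """Flip the first data byte of `member` inside the archive. Tar has no
    checksum over file contents, so extraction succeeds and only the hash
    comparison against the inventory catches the damage."""
    with tarfile.open(archive, "r") as tar:
        offset = tar.getmember(member).offset_data
    with archive.open("r+b") as f:
        f.seek(offset)
        byte = f.read(1)
        f.seek(offset)
        f.write(bytes([byte[0] ^ 0xFF]))


def run_restore_test(scenario: str = "clean") -> dict:
    """Constructed drill. Scenarios: 'clean', 'corrupt' (damaged archive),
    'skipped' (backup job excluded a file). Returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, target = root / "data", root / "restore"
        (src / "db").mkdir(parents=True)
        # constructed sample files
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
        (src / "app.conf").write_text("listen=8443\n")
        manifest = inventory(src)
        archive = root / "backup.tar"
        backup_job(src, archive, ("db/customers.sql",) if scenario == "skipped" else ())
        if scenario == "corrupt":
            corrupt_archive(archive, "db/customers.sql")
        return restore_and_verify(archive, manifest, target)


if __name__ == "__main__":
    for s in ("clean", "corrupt", "skipped"):
        print(s, run_restore_test(s))
```

The inventory is deliberately produced by a separate walk of the source rather than by the backup tool itself: if the tool both writes the archive and writes the manifest, a job that skips a directory produces an archive and a manifest that agree with each other and the drill reports success while the data is gone. Restoring into a scratch location, never over the production path, is what makes this safe to run on a schedule.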

Review authentication and authorization – After a data breach it is necessary to assess all authentication and authorization processes, analyzing each authentication process and the resources it exposes. The simplest action to take, for example, is to reset all passwords related to the compromised systems, together with any keys or tokens stored on them, since an attacker who could read the system could read those too. In this phase, limit access to the systems to strictly necessary personnel and the investigators.

Run an audit – Run a full system security audit to verify the absence of other flaws, whether introduced as a result of the breach or pre-existing; this phase too can be carried out by external professionals.

Update software patches – Patch all software and operating systems present in the organization according to the corporate patch management process. It is advisable to test patches in a test environment before deploying them in production.

Install missing security and visibility controls – Review the whole company IT architecture, identifying and installing the missing security controls and layers of defense.

Consider the proposed steps as the minimal actions to include in an incident response procedure, to be triggered once a data breach has occurred. In any case, prevention is better than cure!

Pierluigi Paganini

(Security Affairs – Security)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
