BreachExchange mailing list archives

What next? How to prevent the consequences of a data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Nov 2015 19:54:36 -0700

http://www.information-age.com/technology/security/123460480/what-next-how-prevent-consequences-data-breach

A lot is written these days about best practices for preventing data
breaches - practices such as keeping critical systems up to date with
patches, ensuring firewalls and AV scanners are updated with signature
files, educating employees about the risks of phishing attacks, and so on.

These guidelines often note that the odds of a data breach are high - and
they are. Pick your survey: anywhere from 43% to 76% of enterprises
suffered a data breach in 2014. Whatever the percentage, data breaches are
far too common.

Along with working to prevent a data breach, organisations should work to
develop incident response plans for what actions to take after a breach. If
data breaches are likely, then it makes sense to be able to act quickly and
effectively once a breach has occurred.

Ideally, an incident response plan should address all the relevant facets
of a breach, including technical requirements, regulatory responses, and
forensic analysis.

First, there is the technical matter of containing the breach and
preventing further data loss. IT engineers may need to isolate infected
systems, close certain network ports, or temporarily shut down vulnerable
services. Putting procedures in place ahead of time helps engineers to
perform these steps expeditiously.

Second, there is the matter of understanding how the breach occurred so
that IT systems can be reconfigured to detect and prevent a similar attack
from taking place. The enterprise may want to bring in a breach forensics
expert to help with this work.

Most likely, engineers will want to make copies of infected file systems
and preserve as much evidence as possible. Analysis from this phase may
need to be delivered to the organisation’s legal team and compliance
officers.
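The evidence-preservation step above is easy to get wrong in practice: a copy that was altered (or simply corrupted) between collection and analysis is of little use to a legal team. The following Python script is an added example, not code from the Information Age article or from the list; it uses only the standard library and constructed sample files. It copies an artefact into an evidence directory, hashes source and copy with SHA-256, records the digest, size, time and collector in a `manifest.json`, and can later re-hash everything to show whether the preserved copies still match what was collected. The function names (`preserve_evidence`, `verify_evidence`, `demo`) and the "analyst-1" collector label are assumptions made for this example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image never has to fit in RAM


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer (for small artefacts)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 without reading it into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(src_path: str, evidence_dir: str, collector: str) -> dict:
    """Copy one artefact into the evidence directory and record its hash.

    The source is hashed before the copy and the copy is hashed afterwards;
    if the two digests differ the copy is discarded and an error is raised,
    so a bad copy never becomes part of the record.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    src_hash = sha256_file(src_path)
    dest_path = os.path.join(evidence_dir, os.path.basename(src_path))
    shutil.copy2(src_path, dest_path)  # copy2 keeps timestamps, useful for timelines
    copy_hash = sha256_file(dest_path)
    if copy_hash != src_hash:
        os.remove(dest_path)
        raise RuntimeError(f"copy of {src_path} did not verify")
    record = {
        "source": os.path.abspath(src_path),
        "evidence": dest_path,
        "sha256": src_hash,
        "size": os.path.getsize(dest_path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
    }
    manifest = os.path.join(evidence_dir, "manifest.json")
    entries = []
    if os.path.exists(manifest):
        with open(manifest) as f:
            entries = json.load(f)
    entries.append(record)
    with open(manifest, "w") as f:
        json.dump(entries, f, indent=2)
    return record


def verify_evidence(evidence_dir: str) -> dict:
    """Re-hash every preserved artefact; returns {evidence_path: True/False}."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        entries = json.load(f)
    return {e["evidence"]: sha256_file(e["evidence"]) == e["sha256"] for e in entries}


def demo() -> tuple:
    """Self-contained run on constructed sample data (no real evidence involved).

    Returns (all_ok_before_tampering, all_ok_after_tampering).
    """
    with tempfile.TemporaryDirectory() as work:
        # Constructed stand-ins for a captured log file and a small disk image.
        src_dir = os.path.join(work, "infected_host")
        os.makedirs(src_dir)
        log = os.path.join(src_dir, "auth.log")
        with open(log, "w") as f:
            f.write("Nov 11 19:54:36 host sshd[1234]: Accepted password for svc from 10.0.0.5\n")
        image = os.path.join(src_dir, "sda1.img")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # more than one chunk, not chunk-aligned

        evidence = os.path.join(work, "evidence")
        for path in (log, image):
            preserve_evidence(path, evidence, collector="analyst-1")
        before = all(verify_evidence(evidence).values())

        # Simulate someone editing the preserved log after collection.
        with open(os.path.join(evidence, "auth.log"), "a") as f:
            f.write("tampered line\n")
        after = all(verify_evidence(evidence).values())
        return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The manifest is the piece most teams forget: a hash that lives only in an analyst's notes cannot be checked by the legal or compliance officers who receive the analysis later. Keeping the manifest alongside the copies, and re-running `verify_evidence` before handing anything over, turns "we preserved the evidence" into something that can be demonstrated.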

Third, there are corporate and regulatory reporting responsibilities to be
fulfilled. Affected stakeholders - which may include consumers - will need
to be notified. Depending on the nature of the enterprise’s industry,
regulatory organisations may need to be notified as well.

The company’s communications team may want to consider the types of
announcements it would need to make in the eventuality of certain types of
breaches. By having a crisis communications plan in place with responses
crafted ahead of time, the organisation is more likely to arrive at the
most judicious phrasing and the most effective communication in the
timeliest manner.

Ultimately, the organisation’s reputation may depend on honest and prompt
communication that gives any affected parties time to take relevant actions
to protect their personal information.

Finally, there’s the matter of applying lessons learned. This goes much
further than shutting down the affected systems, services, and ports.
Instead, the breach should be thoroughly examined so that existing
practices and systems can be improved. For example:

If the breach was the result of a lost or stolen mobile device, what steps
can be made to improve the security of these devices? In many industries,
mobile devices are a leading cause of data breaches.

For example, in healthcare, 68% of data breaches are due to lost or stolen
mobile devices storing unencrypted data. The organisation may want to
review its mobile security policies and practices.

If the breach was the result of a cyber attack, the organisation will want
to review how the hackers got in. Were systems insufficiently isolated?
Were intrusion detection alerts incorrectly dismissed as false positives?

Was malware from a phishing attack able to access internal content and
systems? Looking ahead, could AV scanning and the use of secure containers
for business content on mobile devices prevent a similar attack?

If the breach was the result of unpatched systems being exploited, the
organisation will want to assess the state of its patch installations. Are
critical systems up to date? Does the organisation have an effective plan
for keeping systems up to date?

If the breach was the result of data being carelessly shared on public
cloud services - a very common practice in a BYOD world - the IT
organisation may want to provide employees with more secure private-cloud
solutions, or they may decide to deploy a security solution that applies
security best practices - such as access controls, encryption, and logging
- to public cloud services that were designed for convenience, rather than
security.

As cyber security professionals and organisations who have suffered a
breach will tell you, a cyber attack is not a question of 'if' but rather
'when'. As a result, data security is ultimately a cycle in that lessons
learned after a breach can be applied to preventing the next one.

The best incident response plan minimises the repercussions of the current
breach and helps reduce the odds of another breach in the future.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
