
How to effectively respond to a data breach

Published Oct 29, 2018 12:00 am
By Mon Nunez

Breaches in IT security are daily occurrences worldwide, with only the most brazen or careless ones getting the attention of the affected organization, much less the public. This is not surprising, since organizations rarely have properly trained and dedicated people to defend an IT infrastructure, a system that grows more complicated by the year, against attackers who focus on nothing else but compromising an organization's barriers.

With this, modern organizations are now starting to accept that the question is not "if" they will be breached, but rather "what should I do when I am breached?" Likewise, IT security professionals have shifted their focus from only securing the infrastructure to also ensuring that their organization has enough "eyes" and "ears" throughout the network, so that a breach can be handled by IT departments without running blind in the dark.

Accepting that a data breach is a possibility at any given time is not enough, as a compromise may cause severe damage to a company's reputation, which may lead to a huge loss for the business. You also need to know what makes an effective response to a corporate data breach, or any serious security incident for that matter. To do this, let me introduce you to:

The Six Phases of Incident Response and Their Basic Activities

1. The first phase is Preparation. This should be done before a breach occurs. Preparation is the critical step which determines whether or not your organization will be able to handle a data breach correctly. Ideally, your organization should have an escalation protocol in place, which clearly identifies who should be in the know, who the point person of an investigation is, and who in upper management is responsible for handling this type of incident. In the Philippines, it is also vital to be able to assess at what point you should notify the National Privacy Commission (NPC) when Personally Identifiable Information (PII) is involved, and when you should contact law enforcement. For external assistance, the most important roles usually fall to a Technical Expert, a Lawyer, and a Crisis PR Specialist. Having those points of contact in place and knowing how to reach them are important and should be part of your organization's data breach protocol.

2. The second phase is Identification. You need to be able to identify, validate, and collect evidence to have a working idea of the scope of the breach and be able to act on it accordingly.

3. The next phase, Containment, is when you try to isolate the scope of the compromise while preventing it from spreading. This includes isolating compromised or suspicious machines to prevent further spread of the attack within your organization. This is done while ensuring proper collection and handling of network, memory and disk information, so that it is not unnecessarily modified or, worse, deleted.

4. The fourth phase is Eradication. After collecting evidence, figuring out the entry point, identifying the scope of damage, and containing the systems, the affected machines are reverted to a known safe state. If this is not possible, you will need to do a full reinstall.

5. Either way, these machines all have to be patched and monitored for any re-intrusion attempts in the fifth phase, Monitoring and Recovery.

6. The last phase is aptly called "Lessons Learned". Blame would be a waste of energy at this point. Your efforts will be better utilized in recounting and evaluating all activities and events that transpired, and in improving your current systems and data breach protocols. That way, you will be more confident that your organization will be less vulnerable in the next attack.
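The Identification and Containment phases above stress collecting network, memory and disk evidence without modifying or losing it. The Python script below is an added example, not code from the article or from ISOG: it records a manifest of collected artifacts with SHA-256 hashes and a chain-of-custody log at collection time, then re-verifies the files later so that any accidental modification or loss is reported rather than discovered in court. The case id, analyst names and artifact contents are constructed placeholders.

```python
"""Evidence integrity manifest for breach response (added example, not from the article).

Hashes each collected artifact at collection time, records who collected it and
when, and later re-checks the files so accidental modification or loss is caught.
Case id, analyst names and artifact contents below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so large disk/memory images do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(case_id, collector, artifacts):
    """Record size and hash of every artifact; artifacts maps label -> file path."""
    now = datetime.now(timezone.utc).isoformat()
    entries = [
        {
            "label": label,
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
        }
        for label, path in sorted(artifacts.items())
    ]
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": now,
        "artifacts": entries,
        # Chain-of-custody log: every hand-off appends an entry here.
        "custody": [{"event": "collected", "by": collector, "at": now}],
    }


def record_custody(manifest, event, by):
    """Append a custody event (e.g. a transfer to the forensic lab) with a timestamp."""
    manifest["custody"].append(
        {"event": event, "by": by, "at": datetime.now(timezone.utc).isoformat()}
    )
    return manifest


def verify_manifest(manifest):
    """Re-hash each artifact; returns label -> 'ok', 'modified' or 'missing'."""
    status = {}
    for entry in manifest["artifacts"]:
        path = entry["path"]
        if not os.path.exists(path):
            status[entry["label"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            status[entry["label"]] = "modified"
        else:
            status[entry["label"]] = "ok"
    return status


def run_demo():
    """Create constructed sample artifacts, manifest them, then simulate mishandling."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    samples = {  # constructed stand-ins for a packet capture and two images
        "pcap_dmz_sensor": b"constructed sample: packet capture bytes",
        "memory_ws42": b"constructed sample: memory image bytes",
        "disk_ws42": b"constructed sample: disk image bytes",
    }
    paths = {}
    for label, content in samples.items():
        paths[label] = os.path.join(workdir, label + ".bin")
        with open(paths[label], "wb") as handle:
            handle.write(content)

    manifest = build_manifest("CASE-PLACEHOLDER-0001", "analyst-a", paths)
    record_custody(manifest, "handed to forensic analyst", "analyst-b")
    before = verify_manifest(manifest)

    # Simulate what proper handling is meant to prevent: a memory image opened
    # read-write and appended to, and a disk image deleted by mistake.
    with open(paths["memory_ws42"], "ab") as handle:
        handle.write(b"!")
    os.remove(paths["disk_ws42"])
    after = verify_manifest(manifest)
    return {"manifest": manifest, "before": before, "after": after}


if __name__ == "__main__":
    result = run_demo()
    print(json.dumps(result["manifest"], indent=2))
    print("at collection:", result["before"])
    print("after mishandling:", result["after"])
```

In practice the manifest would be written out alongside the evidence (and its own hash noted in the case file) as soon as collection finishes, and verify_manifest would be run before every analysis session and hand-off; the custody list is what lets the Lessons Learned phase reconstruct who touched what and when.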
Remember, for each of the six phases, your organization should always have a procedure or escalation protocol in place which clearly identifies who should be involved, who should know, what to do, and when to seek out external help. This reminder is brought to you by the Information Security Officers Group (ISOG), in celebration of Cybersecurity Awareness Month, I AM SECURE 2018.

---

About the author

Raymond "Mon" Nuñez is a member of ISOG and provides security consulting with a special focus on the financial services, government systems, and telecommunications industries, while teaching Computer and Network Security to graduate students at the University of the Philippines, Diliman. He is currently taking his PhD in Computer Science at UP Diliman. Mon and his teammate Siege won the much coveted Black Badge at DEF CON 24 in Las Vegas for winning the CTP Contest. Aside from bragging rights, they now enjoy free-for-life access to the yearly DEF CON. As a form of entertainment, Mon regularly takes certifications such as CISA, CISM, GSEC, GNFA, GXPN, GWAPT, GCIH, GCDA, GMON, and GASF.