Incident Response Planning Best Practices
by Robert Bond
The Critical Steps to Incident Response Planning
Almost a third of US businesses were breached last year according to an HSB survey of 403 senior executives in the U.S., conducted by Zogby Analytics. HSB, a leading provider of cyber insurance for businesses and consumers suggested that with an increasing amount of both personal and business data available online, the risk of exposure will increase in proportion. The financial impact of a data breach reported in the survey was considerable as well: 27 percent of the victim organizations spent between $5,000 and $50,000 to respond to the breach and 30 percent spent between $50,000 and $100,000.
The survey also revealed that 51% of the executives thought their IT security staff “lacked a plan” to deal with the breach, 41% didn’t have the required knowledge to handle the breach adequately and 38% lacked the resources.
Ponemon Institute shocked the cybersecurity industry back in 2014 when they published a survey of 567 executives, of whom 43% suggested they had experienced a data breach or perhaps a security incident if you examine the details in the survey, in the prior 12 months. While security incidents and data breaches are apples and oranges, the trend and any back of the napkin analysis paints a fairly grim picture – the number of organizations that are damaged significantly from a cyber-attack is growing at a rapid pace.
The Ponemon survey also revealed that 68% of respondents felt unprepared to respond to a data breach and 30% of respondents felt their data breach response plan was flat-out ineffective.
Clearly, the response to security incidents has not improved in proportion to the sophistication of the attacks as well as the number of attacks. We will address the incident response best practice steps that organizations need to have in place to be successful in responding to breaches quickly and effectively.
Secure Your Operation
Team of Experts
Gather a team of experts to put together the comprehensive data breach response plan. This plan should take into consideration the size of the business as well as the nature of the business. The response team should include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
A security contact and resource manager are critical internal resources as the security contact will own the incident response plan and knowledge of the systems and resource manager will understand the business impact of any system downtime or other business issues.
Data forensics team
Organizations should consider hiring or outsourcing a digital forensic specialist that will be able to determine the scope and source of a breach. A digital forensic specialist will be able to gather forensic images from systems that were affected by the breach to process and analyze evidence for an internal investigation or law enforcement.
The specialists are often able to find the source of the breach, how the malware moved through the organization, and what damage the attack caused. Further, digital forensic specialists are also able to assist in updating incident response plans and revising policies to help prevent any future breaches.
Companies should consider hiring legal teams with privacy and data security experience. These teams can advise your company on compliance legislation such as PCI-DSS and GDPR as well as federal and state laws that may affect their company in the case of a data breach.
Secure the organizational environment
Areas of the organization touched by the breach must be re-secured. Access codes, user names and passwords as well as any physical barriers should be changed and re-secured. Consult your forensic team and law enforcement to ensure the organizational environment has been made safe and secure.
Prevent any additional data loss
Ensure that all affected systems are quarantined, and the malware is isolated to known victim systems. That said, do not turn off any affected machines until your digital forensic expert informs you that it is okay to do so. Immediately update credentials and passwords of authorized personnel. This will prevent future data loss if the hacker has accessed credentials.
Remove Sensitive Data from Unsecure Systems
Your company’s webpage
Data breaches may involve personal information improperly posted on the company’s website. If this is the case, remove all personal information immediately. Search engines such as Google and Bing consistently crawl websites and archive information which may be published during a search. You must contact the search engine to ensure they don’t archive information.
If your company has been involved in a breach you must search all organizational websites including Sharepoint or other intranet resources to make sure your company’s information has not been saved or published improperly.
Interview individuals who uncovered the breach
Interview all those involved with the discovery of the breach, make sure the entire staff knows where to forward information that may help with the investigation. Just like any good investigator, you must document every aspect of the investigation and keep a chain of custody for any evidence that is uncovered.
Do not destroy any evidence
At the outset of the investigation you presumably do not know what happened or what is important and specifically what evidence may be important to the investigation. Therefore, do not destroy any evidence as it may ultimately lead to insights concerning the details of the attack and key takeaways to prevent the next attack.
Work with service providers
Investigate the personal information service providers can access, decide if the company needs to change access privileges. Also, you must ensure your service provider is taking all the necessary steps to ensure other breaches do not occur. Your service provider may have taken steps to fix vulnerabilities, you must verify the vulnerabilities have been fixed.
Check your network segmentation
When your network was set up, it is likely it was segmented to ensure that if a breach occurred in one server or at a site it would not lead to a breach on other servers or at other sites. A digital forensics expert will be able to analyze if you’re plan was effective in containing the breach. Your forensics expert will be able to identify what changes need to be made, so this can be done immediately.
Work with a forensics expert
Analyze all backups and any preserved data. In addition, review relevant logs; the forensics expert will be able to determine who had access to data at the time of the breach. Also, the forensics expert will be able to identify who is supposed to have access to sensitive data, whether access is necessary, they will also be to restrict access if access is not necessary. Compromised information will also need to be verified; how many people have been affected and if these people need to be contacted. After receiving the forensics report act quickly.
Create a plan to reach all affected parties including customers, investors, partners, stockholders, and all employees. Never make the mistake of providing inaccurate or misleading information about the breach, Misleading information or gaps in communication may delay all those involved from taking the proper steps to protect themselves and their information.
Understand that in our current environment people will ask questions concerning how your organization responded to the security breach and whether or not your IT security leaders followed incident response best practices. Answer all their questions as clearly as possible. Post your answers on the company website. Contacting all parties affected by the security breach and being proactive can limit frustration thus saving your company time and money.
As soon as your company experiences it a data breach, law enforcement, businesses your company is associated with, and all affected individuals must be notified immediately.
Legal requirements must be determined
Canada as well as all 50 States in the US, Puerto Rico, the District of Columbia, and the Virgin Islands have enacted laws that require notification of security breaches. Depending on the information involved there are different laws and regulations that apply. Check state and federal laws for specific requirements for your business.
Notify Appropriate Individuals and Organizations
Notify law enforcement
If a breach takes place notify your local law-enforcement agency immediately. Report that a breach has taken place and the potential for identity theft.
Electronic health information
Check the company to see if it’s covered by health breach notification. If it is you must notify FTC and, in some cases, the media. FTC’s Health Breach Notification Rule explains all the information you will need to comply.
Also, check if the HIPAA Breach Notification Rule applies. If this rule applies you must notify the secretary of the US Department of Health and Human Services.
Notify Affected Businesses
Accounts may have been accessed and information may have been stolen. Information like credit card numbers and bank account numbers may have been compromised. If this is the case, do not leave the accounts open for further fraudulent activities; notify the institution and put safeguards in place for each account. Also, the institution will likely be able to monitor for fraud.
If the company collects and stores personal information that affects other businesses, notify them of the breach. If Social Security numbers have been taken contact credit bureaus immediately. If the breach involves large groups, notify credit bureaus of the breach including those below.
Equifax: equifax.com 1-800-525-6285
Experian: Experian.com 1-800-397-3742
TransUnion: transunion.com 1-800-680-7289
The quicker you notify individuals their information has been breached, the quicker the individual can take steps to ensure their information is not used in a fraudulent manner. Deciding who to notify is critical as many touchpoints are time sensitive. Criminals who have stolen Social Security numbers and names will be able to use that information to open new accounts and commit identity theft. If notified early victims can take proper steps to limit these activities.
Assign a person within your company to be responsible for releasing information
Give this person all the information about the breach, the companies response, and how customers should respond. Use the company’s website and establish toll-free numbers to communicate with customers and send out letters to the affected individuals.
When answering questions
Include, how the breach took place, all the information that was compromised, how the hackers have used the information, all actions taken by the company to fix the situation, any actions the company is taking to protect individual, how to reach organizations that can help remedy the situation. Urge customers to take steps to protect their information and to monitor financial activities such as credit card purchases and new account generation.
In Conclusion – You Aren’t Alone
In conclusion, always remember that the company is a victim and based on the HSB and Ponemon surveys, you are not alone; even organizations with multi-million dollar IT security budgets are hacked consistently. However, if a breach does occur and the most fundamental incident response best practices are not followed to stop the breach and protect the company’s customers, organizations are far more likely to experience extensive damage and may be held responsible legally.
Finally, please remember that we’re here to help. Whether you need incident response assistance or you need digital forensic help with investigating an incident or breach our folks are certainly happy when they can provide support.
August 13, 2019
September 5, 2019