
Staying on Course in The Aftermath of a Security Breach

By: Fortunato Guarino, Solution Consultant, EMEA and Cybercrime & Data Protection Advisor, Guidance Software 

It’s the news that every security team fears, yet the fact is that any business can – and will – be the victim of a data breach at some point, and many more than once. This is a particular concern for businesses in the Middle East: according to a March 2016 report by PwC[1], 85% of respondents to the survey believe that businesses in the Middle East are more likely to suffer a cyber-attack than the rest of the world (global average of 79%). Worse still are the monetary losses, with 56% of Middle East respondents reporting losses greater than $500,000, compared to 33% globally.

Despite this reality, most companies have little guidance on what to do in the immediate aftermath of a breach. Critical decisions need to be made as soon as a breach is discovered in order to assess its scale and scope. That assessment determines the most effective next course of action: which resources to mobilise, which chains of command to activate and what evidence to collect. When, what and how to share information with law enforcement and other external authorities is also critical, both to prevent further damage and to reduce the likelihood of future attacks.

With preparation in advance, organisations can ensure that, when the worst happens, they can respond quickly to protect themselves, their customers and their stakeholders.   

Implement a Tested Incident Response 

Being adequately prepared to deal with a cyberattack can significantly reduce the cost of a breach. However, having a plan in place and testing that response process to ensure that it works are two different things. That’s why a critical part of preparation is to stress test the robustness of the response process. Many organisations may think that they have sound policies in place but have never drilled them in a test scenario. The processes - for knowing which systems to shut down, or who owns which assets and processes - need to be mapped and thoroughly practised. Under the pressure of a real incident, confusion wastes valuable time, so test the plan, review it regularly, and test it again.

Assess the Impact

The starting point after an attack is determining the extent of the damage, the type of data that has been targeted and the specific endpoints affected. The scene of the digital crime then needs to be preserved correctly: any system or device that has been impacted should be swiftly identified, with forensic images made as soon as possible. Without this, any forensic investigation can be seriously impeded. These digital forensics provide the information needed to identify the risks, determine the next course of action and then take steps to prevent it from happening again.

Organisations should collect any relevant network logs, suspect communications and files. To maintain authenticity and a chain of custody, access to any preserved materials should be restricted to prevent any compromise of evidence. Preserving digital evidence can also assist law enforcement agencies to identify and prosecute the perpetrators.

Prevent Additional Damage

In the immediate aftermath, organisations need to take steps to prevent further exfiltration of data; intrusions often continue past the initial detection. If data is found to be leaking from the network, the leak needs to be closed down quickly. Depending on the type of attack, responders may need to re-route network traffic or isolate parts of the compromised network to prevent further damage. Any system suspected of being compromised should not be used to communicate information about the incident.

Keeping a detailed record of response activities is important in both recovery and further threat prevention. The incident response team should keep information on the systems, services and data affected by the incident, and any changes made to systems and devices during the incident response.      
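The two preceding sections ask for preserved evidence whose authenticity can be demonstrated, restricted access to that evidence, and a detailed record of every response action. The following Python script is an added example (not from the article or from Guidance Software) of one way to meet all three requirements together: each acquired file is hashed with SHA-256 at acquisition and made read-only, and every custody or response action is appended to a hash-chained log, so later edits to either the evidence or the record are detectable. The file names, the custodian name "responder-1", the host address 10.0.4.17 and the log contents are constructed for the demonstration.

```python
"""Tamper-evident evidence register for incident response (added example).

Assumes forensic images or collected files are already on disk; the
demo below constructs small sample files so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large forensic images never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    """Canonical (sorted-key JSON) SHA-256 of a log entry without its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceRegister:
    """Records acquired items and chains every custody/response action to the previous one."""

    def __init__(self):
        self.items = {}   # path -> acquisition metadata
        self.log = []     # ordered, hash-chained activity record
        self._prev = GENESIS

    def acquire(self, path: str, custodian: str, description: str) -> str:
        digest = sha256_file(path)
        os.chmod(path, 0o400)  # read-only for the owner: restrict access to preserved material
        self.items[path] = {"sha256": digest, "custodian": custodian, "description": description}
        self.record(custodian, f"acquired {os.path.basename(path)} sha256={digest}")
        return digest

    def record(self, actor: str, action: str) -> str:
        entry = {
            "seq": len(self.log),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "prev": self._prev,
        }
        entry["hash"] = _entry_hash(entry)
        self.log.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    def verify_items(self) -> list:
        """Return base names of preserved files whose content no longer matches the acquisition hash."""
        return [os.path.basename(p) for p, meta in self.items.items() if sha256_file(p) != meta["sha256"]]

    def verify_log(self) -> bool:
        """True only if no entry has been edited, removed or reordered since it was recorded."""
        prev = GENESIS
        for entry in self.log:
            if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo() -> dict:
    """Constructed scenario: acquire two items, log a containment step, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        proxy_log = os.path.join(d, "proxy-2016-03-01.log")
        mail = os.path.join(d, "suspect-mail.eml")
        with open(proxy_log, "w") as f:  # constructed sample log line
            f.write("2016-03-01T02:14:05Z 10.0.4.17 CONNECT example.invalid:443 bytes_out=1048576\n")
        with open(mail, "w") as f:       # constructed sample message
            f.write("Subject: Invoice attached\nFrom: accounts@example.invalid\n")

        reg = EvidenceRegister()
        reg.acquire(proxy_log, "responder-1", "web proxy log for the day of detection")
        reg.acquire(mail, "responder-1", "suspect phishing message from user mailbox")
        reg.record("responder-1", "isolated host 10.0.4.17 from the network")
        clean = reg.verify_items()          # nothing has changed yet -> []

        os.chmod(proxy_log, 0o600)          # simulate someone bypassing the access restriction
        with open(proxy_log, "a") as f:
            f.write("2016-03-01T02:20:00Z 10.0.4.17 GET example.invalid/ bytes_out=0\n")
        tampered = reg.verify_items()       # -> ["proxy-2016-03-01.log"]
        log_ok = reg.verify_log()           # log untouched so far -> True
        reg.log[2]["action"] = "no containment performed"  # edit the record after the fact
        return {"clean": clean, "tampered": tampered, "log_ok": log_ok, "log_ok_after_edit": reg.verify_log()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the register itself should be written somewhere the responders cannot silently rewrite (a write-once store or an external ticketing system), and the acquisition hashes recorded in the same place, since the chain only proves that the record you are looking at is consistent with its own history, not that the copy you hold is the original one.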

Working with the Police and Crime Agencies   

In many instances, organisations are reluctant to share information with law enforcement agencies, often for fear of the reputational damage at stake in disclosing security incidents.

However, reporting an incident to the police can often provide insights into an attack that minimise further harm. Law enforcement has a significant role to play that goes beyond the remit of private organisations: they can gather evidence, prosecute, bring down cybercrime infrastructure, recover stolen data and cut off the criminals’ revenue streams.

This is the most effective way of policing cybercrime, and we need to get better at reporting crimes and pooling information. It is this collective intelligence that builds a more accurate picture of the nature and scope of threats, their long-term impact and how to allocate resources most effectively.

The bottom line is that we can’t predict when or where the next incident will occur, and as such the ‘assumption of compromise’ must now inform key decisions on how security resources are allocated. What every organisation can do is take control of the processes that minimise damage, preserve digital evidence and aid quick recovery. With improved information sharing, the industry as a whole stands to benefit in identifying and closing down crime syndicates.
