It's easy to get caught up in data breaches, particularly the kinds that draw the attention of the government and industry regulators. While there are dozens of things that can be done to prevent a data breach, you may not have time to look back after the deed has been done.
The next best thing you can do is "hope" your incident response plan guides you through the maze and helps your business recover. While you may have a well-documented incident response plan, there are still some things you want to avoid after a security incident occurs.
The last thing you want to do after a breach is try to save money and do it all yourself. Too many people believe they can recover from data breaches without outside assistance, be it from an independent consultant, law enforcement or a forensic investigator. Here are the most common post-breach missteps I've witnessed in recent years:
Assuming the original breach was cleared up. I've seen several scenarios whereby a malware infection was thought to have been contained to a select group of computers. Then, after a while, the infection reared its ugly head an order of magnitude greater than the original outbreak was assumed to be.
Assuming you need to reset user account passwords on only the platform that was compromised. Unless you have strong evidence to the contrary, once someone gains access to one platform on your network you need to approach it as if access has been gained on other platforms as well. Do your homework and see what's taken place across the board. In addition to traditional user accounts, servers and workstations, there are other systems to be considered as well, including smartphones, Web-based email, websites, applications and wireless passphrases.
Assuming your existing level of log retention is sufficient for long-term cleanup. Thirty days or 10 MB worth of log files may have been enough before, but it might not get you through the next phase, where you need to monitor your systems more closely. Furthermore, you don't want to overwrite any log files that can help you with future investigations or prosecution.
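One way to check the point above is to compute the retention each logrotate stanza actually guarantees and compare it with the window an investigation needs. This is an added example, not code from the article or its author; the three stanzas are constructed samples (a 30-day policy, a 10 MB size-triggered policy and a one-year policy), and the 180-day requirement is an assumed investigation hold.

```python
import re

# Constructed sample config (not from the article): thirty days, 10 MB, one year.
SAMPLE_LOGROTATE = """
/var/log/auth.log {
    daily
    rotate 30
}
/var/log/app/*.log {
    size 10M
    rotate 5
}
/var/log/nginx/*.log {
    weekly
    rotate 52
}
"""

INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

def parse_logrotate(text):
    """Yield (path_pattern, {directive: value}) for each stanza in the config."""
    for path, body in re.findall(r"(\S[^{\n]*?)\s*\{([^}]*)\}", text):
        settings = {}
        for line in body.strip().splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        yield path, settings

def effective_retention_days(settings):
    """Days of history kept, or None when a 'size'/'maxsize' trigger makes
    retention depend on log volume rather than age (a busy attacker flushes it)."""
    interval = next((d for k, d in INTERVAL_DAYS.items() if k in settings), None)
    if interval is None or "size" in settings or "maxsize" in settings:
        return None
    days = int(settings.get("rotate", "0")) * interval
    if "maxage" in settings:  # maxage removes rotated files older than N days
        days = min(days, int(settings["maxage"]))
    return days

def audit_retention(config_text, required_days):
    """Flag every stanza that cannot guarantee required_days of history."""
    findings = []
    for path, settings in parse_logrotate(config_text):
        days = effective_retention_days(settings)
        findings.append({"path": path, "days": days,
                         "ok": days is not None and days >= required_days})
    return findings
```

Stanzas reported with `days` of None are size-bound: their history can disappear in hours during an incident, so copy those logs off-box rather than trusting rotation to keep them.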
Assuming you'll need only forensics tools to wade through the muck. I've found a good vulnerability scanner to be one of the best tools for uncovering what led to a breach in the first place.
Assuming you don't need to change the management process for firewalls, databases or patch management for applications or operating systems. Gaps in one or more of these areas are often enablers of data breaches in the first place. The same goes for your security standards, policies and user awareness program.
Last, but certainly not least, is an issue that can contribute to post-breach problems more than anything else: Assuming that your computer security incident response team (you do have one, right?) can stand on its own without good leadership.
A common issue I come across is the lack of communication among IT, forensics and security staffs and management. I've seen too many situations where everyone assumes someone else is doing the things that need to be done when, in fact, they're being ignored altogether. This is not good for incident response and not good for business.
The consequences of data breaches are different for every organization, but one thing is for sure: If you go about forensics and incident response the wrong way after an issue arises, it's guaranteed to make things worse.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored and co-authored seven books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd Edition. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com.