Incident response plans are crucial in an organization’s overall strategy for handling potential data breaches and incidents. An incident is defined as a security event that compromises the integrity, confidentiality or availability of an information asset. A breach is an incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party. No one is immune to incidents; in 2015, out of the 64,199 incidents included in the 2016 Verizon Data Breach Investigations Report, 74 percent occurred in companies with more than 1,001 employees. 1
According to the same report, approximately 78 percent of incidents were actually caused by miscellaneous employee errors, privilege misuse, physical theft/loss and denial of services. Data breaches by Web app attacks, POS intrusions, cyberespionage and payment card skimmers made up just 22 percent of the remaining incidents – 89 percent of those had a financial or espionage motive.
Establishing protocols in advance of a potential incident allows a data breach to be appropriately handled. Organizations can respond to incidents by monitoring their network for issues, investigating and remediating them. The appropriate people on the incident response team need to ask how to protect the data, how to classify it and what the organizational approach to data is.
Before an organization formulates an incident response plan to prepare for a data breach, consideration needs to be given to how data, both structured and unstructured, is accounted for as part of its overall data governance processes. Organizations need to consider how and where this data is stored, i.e., backup systems, servers, BYOD and workstations.
Data stored in the cloud can be unorganized. Questions need to be asked about the content of the data, who owns the data account if an individual leaves, and how the right person in the organization gains access to that data.
Evidence Preservation Is a Key Factor
A successful Incident Response (IR) plan involves everybody from the IT help desk to human resources, corporate counsel, security operations and legal counsel. Organizations without effective incident response plans tend to rush into an incident in an effort to preserve as much data and/or minimize the impact as much as possible. Such a strategy may often have unintended consequences affecting the integrity of the original data. Instead, organizations must have an established, well-defined strategy for responding to computer incidents.2
A plan should outline the location of data and how to protect and classify it. The plan will also determine which policies and procedures should be in place, as not all data is the same. When a breach occurs, the legal department is at the forefront of the incident, ensuring the capture of correct data to use later to potentially file criminal charges.
Data governance policies ensure the organization maintains custody and properly protects its data. It gives personal responsibility to each person in the organization, whether for personal files or financial records. At this point, IT can enforce incident response policies that have been established at the business level.
What Happens During a Data Breach?
IR plans need to be robust to address different categories within the organization. IR planning should be prioritized based on the types of risks the firm is most likely to face, in addition to those that have the potential for the greatest impact upon the firm, its relationships and its reputation. The first line of defense is the workers at the IT help desk. They can monitor suspicious activity before the rest of the organization’s employees or receive phone calls alerting them to issues.
Thoughtful, efficient incident response during a data breach is crucial, especially when it affects customers. An incident can prevent communication with clients, as is the case in denial of service attacks, in which a user or organization is deprived of the services of a resource they would normally expect to have. An incident response plan can help counter this kind of attack.
The main steps in incident response are:
Plan and prepare: IT should consider what’s next when it comes to defending against or responding to a data breach or cyberattack. Preparing for an incident has to be a part of daily work life, where there’s not only a good IR plan in place, but constant review and adjustment of that plan when new threats come to the forefront.
Detect and report: Signs of a possible data breach include accounts and passwords no longer working, the organization website containing unauthorized changes, and the system constantly crashing and rebooting. The help desk can report abnormal activity across the organization’s servers and processes. By educating employees within the organization about the need to report abnormal behavior within their systems, organizations can help thwart a breach. Protocols should advise reporting unusual activity before rebooting systems, which could proliferate a virus or network intrusion.
Assess and decide: When IT identifies suspicious emails with links, data breaches, denial of service attacks, and other suspicious or unauthorized network activity, the incident is reported. IT can then contain, eradicate and recover from the incident while analyzing it from a forensic perspective.
Post-incident activity: Organizations need to evaluate the lessons learned during an incident and how to retain the evidence. Removing the virus, reimaging the machine and returning it to the employee is not a best practice. While it seems to be good from a business sense, it’s not good from an IR protocol perspective. The problem may have been rectified, but was the root cause of the breach uncovered? Preserving information so that it can be analyzed further is a greater benefit to an organization.
The Continuous Cycle
An IR plan does not stop once it is developed. Following a breach, or even a perceived threat, organizations should initiate a review. An organization IR plan cycle includes:
- Preparation and establishment of accountability
- Detection and analysis
- Containment, removal and recovery
- Post-incident review
- Updating of the IR plan
It’s key to document everything that happened after an incident in order to learn and apply those lessons for future attacks.
1Verizon 2016 Data Breach Investigations Report
2Nicholas McLarty, CISSP, Texas A&M Transportation Institute, AccessData® User Summit keynote presentation