Security Breach Planning and Response
The following is an excerpt from the article by Robert Risk, Seth Danberry, Rob Kleeger and Ryan Cooper that appeared in the May/June 2016 issue of New Jersey CPA magazine.
Thieves are everywhere these days. You read about data security breaches every day, from Target, Home Depot, Anthem and Sony to American Express. These are the big companies, but did you know that 94% of all breaches occur in companies with fewer than 100 employees? So what are small and midsize companies to do? The answer is to assume you will be breached and plan for it. The worst thing you can do is fail to be proactive, because from a reactive position you risk permanently damaging your company's brand and setting your company up for lawsuits and compliance issues.
Security Breach Response
Although many business executives agree that data is among their most valuable assets, it often takes a breach—or, at least, an attempted breach—to convince executives to beef up data protection. As we’ve seen over the past few years, no one is safe from attempted breaches.
Unfortunately, most organizations are not aware a breach has occurred until it’s too late. In a recent case, a small third-party medical billing company that has additional staff outside the United States had migrated from a Microsoft 2003 Exchange environment to a newer Microsoft Exchange server environment. Within two weeks of that migration, a camera crew and a well-known investigative news reporter showed up at the company asking the CEO to provide a statement on how nearly one hundred thousand patient records had become publicly available (i.e., a PHI breach).
The incident response team was dispatched onsite that afternoon. They began the forensic preservation of the old server and the new servers, captured various system log files, interviewed the client's managed IT services firm and the CEO, and began conducting an analysis within a few days.
In the end, it was discovered that the migration had caused the FTP setting to default to anonymous login; the server was therefore publicly reachable, and its contents were crawled and cached by Google’s bot. The IT firm had simply forgotten to “check the box” that closed the publicly facing FTP port.
Getting hacked is never a good thing, especially when the result is stolen or compromised customer data, PII, or PHI. But how a company reacts to the attack can make all the difference in the long run. A prompt and effective reaction can minimize the damage or at least paint the organization in a fairly positive light with customers, business partners and the public at large.
The initial step is to keep calm and prioritize what is happening and what needs to be contained. Preserving evidence and identifying what has occurred is important, but the investigation can't begin until the scene is secured. Depending upon the incident (e.g., passive network intruder, malicious attack, rogue employee), the primary objective is to provide intelligence about the technical skill set and the motivation of the attacker, along with immediate steps to remediate and protect critical assets. This includes an initial damage assessment, the initial vector of compromise, indicators of compromise, preservation of forensic artifacts, and further forensic analysis of the information collected.
Often, a critical step is to identify the incident by reviewing errors, log files and other artifacts from firewalls, intrusion-detection systems, and other digital assets. Once the response team has identified the incident, it works on stabilizing and containing the network to “stop the bleeding.”
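As an added illustration (not from the article), this is the kind of log review the "identify the incident" step calls for, applied to the anonymous-FTP case above: a Python script that scans constructed FTP log lines, in an assumed simplified IIS-style layout, and reports which anonymous clients completed a login and which files they then downloaded.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article), in an assumed simplified
# IIS/W3C-style FTP layout: date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2016-03-01 02:14:07 203.0.113.10 - USER anonymous 331
2016-03-01 02:14:07 203.0.113.10 anonymous PASS *** 230
2016-03-01 02:14:09 203.0.113.10 anonymous RETR /billing/patients_2015.csv 226
2016-03-01 02:14:12 203.0.113.10 anonymous RETR /billing/claims_q4.xlsx 226
2016-03-01 03:40:55 198.51.100.7 - USER billing_admin 331
2016-03-01 03:40:55 198.51.100.7 billing_admin PASS *** 230
2016-03-01 03:41:02 198.51.100.7 billing_admin RETR /billing/claims_q4.xlsx 226
2016-03-01 04:02:19 192.0.2.44 - USER anonymous 331
2016-03-01 04:02:19 192.0.2.44 anonymous PASS *** 530
"""

ANON_USERS = {"anonymous", "ftp"}  # usernames FTP servers treat as anonymous

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<method>\S+) (?P<arg>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_anonymous_exposure(log_text):
    """Return (downloads, refused): downloads maps each client IP that completed an
    anonymous login (PASS answered 230) to the files it then retrieved (RETR 226);
    refused is the set of IPs whose anonymous login got any other answer (e.g. 530)."""
    logged_in, refused = set(), set()
    downloads = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"].lower() not in ANON_USERS:
            continue  # malformed line, or a named (authenticated) user
        if rec["method"] == "PASS":
            (logged_in if rec["status"] == "230" else refused).add(rec["ip"])
        elif rec["method"] == "RETR" and rec["status"] == "226" and rec["ip"] in logged_in:
            downloads[rec["ip"]].append(rec["arg"])
    return dict(downloads), refused

if __name__ == "__main__":
    pulled, refused = find_anonymous_exposure(SAMPLE_LOG)
    for ip, files in pulled.items():
        print(f"anonymous client {ip} retrieved: {', '.join(files)}")
    print(f"anonymous logins refused from: {sorted(refused) or 'none'}")
```

Real IIS FTP logs carry more columns and the exact field order is set in the server's logging configuration, so the regex would need to match the log's own header line before use.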
Forensic preservation is a critical step, given potential legal notification and state data breach requirements, reputational risk, and possible litigation. The earliest stage of any investigation is the most important one to get right. Like the "golden hour" in emergency medicine, the first hours of a response are when a prompt expert response with a clear head and a well thought out plan does the most to establish the best defensible position for later investigation or litigation.