You Have Just Discovered a Data Breach! What Now?


Posted on by Chetan Honnenahalli

Cybersecurity professionals are at the frontline of Application and Infrastructure Security. They put together their best defense against security threats. However, we see time and again that these defenses fall short. This is only natural as software technology evolves at an incredible speed and the defenses of yesterday can be broken in the very near future. With all the benefits and advancements AI brings with it, it also empowers bad actors. Having a solid plan in place to prevent further damage is more essential today than ever before. This blog describes the necessary steps to be taken by cybersecurity experts in the event of a data breach.

Assume the Worst

Skilled hackers cover their tracks well and do not leave traces of their attack. As a result, it is often hard to be sure how much of an organization’s data has been compromised. In such cases, it is best to assume that they managed to access more data than what is immediately obvious.

Give the Bad News Early

Even when a security team is 70% sure that a breach has occurred, communicate and socialize the information at the earliest possible time. This helps the other departments of the organization take preventative measures to stop the breach from spreading. For example, the database administration team can change the access information and secure data backups as soon as they learn of a breach.

Change the Locks

Erase the login passwords off the end users and set the account statuses to “Requires Password Reset” so that the next time the end users try to log in with their now compromised login credentials, they are forced to select a new password. This should also be applied to all passwords used to access various online tools within the organization and could be extended to changing the security certificates used for Single Sign-On (SSO) and SSL decryption. Immediately following this action, invalidate any active login sessions and force the users to login again.

Check the Monitors for Suspicious Activity

Scan the application and database logs for unusual activity. Such as, repeated access from a specific IP, increased rate of errors in application that run smoothly on a normal basis, increased resource utilization on components that normally run flat, increased financial transaction activity (in case of account takeovers).These actions should be done for at least a few weeks after the breach and alerts must be raised when anomalous behavior is detected so that reactive measures can be taken to prevent a repeat occurrence.

Engage Authorities

Government authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) vow to “lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.” and are often equipped with the tools and the resources to prevent the spread of the impact from data breaches. Recruiting their support to deal with the crisis might be the next best move.

Conduct Postmortems

After all the steps described in this article have been taken, dive deep to uncover the leaks and prepare a list of actions to be taken to plug them. Identifying owners and timeline for each of these actions and tracking their prompt completion will ensure that a repeat occurrence will likely be prevented.

Conclusion

Planning for dealing with a data breach is as important as planning for preventing a breach. When a disaster strikes, an organization that has pre-planned and rehearsed the disaster recovery measures is always better equipped to deal with it. It is the cybersecurity experts’ responsibility to lead these efforts by simulating data breaches and practicing recovery steps beforehand so that the organization as a whole is prepared to put up a fight against the breach and protect its users from further exploitation.

 


Contributors
Chetan Honnenahalli

Software Engineer, Meta

Risk Management & Governance

Business Continuity and Disaster Recovery application security Pen Testing / Breach Simulation asset discovery & management data security hackers & threats risk management

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs