Data breaches are an unavoidable part of doing business today. The evolving threat landscape has forced many information security professionals to adjust their thinking from ‘if I get breached’ to ‘when I get breached’.
How well or badly your organisation ends up after a data breach will come down to how prepared you were with actionable, well-documented strategies and procedures. Here are five steps you can take before a breach occurs.
Know exactly where your data is
Knowing where your data is critical in formulating a logical investigation plan. This will help any investigation team triage an incident and rapidly reduce the amount of data they have to look at.
If your confidential data suddenly showed up on Pastebin and you knew it lived on server X, it would be logical to assume server X was involved in the breach and should be included in the scope of the investigation.
> See also: Testing, testing – 4 simple IT security mistakes that leave a business vulnerable
If your data showed up on Pastebin and you had no idea which system that data came from, you would need to start adding zeros to your incident response team’s contract. They’re going to be there a while.
Understand the importance of logging files
Performing an investigation without log files is like following a set of footprints in a blizzard. Without logs, there’s no evidence of initial intruder access into the target environment, lateral movement from the point of entry and exfiltration of the harvested data.
You may be able to examine the last few hours or days of the incident, but nothing beyond what is stored locally. This is a big problem, since most breaches occur months before evidence of their existence surfaces. By that time, the logs required to identify what took place and when are long gone.
Understand breach disclosure responsibilities
Disclosure is almost always necessary – and your legal obligations are getting stricter. Needless to say, you need to get a good lawyer who understands cybersecurity legislation.
Your legal counsel should fully understand not only which disclosure laws apply to your organisation and lay out a strategy regarding how you will comply with them if and when a breach is discovered, but also if you have any customer or partner contractual obligations.
You’ll also need to ensure the key decision makers in your business understand their responsibilities under the appropriate legislation.
Develop and test an incident response plan
Organisations that have a plan can identify, contain and eradicate threats exponentially better than those without one. Engaging an external consulting firm to generate a computer security incident response plan (CSIRP) is very important.
Their knowledge can help you to build a comprehensive plan and help you avoid some of the common mistakes other organisations have made.
Creating a CSIRP is the first step in preparing your organisation for a breach, but you don’t want the first time you test your incident response plan to be when an incident occurs. Testing your CSIRP will help you to identify which sections of the plan are strong and work as intended, and which sections are lacking and need modification.
Perform goal-oriented penetration testing
A penetration test gauges an organisation’s ability to withstand a cyber-attack. The test determines, given a set of configurations, the degree to which an intruder can gain access to a target environment, move around, access company sensitive data and move it from a system controlled by you (the victim), to a system controlled by an attacker.
> See also: The 7 most dangerous myths of software security
Pentesting can also evaluate your organisation’s ability to detect and respond to an attack. Organisations that engage in realistic, goal-oriented penetration testing are much better positioned to defend against attacks than those that don’t perform this type of realistic pentesting or simply tick boxes on a compliance list.
Get in the fight
Despite the vast sums of money that organisations spend on defensive hardware, software and regulatory compliance, data breaches continue to occur. Organisations must start to operate under the assumption that they have already been breached or that they are actively being targeted.
We’re fighting an active enemy who has taken a lot of ground in this fight. Unless we see an industry-wide change in security strategies, things are going to get a whole lot worse. But it’s far too soon to give up, so get in the fight!
Sourced from Chris Pogue, Nuix