Best practices to prepare for a data breach
You need to have a current incident response plan that is ready to go if your organization ever gets breached.
When it comes to making an incident response plan, it can get a little overwhelming. In this white paper, you will learn about incident response plan basics, how to best develop and implement your incident response plan, and what should be included in your incident response plan.
INCIDENT RESPONSE PLAN BASICS
WHY HAVE AN INCIDENT RESPONSE PLAN?
Unfortunately, nearly every organization will experience system attacks, with some of these attacks breaching organization’s security.
If breached, you may only be liable for a few of the following fines, or you could be expected to pay even more than listed below. It depends on a number of factors. Along with possible legal fines, federal/municipal fines, increased monthly card processing fees, you may have to pay for the following:
DATA BREACH FINES
Merchant processor compromise fine
$5,000 – $50,000
Card brand compromise fees
$5,000 – $500,000
$12,000 – $100,000
Onsite QSA assessments following the breach
$20,000 – $100,000
Free credit monitoring for affected individuals
$10 – $30/card
Card re-issuance penalties
$3 – $10 per card
Breach notification costs
TOTAL POSSIBLE COST:
$50,000 – $773,000+
A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world and if you’re following PCI DSS requirements, you should already have an incident response plan prepared and employees trained to quickly deal with a data breach situation.
But if there is no plan, employees scramble to figure out what they’re supposed to do, and that’s when big mistakes can occur. For example, if employees wipe a system without first creating images of the compromised systems, this can prevent you from learning what happened and what you can do to avoid re-infection.
Set your incident response plan into motion immediately after learning of a suspected data breach.
THE PHASES OF AN INCIDENT RESPONSE PLAN
An incident response plan should be set up to address a suspected data breach in a series of phases with specific needs to be addressed. The incident response phases are:
- Phase 1: Prepare
- Phase 2: Identify
- Phase 3: Contain
- Phase 4: Eradicate
- Phase 5: Recover
- Phase 6: Review
PHASE 1: PREPARE
Preparation often takes the most effort in your incident response planning, but it’s by far the most crucial phase to protect your organization. This phase includes the following steps:
- Ensure your employees receive proper training regarding their incident response roles and responsibilities
- Develop and regularly conduct tabletop exercises (i.e., incident response drill scenarios) to evaluate your incident response plan
- Ensure that all aspects of your incident response plan (e.g., training, hardware and software resources) are approved and funded in advance
PHASE 2: IDENTIFY
Identification (or detection) is the process where you determine whether you’ve actually been breached by looking for deviations from normal operations and activities.
An organization normally learns they’ve been breached in one of four ways:
- The breach is discovered internally (e.g., review of intrusion detection system logs, alerting systems, system anomalies, or anti-virus scan malware alerts)
- Your bank informs you if a possible breach based on reports of customer credit card fraud
- Law enforcement discovers the breach while investigating the sale of stolen card information
- A customer complains to you because your organization was the last place they used their card before it began racking up fraudulent charges.
PHASE 3: CONTAIN
When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you can inadvertently destroy valuable forensic data. Forensic investigators use this data to determine how and when the breach occurred, as well as devising a plan to prevent similar future attacks.
When you discover a breach, remember:
- Don’t panic
- Don’t make hasty decisions
- Don’t wipe and re-install your systems (yet)
PHASE 4: ERADICATE
After containing the incident, you need to find and eliminate policies, procedures, or technology that led to the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
Whether you or a third party do this, you need to be thorough. If any trace of malware or security issues remain in your systems, you may still be losing sensitive data, with your liability increasing.
PHASE 5: RECOVER
Recovering from a data breach is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your production environment.
PHASE 6: REVIEW
After the forensic investigation, meet with all incident response team members and discuss what you’ve learned from the data breach, reviewing the events in preparation for the next attack.
This is where you will analyze everything about the breach. Determine what worked well and what didn’t in your response plan. Then revise your incident response plan.
HOW TO DEVELOP AND IMPLEMENT YOUR INCIDENT RESPONSE PLAN
You can’t afford to be unprepared for a data breach’s aftermath. It’s up to you to control the situation and protect your brand in the wake of a data breach’s potentially devastating effect on your reputation.
Developing and implementing an incident response plan will help your business handle a data breach quickly and efficiently while minimizing the damage.
STEP 1: IDENTIFY AND PRIORITIZE ASSETS
Start off by identifying and documenting where your organizations keeps its crucial data assets. You need to assess what would cause your organization to suffer heavy losses if it were stolen or damaged.
After identifying critical assets, prioritize them according to importance and highest risk, quantifying your asset values. This will help justify your security budget and show executives what needs to be protected and why it’s essential to do so.
STEP 2: IDENTIFY POTENTIAL RISKS
Determine what risks and attacks are the greatest current threats against your systems. Keep in mind that these will be different for every organization.
For organizations that process data online, improper coding could be their biggest risk. For a brick-and-mortar organization that offers WiFi for their customers, their biggest risk may be Internet access. Other organizations may place a higher focus on ensuring physical security, while others may focus on securing their remote access applications.
Here are examples of a few possible risks:
- External or removable media: executed from removable media (e.g., flash drive, CD)
- Attrition: employs brute force methods (e.g., DDoS, password cracking)
- Web: executed from a site or web-based app (e.g., drive-by download)
- Email security: executed via email message or attachment (e.g., malware)
- Impersonation: replacement of something benign with something malicious (e.g., SCL injection attacks, rogue wireless access points)
- Loss or theft: loss of computing device or media (e.g., laptop, smartphone)
Top failed vulnerabilities discovered by SecurityMetrics vulnerability scans:
- TLS Version 1.0 Protocol Detection: Exists if the remote service accepts connections using TLS 1.0 encryption
- SSL Certificate with Wrong Hostname: Happens when a SSL certificate for the tested service is for a different host
- Web Application Potentially Vulnerable to Clickjacking: Occurs if a remote web server does not set an X-Frame-Options response header in all content responses
- SSL RC4 Cipher Suites Supported (i.e., Bar Mitzvah Attack): exists when the RC4 encryption algorithm is used in SSL/TLS transmission
- SSL Self-Signed Certificate: Occurs when organizations use an identity certificate that they create, sign, and certify rather than a trusted certificate authority (CA)
STEP 3: ESTABLISH PROCEDURES
If you don’t have established procedures to follow, a panicked employee may make detrimental security blunders that could damage your organization. Your data breach policies and procedures should include:
- A baseline of normal activity to help identify breaches
- How to identify and contain a breach
- How to record information on the breach
- Notification and communications plan
- Defense approach
- Employee training
Over time, you might need to adjust your policies according to your organization’s needs. Some organizations might require a more robust notification and communications plan, while others might need help from outside resources. However, all organizations need to focus on employee training (e.g., your security policies and procedures).
STEP 4: SET UP A RESPONSE TEAM
You need to organize an incident response team that coordinates your organization’s actions after discovering a data breach. Your team’s goal should be to coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.
Some of the necessary team roles are:
- Team leader
- Lead investigator
- Communications leader
- C-suite representative
- IT director
- Public relations
- Documentations and timeline leader
- Human resources
- Legal representative
- Breach response experts
Make sure your response team covers all aspects of your organization, and that they understand their particular roles in the plan. Each will bring a unique perspective to the table with a specific responsibility
to manage the crisis.
STEP 5: SELL THE PLAN
Your incident response team won’t be effective without proper support and resources to follow your plan.
Security is not a bottom-up process. Management at the highest level (e.g., CEO, VP, CTO) must understand that security policies–like your incident response plan–must be implemented from the top and be pushed down. This is true for organizations from mom and pop shops to enterprise organizations.
For enterprise organizations, executive members need to be on board with your incident response team. For smaller organizations, management needs to be fine with additional funding and resources dedicated to incident response.
When presenting your incident response plan, focus on how your plan will benefit your organization (e.g., financial and brand benefits). For example, if you experience a data breach and poorly manage the incident, your company’s reputation will likely receive irreparable brand damage.
The better your goals are presented, the easier it will be to obtain necessary funding to create, practice and execute your incident response plan.
STEP 6: TRAIN YOUR STAFF
Just having an incident response plan isn’t enough. Employees need to be properly trained on your incident response plan and know what they’re expected to do after a data breach.
Employees also need to understand their role in maintaining company security. To help them, employees should know how to identify attacks such as phishing emails, spear phishing attacks, and social engineering efforts.
Test your employees through tabletop exercises (i.e., simulated, real-world situation led by a facilitator). While tabletop exercises require time and money, they play a vital role in your staff’s preparation for a data breach. These tabletop exercises help familiarize your employees with their particular incident response roles by testing them through a potential hacking scenario.
After testing your employees, you can identify and address weaknesses in the incident response plan and help everyone involved see where they can improve, with no actual risk to your organization’s assets.
The regular routine of work makes it easy for employees to forget crucial security information learned during trainings.
TO INCLUDE IN AN INCIDENT RESPONSE PLAN
Creating an incident response plan can seem overwhelming. To help, develop your incident response plan in smaller, manageable procedures.
While every organization will need varying policies, training, and documents, there are a few itemized response lists that most organizations need to include in their incident response plans, such as:
- Emergency contact/communications list
- System backup and recovery processes list
- Forensic analysis list
- Jumpbag list
- Security policy review list
EMERGENCY CONTACT/COMMUNICATIONS LIST
Proper communication is critical to successfully managing a data breach, which is why you need to document a thorough emergency contact/communications list. This list should contain information about: who to contact, how to reach these contacts, when it’s the appropriate time to reach out, and what you need to say.
In this list, you should document everyone that needs to be contacted in the event of a data breach, such as the following individuals:
- Response team
- Executive team
- Legal team
- Forensics company
- Public relations
- Affected individuals
- Law enforcement
- Merchant processor
You need to determine how and when notifications will be made. Several states have legislated mandatory time frames that dictate when an organization must make notifications to potentially affected cardholders (and law enforcement). You should be aware of the laws in your state and have instructions in your incident response plan that outline how you will make mandated notifications.
Your incident response team should craft specific statements that target the various audiences, including a holding statement, press release, customer statement, and internal/employee statement. For example, you should have pre-prepared emails and talking points ready to go after a data breach.
Your statements should address questions like:
- Which locations are affected by the breach?
- How was it discovered?
- Is any other personal data at risk?
- How will it affect customers and the community?
- What services or assistance (if any) will you provide your customers?
- When will you be back up and running, and what will you do to prevent this from happening again?
Identify in advance the person within your organization (perhaps your inside legal counsel, newly hired breach management firm, C-level executive, etc.) that is responsible for ensuring the notifications are made timely and fulfill your state’s specific requirements. Your public response to the data breach will be judged heavily, so think this through.
SYSTEM BACKUP AND RECOVERY PROCESSES LIST
Your system backup and recovery processes list will help you deal with the technical aspects of a data breach. Here are some things that should be included:
- Process for disconnecting from the Internet (e.g., who is responsible to decide whether or not you disconnect)
- System configuration diagrams that include information like device descriptions, IP addresses, and OS information
- Process for switching to redundant systems and preserving evidence
- Process for preserving evidence (e.g., logs, timestamps)
- Practices to test the full system backup and system recovery
- Steps to test and verify that any compromised systems are clean and fully functional
This list helps you preserve any compromised data, quickly handle a data breach, and preserve your systems through backups. By creating and implementing this list, your organization can lessen further data loss and help you to return to normal operations as quickly as possible.
FORENSICS ANALYSIS LIST
A forensics analysis list is for organizations that use in-house forensic investigations resources. Your forensic team will need to know where to look for irregular behavior and have access to system security and event logs. You might need multiple lists based on your different operating systems and functionalities (e.g., server, database).
Your forensic team may need the following tools:
- Data acquisition tools
- Clean/wiped USB hard drives
- Cabling for all connections they could experience in your environment
- Other forensic analysis tools (e.g., EnCase, FTK, X-Ways)
However, if your organization doesn’t have access to an experienced computer forensic examiner in-house, you will want to consider hiring a forensics firm, first vetting them with in advance with pre-completed agreements. This vetting process helps ensure you get an experienced forensic investigator when you need it.
Your jumpbag list is for grab-and-go responses (i.e., when you need to respond to a breach quickly). This list should include overall responses and actions employees need to take immediately after a breach. Your list will keep your plan organized and prevents mistakes caused by panic.
Some things to include in your jumpbag list are:
- Incident handler’s journal to document the incident (e.g., who, what, where, when, why)
- Incident response team contact list
- USB hard drives and write-blockers
- USB multi-hub
- Flashlight, pens, notebooks
- All of your documented lists
- USB and/or DVD-ROM containing bootable versions of your OS
- Computer and network tool kit
- Hard duplicators with write-block capabilities
- Forensic tools and software (if using in-house forensic investigations resources)
SECURITY POLICY REVIEW LIST
Your security policy review list deals with your response to a breach and its aftermath. This list helps you analyze the breach, helping you know what you can learn and change afterwards.
Your security policy review list should include documentation of the following things:
- When the breach was detected, by whom and what method
- Scope of the incident/affected systems
- Data that was put at-risk
- How the breach was contained and eradicated
- Work performed or changes made to systems during recovery
- Areas where the response plan was effective
- Areas that need improvement (e.g., which security controls failed, improvements to security awareness programs)
You should look at where your security controls failed, and how to improve them. The purpose of this list is to document the entire incident, what was done, what worked, what didn’t, and what was learned.
An incident response plan is only useful if it is properly established and followed by employees. To help staff, regularly test their reactions through real-life simulations or what’s known as tabletop exercises. Tabletop exercises allow employees to learn about and practice their incident response roles when nothing is at stake, which can help you discover gaps in your incident response plan (e.g., communication issues).
TYPES OF TABLETOP EXERCISES
In a discussion-based table exercise, you and your staff discuss response roles in hypothetical situations.
A discussion-based tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while still testing your team’s response to real-life scenarios without risk to your organization. However, this exercise can’t fully test your incident response plan or your team’s response roles.
In a simulation exercise, your team tests their incident responses through a live walk-through test that has been highly choreographed and planned.
This exercise allows participants to experience how events actually happen, helping your team better understand their roles. However, simulation exercises can require a lot of time to plan and coordinate, while still not fully testing your team’s capabilities.
In parallel testing, your incident response team actually tests their incident response roles in a test environment.
Parallel testing is the most realistic simulation possible and provides your team with the best feedback about their roles. However, parallel testing is more expensive and requires more time planning than other exercise because you need to simulate an actual production environment (e.g., systems, networks).
Before conducting a tabletop exercise, determine your organization’s needs by asking:
- Has your incident response team received training about their roles and responsibilities?
- When did you last conduct a tabletop exercise?
- Has there been any recent organizational changes that might affect your incident response plan?
- Has there been any recent guidance or legislation that might impact your response plan?
Next, design your tabletop exercise around an incident response plan topic or section that you want tested. Identify any desired learning objectives or outcomes. From there, create and coordinate with your tabletop exercise staff (e.g., facilitator, participants, and data collector) to schedule your tabletop exercise.
When designing your tabletop exercise, prepare the following exercise information:
- A facilitator guide that documents your exercise’s purpose, scope, objective, and scenario, including a list of questions to address your exercise’s objectives.
- A participant briefing that includes the exercise agenda and logistics information
- A participant guide that includes the same information as the facilitator guide, except it either doesn’t include any of the questions or includes a shorter list of questions designed to prepare participants
- An after action report that documents the evaluations, observations, and lessons learned from your tabletop exercise staff
After conducting a tabletop exercise, set up a debrief meeting to discuss response successes and weaknesses. Your team’s input will help you know where and how to make necessary revisions to your incident response plan and training processes.
If you don’t already have an incident response plan, making one should be a top priority. Next, regularly practice and review your plan. Without regular tabletop exercises and simulation trainings, your staff may make poor decisions which may make beach impact worse.
A data breach can be an organization’s most stressful situation it handles, but it doesn’t have to be the end of your organization. By following your incident response plan, you can avoid significant brand damage.
It’s important to discover the breach quickly, identify where it’s coming from, and pinpoint what it has affected.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.