We have long since passed the era when 100 percent prevention of security breaches was even remotely possible. It takes only a single, seemingly harmless action, such as an employee clicking a link, using an insecure Wi-Fi connection, or installing a tampered software update, to unleash a full-scale infection.
This, however, doesn’t mean your enterprise is helpless. On the contrary, you can dramatically improve your ability to avoid disaster and mitigate damage by taking the right actions. In this slideshow, Seculert outlines five critical steps for handling a security breach.
Seculert provides an integrated platform that identifies resident, active threats that have evaded existing perimeter defenses and breach detection systems.
Identify the attack
Start by identifying which systems, services and devices have been compromised: corporate email, online customer login pages, shared drives and so on. Ask who the target is within your organization, and where the activity originates. Is it coming from a host inside your network, or from outside your perimeter?
Gather the indicators of the command and control servers used in the attack: IP addresses, domain names and the like. These are what you will search your logs for to find other compromised hosts you have not yet noticed.
Determine the type of attack. Is it a data stealer, a DDoS bot, a remote access tool, or something else?
Is it targeted specifically at your company? Your industry? A product or service you use? What is the agenda behind the attack: economic, social, political?
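The identification step above comes down to running the command and control indicators you have collected against your own logs and answering "which of my hosts are talking to them, and are they inside my network?" The following is an added example of that check, not code from the original slideshow or from Seculert. The proxy log format, the IP addresses, the domain names and the RFC 1918 definition of "internal" are all assumptions constructed for the example; the hosts it flags are exactly the ones the next step (quarantine) should isolate.

```python
import ipaddress
import re

# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> src=<ip> dst=<ip> host=<fqdn> bytes=<n>
SAMPLE_LOG = """\
2014-03-10T08:12:01Z src=10.1.4.22 dst=203.0.113.45 host=cdn-updates.example.net bytes=512
2014-03-10T08:12:31Z src=10.1.4.22 dst=203.0.113.45 host=cdn-updates.example.net bytes=498
2014-03-10T08:13:02Z src=10.1.4.22 dst=203.0.113.45 host=cdn-updates.example.net bytes=507
2014-03-10T08:13:40Z src=10.1.7.9 dst=198.51.100.77 host=mail.example.com bytes=20480
2014-03-10T08:14:11Z src=10.1.9.3 dst=198.51.100.12 host=login.example.org bytes=1903
2014-03-10T08:15:55Z src=192.0.2.200 dst=10.1.9.3 host=login.example.org bytes=77
2014-03-10T08:16:02Z src=10.1.9.3 dst=203.0.113.45 host=stats.example-telemetry.biz bytes=301
"""

# Constructed C2 indicators, using RFC 5737 documentation addresses and made-up domains.
# In practice this set comes from the analysis of the attack (step 1 above).
C2_IPS = {"203.0.113.45"}
C2_DOMAINS = {"cdn-updates.example.net", "stats.example-telemetry.biz"}

# Assumption: "inside your network" means RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_c2_contacts(log_text, c2_ips=C2_IPS, c2_domains=C2_DOMAINS):
    """Return {src_ip: {"indicators": set, "hits": n, "internal": bool}} for every
    source address that contacted a known C2 IP or domain."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = set()
        if rec["dst"] in c2_ips:
            matched.add(rec["dst"])
        if rec["host"] in c2_domains:
            matched.add(rec["host"])
        if not matched:
            continue
        entry = hits.setdefault(
            rec["src"], {"indicators": set(), "hits": 0, "internal": is_internal(rec["src"])}
        )
        entry["indicators"] |= matched
        entry["hits"] += 1
    return hits


def quarantine_candidates(hits):
    """Internal hosts that talked to C2 infrastructure: the list for the quarantine step."""
    return sorted(ip for ip, info in hits.items() if info["internal"])


if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_LOG)
    for ip, info in contacts.items():
        print(ip, "internal" if info["internal"] else "external",
              info["hits"], "hits", sorted(info["indicators"]))
    print("quarantine:", quarantine_candidates(contacts))
```

Note that a regular, small beacon every thirty seconds (the first three lines) is a stronger signal than a single hit, so keep the hit count per host rather than collapsing the result to a boolean; and an external source address that appears in the log (192.0.2.200) tells you whether the attack is coming at you from outside rather than phoning home from inside.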
Quarantine the damage
Prevent the attack from spreading to other hosts and causing further damage by isolating the compromised endpoints and assets. Taking the whole network offline is rarely an option, because it would halt the business, so quarantine only the infected servers, computers and devices. Isolate them at the network level, blocking all traffic except to the systems used to investigate them, rather than powering them off: a hard shutdown destroys the evidence held in memory.
Tip: In quarantine, they can be examined, remedied and brought back online.
Now that the infection has been quarantined, it’s time to get out your rubber gloves. Compare a known-good pre-infection backup with the post-infection state of each system to find what was added, changed or deleted. Start with the most critical systems first. Remember that a network breach is a crime, so take care not to destroy valuable evidence.
Tip: Make safe, stable copies of malicious files and other evidence, record their hashes, and store them on an isolated system so they cannot accidentally re-infect anything. Consult your corporate legal counsel to ensure that you have the most up to date and accurate advice.
Develop a communication plan
Legally, you may need to disclose the attack, if not publicly then at least to those potentially affected: customers, partners or other stakeholders. Decide whether sharing information at this point is also a necessary public relations move. There are professionals who specialize in network security breaches, including PR communications professionals and lawyers.
Re-secure the network
Before putting any server, computer or device back online, check, double-check and triple-check that it is clean. Change every compromised or potentially compromised password, along with any keys or other credentials the attacker could have reached.
Tip: New passwords should follow current best practices for strength. Check for configuration errors, and download and install the latest security patches. Update the security settings on your network hardware. Don’t forget the human factor: educate all employees on how to play an active role in maintaining network security.