More

    Six Steps for Dealing with a High-Level Data Breach

    Sue PorembaThe Department of Energy was hacked. Again. It is the second time this year that the DOE was the victim of a breach. The breach took place in, and it is believed that the personally identifiable information (PII) of 14,000 present and former employees was potentially compromised.

    Defense contractor Northrop Grumman recently announced that it, too, suffered a similar breach.

    In both cases, because of the type of information affected, the hackers may have been doing little more than data mining for valuable-on-the-black-market PII. Or it could be the hackers were looking for more, like the ability to access data involving the critical infrastructure or national security stored on the organizations’ networks. We don’t know, and we won’t know, as Anthony DiBello, strategic partnerships manager, Guidance Software, pointed out to Sue Marquette Poremba in an email, without a complete forensic analysis of the compromised systems. He went on to say:

    When incidents like this happen, people are very eager to get their systems and machines back online and working. This may cause serious loss to the forensic artifacts and the evidence to determine exactly what happened.

    After a breach, DiBello added, an organization should take the time to learn what happened, and leverage the lessons learned to improve their systems. Otherwise, they may leave themselves vulnerable to another, similar attack. So DiBello provided the following tips on how to best manage breaches like this.

    Six Steps for Dealing with a High-Level Data Breach - slide 1

    Click through for six steps organizations should take when faced with a data breach, as identified by Anthony DiBello, strategic partnerships manager, Guidance Software.

    Six Steps for Dealing with a High-Level Data Breach - slide 2

    Formally confirm and communicate an incident has occurred.

    Free download: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

    Six Steps for Dealing with a High-Level Data Breach - slide 3

    Disconnect affected systems from the network to prevent the spread of malware or other risks to other machines, and enable capture and preservation of relevant information related to investigating the incident’s cause.

    Free download: Cybersecurity Questions for CEOs

    Six Steps for Dealing with a High-Level Data Breach - slide 4

    Gather system memory, running processes, open ports from all affected systems, as well as network traffic logs.

    Free download: Computer Forensics Overview

    Six Steps for Dealing with a High-Level Data Breach - slide 5

    Take a full disk image of affected machines to preserve evidence.

    Free download: System Integrity Best Practices

    Six Steps for Dealing with a High-Level Data Breach - slide 6

    Clean and repair affected systems to return them to their original state. Use new hardware or use existing hardware if budget is constrained.

    Free download: Managing the Configuration of Information Systems with a Focus on Security

    Six Steps for Dealing with a High-Level Data Breach - slide 7

    Using your forensic tool of choice, look at the artifacts and seek to determine the nature of the breach/exfiltration, how it was carried out, and tools/software used to perform the breach/exfiltration.

    Free download: Computer Forensics Overview

    Six Steps for Dealing with a High-Level Data Breach - slide 8

    Notify all affected parties and report on facts as they come available. Your process will depend on the industry and nature of the breach/exfiltration.

    Free download: Guide for Conducting Risk Assessments

    Sue Poremba
    Sue Poremba
    Sue Poremba is freelance writer based on Central PA. She's been writing about cybersecurity and technology trends since 2008.

    Latest Articles