1. Review Your Compliance Documents
In tightly regulated industries, organizations must document their compliance with government mandated security standards. If this applies, be sure you can demonstrate compliance in order to avoid fines and regulatory action.
2. Identify an Incident Response Team
Hopefully, you have a computer security incident response team ready to go. If not, assemble a team that, in addition to IT, may include: attorneys, C-suite executives, public relations, and a representative from each of the business lines affected; include HR if the breach involves employees. Having a team will reduce the chances of an erratic response.
3. Assess the Damage
Determine who and what is affected and the potential effect on your business. An external attack on your public website might not be a big deal if it's an informational site, but it can break your business if you're dependent on e-commerce. Also, an insider attack on the company's personnel database may have a different impact than a hacker's theft of a client database.
4. Notify Stakeholders
Who you tell and when you tell them can make a difference as to whether you're able to quickly find and fix the problem. If yours is a highly regulated industry, you'll need to call government officials immediately. If a crime may have been committed, law enforcement will be one of the first calls. If you are planning to bring in third-party consultants, such as security or computer forensic experts, bring them in as early as possible. Most states set specific disclosure deadlines, up to 30 days, for informing customers and others who may be affected by the breach. This means you'll have time to get the situation under control before the information becomes public.
5. Identify the Cause and Minimize the Damage
Many severe security problems appear mild at first. In fact, your IT staff may think it's just a nuisance and apply a routine fix. Initial signs may include an increase in overall traffic, especially an unusual amount of outbound activity, and an increase in help desk requests. More overt signs include crashing Internet and intranet sites. In the extreme, nothing will work at all. Unless the breach is actively hurting your business, don't begin remediation until you fully understand the cause and its potential impact.
6. Document the Incident
Lack of documentation will not only make it difficult to rebuild your systems, it can also hurt your chances of successfully prosecuting an attacker. Throughout the assessment and remediation process, you should record everything, from how the incident was detected to what the members of the response team did.
If the attack came from outside the company and your security hardware and software are up to date, documentation will occur automatically through firewall log files, IDS/IPS/IDP systems, and other security information management tools. Your job will be much easier if the tools you have in place are sophisticated enough to record the intrusion, the ensuing infections or downloads, and the configuration changes that stopped the attack.
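Added example (not from the article): a small Python script that applies the early warning from step 5, an unusual amount of outbound traffic, to firewall log lines and records the detection as a timeline entry of the kind step 6 calls for. The log format, host addresses and baseline figures are constructed for illustration and do not come from any real product.

```python
"""Flag outbound-traffic spikes per internal host and log them as incident entries."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: "<timestamp> <src_ip> <dst_ip> <bytes_out>"
SAMPLE_LOG = """\
2010-03-01T09:00:00Z 10.0.0.5 203.0.113.10 1200
2010-03-01T09:05:00Z 10.0.0.5 203.0.113.10 900
2010-03-01T09:10:00Z 10.0.0.7 198.51.100.4 1500
2010-03-01T09:15:00Z 10.0.0.5 203.0.113.10 1100
2010-03-01T09:20:00Z 10.0.0.7 198.51.100.4 52000000
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((parts[0], parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue  # non-numeric byte count: keep going, do not crash the review
    return records


def outbound_totals(records):
    """Sum outbound bytes per internal source host."""
    totals = defaultdict(int)
    for _, src, _, nbytes in records:
        totals[src] += nbytes
    return dict(totals)


def flag_spikes(records, baseline_bytes, factor=10):
    """Return hosts whose total exceeds factor x their baseline, or that have no baseline.

    baseline_bytes maps src -> typical bytes for the period (assumed to come from
    earlier, known-good logs; the figures used in the tests are constructed).
    """
    flagged = {}
    for src, total in outbound_totals(records).items():
        base = baseline_bytes.get(src)
        if base is None or total > factor * base:
            flagged[src] = total
    return flagged


def incident_entry(action, detail, when=None):
    """One timeline record (how it was detected, or what the team did), for the incident log."""
    when = when or datetime.now(timezone.utc).isoformat()
    return {"time": when, "action": action, "detail": detail}
```

Each detection and each team action should produce one `incident_entry`, so the resulting list is the record step 6 asks you to keep.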
"The situation usually isn't as dire as people initially think it is," Theriault said. "Once you have a handle on the problem, it's time to start thinking about avoiding a similar situation in the future. Your clients might understand if it happens once, but they won't be as generous if it happens twice."
Copyright © Auerbach Publications 2010