Data Breach Kit: Five Steps to Help You Survive the Inevitable

Fact: Information systems are porous. Most companies will, despite their best efforts, allow some level of data exposure during the next year. Are you ready? Learn the tools and processes you need in place now to control data-breach damage, perform digital forensics, and gather the evidence required to recover and reduce risk.

Data breaches are inevitable, and most companies will—despite their best efforts—suffer a breach in the coming year. Such breaches may compromise people's confidential or personal information and thus put an organization in noncompliance with various regulations, including HIPAA, the Payment Card Industry Data Security Standard, Visa member rules, or privacy laws with notification requirements now in effect in many states and countries.

Yet many organizations do not detect a breach until extensive damage has been done, nor do they know how to proceed when they do suspect one. Accordingly, all companies—and especially those in regulated industries—need a data breach response plan, including a strategy for utilizing digital forensics to investigate breaches.

By planning ahead, organizations can spot breaches and react more quickly to contain the damage, gather evidence, and know who to notify. "With any kind of regulation, the faster you react, the more you can limit your exposure," says Michael Gavin, security strategist at Security Innovation. "If someone has broken into your database and it's HIPAA information, the more time they have to download records, the more the organization is at risk."

Five Steps to Contain Data Breaches

To control data-breach damage, pursue forensic investigations that hold up in court, and help prevent breaches from happening in the first place, experts recommend companies follow these five steps:

1. Spot the Breach

To stop data breaches, first know there's a breach. Otherwise, your company may end up like the TJX Companies, which didn't discover an ongoing breach resulting in the theft of 45.7 million credit card numbers until several years after it began. Cue regulatory actions, public outcry, and class-action lawsuits.

To detect breaches, IT departments must monitor network and system performance, disk usage, Internet activity, and any unusual access. Related tools include intrusion detection/prevention systems (IDS/IPS), network security monitoring tools, and security event management tools that correlate and analyze logs. "Look to anything that has some sort of alerting mechanism on things that happen in your environment—anything suspicious or unusual," says Gavin.

Of course, many organizations already have such tools. "People say, we have IDS systems in place, and you say, great, when was the last time you actually looked at them? And you get the blank stare. When did you look at the logs on your Active Directory servers? Are you deleting users who are no longer with the company? Things of that nature," says Brian Gawne, who heads the forensics practice at CTG Information Security Solutions, which is a certified assessor for Visa.

In other words, to spot breaches, IT must now pay attention to "all the stuff that IT shops don't have a lot of time to do," he says.

2. Build Response Plans

Next, study the top information security threats facing your organization, and begin creating an incident response plan for each one, beginning with the greatest risks first. Each plan should detail who at the company can request a forensic investigation of a suspected security breach, and how that investigation should proceed.

In particular, each plan should address how you will:

  • Respond. Specify how to respond to the threat in question. For example, a credit card processor might block a denial of service attack yet keep all systems online. If a healthcare database storing HIPAA information is under attack, however, the plan may be to take it offline, pending an investigation.

  • Investigate. When defining goals for an investigation, companies typically want "to identify early on what's been exposed, what's the damage, how broad is it, how extensive, and what types of data did they actually get access to," says Gavin. Often, this involves rapid triage, and then testing assumptions based on initial research. "Things that you find, you need to just drill down and see how deep they go."

  • Notify. For each type of incident, know who to notify. Requirements vary based on regulations and business partners. For example, if a Visa member company suffers a security incident—defined by Visa as "deliberate electronic attacks" on "communications or information processing systems"—then it "must take immediate action to investigate the incident, limit the exposure of cardholder data, notify Visa, and report investigation findings," all within 10 days. Yet whether you will need to notify law enforcement of a breach or attack can be unclear. Thus, experts recommend getting to know agents at your local FBI and Secret Service branches now, so you'll know who to ask.

Also update your security policies so investigators can access any data or devices they need during an investigation. Gawne says related security policies typically specify that employees "have no right to privacy if using corporate-owned assets or … private ones in the enterprise," such as iPods.

3. Train Response Teams

For each security incident response plan, identify who's on the response team. While the exact mix will vary by plan, such teams often draw from human resources, legal counsel, financial managers, technical specialists, company leaders, and even public relations. Indeed, "if it's a breach, you may want them to be able to spin this," notes Gawne.

Train the teams—including executives—on the plans, and then regularly test and refine them. "Practice the plan," says Gavin. "Find out where it's weak and where it needs improvement."

Also train in-house IT personnel about how to respond to a suspected incident, and to always document changes they make to the IT environment, whether in response to a breach or not. "That's the biggest problem I come across—there were no notes taken," says Gawne. Such notes will dramatically speed an investigation, since they tell an investigator which changes to the IT environment were authorized and made purposefully, to help them then identify suspect activity.
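One way to put those notes to work, as an added example that is not from the article or anyone quoted in it: a small Python script that matches changes observed in host and Active Directory logs against a register of documented changes and reports whatever has no record, giving the investigator a triage list of suspect activity. The log format, field names, ticket numbers and sample data are constructed assumptions, not any real product's output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SLACK = timedelta(minutes=30)  # tolerance for clock drift and late logging

@dataclass(frozen=True)
class Change:  # a documented, authorized change: what the IT team's notes record
    ticket: str
    host: str
    action: str   # e.g. "user_created", "service_installed"
    target: str   # account, service or object the change touched
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Event:  # an observed change, as pulled from host or Active Directory logs
    time: datetime
    host: str
    action: str
    target: str

def is_documented(event, register):
    """True when a change record on the same host, with the same action and
    target, brackets the event's timestamp (within SLACK)."""
    return any(c.host == event.host and c.action == event.action and c.target == event.target
               and c.start - SLACK <= event.time <= c.end + SLACK for c in register)

def parse_event(line):
    # Constructed log format: "<ISO time> <host> <action> <target>"
    ts, host, action, target = line.split()
    return Event(datetime.fromisoformat(ts), host, action, target)

def undocumented_changes(log_text, register):
    """Events with no covering change record: the investigator's triage list."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if not is_documented(e, register)]

# Constructed sample data: two documented changes, four observed events.
REGISTER = [
    Change("CHG-1042", "dc01", "user_created", "jsmith",
           datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 10, 0)),
    Change("CHG-1043", "web02", "service_installed", "backup-agent",
           datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 4, 23, 0)),
]
SAMPLE_LOG = """\
2024-03-04T09:12:00 dc01 user_created jsmith
2024-03-04T22:40:00 web02 service_installed backup-agent
2024-03-05T03:17:00 dc01 user_created svc_report
2024-03-05T03:21:00 dc01 group_member_added DomainAdmins/svc_report
"""
```

Run against the sample data, the two overnight account changes on dc01 come back as undocumented while the two ticketed changes are cleared, which is exactly the distinction the notes exist to make.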

4. Find Digital Forensics Experts

Digital investigations require forensic specialists who know the proper techniques for seizing, imaging and analyzing devices, and for correctly documenting their work and transferring custody of evidence. In addition, they are typically certified in the two primary digital forensics tools: Guidance Software's EnCase and AccessData's Ultimate Forensics Toolkit (FTK).

Frequently attacked companies—especially high-technology companies and financial institutions—often have on-staff forensic investigators. Most other companies will look to consulting companies for help on an as-needed basis, and thus should plan ahead: identify digital forensic specialists you can call in an emergency, and consider working with them now to refine your security incident response plans.

Avoid making existing IT staff into amateur forensic investigators, simply because of the amount of knowledge needed to successfully extract and analyze data from a variety of devices—from PCs and Apple laptops to the latest smart phones and USB keys—while also maintaining its integrity.

5. React Quickly but Meticulously

With proper planning, a response team can and should react quickly to any suspected attack. "When you're dealing with a security breach, time is of the essence, because people will do some unintelligent things when everybody is scrambling to patch a hole in a system," says Gawne. "So the sooner we can get in, help control the problem, while maintaining the environment and controlling evidence, the better we're going to triage everything—figure out what's going on, forensically look at systems that may have been the point of access, and as you're doing this, help the client secure the network, get things under control, and stabilize the systems. We're not just going in there to catch the bad guy."

Once you've launched an investigation, be meticulous. "Conduct every investigation as if it will go to court," says Gavin. That way, investigators won't mishandle evidence if the investigation—or a counter-suit—does end up in court. Remember, minor breaches sometimes end up revealing major disasters.

Closure Not Guaranteed

By following the above steps, organizations can create fast-reaction plans to contain data breach damage. Yet what about going a step further, and catching the bad guys?

Unfortunately, closure is often an abstract concept. Even in cases of blatant security policy violation or fraud, many cases settle out of court. Others may be dismissed for lack of evidence or jurisdiction, or take years to resolve. Indeed, about five years ago, in a previous job, Gawne says he investigated the theft of 8 million credit card numbers and ultimately worked with both Visa and the Secret Service, which considered the crime a felony and began investigating. The last he heard, it was still an active investigation.