Henrik Dolle - Fotolia
No matter how much effort you put into your network security plan, something as simple as a system update could introduce a vulnerability that hackers can exploit. You do your best, but a breach can still happen. Should that occur, be prepared with a network security checklist and breach response plan.
The nature of the breach and your business should dictate the scope and contents of your response plan. While each data breach can be unique, some others have a basic commonality, so take that historical context into account before building your plan.
After a breach, your network security checklist should include a variety of goals that can involve multiple internal and external organizations. You may want to consider having a "plan of plans," where each lower-level plan focuses on a different aspect of the breach. By taking a granular approach, you might be able to respond more quickly. Let's examine some of the different responses you might take.
Follow this four-step process
Tactical response. First, you need to figure out how to stop the breach from causing further damage. If the breach is focused, such as a compromised admin password, then changing passwords could stop the problem. Consider, though, what to do if the breach is more widespread or, in a worst-case scenario, if you know the system is compromised but not how or where. Might you have to take some or all of your systems offline until you can determine the source of the breach?
Before a breach happens, discuss possible breaches and their appropriate response levels. Your network security team should identify the actions it can take immediately that don't require prior approval. For example, security administrators should be able to turn off all guest networks in your office immediately. Such networks are typically a courtesy rather than a business necessity, and it's possible the breach emanated -- or is actively in progress -- from an unmanaged guest device.
You might want to disable important but unessential resources temporarily to try to isolate the breach or, at a minimum, reduce the number of internal applications or devices the hacker can target. This approach will vary significantly across businesses, but you want to have this analysis and plan in place long before a breach.
Forensic response. The breach, by definition, is a crime. And, for law enforcement and insurance reasons, you need to preserve evidence. Thus, you should have a forensic plan as part of your network security checklist.
Consider at least two scenarios: First, the breach is still in progress; second, the breach has been stopped. In the former, you want to ensure you are generating evidence; in the latter, you want to ensure evidence is preserved.
Audit logging is available in almost every IT system. Typically, the default setting will track important events. But, to prevent the logging software from generating massive amounts of data, it won't record all detailed events. For a breach in progress, however, you may want more detailed information.
In your post-breach plan, you should document which systems have detailed logging options and how to enable them in real time. Hunting around for a tutorial on audit logging is not something you want to do when a breach occurs.
If the breach has been stopped, you need to obtain whatever logs you and investigators would need to analyze after the fact. Some system logs have size limitations, and, when full, just write over existing data. Like a flight recording in an aircraft, these logs are only interested in the most recent activity.
All too often, breaches are not discovered immediately. In such cases, a log that rewrites too quickly might obliterate key data. Check key system logs to determine how long they will keep a historical record. Some systems will keep a permanent history by generating archive files periodically.
Storage is cheap, so you might consider changing settings on any wraparound logs to give you a longer period to review network behavior.
Legal and government notification. A breach can have significant legal and compliance implications. Thus, your network security checklist must include provisions detailing how the appropriate authorities are notified. In most companies, this would involve the legal department, which would notify and interact with law enforcement and government compliance agencies.
It helps to be proactive. If, say, you have data that falls under HIPAA, make sure you coordinate your response plan with the legal department so you understand the specific steps needed to satisfy demands made by relevant enforcement agencies.
Be aware, too, that, even if your company is based in the U.S., you might have European Union GDPR obligations to meet if you handle eurozone data.
Look outside to get breach response help. Opinions and recommendations abound on how to respond to breaches -- with a great deal of information publicly available. Take advantage of these resources when compiling your network security checklist. Travelers Insurance, Experian and many others have information on their websites that provide their insights. Use all these resources, taking bits from each that apply to your environments and needs.
Finally, check to see if your company is one of the growing number of businesses with a cyberinsurance policy. While such policies can help your company recover from any financial loss, they can also affect your breach response strategy -- and not always positively. That's because a cyberinsurance company might dictate how you respond to breaches and require significant real-time interaction with your team as events unfold.