ProCircular Information Security Experts Corner

Real-Life Lessons Learned About Security Incident Handling

Posted by Aaron R. Warner on Jun 28, 2018 8:28:00 AM
Find me on:

Secure

Just like one small crack in your foundation can lead to structural issues down the road, one small crack in your cybersecurity program can expose you to much greater risks later.

 What do you do if you think you’ve been hacked, phished, or somehow compromised? For answers, you’ll want to hang onto this blog – print it, bookmark it, and share it with your team. When it comes to security incident handling and response, we’ve gathered the lessons learned by those who’ve had to call us for support during a breach.

Straight from the mouths of people who’ve been there, here’s what they wish they would’ve known earlier – and what they wish they’d have done ahead of time.

1. Provide Better Training
Many wish they had done a better job of security awareness training. Employees serve as your first line of defense, and educating them on how to identify a breach can help identify potential problems early.

There are many ways to incorporate security awareness training into your workplace, whether it’s through a monthly lunch-and-learn exercise, regular email updates about new threats, or web-based training. Providing them with the “right to say no” to people asking for credentials or information can be just as valuable as the million-dollar hardware solutions that reside in the server room.

2. Employ Strong Multi-Factor Authentication
Passwords have shortcomings, and are only as strong as the user makes them. Many in the industry would tell you that passwords alone are dead – they’re easy to guess with modern technology and, with just one piece of information, an attacker can compromise your entire system.

Multi-factor authentication adds another layer of protection by combining something the user knows (like a password) with something the user has that’s specific to him/her (like a fingerprint or a code sent to a specific phone).

This makes it easier to verify that the person accessing the system is who they say they are, ensuring that an attacker can’t access sensitive data. In many cases, where breaches occur as a result of an unauthorized user guessing/accessing a password, multi-factor authentication could have prevented it.

3. Perform System Checks/Assessments
Because systems and infrastructure change over time, regular assessments can ensure that your cybersecurity measures are still protecting your organization (and that “new cracks” in the foundation haven’t appeared). Many breaches we’ve responded to could’ve been prevented by identifying well-known weaknesses that would have been detected in run-of-the-mill scanning.

4. Practice Good Data Hygiene
In order to protect your data, you have to first know what data exists (and its value). Once you have your arms around that information, you can preserve what you need and safely get rid of what you don’t.

Duplicate or forgotten data can give bad actors additional access points into your network. If you’ve forgotten that it exists, it may take a long time to realize that it has been compromised.

Discard information you no longer need. Just like your duplicate or forgotten data, holding onto outdated records expands your data footprint and provides more opportunity for unauthorized access.

5. Build Relationships Early
When a breach occurs, security incident handling will be much smoother if you already know what to do and who to call.

The last thing you want to worry about when you discover a potential problem is trying to find someone who can help (and wondering whether law enforcement or the FBI need to be contacted). Establishing a relationship with a cybersecurity services firm ahead of time means that you’ll know exactly what to do when an issue arises. They’ll already be familiar with you, your organization, your network, and your cybersecurity posture, giving them a head start.

Also, consider conducting tabletop exercises to simulate real-world situations, practice your existing security incident handling processes, and identify potential plan weaknesses.

6. A Breach is a Crime Scene
Preserving evidence is important once a cyber crime has been committed. It may be the only way to validate that the problem has been resolved.

If, for example, you discover the computer being used to conduct a breach, your first reaction may be to turn it off. Don’t! This instantly signals to hackers that the game is up, and they’re likely to begin covering their tracks by destroying data. There’s a good chance that they’ve been in the network for months. Taking another day or two to snapshot the systems and get a picture of what’s happening probably won’t make any difference in terms of the size of the breach.

Instead, you’ll have a good record of what’s happened that may be useful to law enforcement, your insurance firm, and the people tasked with preventing the breach from happening again.

As the bad guys step up their game, you can up yours as well. Stay one step ahead of potential threats by partnering with ProCircular. We offer a variety of services and solutions to meet your needs, budget, and timelines. And if you’re looking for a way to streamline your cybersecurity, our ReadySecure Essentials subscription service may be just what you need. Contact us with any questions – we’re happy to help! 

 

Topics: security incident handling, security incident response