Security breaches happen -- what then?

Security breaches will happen. The only way to manage it is to expect it and to plan for it. From investigating the breach to reporting to law enforcement, here are some pointers to take with you when an intrusion occurs.
Written by Martin Goslar, Contributor
Network security means more than setting up a firewall and installing anti-virus software. These days, network security using just those protections simply doesn't cut it; a variety of other threats, compliments of the Web, demand additional defenses. Look out for hostile code, rogue Java applets, script kiddie attacks -- you name it.

So along with the daily hassles of IT network operations and part-time security responsibilities, security breaches will happen. Plan on them. Any major breaches involving customer financials or data theft, for example, warrant action beyond determining how the hacker(s) found the hole and finding a patch to close the gap.

Systematic response is critical

Once a security breach has been identified, the way those responsible for the internal response proceed is critical -- not just to identify and patch the unauthorized entry points, but to identify the perpetrator(s), establish the extent of the damage, determine what was accessed, and, if needed, notify customers and the appropriate agencies. The following steps will help you maintain control when dealing with major incidents and when addressing the necessary follow-up:

  1. Be sure to assign an IT staff member the lead responsibility of investigating the breach. S/he must document the "who, what, when, where, how, and why" in detail for the record and for external organizations that may be involved later.

  2. Notify managers who may be impacted by aspects of the incident (e.g., data corruption, file destruction, employee workstation infection). Emphasize that incident information is confidential and is to be shared only with those who have a need to know.

  3. Contain the attack or breach, if necessary, by taking compromised servers or workstations offline. Don't use these machines to resolve the breach. Avoid normal shutdown or reboot procedures, which can overwrite evidence on disk; disconnect the power source instead.

  4. Be sure to make backups of affected systems using new storage media before investigating the breach.

  5. Identify and document the extent of the intrusion's impact before installing patches or restoring from backups.
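As an added example (not from the article), the following POSIX shell function carries out steps 1 and 4 together: it copies an affected volume byte-for-byte onto a fresh image file, verifies the copy by hash, and appends a who/what/when/where/how record for the file. The device path, log location and investigator name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Images an affected volume
# onto new media and records the "who, what, when, where, how" for the record.
set -u

# image_evidence SOURCE DEST_IMAGE CUSTODY_LOG INVESTIGATOR
# Prints the SHA-256 of the verified image on success; returns 1 if the copy
# does not verify and 2 if DEST_IMAGE already exists (media must be fresh).
image_evidence() {
    src="$1"; dest="$2"; log="$3"; who="$4"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing image: $dest" >&2
        return 2
    fi
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Raw block copy of the source onto the new media.
    dd if="$src" of="$dest" bs=4096 2>/dev/null || {
        echo "copy failed: $src -> $dest" >&2
        return 1
    }
    # Hash source and image independently; only a matching pair counts.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image does not match source" >&2
        return 1
    fi
    # One tab-separated line per image: when, who, where (host), what
    # (source), destination, verification hash, and how the copy was made.
    printf '%s\t%s\t%s\t%s\t%s\tsha256=%s\tdd bs=4096\n' \
        "$started" "$who" "$(uname -n)" "$src" "$dest" "$img_hash" >> "$log"
    echo "$img_hash"
}

# Typical call (paths are assumptions, run as root on the isolated machine):
#   image_evidence /dev/sdb /mnt/evidence/host01-sdb.img \
#       /mnt/evidence/custody.tsv "J. Analyst"
```

Keep the custody log and the image on media that the compromised machine itself never writes to; the log entry is what later hands the image to counsel or law enforcement with its provenance intact.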

Intrusion information gathered during internal investigation and recovery may later become the evidence supporting your case in court. When substantial damage or sensitive data theft has occurred, be sure to contact legal counsel about referring the incident to law enforcement.

Law enforcement referral

Your firm has several options once a major network incident with potentially significant losses has been uncovered. Beyond legal counsel, several organizations are available to assist in resolving major intrusions. The CERT Coordination Center offers useful incident recovery and reporting procedures. The Computer Crime and Intellectual Property Section of the Department of Justice provides specific agency reporting guidelines for Internet-related crime.

An important caveat: be cautious about reporting network or Internet intrusions to local law enforcement agencies. Check them out before incidents occur. Well-trained computer forensic investigators are still scarce at the local and state level.

As added assurance, consider obtaining insurance against damage from viruses, hackers, unauthorized access, and recovery-related expenses.

Dr. Goslar is principal analyst and founder of E-PHD, LLC, a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.