KEY STEPS FOLLOWING A DATA BREACH

Transcription

1 KEY STEPS FOLLOWING A DATA BREACH

2 Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline, and should not replace obtaining legal advice with respect to the required steps and regulatory measures, but rather a suggested check-list of steps that should be considered within the process of dealing with a data breach. What is Data Breach? A data breach is any instance in which there is an unauthorized release or access of personal information or other information not suitable for public release. This definition applies regardless of whether your organization stores and manages its data directly or through a contractor, such as a cloud service provider. Data breaches can take many forms including: hackers gaining access to data through a malicious attack; lost, stolen, or temporary misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.); employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and policy or system failure (e.g., a policy that doesn t require multiple overlapping security measures-if backup security measures are absent, failure of a single protective system can leave data vulnerable). Initial Steps: First 24 Hours»» Record the date and time when the breach was discovered, as well as the current date and time when response efforts begin.»» Define chain of command within the organization and scope of specific authorities with respect to the management of the incident.»» Alert and activate everyone within the organization who is in charge on managing the incident.»» Establish a privileged and specific reporting and communication channel.»» Stop additional data loss by isolating the impacted system and services. This can prevent the attack from expanding and possibly completing its mission. The isolation will also prepare the system for forensic analysis.»» Document everything you do and everyone you talk to in regard to the breach: Who discovered it, who reported it, to whom was it reported, who else knows about it, what type of breach occurred, what was stolen, how was it stolen, what systems are affected, etc.»» Interview those involved in discovering the breach and anyone else who may know about it.»» Review protocols regarding distributing information about the breach for everyone involved in this stage.»» Assess priorities and risks based on what you know about the breach (e.g. the number of suspected people affected, type of information compromised, etc.). Make sure these decisions are made by the appropriate managers.»» Engage a forensics firm to begin an in-depth investigation. It is critical to identify the scope and root cause of an incident and take immediate steps to prevent it from causing further damage by conducting digital forensics analysis and preserving evidence.»» Engage a legal counsel who is specializes in data breach incidents and determine your legal, contractual and insurance notification obligations.»» Preserve all affected system log files including firewall, VPN, mail, network, client, web server and intrusion detection system logs. These logs are critical for assessing the origins of the attack, its duration and the volume of data infiltrated during the breach.»» Warn employees of social engineering attempts. The breach is often only the beginning of a stream of fraudulent social activities, such as phishing s, impersonation schemes, etc. Be aware for any suspicious queries from third parties, such as customers and contractors, which could be related to the data breached (e.g., customer service approach concerning passwords or private data, phishing attempts). 2

3 Additional Key Steps Fix the issue that caused the breach and prevent further possible damages, including: Identify specific customer accounts, systems or records that may have been subject to the breached and implement special monitoring of such. Confirm that anti-virus, DLP, personal firewalls, and other agent-based tools are configured correctly and are not being remotely turned off by malicious actors across the Internet. Locate outdated services or unpatched systems (such as outdated web servers). Attackers can gain access to the affected systems without needing to know any authentication credentials. Put clean machines in place of affected ones. Change all of your passwords and use different passwords for different accounts and services. Use sophisticated passwords. Work with Forensics: Determine if any countermeasures, such as encryption, were enabled when the compromise occurred. Gather system memory, running processes, open ports from all affected systems, as well as network traffic log. You should also analyze backup, preserved or reconstructed data sources. Monitor hacker forums, web crawlers, hacker communities, dark net, deep web, file sharing portals, key logger dumps, and malware logs to find information regarding cyber-attacks against the company, claims pertaining to leaked data from it and offers to sell stolen data belongs to it. Align compromised data with customer names and addresses for notification. Comply with legal obligations: Revisit regulations governing your industry and the type of data lost (e.g., is this data considered "private data" or "sensitive data"? is your service subject to specific regulatory framework?). Determine after consulting your lawyer if the data breach should be notified, in which way, to whom and when. The countdown starts the moment a breach is discovered, but the notification may be delayed in some cases, based on the type of data which was breached, encryption protections and status of the investigation. Obtain a legal document that analyzes the data that has been breached and concludes the legal implications regarding the breach. Report to upper management: Compile timely breach reports on a daily basis for upper management. The first report should include all of the facts about the breach as well as the steps and resources needed to resolve it. Create an overview of priorities and progress, as well as updated problems and risks. Keep in mind that damages that are caused by data breach incidents often become visible after several days or even weeks. Make the executives aware of any upcoming business initiatives that may interfere or clash with the response efforts. 3

4 Ongoing Future Steps to Prevent Data Breach Reoccurrence»» Establish and implement a written data breach response policy.»» Assemble an internal incident response team that is well-versed in privacy and security matters that can take the lead in handling the incident response should you experience another breach in the future. Internal incident response team should include representatives from IT, security, legal, compliance, communications and customer service and a member of the executive management team.»» Consider hiring pre-selected data breach resolution vendor in order to manage the cost of a data breach and choose protection products for individuals affected in the breach.»» Continuously monitor for personal information and other sensitive data leakage and loss.»» Review your information system(s) and data and identify where personal information and other sensitive information resides. Establish a comprehensive vulnerability management program that will help the company to understand its security posture, while minimizing risk where possible. This will include attacking your own network regularly (external penetration test) to find holes in the security posture.»» Encrypt private and sensitive data, especially the credit card numbers and debit card PINs. Whenever data is encrypted, it reduces the potential value of the data for the attacker.»» Effective vulnerability scanners need to be in place in order to locate the vulnerabilities, and give steps on how to remediate them.»» Train personnel in cyber awareness and data breach response, including: safely taking infected machines offline; avoiding phishing scams; identifying suspicious movements, etc. Employee education related to social engineering and frauds (i.e., spear-phishing campaigns) must be ongoing and consistent.»» Refresh authentication for employee access to data, systems and servers. Clear authentication management should be in place to thwart the impact of an employee's credentials that are compromised.»» Consider cyber and data breach insurance. Cyber insurance can help respond to and minimize the damage of a data breach or cyber-attack. 4

5 HFN Cyber Team Practice HFN's Cyber team has extensive knowledge and experience in advising companies in the complex regulatory areas surrounding Cyber-related services and risks. HFN s lawyers work in dedicated teams possessing vital regulatory skills to provide specialist Cyber-related advice in the following areas: compliance, regulatory and commercial matters; strategic and regulatory review of implementation of regulatory framework applicable to various financial, communication and critical resources companies; and assisting companies with preparing and implementing procedures for Cyber-related incidents. The department has expertise in: Compliance and strategic advice to companies developing Cyber security products and services with regards to compliance and regulatory issues concerning the product Compliance monitoring and checkups - review procedures and products of partners and partnerships, assist in monitoring the activity and providing advice on decreasing the applicable risks and responsibilities Legal advice and practical guidelines addressing Cyber incidents, including: internal procedures, regulatory and corporate approvals, incident management Legal advice and practical guidelines addressing applicable standards, policies and legislation that may apply to various financial, communication, security, data and critical resources companies Drafting, reviewing and updating all applicable legal documentation Drafting and reviewing agreements with third parties, including licensing agreements Advice on export and import limitations, security and homeland-security aspects Assistance with investment promotions, filing for Chief Scientist grants Advising on cyber insurance and financial structuring Advising on all related IP issues HFN Cyber team is led by lawyers with unique practical and regulatory expertise in the Cyber field, including Dr. Nimrod Kozlovsky, Ariel Yosefi, Daniel Reisiner and Dr. Avishay Klein. HFN Cyber Team Contacts Ariel Yosefi, Partner Tel: +(972) Fax: +(972) [email protected] Dr. Nimrod Kozlovsky, Senior Advisor Tel: +(972) Fax: +(972) [email protected] 5

6 Asia House, 4 Weizmann St., Tel-Aviv , Israel Tel: (972) Fax: (972) [email protected] Blog: unfolding.co.il