After your organization has become the victim of a cyber attack, how do you fully recover?
The first activity is to make sure no further malware is present or unauthorized
Check your anti-virus software and any other network analysis devices, such as IDS/IPS. Update them as quickly as possible with appropriate software to minimize chances of a follow-up attack. If necessary, temporarily disable network ports, such as Port 80. This will block any data transmission for a period of time, such as over a weekend, so you can conduct proper assessments.
Learn more about responding to a cyber attack
McAfee report: Organizations lag in responding to cyber war
Protecting against malware in Windows 8
Improve security, thwart attacks
Try to determine where the malware entered the network. Disconnect workstations that could be compromised from the network, thoroughly clean them of any malware, and then restore damaged desktops and files using backups. Contact your Internet service provider as well as your network carriers to advise them of the breach and to enlist their assistance following the attack. Contact local law enforcement agencies to report the breach. If your security department has limited resources, you may wish to engage the services of a third-party security organization to assist you in investigating the problem.
Finally, recover your network and systems, test them for proper operation, clean and disinfect workstations and other network-attached devices, and launch stronger preventive measures. Document all the actions you perform for future audits.
It may be important to obtain legal advice in case of lawsuits that result from any damage created by a cyber attack, such as theft of customer information or damage to technology that makes it difficult or impossible to perform contracted activities, such as delivery of products or services in a specific time frame. Consider obtaining specialized insurance that could help offset future expenses and litigation from cyber attacks.
As a point of order, be sure to provide regular briefings to senior management, such as your CIO, COO and CEO, so they are aware of what is happening. If you use some sort of executive dashboard system, use that to keep management updated.
Analysis of the events associated with the breach comes next. Collect data from network logs and any other information (e.g., personal observations, software error reports) that describe what happened prior to the breach; what occurred during the breach; what was done to stop the breach and what happened following termination of the breach by security systems and software.
Parallel to the above network analysis is an assessment of what business information was lost, stolen, damaged or otherwise compromised. This can include customer records, intellectual property, databases, individual files, applications, financial data and government and regulatory reports.
Report this information as soon as possible to management so that the true financial, operational and reputational damage to the organization can be determined, as well as steps to repair that damage. Further, if any of the compromised systems and/or information involves clients, notify them as soon as possible of the breach, reassuring them that you have the resources to minimize any exposure. Check your state’s privacy laws to determine if you have a legal obligation to report customer data breaches. If your organization conducts business across state lines and even internationally, you must also comply with the laws of each state and country in which you operate.
Outputs of the completed operational assessment should include a detailed summary, over time, of what happened; actions taken by the network staff and how well they worked/didn’t work; proposed changes to operating policies and procedures to address future cyber threats; and proposed changes to security systems, appliances, software, and other measures to increase the robustness of the network perimeter.
Schedule a briefing to senior management to present findings and recommended actions to prevent a future cyber attack.
Some of the preventive measures may include more testing of network security systems on non-critical network segments to ensure that the preventive measures work as planned; increased education for all employees about the importance of network security and what they can do to help prevent future attacks; increased vigilance to identify and stop social engineering before it gets out of hand; more frequent password changing (e.g., every 30 days instead of 90-day cycles); and more frequent (e.g., monthly or bi-monthly) meetings with security system vendors to exchange cyber security information.
About this author: Paul Kirvan, CISA, FBCVI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter. He can be reached at firstname.lastname@example.org.
This was first published in April 2012