By Martin Quinn (Principal Consultant) 21 November 2014
You frantically try to understand how these bad guys got in, and then your thoughts turn to the next question: what did they access and take?
Many businesses don’t know where to start or what steps to take. But if your business acts quickly and follows these 3 steps, you may well recover quickly and end up with a more secure business as a result.
Step 1 – Identify and Contain
Naturally, the first step is to understand the nature of the breach.
- What happened?
- Where did it come from?
Whether it came from a dodgy phishing scam or a dubious click on a social media site, the result is the same. So the first step is to identify the entry point and contain the malware. This is straightforward if your business has technology that logs and monitors for this type of activity. If not, your best bet is to disconnect the device from your network: stop all network activity by turning off wireless or disabling the Ethernet port. This way the malware cannot phone home, and you have isolated it from potentially infecting other devices and systems.
Step 2 – Eradication
Now that you have identified the culprit and stopped it from spreading, it’s time to clean it up. Malware can be a slippery sod. Robust and up-to-date antivirus and anti-malware protection may do the job, but malware can be cunning: it can embed itself in processes, hide in plain view and burrow deep into the core of your system. So it’s prudent to use secondary and tertiary products to reinforce your current solution, such as Malwarebytes or Spybot Search & Destroy.
Even if only one or a few devices appear to be infected, all devices should be scanned and cleaned. Additionally, the domain from which the malware originated must be identified and blocked, both to prevent future downloads and to stop the malware from phoning home. It’s good practice to assume that the credentials on the device have been compromised, so the affected users (or better still, all users) should change their passwords. This prevents the evil actor from returning to the scene of the crime later. (BTW, a password breach is an excellent opportunity to beef up password strength requirements.)
Step 3 – Recovery and Lessons Learned
Next, organizations must work to discover exactly what damage may have been done due to the breach. Here’s where user and application activity monitoring solutions come in handy. If they’ve already been deployed, IT can comb through the logs to identify suspicious behaviour, for example unusually frequent logins or login attempts, logins at unusual times, and large or otherwise anomalous file downloads or data access. If you do not have a robust activity monitoring solution in place, the task of rooting out what data has been stolen becomes much more difficult, but it provides an opportunity to educate on the value of such solutions in future.
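To make the log review described above concrete, here is an added example (not code from the original post or from Intact Security) that runs the three checks mentioned, a burst of failed logins, successful logins outside business hours, and unusually large downloads, over a handful of constructed activity-log lines. The log format (`ts user= event= src= file= bytes=`), the user names, the IP addresses and the thresholds are all assumptions for the illustration; a real monitoring product will have its own export format, so only the parsing would need to change.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). The burst of failures,
# the 02:14 login and the 850 MB download are planted so the checks fire.
SAMPLE_LOG = """\
2014-11-20T09:02:11 user=alice event=login_ok src=10.0.0.21
2014-11-20T09:15:40 user=alice event=download src=10.0.0.21 file=report.docx bytes=120000
2014-11-20T02:14:05 user=jsmith event=login_failed src=10.0.0.14
2014-11-20T02:14:09 user=jsmith event=login_failed src=10.0.0.14
2014-11-20T02:14:13 user=jsmith event=login_failed src=10.0.0.14
2014-11-20T02:14:18 user=jsmith event=login_failed src=10.0.0.14
2014-11-20T02:14:22 user=jsmith event=login_failed src=10.0.0.14
2014-11-20T02:14:30 user=jsmith event=login_ok src=10.0.0.14
2014-11-20T02:20:01 user=jsmith event=download src=10.0.0.14 file=customers.csv bytes=850000000
2014-11-20T14:05:00 user=bob event=login_failed src=10.0.0.33
2014-11-20T14:06:00 user=bob event=login_ok src=10.0.0.33
"""

# Assumed line layout: timestamp, user, event, source IP, optional file/bytes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)"
    r"(?: file=(?P<file>\S+) bytes=(?P<bytes>\d+))?$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "user": d["user"],
            "event": d["event"],
            "src": d["src"],
            "file": d["file"],
            "bytes": int(d["bytes"]) if d["bytes"] else 0,
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside any sliding window.
    Returns {user: largest number of failures seen within one window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def off_hours_logins(events, work_start=7, work_end=19):
    """Successful logins whose hour falls outside [work_start, work_end)."""
    return [e for e in events
            if e["event"] == "login_ok"
            and not (work_start <= e["ts"].hour < work_end)]


def large_downloads(events, max_bytes=50_000_000):
    """Downloads larger than the assumed per-file ceiling (50 MB here)."""
    return [e for e in events
            if e["event"] == "download" and e["bytes"] > max_bytes]


def review(text):
    """Run all three checks and return a compact summary for the responder."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "off_hours_logins": [(e["user"], e["ts"].isoformat())
                             for e in off_hours_logins(events)],
        "large_downloads": [(e["user"], e["file"], e["bytes"])
                            for e in large_downloads(events)],
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

The three findings line up with the three questions a responder asks after containment: was an account brute-forced, when did the intruder actually get in, and what did they pull out. Because the checks are plain functions over parsed events, the thresholds (five failures in five minutes, a 07:00 to 19:00 business day, 50 MB) can be tuned to what is normal for your environment rather than left at the assumed values used here.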
If any sensitive or confidential data has been stolen or exposed due to the security breach, the organization should follow the guidance of its legal counsel as far as disclosure and further legal action.
Finally, security breaches almost always demonstrate a need for more user education. If the breach was due to malware, it is time to remind all employees of the dangers of media links and how to identify and avoid suspicious ones. On the other hand, if the breach was due to a phishing scam, employees may need a refresher course in online stranger danger. As mentioned above, account credential compromises also present an opportunity to beef up password strength requirements and to educate users on the importance of strong passwords.
Security breaches can cause real damage and be very alarming, but they need not be the end of the world. By taking quick action, your business can rebound quickly and become safer than before. You only need to learn from the mistakes.
Intact Security hopes to have assisted your business with these steps. If you have any questions or even some further tips, please contact us.
Relax. Your security is Intact.
Author: Intact Security