Professional Documents
Culture Documents
A SUCCESSFUL INCIDENT
RESPONSE PLAN
Best practices to prepare for a data breach
© SecurityMetrics
HOW TO MAKE AND IMPLEMENT A SUCCESSFUL INCIDENT RESPONSE PLAN | 1
INTRODUCTION
You need to have a current incident response plan that is ready to go if
your organization ever gets breached.
PHASE 1 P R E PA R E
IDENTIFY
motion immediately
after learning of a
suspected data breach.
HOW TO MAKE AND IMPLEMENT A SUCCESSFUL INCIDENT RESPONSE PLAN | 4
PHASE 3: CONTAIN
When an organization becomes aware of a possible
breach, it’s understandable to want to fix it imme-
diately. However, without taking the proper steps
and involving the right people, you can inadvertently
destroy valuable forensic data. Forensic investigators
use this data to determine how and when the breach
occurred, as well as devising a plan to prevent similar
future attacks.
PHASE 4: ERADICATE
After containing the incident, you need to find and
eliminate policies, procedures, or technology that led to
the breach. This means all malware should be securely
removed, systems should again be hardened and
patched, and updates should be applied.
For organizations that process data online, improper Top failed vulnerabilities discovered by
coding could be their biggest risk. For a brick-and-mor-
SecurityMetrics vulnerability scans:
tar organization that offers WiFi for their customers,
their biggest risk may be Internet access. Other organi- • TLS Version 1.0 Protocol Detection: Exists if
zations may place a higher focus on ensuring physical the remote service accepts connections using
security, while others may focus on securing their TLS 1.0 encryption
remote access applications. • SSL Certificate with Wrong Hostname:
Happens when a SSL certificate for the tested
Here are examples of a few possible risks: service is for a different host
• External or removable media: executed from • Web Application Potentially Vulnerable to
removable media (e.g., flash drive, CD) Clickjacking: Occurs if a remote web server
• Attrition: employs brute force methods (e.g., does not set an X-Frame-Options response
DDoS, password cracking) header in all content responses
• Web: executed from a site or web-based app • SSL RC4 Cipher Suites Supported (i.e.,
(e.g., drive-by download) Bar Mitzvah Attack): exists when the RC4
encryption algorithm is used in SSL/TLS
• Email security: executed via email message or
transmission
attachment (e.g., malware)
• SSL Self-Signed Certificate: Occurs when
• Impersonation: replacement of something benign
organizations use an identity certificate that
with something malicious (e.g., SCL injection
they create, sign, and certify rather than a
attacks, rogue wireless access points)
trusted certificate authority (CA)
• Loss or theft: loss of computing device or media
(e.g., laptop, smartphone)
HOW TO MAKE AND IMPLEMENT A SUCCESSFUL INCIDENT RESPONSE PLAN | 9
WHAT TO INCLUDE IN AN
INCIDENT RESPONSE PLAN
Creating an incident response plan can seem overwhelming. To
help, develop your incident response plan in smaller, manageable
procedures.
EMERGENCY CONTACT/
COMMUNICATIONS LIST
Proper communication is critical to successfully man- Your incident response team should craft specific
aging a data breach, which is why you need to docu- statements that target the various audiences, including
ment a thorough emergency contact/communications a holding statement, press release, customer state-
list. This list should contain information about: who ment, and internal/employee statement. For example,
to contact, how to reach these contacts, when it’s the you should have pre-prepared emails and talking points
appropriate time to reach out, and what you need to say. ready to go after a data breach.
In this list, you should document everyone that needs Your statements should address questions like:
to be contacted in the event of a data breach, such as • Which locations are affected by the breach?
the following individuals:
• How was it discovered?
• Response team
• Is any other personal data at risk?
• Executive team
• How will it affect customers and the community?
• Legal team
• What services or assistance (if any) will you
• Forensics company provide your customers?
• Public relations • When will you be back up and running, and what
• Affected individuals will you do to prevent this from happening again?
• Law enforcement
Identify in advance the person within your organization
• Merchant processor
(perhaps your inside legal counsel, newly hired breach
management firm, C-level executive, etc.) that is
You need to determine how and when notifications will responsible for ensuring the notifications are made
be made. Several states have legislated mandatory time timely and fulfill your state’s specific requirements.
frames that dictate when an organization must make Your public response to the data breach will be judged
notifications to potentially affected cardholders (and law heavily, so think this through.
enforcement). You should be aware of the laws in your
state and have instructions in your incident response plan
that outline how you will make mandated notifications.
HOW TO MAKE AND IMPLEMENT A SUCCESSFUL INCIDENT RESPONSE PLAN | 14
DISCUSSION-BASED EXERCISE
In a discussion-based table exercise, you and your staff PARALLEL TESTING
discuss response roles in hypothetical situations. In parallel testing, your incident response team
actually tests their incident response roles in a test
A discussion-based tabletop exercise is a great starting environment.
point because it doesn’t require extensive preparation
or resources, while still testing your team’s response Parallel testing is the most realistic simulation possible
to real-life scenarios without risk to your organization. and provides your team with the best feedback about
However, this exercise can’t fully test your incident their roles. However, parallel testing is more expensive
response plan or your team’s response roles. and requires more time planning than other exercise
because you need to simulate an actual production
environment (e.g., systems, networks).
HOW TO MAKE AND IMPLEMENT A SUCCESSFUL INCIDENT RESPONSE PLAN | 18
CONCLUSION
If you don’t already have an incident response plan,
making one should be a top priority. Next, regularly
practice and review your plan. Without regular tabletop
exercises andsimulation trainings, your staff may make
poor decisions which may make beach impact worse.
ABOUT SECURITYMETRICS
We help customers close security and
compliance gaps to avoid data breaches.
Our forensic, penetration testing, and audit
teams identify best security practices and
simplify compliance mandates (PCI DSS,
HIPAA, HITRUST, GDPR). As an Approved
Scanning Vendor, Qualified Security Asses-
sor, Certified Forensic Investigator, we have
tested over 1 million systems for security.
https://www.securitymetrics.com/forensics