The Lesson of WikiLeaks: Six Steps to Responding to a Security Crisis

The ongoing WikiLeaks debacle reminds us all of the fact that online and offline security is still vulnerable. It’s easy to dismiss the incident as lax oversight on the part of the U.S. Department of Defense (and that may be the case) but the truth is that most organizations have gotten complacent about data security -- this is a wake-up call to us all.

If you find yourself suddenly faced with a data security breach, your goal is a quick, but considered response. Gather the facts as quickly as you can and act as soon as you have enough information to respond correctly. Don’t take any action until you can accurately define the problem (not necessarily the cause) and know its scope. Consider the following six steps: 

1. Review Your Compliance Documents

In tightly regulated industries, organizations must document their compliance with government mandated security standards. If this applies, be sure you can demonstrate compliance in order to avoid fines and regulatory action.

2. Identify an Incident Response Team

Hopefully, you have a computer security incident response team ready to go. If not, assemble a team that (in addition to IT) may include: attorneys, C-suite executives, public relations, and a representative from each of the business lines affected – including HR if the breach involves employees. No matter how small your organization, don’t allow one person to handle the situation. Having a team will reduce the chances of an erratic response. 

3. Assess the Damage

Determine who and what is/may be affected and the potential effect on your business. An external attack on your public website might not be a big deal if it’s an informational site, but it can break your business if you’re dependent on e-commerce. Also, an insider attack on the company’s personnel database may have a different impact than a hacker’s theft of a client database. 

4. Notify Stakeholders

Who you tell and when you tell them can make a difference as to whether you're able to quickly find and fix the problem. If yours is a highly regulated industry, you’ll need to call government officials immediately. If a crime may have been committed, law enforcement will be one of the first calls. If you are planning to bring in third-party consultants, such as security or computer forensic experts, bring them in as early as possible.

Most states have specific deadlines for informing customers and others who may be affected by the breach (up to 30 days for disclosure). This mean you’ll have time to get the situation under control before the information becomes public.

5. Identify the Cause and Minimize the Damage

Many severe security problems appear mild at first. In fact, your IT staff may have seen it as a nuisance and applied a routine fix. For example, many insider attacks look like minor glitches until someone notices unusual or suspicious behavior and the situation escalates. Initial signs may include an increase in overall traffic – especially an unusual amount of outbound activity and an increase in help desk requests. More overt signs include crashing websites and internal sites. In the extreme, nothing will work at all.

Unless the breach is actively hurting your business, don’t begin remediation until you fully understand the cause and its potential impact. In some cases, you shouldn't touch anything until a forensics team has finished collecting evidence.

If the breach is affecting your business, you’ll want to limit damage immediately by doing such things as unplugging servers and storage systems that are being infected or penetrated. Other measures may include disconnecting media devices – especially if you suspect a malicious code is running. Generally speaking, the faster you disconnect the equipment, the better your chances of saving your data. Once you’ve taken these basic steps, don’t do anything else without the help of experts.

6. Document the Incident

Lack of documentation will not only make it difficult to rebuild your systems, it can also hurt your chances of successfully prosecuting an attacker. Throughout the assessment and remediation process, you should record everything, from how the incident was detected to what the members of the response team did. 

If the attack came from outside the company and your security hardware and software is up to date, documentation will occur automatically through firewall log files, IDS/IPS/IDP systems, and other security information management tools. Your job will be much easier if the tools you have in place are sophisticated enough to record the intrusion; the ensuing infections or downloads; and the configuration changes that stopped the attack.

Documentation is one of the most overlooked and time-consuming aspects of a security incident. However, documentation is critical for many things such as rebuilding systems that have been temporarily modified to halt an incident.