In this article, we continue the series on data security incident management with an examination of what happens after a software or human security threat is identified and contained: eliminate the data security threat and restore data and network services.
Eliminating Possible Data Security Threats and Attacks
It’s nearly impossible to define a detailed eradication process general enough to include here. Each possible data and network attack is unique, requiring a unique approach to eliminating the corresponding threat or data security attack. Proper preparation prior to an attack, however, provides the tools and external resources necessary to construct an effective elimination plan. Eradication of data security threats includes:
- Deleting malware from affected network systems
- Disabling access for compromised user accounts
- Detention of human intruders
- Possible arrest or termination of employees responsible for fraudulent or destructive acts on corporate data
- Any other action that removes a security threat and stops attack activities
The first three steps of data loss incident response – detect, contain, eradicate – are focused on containing the scope of the security attack and eliminating the data and network security threat. Once these objectives are met, data and network recovery operations begin.
Recovering Lost Data from Corporate Information Systems
Data recovery operations can actually begin once containment is achieved. Recovery of critical data systems may be necessary to meet deadlines associated with employees (e.g. payroll) or customers. The important thing to remember is to ensure the system you plan to recover is no longer exposed to the data security threat. Your flexibility in simultaneously executing multiple steps during a data security incident response is directly related to the IRT skills developed during training and practice exercises BEFORE a security attack occurs on your enterprise's data or network.
Depending on the nature of a security attack and your enterprise's ability to quickly identify loss of data and/or computer networks, activities intended to recover corporate data systems might include:
- Reconnecting servers and workstations to the network or data storage devices
- Data and network system restores from tape
- Complete rebuild of data systems
- Replacement of compromised data or reinstallation of applications
- Immediate device hardening:
  - Install patches
  - Change passwords
  - Reconfigure physical and logical perimeter devices that protect data
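The eradication steps above (disable compromised accounts, remove malware) and the recovery steps (rotate passwords, patch, reconnect) only work in that order if someone actually checks that the first set is finished before the second begins. The following is an added example, not code from the article, of a recovery readiness gate an IRT could keep in its toolkit: each host carries a small record of what has been done and when, and the gate lists the reasons a host must not yet be reconnected or restored. The host names, account names and timestamps are constructed for the example, and the specific checks (account disabled, clean post-cleanup scan, credentials rotated after eradication, patches installed) are the author's choice of a minimal set.

```python
"""Recovery readiness gate: refuse to return a host to production until the
eradication steps the incident plan calls for are verifiably complete.
Added example; hosts, accounts and timestamps below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone, timedelta
from typing import Optional


@dataclass
class HostState:
    hostname: str
    contained_at: Optional[datetime]             # when network isolation was applied
    eradicated_at: Optional[datetime]            # when malware removal / access cut finished
    compromised_accounts: dict = field(default_factory=dict)  # account -> True if disabled
    malware_indicators_present: bool = False     # result of the post-cleanup scan
    credentials_rotated_at: Optional[datetime] = None
    patched_at: Optional[datetime] = None


def recovery_blockers(host: HostState) -> list:
    """Return the reasons this host must NOT be reconnected or restored yet.
    An empty list means recovery may proceed on this host."""
    blockers = []
    if host.contained_at is None:
        blockers.append("not contained: isolate before any recovery work")
    if host.eradicated_at is None:
        blockers.append("eradication not complete")
    still_active = sorted(a for a, disabled in host.compromised_accounts.items() if not disabled)
    if still_active:
        blockers.append("compromised accounts still enabled: " + ", ".join(still_active))
    if host.malware_indicators_present:
        blockers.append("post-cleanup scan still reports malware indicators")
    # Passwords changed while the intruder still had access must be treated as
    # captured, so the rotation has to postdate the end of eradication.
    if host.credentials_rotated_at is None:
        blockers.append("credentials not rotated")
    elif host.eradicated_at is not None and host.credentials_rotated_at < host.eradicated_at:
        blockers.append("credentials rotated before eradication finished; rotate again")
    # The weakness that let the attacker in must be closed before reconnecting.
    if host.patched_at is None:
        blockers.append("patches not installed")
    return blockers


def triage_recovery(hosts):
    """Split hosts into those ready to restore now and those still blocked,
    so the team can work several recoveries in parallel without skipping a gate."""
    ready, blocked = [], {}
    for h in hosts:
        reasons = recovery_blockers(h)
        if reasons:
            blocked[h.hostname] = reasons
        else:
            ready.append(h.hostname)
    return ready, blocked


# Constructed sample incident timeline (not from a real incident).
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
PAYROLL = HostState(
    "payroll-db", contained_at=T0, eradicated_at=T0 + timedelta(hours=2),
    compromised_accounts={"svc_backup": True},
    credentials_rotated_at=T0 + timedelta(hours=3), patched_at=T0 + timedelta(hours=3),
)
FILESRV = HostState(
    "file-srv-02", contained_at=T0, eradicated_at=T0 + timedelta(hours=1),
    compromised_accounts={"jdoe": True, "svc_backup": False},
    credentials_rotated_at=T0 + timedelta(minutes=30), patched_at=None,
)

if __name__ == "__main__":
    ready, blocked = triage_recovery([PAYROLL, FILESRV])
    print("ready to recover:", ready)
    for host, reasons in blocked.items():
        print(f"{host} blocked:")
        for r in reasons:
            print("  -", r)
```

In the sample, the payroll host (the deadline-driven system the article mentions) passes every check and can be restored first, while the file server is held back for three distinct reasons, including a password rotation that happened before the intruder's access was cut and therefore has to be repeated.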
Again, each data security attack is different. With each data recovery response, your teams should get incrementally better at minimizing the amount of data recovery work necessary. This is the purpose of the final step in the incident management process: identifying the causes of data security risks and learning how to manage data security emergencies.