Recovering Corporate Data After a Data Security Attack

written by: Tom Olzak, CISSP•edited by: Ronda Bowen•updated: 7/4/2011

In this article, we continue the series on data security incident management with an examination of what happens after a software or human security threat is identified and contained: eliminate the data security threat and restore data and network services.

    Eliminating Possible Data Security Threats and Attacks

    It’s nearly impossible to define a detailed eradication process general enough to include here. Each data or network attack is unique and requires its own approach to eliminating the corresponding threat. Proper preparation before an attack, however, provides the tools and external resources needed to construct an effective elimination plan. Eradication of data security threats includes:

    • Deleting malware from affected network systems
    • Disabling access for compromised user accounts
    • Detention of human intruders
    • Possible arrest or termination of employees responsible for fraudulent or destructive acts on corporate data
    • Any other action that removes a security threat and stops attack activities

    The first three steps of data loss incident response – detect, contain, eradicate – are focused on containing the scope of the security attack and eliminating the data and network security threat. Once these objectives are met, data and network recovery operations begin.

    Recovering Lost Data from Corporate Information Systems

    Data recovery operations can actually begin once containment is achieved. Recovery of critical data systems may be necessary to meet deadlines associated with employees (e.g. payroll) or customers. The important thing to remember is to ensure the system you plan to recover is no longer exposed to the data security threat. Your flexibility in executing multiple steps simultaneously during a data security incident response is directly related to the incident response team (IRT) skills developed during training and practice exercises BEFORE a security attack occurs on your enterprise's data or network.

    Depending on the nature of a security attack and your enterprise's ability to quickly identify loss of data and/or computer networks, activities intended to recover corporate data systems might include:

    1. Reconnecting servers and workstations to the network or data storage devices
    2. Data and network system restores from tape
    3. Complete rebuild of data systems
    4. Replacement of compromised data or reinstallation of applications
    5. Immediate device hardening
      1. Install patches
      2. Change passwords
      3. Reconfigure physical and logical perimeter devices that protect data
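As an added example (not code from the original article), the following Python check gates the recovery steps listed above against the eradication steps from the previous slide. The `HostState` and `Incident` records, the `recovery_gate` and `recovery_order` functions, and every sample value are constructed here for illustration. A host is not returned to the network until malware is gone, compromised accounts are disabled, credentials on the remaining accounts were rotated after containment, the required patch level is met, and perimeter rules have been reconfigured; hosts that pass are then ordered by business priority so a payroll system is restored first.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical host inventory record, constructed for this example.
@dataclass
class HostState:
    name: str
    business_priority: int       # lower number = restore first (e.g. payroll server)
    malware_scan_clean: bool     # result of the post-eradication scan
    local_accounts: dict         # account name -> {"enabled": bool, "pw_changed": datetime|None}
    patch_level: int
    perimeter_rules_updated: bool


# Hypothetical incident record, constructed for this example.
@dataclass
class Incident:
    compromised_accounts: set    # accounts known to be used by the attacker
    containment_time: datetime   # when the attacker was cut off from the environment
    required_patch_level: int    # minimum patch level before a host may be reconnected


def recovery_gate(host: HostState, incident: Incident) -> list:
    """Return the list of unmet recovery conditions; an empty list means
    the host may be reconnected to the network."""
    failures = []
    if not host.malware_scan_clean:
        failures.append("malware still present")
    # Eradication step: compromised accounts must be disabled, not just reset.
    for acct in sorted(incident.compromised_accounts & set(host.local_accounts)):
        if host.local_accounts[acct]["enabled"]:
            failures.append(f"compromised account still enabled: {acct}")
    # Hardening step: every enabled account needs a password changed AFTER containment.
    # A password rotated while the attacker still had access is treated as compromised.
    for acct, info in host.local_accounts.items():
        if not info["enabled"]:
            continue
        changed = info.get("pw_changed")
        if changed is None or changed < incident.containment_time:
            failures.append(f"password for {acct} not rotated after containment")
    if host.patch_level < incident.required_patch_level:
        failures.append(
            f"patch level {host.patch_level} < required {incident.required_patch_level}")
    if not host.perimeter_rules_updated:
        failures.append("perimeter devices not reconfigured")
    return failures


def recovery_order(hosts: list, incident: Incident):
    """Split hosts into those ready to reconnect (sorted by business priority)
    and those still blocked, with the reasons for each blocked host."""
    ready, blocked = [], {}
    for host in hosts:
        problems = recovery_gate(host, incident)
        if problems:
            blocked[host.name] = problems
        else:
            ready.append(host)
    ready.sort(key=lambda h: h.business_priority)
    return [h.name for h in ready], blocked


# Constructed sample data: containment happened at 09:00 UTC on 2011-07-01.
T_CONTAIN = datetime(2011, 7, 1, 9, 0, tzinfo=timezone.utc)
INCIDENT = Incident(compromised_accounts={"jdoe"},
                    containment_time=T_CONTAIN,
                    required_patch_level=42)

HOSTS = [
    HostState("payroll", 1, True,
              {"svc_payroll": {"enabled": True,
                               "pw_changed": datetime(2011, 7, 1, 12, 0, tzinfo=timezone.utc)},
               "jdoe": {"enabled": False, "pw_changed": None}},
              42, True),
    HostState("fileserver", 2, True,
              {"admin": {"enabled": True,
                         "pw_changed": datetime(2011, 6, 30, 8, 0, tzinfo=timezone.utc)}},
              40, True),
    HostState("workstation", 3, False,
              {"jdoe": {"enabled": True, "pw_changed": None}},
              42, True),
]

if __name__ == "__main__":
    ready, blocked = recovery_order(HOSTS, INCIDENT)
    print("ready to reconnect:", ready)
    for name, reasons in blocked.items():
        print(f"blocked: {name}: {'; '.join(reasons)}")
```

The ordering of the password check matters: the gate compares the rotation time with the containment time rather than simply checking that a change happened, because a credential changed while the attacker still held access gives no assurance at all. With the sample data, only the payroll server passes; the file server is held back for a stale password and a missing patch level, and the workstation for live malware and an enabled compromised account.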

    Again, each data security attack is different. With each recovery response, your teams should get incrementally better at minimizing the amount of recovery work necessary. That is the purpose of the final step in the incident management process: identifying the causes of data security risks and how to manage data security emergencies.

Security Incident Management

In this series, I provide an overview and recommendations related to responding to a security incident. Effective incident management is critical when attempting to mitigate damage from a breach, system failure, data leakage, etc.
  1. The Data Security Incident Management Process: Policies, Teams, and Communication
  2. Preventing and Containing Data Loss by Detecting and Analyzing Data Security Issues
  3. Reducing the Damage Caused by Network Security Threats and Identifying Attackers
  4. Recovering Corporate Data After a Data Security Attack
  5. Challenges of Managing Data Security: Causes and Effects of Data System Failures