
How to Recover Data Lost During a Security Attack or Outage: Restoring Information Systems and Replacing Compromised Data

In this article, we continue the series on data security incident management with an examination of what happens after a software or human security threat is identified and contained: eliminate the data security threat and restore data and network services.

By Tom Olzak, CISSP
Eliminating Possible Data Security Threats and Attacks

It’s nearly impossible to define a detailed eradication process general enough to include here. Each data or network attack is unique and requires its own approach to eliminating the corresponding threat. Proper preparation prior to an attack, however, provides the tools and external resources needed to construct an effective elimination plan. Eradication of data security threats includes:

  • Deleting malware from affected network systems

  • Disabling access for compromised user accounts

  • Detention of human intruders

  • Possible arrest or termination of employees responsible for fraudulent or destructive acts on corporate data

  • Any other action that removes a security threat and stops attack activities

The first three steps of data loss incident response – detect, contain, eradicate – are focused on limiting the scope of the security attack and eliminating the data and network security threat. Once these objectives are met, data and network recovery operations begin.

Recovering Lost Data from Corporate Information Systems

Data recovery operations can actually begin as soon as containment is achieved. Recovery of critical data systems may be necessary to meet deadlines associated with employees (e.g. payroll) or customers. The important thing to remember is to ensure that the system you plan to recover is no longer exposed to the data security threat. Your flexibility in executing multiple steps simultaneously during a data security incident response is directly related to the incident response team (IRT) skills developed during training and practice exercises BEFORE a security attack occurs on your enterprise’s data or network.


Depending on the nature of a security attack and your enterprise’s ability to quickly identify loss of data and/or computer networks, activities intended to recover corporate data systems might include:

  1. Reconnecting servers and workstations to the network or data storage devices

  2. Data and network system restores from tape

  3. Complete rebuild of data systems

  4. Replacement of compromised data or reinstallation of applications

  5. Immediate device hardening

    1. Install patches
    2. Change passwords
    3. Reconfigure physical and logical perimeter devices that protect data
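Step 2 above (restoring from tape) only helps if the restore point predates the intrusion and the media still matches what was catalogued, otherwise you reintroduce the compromised data the response just eradicated. The following is an added illustration, not code from the article or its author: it picks the newest backup set that was written before the earliest known compromise indicator and whose recorded SHA-256 digest still matches, and returns nothing (meaning a full rebuild is required) when no set qualifies. Catalog entries, timestamps and payloads are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional


@dataclass(frozen=True)
class BackupSet:
    label: str           # tape or archive identifier (constructed)
    taken_at: datetime   # when the backup was written
    sha256: str          # digest recorded in the backup catalog at write time
    payload: bytes       # stand-in for the archive contents


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(label: str, taken_at: datetime, payload: bytes, corrupt: bool = False) -> BackupSet:
    """Build a catalog entry; corrupt=True simulates media whose contents drifted after the digest was recorded."""
    recorded = _digest(payload)
    if corrupt:
        payload = payload + b"\x00"
    return BackupSet(label, taken_at, recorded, payload)


def integrity_ok(backup: BackupSet) -> bool:
    """Re-hash the media and compare with the digest the catalog recorded at write time."""
    return _digest(backup.payload) == backup.sha256


def select_clean_backup(backups: Iterable[BackupSet], earliest_compromise: datetime) -> Optional[BackupSet]:
    """Newest set that predates the earliest compromise indicator AND passes its integrity
    check; None means no trustworthy restore point exists and the system must be rebuilt."""
    candidates = [b for b in backups if b.taken_at < earliest_compromise]
    for b in sorted(candidates, key=lambda b: b.taken_at, reverse=True):
        if integrity_ok(b):
            return b
    return None


# Constructed catalog: three nightly sets around an intrusion first observed early on 12 March.
EARLIEST_COMPROMISE = datetime(2024, 3, 12, 2, 0)
CATALOG = [
    make_backup("TAPE-0310", datetime(2024, 3, 10, 23, 0), b"payroll-db-2024-03-10"),
    make_backup("TAPE-0311", datetime(2024, 3, 11, 23, 0), b"payroll-db-2024-03-11", corrupt=True),
    make_backup("TAPE-0312", datetime(2024, 3, 12, 23, 0), b"payroll-db-2024-03-12"),  # written after compromise
]

if __name__ == "__main__":
    chosen = select_clean_backup(CATALOG, EARLIEST_COMPROMISE)
    print(chosen.label if chosen else "no clean backup; rebuild from installation media")
```

With the constructed catalog the 12 March set is rejected as post-compromise and the 11 March set fails its digest check, so the 10 March set is the restore point.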

Again, each data security attack is different. With each data recovery response, your teams should get incrementally better at minimizing the amount of data recovery work necessary. This is the purpose of the final step in the incident management process: identifying the causes of data security risks and how to manage data security emergencies.

This post is part of the series: Security Incident Management

In this series, I provide an overview and recommendations related to responding to a security incident. Effective incident management is critical when attempting to mitigate damage from a breach, system failure, data leakage, etc.

  1. The Data Security Incident Management Process: Policies, Teams, and Communication
  2. Preventing and Containing Data Loss by Detecting and Analyzing Data Security Issues
  3. Reducing the Damage Caused by Network Security Threats and Identifying Attackers
  4. Recovering Corporate Data After a Data Security Attack
  5. Challenges of Managing Data Security: Causes and Effects of Data System Failures