According to the NSW Information and Privacy Commission, a data breach occurs when there is a failure that has caused or has the potential to cause unauthorised access to your organisation’s data. The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Investigation is an integral part of a data breach response. The goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation. Most often the breach is caused by a hacking, but sometimes involves a negligent employee. It’s important to understand the necessary procedures for privacy and security breaches in order to minimize potential risks and limit access to leaked information before it’s too late.
A well-executed incident response can help minimize breach impact, reduce fines, decrease negative press, and ultimately help your company get back on track. There are a number of important considerations to make when investigating privacy and security breaches.
This blog will cover:
- Data Breach Detection
- Potential Impacts of Data, Privacy and Security Breaches
- 7 Steps for Investigating Data Breaches
- Best Prevention and Response Plan
Data Breach Detection
A company typically learns they’ve been breached in one of four ways:
- The breach is discovered through detection systems (via review of intrusion detection system logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts).
- The breach is discovered by your own employees.
- External parties discover the breach while investigating another matter.
- A customer complaint.
Potential Impacts of Data Breach
The impact of a data breach depends on the nature and extent of the breach and the type of information that has been compromised.
Serious impacts of a data breach could include:
- Risk to individuals’ safety
- Financial loss to an individual or organisation
- Damage to personal reputation or position
- Loss of customer or public trust in an organisation or the services it provides
- Commercial risk through disclosure of commercially sensitive information to third parties
- Threat to an organisation’s systems, impacting the capacity to provide services
- Impact on organisation reputation, finances, interests or operation.
Breaches of personal data can result in significant harm, including people having their identities stolen or the private home addresses of protected or vulnerable people being disclosed. In some circumstances, this can expose an individual to a significant risk of harm.
Organisations should also consider the risks that could result from data breaches:
- that result in a loss of data integrity, i.e. where information is maliciously altered
- a loss of availability, where important systems may no longer be useable
- where data may not be disclosed, but is rendered inaccessible, with potentially harmful consequences for individuals.
7 Steps for Investigating Data Breaches
Here is a general guide of the steps you need to take when responding to and investigating a cybersecurity incident. Steps may vary depending on each investigation, requirement, industry, etc.
1. Detect the privacy and/or security breach
Each investigation begins with incident detection. This step is aimed at determining the fact that a data breach has occured. You can confirm this by inspecting the signs of a data breach.
According to the National Institute of Standards and Technology (NIST) of the United States Congress, there are two types of data breach signs: precursors and indicators.
A precursor is a sign that an incident may occur in the future. It can be:
- Web server logs indicating a search for vulnerabilities in an organization’s network
- Discovery of a vulnerability that affects the organization’s network
- An announcement by a hacker group that they intend to attack the organization
In general, precursors are rare and mostly help organizations to stay vigilant.
An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:
- Buffer overflow attempts against a database server
- Multiple failed login attempts from an unfamiliar remote system
- Bounced emails with suspicious content
Here are some important questions to ask yourself:
- Who is affected by the breach? The assessment may include reviewing whether individuals and organisations have been affected by the breach, the level of sensitivity of the data that is affected, how many individuals and organisations have been affected, and whether any of the individuals have personal circumstances which may put them at particular risk of harm.
- What was the cause of the breach? The assessment may include reviewing whether the breach occurred as part of a targeted attack or through inadvertent oversight. Was it a one-off incident or does it expose a more systemic vulnerability? What steps have been taken to contain the breach? Has the data been recovered? Is the data encrypted or otherwise not readily accessible?
- What is the foreseeable harm to the affected individuals/organisations? The assessment may include reviewing what possible use there is for the data. For example, could it be used for identity theft, threats to physical safety, financial loss, or damage to reputation? Who is in receipt of the data? What is the risk of further access, use or disclosure, including via media or online?
2. Take Urgent Incident Response Actions
There are a number of urgent steps you should take when a data breach is detected. The first thing you should do after detection is to record the date and time of detection as well as all information known about the incident at the moment.
Then, the person who discovered a breach must immediately report to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.
Overall, you may stick to this general checklist:
First 24 Hours Response Checklist:
- Document the time and date the data breach was discovered
- Notify the response team
- Isolate the location of data breach
- Stop additional data loss
- Gather all possible data about data breach
- Interview the people who discovered the data breach
- Document the investigation
- Perform a risk assessment
- Notify law enforcement and regulators
3. Gather Evidence
Collecting and checking all evidence related to the data breach is the next step per data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.
First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.
The list of data you should collect includes:
- The date and time the data breach was detected
- The date and time a response to the data breach began
- Who discovered the breach, who reported it, and who else knows about it
- What was viewed, changed, or stolen and how
- A description of all events related to the incident
- Information about all contacts involved in the breach
- Identification of the systems affected by the incident
- Information on the extent and type of damage caused by the incident
When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data used by investigators to determine how and when the breach occurred, and to make recommendations in order to properly secure the network against the current attack or similar future attacks.
When you discover a breach, remember:
- Don’t panic
- Don’t let panic lead you to hasty actions
- Don’t wipe and re-install your systems (yet)
- Do follow your incident response plan
4. Analyze the Data Breach
Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident, as well as the scope of the breach and who are the affected parties you need to notify. In addition, you may have to answer a series of questions that will further assist in the investigation:
- Was any suspicious traffic detected?
- Did the attacker have privileged access to data?
- How long has the data been compromised?
- Were people or special software involved in the data breach?
- Was the data breach intentional and were outside attackers involved?
Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it. You can also gather a list of affected, or potentially affected parties in preparation for step 5.
5. Notify related parties
Next, you should notify all affected organizations and individuals, as well as law enforcement if the breach was significant enough. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach. Additionally, in many jurisdictions there are mandated notification timeframes, which we will discuss below.
The list of those to be notified will vary depending on the type of compromised data and may include:
- Employees
- Customers
- Investors
- Business partners
- Regulators
- And others
Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines.
Australia
In Australia, entities with existing personal information security obligations under the Australian Privacy Act are required to notify the Office of Australian Information Commissioner (OAIC) and affected individuals of all “eligible data breaches.
United States
As of yet, there has been no federal legislation enacted covering data breach investigation or notification processes, and the laws are a patchwork of state or industry specific laws. For example, organizations that need to comply with the Health Insurance Portability and Accountability Act(HIPAA) must notify each affected individual within 60 days after discovering a breach. Fines for a HIPAA violation may be up to $25,000. The minimum fine is $100. Most states have their own specific laws that deal with security breaches. For example, in California, a business must notify each resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.
United Kingdom
The GDPR requires data supervisors to notify the appropriate supervisory authorities no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.
Similar guidelines apply to organizations in Canada under the Breach of Security Safeguards Regulations.
Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider local data breach legislation and include its requirements into your incident response plan.
6. Take containment, eradication and recovery measures
The next step is to mitigate and remediate the effects of the breach. Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach.
Containment measures
The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.
Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.
Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.
Here are possible measures you can take for containment:
- Disconnect from the Internet by pulling the network cable from the firewall/router to stop the bleeding of data.
- Document the entire incident. Document how you learned of the suspected breach, the date and time you were notified, how you were notified, what you were told in the notification, all actions you take between now and the end of the incident, date and time you disconnected systems in the card data environment from the Internet, disabled remote access, changed credentials/passwords, and all other system hardening or remediation steps taken.
- Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (not delete) non-critical accounts. Document old passwords for later analysis.
- Change access control credentials (usernames and passwords) and implement highly complex passwords: 10+ characters that include upper and lower case, numbers, and special characters. (Avoid passwords that can be found in any dictionary, even if you are substituting special characters in place of letter characters.)
- If you process payments, segregate all hardware devices in the payment process from other business critical devices. Relocate these devices to a separate network subnet and keep them powered on to preserve volatile data.
- Quarantine instead of deleting (removing) identified malware found by your antivirus scanner for later analysis and evidence.
- Preserve firewall settings, firewall logs, system logs, and security logs (take screenshots if necessary).
- Restrict Internet traffic to only business critical servers and ports outside of any payment-processing environment(s). If you must reconnect to the Internet before an investigator arrives, remove your credit card processing environment(s) from any devices that must have Internet connectivity and process credit cards via dial-up, stand-alone terminals obtained from your merchant bank until you consult with your forensic investigator.
- If relevant, contact your merchant processing bank (if you haven’t already) and let them know what happened.
Eradication measures
Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.
Recovery measures
After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.
Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.
7. Conduct a root cause analysis
Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.
In general, an audit may include:
- Reviewing the organization’s cybersecurity systems
- Analyzing causes of the data breach
- Creating a plan to prevent similar incidents in the future
- Reviewing policies and procedures to reflect lessons learned from the data breach
- Improve cybersecurity awareness among employees
The 5 Whys and 5 Hows technique may help you achieve continuous improvement at any organization. The 5 Why method is simply asking the question “Why” enough times until you get past all the symptoms of a problem and down to the root cause. The 5 Hows are then used to determine a root or permanent solution to the “root cause (s)” of the problem.
How to Perform 5 Why & 5 How
1. Form the Team
The 5 Why & 5 How exercise should be performed by a team, not an individual. The team should include diverse members. Each team member will bring their own unique viewpoint of the problem and ask important questions that may not otherwise have been asked.
2. Define the Problem
Develop a clear and concise problem statement. The team should keep their focus on the process and not on the personnel. The team should also determine the scope of the problem to be addressed. If the scope is too narrow the problem solving exercise could result in small improvements when larger, broader improvements are needed. Adversely, defining the problem with too broad of a scope could extend the time required to resolve a problem and generate solutions that might not fit the corporate culture or align with corporate strategy, and never be carried out. When you take the time to clearly define the problem up front, it often saves time and makes solving the problem easier.
3. Ask Why
Next the team leader or facilitator should ask “Why” the problem or failure occurred. The responses should be backed by facts or data and not based on an emotional response. The responses should also focus on process or system errors.
The facilitator should then ask the team “if the identified causes were corrected, could the failure or problem still occur?” If the answer is yes, then move on to the second “Why” and then the third, fourth, fifth and so on until the answer is no.
Note: It is not always necessary to ask “Why” five times. The root cause could be identified during the third or fourth “Why”. It may also take more than five times to get through the symptoms of the problem and down to the root cause. In addition, by the 3rd, 4th, or 5th “Why”, you may likely discover a systemic or management practice as the cause.
4. Determine and Implement Corrective Actions
Upon determination of the root cause(s), a list of appropriate corrective actions should be developed to address each root cause. 5 How is a useful method of brainstorming resolutions to the root causes and developing action items to resolve the problem. The facilitator should ask the 5 Hows related to the issue at hand. How can this cause be prevented or detected? Keep asking “How” until you get to the root solution that resolves the root cause. The actions should have an owner and a due date. Regular meetings should be held to update the team on the status of the actions until all are completed. Upon completion of the recommended actions, the effectiveness of the actions should be determined.
Basic 5 Why Example
There are various formats used to document the 5 Why exercise, some more detailed than others. The following is an example of the basic 5 why process.
Problem statement – the file ‘evilcode.php’ was injected into our web service, allowing an attacker to gain configuration information, though they were stopped without further attacks.
- Why? There was a remote code execution vulnerability in our web application
- Why? No-one updated the web framework.
- Why? Web applications and frameworks aren’t part of our patching process.
- Why? It’s too hard and takes too much time to apply updates to web applications.
- Why? We haven’t built processes, procedures, and pipelines to allow for easy updating of web applications.
Caution must be observed to assure that the “Whys” follow a logical path. One method to check if the progression follows a logical path is to read the causes in reverse order. When you read the causes or “Whys” in reverse order, they should follow a logical progression to the problem statement or failure mode. Referencing the example above, the progression would be like this:
- There is no documented, easily understandable, efficient process for updating web applications
- Therefore – employees need to figure it out for themselves each time, which is hard and time consuming
- Therefore – web applications were not included in our regular patching process
- Therefore – no-one updated the web framework
- Therefore – there was a remote code execution vulnerability in our web application
- Therefore – someone was able to inject malicious code into our web service and gain configuration information
By thoroughly implementing these steps, you can get a better understanding of the data breach that occured, discover its true causes, and determine the best pathway for mitigating its consequences.
Best Prevention and Response Plan
After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your production environment. During this process, ask yourself these questions:
- Have you properly implemented all of the recommended changes?
- Have all systems been patched, hardened,
- and tested?
- What tools/reparations will ensure you’re secure from a similar attack?
- How will you prevent this from happening again? (Who will respond to security notifications and be responsible to monitor security, Intrusion Detection System, and firewall logs?)
There are many elements of a good prevention plan. According to the Data Breach Guideline created by the Information and Privacy Commission, here are some suggestions:
People/Culture
- Make sure you’re aware of your organisation’s privacy principles as well as the types of breaches that might affect your organisation.
- Identify the individuals in your organisation responsible for privacy and data protection. These are the staff members who will provide support for understanding and implementing data breach prevention practices, as well being the contact points in the event that you identify as suspected breach.
- Establish honest and consistent privacy and data breach communication channels with employees.
Processes
- Ensure that you are aware of proper processes and that they are followed.
- If you identify where privacy and data protection improvements to processes can be made, communicate this with management.
- Minimise the transporting and copying of data in common processes, especially if this is done using portable devices, email, or syncing files to local devices.
Policy
- Be aware of privacy and data protection policies and abide by them. Provide feedback on policy that is difficult to implement so that it may be improved.
- Relevant policies include those that cover computer and email use, BYOD, information access restrictions and conditions, and personal information collection and use.
Technology
- Abide by the data protection policies and practices of your Agency with regard to the use of computers, emails and other electronic devices.
- Ensure that security protections, such as passwords and two-factor authentication are compliant with your organisation’s rules.
- Avoid transferring data through insecure methods, such as USB-sticks, paper copies, unencrypted attachments to emails.
- Keep applications on your devices updated to the latest version, as vulnerabilities are frequently patched.
- Be aware of the data you hold on your computer and your devices. Avoid replicating data across multiple devices, especially if they are portable and may be lost, stolen or misplaced.
How Polonious can Help
Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.
It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach. Polonious Systems offers a rich set of features for data breach investigation and mitigation.
Additionally, Polonious maintains ISO27001 certification to ensure its own processes and software are kept to the highest international standards for security. This includes regular penetration testing, code reviews, disaster recovery and business continuity drills, as well as frequent internal audits and twice yearly external audits of our processes.
Let's Get Started
Interested in learning more about how Polonious can help?
Get a free consultation or demo with one of our experts