Recovering Corporate Data After a Data Security Attack

Eliminating Possible Data Security Threats and Attacks

It’s nearly impossible to define a detailed eradication process general enough to include here. Each possible data and network attack is unique, requiring a unique approach to eliminating the corresponding threat or data security attack. Proper preparation prior to an attack, however, provides the tools and external resources necessary to construct an effective elimination plan. Eradication of data security threats include:

• Deleting malware from affected network systems
• Disabling access for compromised user accounts
• Detention of human intruders
• Possible arrest or termination of employees responsible for fraudulent or destructive acts on corporate data
  
• Any other action that removes a security threat and stops attack activities

The first three steps of data loss incident response – detect, contain, eradicate – are focused on containing the scope of the security attack and eliminating the data and network security threat. Once these objectives are met, data and network recovery operations begin.

Recovering Lost Data from Corporate Information Systems

Data recovery operations can actually begin once containment is achieved. Recovery of critical data systems may be necessary to meet deadlines associated with employees (e.g. payroll) or customers. The important thing to remember is to ensure the system you plan to recover is no longer exposed to the data security threat. Your flexibility in simultaneously executing multiple steps during a data security incident response is directly related to the IRT skills developed during training and practice exercises BEFORE a security attack occurs on your enterprise's data or network.

Depending on the nature of a security attack and your enterprise's ability to quickly identify loss of data and/or computer networks, activities intended to recover corporate data systems might include:

1. Reconnecting servers and workstations to the network or data storage devices
   
2. Data and network system restores from tape
3. Complete rebuild of data systems
4. Replacement of compromised data or reinstallation of applications
5. Immediate device hardening
   1. Install patches
   2. Change passwords
   3. Reconfigure physical and logical perimeter devices that protect data
      

Again, each data security attack is different. With each data recovery response, your teams should get incrementally better at minimizing the amount of data recovery work necessary. This is the purpose of the final step in the incident management process, identifying causes of data security risks and how to manage data security attacks emergencies.

Security Incident Management

in this series, I provide an overview and recommendations related to responding to a security incident. Effective incident management is critical when attempting to mitigate damage from a breach, system failure, data leakage, etc.