I have identified signs that my network has been breached. What do I do now?
January 15, 2012
There are a few steps that must be taken if your network is showing signs of a breach. The first step is to disconnect and contain. Disconnect any devices that you suspect may have been compromised from your network and from the internet, but do not power them down. Powering down a suspicious device clears its memory, which may erase memory-resident malware and other volatile evidence and make tracking the intrusion more difficult. Preserve evidence wherever you can and contain the breach so that no more data can be compromised.
Some important steps you must take are to:
- Notify law enforcement, affected businesses (like your bank or processing company) and affected individuals. It is important to notify these parties in a timely manner so that remediation measures can be taken quickly and so that affected parties are not left unaware of the situation.
- Notify federal authorities immediately about your breach. This may buy you more time to deal with the situation.
- Never try to hide a breach. It will only hurt your reputation further if it is discovered that your business attempted to conceal this information.
- Investigate your network to determine the source and scope of the breach. Some banks or processing companies may require a PFI (PCI Forensic Investigator) to perform an investigation of your business, usually depending on the severity of the breach. If this is not required, complete some form of investigation so that the source or sources of the breach can be determined and fixed. Provide written documentation of the events and findings for yourself and, if required, for your processing company or bank.
- Remediate as quickly as possible to prevent further data compromise. Immediately begin fixing the issues found by the PFI, by any other external investigator, or in your own investigation. Also identify other sources of vulnerability so that those issues are resolved before attackers have a chance to strike again.
Read the next blog – What can I do to prevent a breach from happening again?