Page 37 - GCN, June/July 2017

This June marks two years since the Office of Personnel Management publicly disclosed data breaches that had exposed the highly sensitive data of over 20 million current, former and prospective federal employees.
The breach was one of the biggest involving a federal agency in terms of both records compromised and victims affected. A report released by the House Oversight and Government Reform Committee last September blamed the incident on a variety of errors and miscalculations that OPM officials made before and after they discovered the network intrusions that led to the data theft.
Although some have challenged the findings in the report, the breach remains a potent reminder of the enormous challenges organizations face in detecting and responding to incidents in an era of incessant security threats. Given the vast attack surfaces of today’s systems, intrusions are nearly inevitable, but they don’t have to be catastrophic.
Here, according to security analysts, are five of the most common missteps to avoid after a breach is discovered.
1. Acting before fully understanding the problem
The immediate aftermath of a breach discovery can be terrifying, especially if there’s reason to believe a malicious actor might have compromised sensitive data or systems. But it is important not to overreact. Often, the first actions organizations take after discovering a breach determine how the rest of the incident plays out.
“One of the biggest mistakes that people make is not fully understanding the scope of the problem,” said Brian Calkin, vice president of operations at the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC).
Unless active data exfiltration or other malicious activity poses an immediate threat to the network, there’s little to be gained by shutting down and wiping systems clean at the first sign of a breach. “It’s better to take an extra day or two to assess the situation versus going with guns blazing taking systems down,” Calkin said.
U.S. Postal Service officials were urged to take that approach after the U.S. Computer Emergency Readiness Team (US-CERT) discovered four servers sending unauthorized communications outside the organization in September 2014.
Instead of immediately disconnecting the servers, USPS officials heeded the advice of US-CERT and its own Office of Inspector General and held off on taking any action until they could prepare a coordinated response plan.
GCN JUNE/JULY 2017 • GCN.COM 33