The moments after you have experienced a breach are of the utmost importance and can significantly impact your organization and the effectiveness of a forensic investigation. If you suspect a computer systems intrusion or breach, you should:
Immediately Contain and Limit the Exposure
The goal of containing and limiting the exposure is to keep the breach from spreading. If you are unable or uncomfortable performing any of the following steps, the Sikich Forensic Team will be able to assist you.
- Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
- Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable or disable the switch port). If it is truly necessary to power off the machine, pull the power cord rather than shutting down; be aware that this still loses everything held only in RAM (running processes, network connections, decrypted keys), so if you or the forensic team can capture memory first, do that before removing power.
- Do NOT shut down the system through the operating system or by pressing the power button (which on many machines triggers a "soft," orderly shutdown). An orderly shutdown rewrites system files, flushes and rotates logs, and gives malware a chance to clean up after itself, all of which destroys evidence.
- Preserve logs and electronic evidence. A forensic image of the hard drive preserves the state of each suspect machine. Network devices such as firewalls, IDS/IPS sensors, and routers often hold their logs only in volatile memory; export or capture those logs before the device is rebooted or the buffer wraps and overwrites them. Keep all existing backup tapes, since they may hold copies of data from before and after the compromise, and use new tapes for subsequent backups of other systems.
- Log all the actions you have taken, including composing a timeline of any knowledge related to the incident.
- If using a wireless network, change the SSID on the wireless access point (WAP) and reconfigure the other machines that use that connection to the new SSID, with the exception of any systems believed to be compromised, which should stay isolated.
- Be on high alert and monitor all systems.
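As an added example that is not part of Sikich's checklist or tooling, the script below carries out the evidence-preservation and action-logging steps above for one suspect volume: it acquires a bit-for-bit image with dd, hashes both the source and the image so the copy can be proven faithful, and appends every action to a timestamped timeline file. The evidence directory layout, the file names, and the function names are assumptions made here for illustration; on a real case the source would be a block device such as /dev/sdb and the script would run from a trusted workstation, not on the compromised host.

```shell
#!/bin/sh
# Added example for this checklist (not Sikich's own tooling): acquire a
# bit-for-bit image of a suspect volume, hash source and image, and append
# every action to a timestamped timeline. The evidence directory layout and
# the function names are assumptions made here for illustration.
set -eu

# Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append one timeline record: UTC timestamp, operator@host, free-text action.
# Tab-separated so it can be sorted and merged with other evidence later.
log_action() {
    timeline=$1; shift
    printf '%s\t%s@%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" "$(uname -n)" "$*" \
        >> "$timeline"
}

# acquire_image SOURCE EVIDENCE_DIR CASE_NAME
# Writes EVIDENCE_DIR/CASE_NAME.dd plus dd's own transfer report, records the
# hashes of source and image in the timeline, and returns 0 only if they match.
acquire_image() {
    src=$1; evdir=$2; name=$3
    img="$evdir/$name.dd"
    timeline="$evdir/timeline.tsv"
    mkdir -p "$evdir"

    log_action "$timeline" "begin acquisition: $src -> $img"

    # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
    # them instead of aborting. Because sync pads a short final read to bs,
    # bs must divide the source size (512 works for any block device) or the
    # image hash will not match the source hash.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.ddlog"

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    log_action "$timeline" "source sha256 $src_hash"
    log_action "$timeline" "image sha256 $img_hash ($(wc -c < "$img" | tr -d ' ') bytes)"

    if [ "$src_hash" = "$img_hash" ]; then
        log_action "$timeline" "verification OK"
        echo "OK $img_hash"
        return 0
    fi
    log_action "$timeline" "verification MISMATCH: do not rely on this image"
    echo "MISMATCH $src_hash != $img_hash"
    return 1
}

# Demo against a constructed file (not a real disk): run with --demo.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    yes "constructed sample sector data" | head -c 4096 > "$work/suspect.img"
    acquire_image "$work/suspect.img" "$work/evidence" case001
    cat "$work/evidence/timeline.tsv"
fi
```

The timeline file is the written record the checklist asks for: each line says who did what, when, and on which host, and the recorded hashes let anyone later confirm the image has not changed since acquisition. The source is read only; nothing is written to the suspect volume.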
Alert All Necessary Parties Within 24 Hours
Be sure to notify:
- Your internal information security group and incident response team, if applicable.
- The card associations and your merchant bank if the breach involves any system that stores, processes, or transmits cardholder data.
- The local FBI office and/or U.S. Secret Service (the FBI's Internet Crime Complaint Center accepts complaints online at http://www.ic3.gov).
If you have experienced a data breach, get in touch with experts right away.
Data breach hotline: 888.403.3438
We understand time is critical. Contact us and our data breach experts will respond as soon as possible.