What to Do If You’ve Experienced a System Breach

Reading Time: 6 minutes

Share:

Share on facebook
Share on twitter
Share on linkedin

The moments after you have experienced a breach are of the utmost importance and can significantly impact your organization and the effectiveness of a forensic investigation. If you suspect a computer systems intrusion or breach, you should:

Immediately Contain and Limit the Exposure

The goal of containing and limiting the exposure is to keep the breach from spreading. If you are unable or uncomfortable performing any of the following steps, the Sikich Forensic Team will be able to assist you.

  • Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
  • Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable). If for some reason it is necessary to power off the machine, unplug the power source.
  • Do NOT shutdown the system or push the power button (because it can sometimes create a “soft” shutdown), which modifies system files.
  • Preserve logs and electronic evidence. A forensic hard drive image will preserve the state on any suspect machines. Any other network devices (such as firewalls, IDS/IPSes, routers, etc.) that have logs in the active memory should be preserved. Keep all past backup tapes, and use new backup tapes for subsequent backups on other systems.
  • Log all the actions you have taken, including composing a timeline of any knowledge related to the incident.
  • If using a wireless network, change SSID on the wireless access point (WAP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
  • Be on high alert and monitor all systems.

Alert All Necessary Parties Within 24 Hours

Be sure to notify:

  • Your internal information security group and incident response team, if applicable.
  • The card associations and your merchant bank if the breach is part of a cardholder data segment.
  • The local FBI office and/or U.S. Secret Service (file a complaint online at http://www.ic3.gov).

If you have experienced a data breach, get in touch with experts right away.

Data breach hotline  888.403.3438

Contact Us

We understand time is critical. Contact us and our data breach experts will respond as soon as possible.

 

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

SIGN-UP FOR INSIGHTS

GET UPDATES FROM OUR EXPERTS
  • This field is for validation purposes and should be left unchanged.

Upcoming Events

  1. CPE Trainings: Tax Level 1

    July 28 @ 8:30 am - July 30 @ 5:00 pm CDT

  2. CPE Trainings: Tax Level 2

    August 5 @ 8:30 am - August 7 @ 5:00 pm CDT

  3. CPE Trainings: Tax Level 3

    August 26 @ 8:30 am - August 28 @ 5:00 pm CDT

View All Events

Latest Insights

View All Insights

About The Author

Mark Shelhart

Mark Shelhart

Mark’s expansive technical background and excellent communication skills allow him to efficiently drive e-discovery, incident response and other forensic projects to effective conclusions. His leadership role in the forensics practice includes speaking at conferences and writing for industry publications to share his knowledge of the information security and forensics industries. Mark has more than 15 years of experience working in consulting, information technology, e-discovery and incident response. He is a Core Forensic Investigator (CFI), Certified Information Systems Security Professional (CISSP) and a Payment Card Industry Qualified Security Assessor (QSA).