What to Do If You Have a Security Breach in Your Data Center

October 30, 2012

You’ve taken the time, spent the money, trained your employees and taken every precaution you can think of to prevent security breaches in your data center. And then it happens anyway: someone beats your security apparatus and steals your data, or worse. What do you do now?

Security Breaches Will Happen to You, So Plan Ahead

StillSecure CTO James Brown notes, “Clearly, hackers want to infiltrate any organization that is expected to be a highly secure environment. It is imperative that controls are established that go beyond the governmental requirements, and a remediation plan needs to be in place for when—not if—a breach happens.” No data center is totally secure, and that means that eventually yours will be broken into, whether virtually or physically. Good security measures will certainly help reduce the number of successful attacks and can provide a solid return on the investment, but you still need to prepare for the inevitable—albeit hopefully rare—breach.

“Having a plan can not only help your staff keep calm but can also alert them to some important guidelines that might not be within their realm of expertise as technicians,” according to Hostway’s Senior Director of Operations, Mark Gainer. The stress and chaos that can result from a security breach can quickly overwhelm your staff and lead to greater losses in both money and reputation, but if you have a plan of action in place before the breach occurs—and your staff is familiar with it—you have a much better chance of minimizing losses and of learning enough to prevent such breaches from occurring again. You should consider the following suggestions for inclusion in a comprehensive security-breach response plan. They are not intended, by themselves, to be a checklist that you look at only after the fact. Look at how these items affect your data center specifically: not all will be applicable, and some will be more so than others.

It Happened; Now What?

A security breach occurred in your data center. Here are some steps to take in response.

  • Remain calm. This isn’t a platitude—it’s a critical step in response to any emergency. Hostway and StillSecure say it this way: “Take a deep breath. This can be fixed.” It’s happened to many other companies; you can survive it as well.
  • Inform necessary response personnel. Since you’ve already planned ahead for this kind of event (right?), you should have a ready list of staff members that must be informed—and present, if necessary—in response to the breach. Coordinate your strategy for tackling the problem, and begin your investigation as quickly as possible.
  • Preserve evidence with potential forensic value. If your security is breached, a crime may well have occurred. And even if there is not a sufficient criminal case, computer forensics personnel can gather evidence that may identify the perpetrators or the means of attack, enabling improvement of the security system. For example, Hostway and StillSecure suggest leaving all servers on, as shutting them down can destroy information that may be critical to an internal or criminal investigation.
  • Determine which outside entities to inform. If the breach is a potential criminal case, you may need to contact the appropriate law-enforcement authority. In such a situation, coordinate your investigation with that of the police so as to avoid any conflicts. You may also choose to bring in a third-party computer forensics specialist to aid in the investigation. In your contingency planning, consider how your investigation strategy will vary depending on who else is involved in the situation.
  • Carefully conduct your investigation. The necessary approach at this stage will depend on the details of the breach. Hostway and StillSecure suggest a number of steps to consider:
    • Determine which server(s) have been compromised, which internal or external customers may be affected, and what information is stored there.
    • Quarantine all affected hardware by isolating it on the network, and immediately have a qualified person run forensic tools to record any new data or incidents on your network.
    • Dissect the recorded data. This will help you and the authorities build a case against the hacker.
    • Answer and document as many of the open questions as possible.
  • Identify the weakness in your security system and take steps to strengthen it. Hackers and other malicious parties spend a lot of time trying to break into systems like yours. Some breaches occur despite the best efforts of companies to secure their data centers—the only shame is in not taking the necessary steps to resolve known weaknesses. Here, security consultants may be able to offer you advice in correcting deficiencies effectively and economically. Hostway and StillSecure suggest considering “WAF, IDPS, file-integrity scanning, vulnerability scanning, managed VPN, firewall and others.”
  • Address legal and regulatory issues. If your data center handles financial or medical data, then PCI DSS, HIPAA or other compliance issues will come into play. Data breaches involving medical records can be very costly, but you still may need to inform the appropriate regulatory agencies. Also, consult with your legal team or an outside attorney regarding any implications of the breach. Legal counsel can help you avoid costly mistakes in resolving the breach.
  • Notify affected parties. You may need to inform affected parties regarding the data breach, particularly if it involves medical or financial records. Here, consulting with an attorney or compliance officer will help you take the right steps to avoid fines and lawsuits. Honesty may not be pleasant, but it may be the required policy in the wake of a security breach.
  • Evaluate your staff’s performance in response to the breach. Practicing for a security breach is one thing; responding to an actual breach is another. Look at how your team did in response to the breach. Certainly, don’t be too harsh: mistakes will almost certainly be made. Take a constructive approach that seeks improvement, not the laying of blame. Of course, the hope is that you’ll never again have to practice the skills you learn for dealing with security breaches, but chances are that if you’re in business long enough, it will happen again. Modify your plan so that next time, you’ll be even better prepared to deal with the situation.

Conclusions

A security breach will probably happen at your company’s data center. And yes, it’ll be an annoying and, probably, slightly disturbing situation. Nevertheless, by planning ahead, you can prepare to respond quickly and decisively should a breach occur, and then gain the necessary knowledge to improve security and—hopefully—prevent similar breaches from occurring again. “Let’s face it,” says Brown. “Even with the right security controls in place, most data centers are not safe enough. They need to play defensively and implement a strategy for the inevitable security breach—because it will happen.”

Photo courtesy of DeclanTM

About Jeff Clark

Jeff Clark is editor for the Data Center Journal. He holds a bachelor’s degree in physics from the University of Richmond, as well as master’s and doctorate degrees in electrical engineering from Virginia Tech. An author and aspiring renaissance man, his interests range from quantum mechanics and processor technology to drawing and philosophy.


3 Comments

  1. Alkesh Chavda, November 2, 2012 at 5:00 pm

    Under “Preserve evidence with potential forensic value” and “Carefully conduct your investigation”, how about ensuring your database audit logs are switched on and using a proactive real-time database auditing solution to monitor the logs?

    alkesh.chavda@ategrity.com
