Understanding the type and severity of an IT security breach is the first step towards effectively containing the damage and minimizing the risk. Adapting an overzealous PCI incident response plan could cause more damage than that done by the initial IT security breach.
Moreover, to effectively recover from an IT security breach, you need to determine how seriously your networks have been compromised. This will consequently determine how to further contain and minimize the impact of the damage. This may involve looking into aspects such as how to recover, how quickly and to whom you should communicate the security incident to and whether or not to seek legal redress.
When determining the nature of the IT security breach or attack during the first assessment stages, remember to also determine the source of the attack. This will come in handy when analyzing your PCI incident response strategy to ensure that it is both plausible and compliant much later. At this stage it is also advisable to determine the intent of the IT security breach on your network. You should be able to determine whether it was specifically targeted at your company in order to acquire certain sensitive information or it was just random attack. Note that this kind of information cannot be determined if you do not identify the origin of the attack in the first place.
When assessing the extent of the attack, you should basically look into the type of files that have been compromised and the sensitivity of the information in those files.
By performing these steps you will be able to determine the appropriate PCI incident response plans for your network environment. A good PCI incident response plan will outline specific procedures and policies to follow as you learn more about the IT security breach. In other words, the nature of the incident symptoms will determine the order in which you follow the procedures and steps defined in your security incident response plan. Since time is critical in order to minimize the damage, less time-consuming procedures and steps should generally be performed before the more lengthy ones.
To help determine the severity of the IT security breach you should consider contacting other members of the Computer security Incident Response Team CSIRT to inform them of your findings and seek for their verifications and results. This is very critical because one or several members of the CSIRT might be aware of a looming potential security breach. Furthermore, the computer security incident response team may help in identifying whether the incident is a false positive. This is because sometimes what appears to be a genuine incident on initial assessment might prove to be a false positive.
You should not overlook any detail including what might seem negligible to you when doing an assessment of the compromise. Therefore, you should determine whether unauthorized hardware had been attached to the network environment or there are any signs of unauthorized access through the IT security controls. Basically, you can save a lot of time and money when responding to security incidents if you identify exactly what has been attacked and what areas of your security incident response plan need to be recovered.
