
What to Do after a Data Breach: 3 Steps to Recover without a Pro

Updated: 2021-12-07 18:46:04
Cybersecurity All-in-One For Dummies
Data breaches are dreaded by most cybersecurity professionals and organizations. In fact, much of the planning that is done in the cybersecurity world is an attempt to prevent such an event from occurring. But the best-laid cybersecurity plans often go awry.

If you cannot bring in a pro, follow the steps below. They are essentially the ones most cybersecurity professionals follow:

  1. Figure out what happened (or is happening).
  2. Contain the cyberattack.
  3. Terminate and eliminate the cyberattack.

Step 1: Figure out what happened or is happening with the cyberattack

You want to figure out as much about the cyberattack as you can so that you can respond accordingly. If an attacker is transferring files from your computer to another device, for example, you want to disconnect your device from the internet ASAP.

That said, most home users do not have the technical skills to properly analyze and understand exactly what the nature of a particular cyberattack may be — unless, of course, the attack is overt in nature.

Gather as much information as you can about

  • What happened to cause the cyberattack
  • What information systems and databases were hit
  • What a criminal or other mischievous party could do with the stolen material
  • Who, besides yourself, may face risks because of the data breach (this includes any potential implications for your employer)

Do not spend a lot of time on this step — you need to take action, not just document — but the more information that you do have, the greater the chances that you will be able to prevent another similar cyberattack in the future.

Step 2: Contain the cyberattack

Cut off the attacker by isolating him or her from the compromised devices. Containing may entail:

  • Terminating all network connectivity ASAP: To terminate network connectivity for all devices on a network, turn off your router by unplugging it. (Note: If you’re in a business setting, this step is usually not possible.)
  • Unplugging any Ethernet cables: Understand, however, that a network-borne cyberattack may have already spread to other devices on the network. If so, disconnect the network from the internet and disconnect each device from your network until it is scanned for security problems.
  • Turning off Wi-Fi on the infected device: Again, a network-borne attack may have already spread to other devices on the network. If so, disconnect the network from the internet and disconnect each device from your network by turning off Wi-Fi at the router and any access points, not just on the infected computer.
  • Turning off cellular data: In other words, put your device into airplane mode.
  • Turning off Bluetooth and NFC: Bluetooth and NFC are both wireless communication technologies that work with devices that are in close physical proximity to one another. All such communications should be blocked if there is a possibility of infections spreading or hackers jumping from device to device.
  • Unplugging USB drives and other removable drives from the system: Note: The drives may contain malware, so do not attach them to any other systems.
  • Revoking any access rights that the attacker is exploiting: If you have a shared device and the attacker is using an account other than yours to which he or she somehow gained authorized access, temporarily set that account to have no rights to do anything.

If, for some reason, you need internet access from your device in order to get help cleaning it up, turn off all other devices on your network, to prevent any cyberattacks from spreading over the network to your device.

Keep in mind that such a scenario is far from ideal. You want to cut off the infected device from the rest of the world, not just sever the connections between it and your other devices.

Step 3: Terminate and eliminate the cyberattack

Containing a cyberattack is not the same thing as terminating and eliminating an attack. Malware that was present on the infected device is still present after disconnecting the device from the internet, for example, as are any vulnerabilities that a remote hacker or malware may have exploited in order to take control of your device. So, after containing the cyberattack, it is important to clean up the system.

The following describes some steps to follow at this point:

Boot the computer from a security software boot disk

If you have a security software boot disk, boot from it. Most modern users will not have such a disk. If you do not, move to the next section.

  1. Remove all USB drives, DVDs, CDs, floppies (yes, some people still have them), and any other external drives from your computer.
  2. Insert the boot disk into the CD/DVD drive.
  3. Shut down your computer.
  4. Wait ten seconds and push the power button to start your computer.
  5. If you are using a Windows computer and it does not boot from the CD, turn the machine off, wait ten seconds, and restart it while pressing the BIOS-boot button (different computers use different buttons, but most use some F-key, such as F1 or F2) to go into the BIOS settings and set it to boot from the CD if a CD is present, before trying to boot from the hard drive.
  6. Exit the BIOS and reboot.

If you’re using a Windows PC, boot the computer in Safe Mode. Safe Mode is a special mode of Windows that allows only essential system services and programs to run when the system starts up. To do this, follow these steps:

  1. Remove all USB drives, DVDs, CDs, floppies (yes, some people still have them), and any other external drives from your computer.
  2. Shut down your computer.
  3. Wait ten seconds and push the power button to start your computer.
  4. While your computer is starting, press the F8 key repeatedly to display the Boot Options menu.
  5. When the Boot Options menu appears, select the option to boot in Safe Mode.

If you’re using a Mac, boot it with Safe Boot. macOS does not provide the full equivalent of Safe Mode. Macs always boot with networking enabled. Its Safe Boot does, however, boot cleaner than a normal boot. To Safe Boot, follow these steps:

  1. Remove all USB drives, DVDs, CDs, floppies (yes, some people still have them), and any other external drives from your computer.
  2. Shut down your computer.
  3. Wait ten seconds and push the power button to start your computer.
  4. While your computer is starting, hold down the Shift key.

Older Macs (macOS versions 6–9) boot into a special superuser mode without extensions if a user presses the hold key during reboot. The advice to boot with Safe Boot applies only to Macs running more recent operating systems.

Backup

If you have not backed up your data recently, do so now. Of course, backing up a compromised device is not necessarily going to save all of your data (because some may already be corrupted or missing), but if you do not already have a backup, make one now — ideally by copying your files to an external USB drive that you will not attach to any other devices until it is properly scanned by security software.

Delete junk (optional)

At this point, you may wish to delete any files that you do not need, including any temporary files that have somehow become permanent.

Why do the deletion now?

Well, you should be doing periodic maintenance, and, if you are cleaning up your computer now, now is a good time. The less there is for security software to scan and analyze, the faster it will run. Also, some malware hides in temporary files, so deleting such files can also directly remove some malware.

For users of Windows computers, one easy way to delete temporary files is to use the built-in Disk Cleanup utility:

  1. Click on the Start menu.
  2. Click on Programs (or All Programs).
  3. Click on Accessories (or Windows Accessories).
  4. Right-click on System Tools.
  5. Click on Accessories (or Windows Accessories).
  6. Click on Disk Cleanup.

Run security software

Hopefully, you already have security software installed. If you do, run a full system scan. One important caveat: Security software running on a compromised device may itself be compromised or impotent against the relevant threat (after all, the data breach took place with the security software running). So, regardless of whether such a scan comes up clean, it may be wise to run the security software from a bootable CD or other read-only media, or, in cases of some products, from another computer on your home network.

Not all brands of security software catch all variants of malware. Security professionals doing a device “cleanup” often run security software from multiple vendors.

If you are using a Mac and your Safe Boot includes internet access, run the security software update routines prior to running the full scan.

Malware, or attackers, may add new files to a system, remove files, and modify files. They may also open communication ports. Security software should be able to address all of these scenarios. Pay attention to the reports issued by the security software after it runs.

Keep track of exactly what it removes or repairs. This information may be important, if, for example, some programs do not work after the cleanup. (You may need to reinstall programs from which files were removed or from whose malware-modified files malware was removed.) Email databases may need to be restored if malware was found within messages and the security software was unable to fully clean the mess up.
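If you want your own record alongside the security software's report, the following added example (not from the book) fingerprints every file in a folder before and after the cleanup and lists what was added, removed, or modified. The folder, file names, and contents in `demo()` are constructed stand-ins for a real program directory.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as handle:
                    for chunk in iter(lambda: handle.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def compare(before, after):
    """Report which files were added, removed or modified between snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo():
    """Constructed sample: a temp folder stands in for a program directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        write("app.exe", b"program with injected code")   # constructed
        write("helper.dll", b"dropped by malware")        # constructed
        write("notes.txt", b"my notes")                   # constructed
        before = snapshot(root)
        # Simulate what a cleanup might do: repair one file, delete another,
        # and write its own report.
        write("app.exe", b"program")
        os.remove(os.path.join(root, "helper.dll"))
        write("scan-report.log", b"1 repaired, 1 removed")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Programs whose files show up as removed or modified are the ones most likely to need reinstalling. Keep the "before" snapshot somewhere other than the compromised device.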

Security software report information may also be useful to a cybersecurity or IT professional if you end up hiring one at a later date. Also, the information in the report may provide you with clues as to where the cyberattack started and what enabled it to happen, thereby also helping to guide you on preventing it from recurring.

Security software often detects, and reports about, various non-attack material that may be undesirable due to its impact on privacy or its potential to solicit a user with advertisements. You may, for example, see alerts that security software has detected tracking cookies or adware. Neither is a serious problem; however, you may wish to remove adware if the ads bother you.

In many cases you can pay to upgrade the software displaying the ads to a paid version that lacks ads. As far as recovering from a cyberattack is concerned, these undesirable items are not a problem.

Sometimes, security software will inform you that you need to run an add-on in order to fully clean a system. Symantec, for example, offers its Norton Power Eraser, which it says “Eliminates deeply embedded and difficult-to-detect crimeware that traditional virus scanning doesn’t always detect.” If your security software informs you that you need to run such a scanner, you should do so, but make sure that you obtain it from the legitimate, official, original source.

Also, never download or run such a scanner if the instruction to do so comes from anywhere other than your own security software. Plenty of rogue pop-ups will give similar advice, but will install malware if you download the “security software” they promote.

Ideally, these steps will help you move forward, but consulting a cybersecurity professional is also a good idea to ensure you are protected against future attacks.

About This Article

This article is from the book: 

About the book author:

Joseph Steinberg is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP, ISSAP, ISSMP, and CSSLP. Joseph has written several books on cybersecurity, including the previous edition of Cybersecurity For Dummies. He is currently a consultant on information security, and serves as an expert witness in related matters.