
Remediation from Data Loss

Senior Director, Digital Forensic & E-Discovery

So you’ve experienced a data loss. The process was probably quite daunting. It started with the realization that something was amiss. Perhaps it was a computer that wasn’t working right, heavy network activity coming from that machine, or the fact that it was constantly rebooting. Maybe it was a phone call from a vendor to tell you that they found your data posted on the internet. Maybe it was law enforcement calling to say that your computers were a launching point for a hacking attack on another company. Or maybe it was the bank calling to say that your account was overdrawn.

Data breaches are a common occurrence, more common than the press reports, because many data breaches are never reported. Many are swept under the rug, disregarded or investigated without anyone knowing. The data breach might involve client account information. It may involve proprietary project or business plans. It might involve usernames and passwords that allow access to banking accounts.

My point is that data breaches come in many different forms, in how they occur and in how one is notified about them. Either way, it is not a fun situation. It definitely is not a situation one wants to experience a second time. So how does one get remediation from data loss?

The path to avoiding a data breach almost brings us full circle back to the article where we discussed pre-breach assessments. The only difference this time is that you can concentrate more closely on exactly how the breach occurred. Perhaps you already had an audit of your systems. A data breach is a perfect, albeit painful, way to come to grips with what data was stolen and how it was stolen, and to learn from it. The first step of data breach recovery is to consider how it happened in the first place.

  1. Was it the result of social engineering? No matter how hardened you can make your systems and how protected you can make your data, you still have users that interact with those systems and data. Those users serve as an entry point to those systems and data. Social engineering is often the most overlooked weakness in a computer network, yet it is one of the most common ways that hackers get into a network. Whether it is through phishing emails (emails impersonating the sender and enticing a recipient to click a link or open an attachment), convincing phone calls or malicious websites, social engineering will always be a major weakness.
  2. Did you miss a server in the audit? In a large organization, it can sometimes seem as if one has more servers than employees! Email servers, file servers, web servers, application servers, database servers; they are all over. Even when IT is queried for an accounting of servers on the network, they may not be certain of everything that they have. Vestige has received calls about rogue IT employees or contractors that set up a server, put it in the wrong location or left it with “test data”. When one says “test data” with the air quotes, they are really talking about live data that someone borrowed for the purpose of testing an application with more bugs than a motel I stayed in once during college. The point is that the data breach can help a company really understand what servers it has and what the policies are in regards to those servers.
  3. Was it a third party? In today’s global economy, companies depend heavily on vendors and partners to produce a widget or sell a service. For seamless integration, companies will share customer data, intellectual property or other important data with third party entities. Often that sharing is done without any consideration as to how the third party is going to protect the data. Or maybe there is a consideration, but there sure wasn’t any follow-up to see if the consideration was followed through.
  4. Was it the result of a stolen device? “The dog ate my homework” has been replaced by “I left my computer in the cab”. Whether it is a contractor or an employee, anyone carrying your data on a laptop, cell phone or tablet is a potential weakness.

Next one wants to consider the what. What data did you have that you thought was not important but turned out to be very important? Was the important data something you thought was encrypted but in reality was in plain text? Was the data something you never considered important, such as voicemails, only to learn that clients may have left their names, account numbers and other sensitive data in those voicemails?

Vestige was once called to assist in a data recovery project. Our client was a company that was heavily dependent on a database application. In fact, the president of the company said that if the database was lost, they might as well close up shop. At weekly meetings, the president would turn to IT and ask if the database was being backed up, to which the IT person would answer “yes”. When the server on which the database was stored all of a sudden had a hardware failure that resulted in a loss of data, the president was not concerned. He turned to the IT person and stated “we’ll just restore it from backup”. However, what the president learned was that while the database was being backed up, it was being backed up to the same device on which the database existed. So not only was the database at risk of being lost, but so was the backup.

Why tell this story? The story illustrates a great point that is relevant to the discussion at hand. Asking someone whether your data or systems are protected is only so reliable. There can be a miscommunication between the interrogator and the person answering. There might be a misrepresentation by a careless employee. Finally, it might just be a situation of “I thought it was set up that way”. The point is that the remediation stage of a data breach is the perfect time to assume nothing and test all.

If you haven’t hired a consultant to provide an outsider’s point of view on your data security, the remediation phase is the perfect time to wake up and smell the coffee. An outsider is less likely to take personal accounts at face value. An outsider is more likely to question first and believe later. An outsider is likely to look at how you are protecting your data and provide a different way of thinking about protecting that data.

I will leave you with one more client story about how you can turn remediation into a win. A company contacted us because client financial data was left exposed on an unprotected server. The immediate result of their acknowledging and reporting the breach was that they lost clients. However, they decided that it wasn’t good enough to only learn what happened. The company decided that they wanted to remediate the situation and understand what they could do better going forward. The company hired Vestige to perform technology audits and offer recommendations as to what the company could do to improve their data posture. The company then took those reports and remediation suggestions, acted upon them and used that to market to new clients about how the phoenix rose from the ashes and that they were now serious about their clients’ data. The result was that our client was able to capture clients that they weren’t able to get before. Not only that, but the company was also able to increase their client base and revenue. Our client was able to show that they learned from their mistakes, had followed the data breach remediation process and were taking their data seriously.

Contact Vestige to learn more about data breach investigation and data loss prevention.

by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations