Effective Ways for Accounting Professionals to Respond to a Data Breach: Part 2
If your security is breached by hackers, it's crucial to respond as quickly as possible. But do you know what to do to recover? Expert Danny Severns reviews how to dig deeper and other crucial post-breach steps in the second of a two-part series on protecting yourself against hackers.
Continuing from part one, "What's the Best Way to Respond to Being Hacked?" I'll talk about how you can investigate whether or not your data is compromised on your own and discuss some effective ways to recover.
How to Dig Deeper on Your Own
Your ability to perform the above steps depends on how your system is set up and on your doing a little detective work. If you have File History turned on (Control Panel > File History), Windows automatically backs up your files and directories as they change. Go to the drive where the files are being backed up; you should see a folder named “File History.” Using File Explorer, navigate to the directory or folder where the file of interest resides, right-click it and choose Properties from the pop-up menu. On the Details tab, look toward the bottom for Date Accessed and its time. Then, still using File Explorer, go to the location of the live file in your working directory, typically on the C: drive, and do the same thing to see the Date Accessed and time on the live file. If the live file’s Date Accessed is the current day or the previous night, and the date and time on the same file in File History are earlier than that (and you know the file hasn’t been used by its application), the file must have been copied or accessed by some other procedure or process.
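The comparison just described, done in one step for a file and all of its File History copies rather than by hand in File Explorer. This is an added example and not part of the article; it assumes File History lays its copies out as <backup drive>\FileHistory\<user>\<computer>\Data\<drive letter>\<original path> with a "(yyyy_MM_dd HH_mm_ss UTC)" suffix on each copy's name, and the two paths at the bottom are hypothetical. It also performs the check a practitioner would want first: whether NTFS is recording last-access times at all, since if it is not, the Date Accessed comparison proves nothing.

```powershell
# Added example, not from the article: compare a live file's timestamps with the
# copies Windows File History keeps of it.
# Assumptions (adjust to your machine):
#   * File History stores copies as
#       <backup drive>\FileHistory\<user>\<computer>\Data\<drive letter>\<original path>
#     and names each copy "<name> (yyyy_MM_dd HH_mm_ss UTC)<extension>".
#   * The two paths passed at the bottom are hypothetical.

# NTFS can be configured not to record last-access times at all. If this reports
# that last-access updates are disabled (values 1 or 3), the Date Accessed
# comparison tells you nothing and you must rely on other evidence.
fsutil behavior query DisableLastAccess

function Compare-FileHistoryTimes {
    param(
        [Parameter(Mandatory)] [string]$LiveFile,
        [Parameter(Mandatory)] [string]$HistoryRoot
    )

    $live = Get-Item -LiteralPath $LiveFile

    # C:\Users\Jane\Documents  ->  <HistoryRoot>\C\Users\Jane\Documents
    $relativeDir = $live.DirectoryName -replace '^([A-Za-z]):\\', '$1\'
    $historyDir  = Join-Path -Path $HistoryRoot -ChildPath $relativeDir
    if (-not (Test-Path -LiteralPath $historyDir)) {
        Write-Warning "No File History folder for '$($live.DirectoryName)' under '$HistoryRoot'"
        return
    }

    # Match every backup copy of this one file by its timestamped name
    $namePattern = '^' + [regex]::Escape($live.BaseName) +
                   ' \(\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2} UTC\)' +
                   [regex]::Escape($live.Extension) + '$'
    $copies = @(Get-ChildItem -LiteralPath $historyDir -File |
                Where-Object { $_.Name -match $namePattern } |
                Sort-Object LastWriteTime)

    if ($copies.Count -eq 0) {
        Write-Warning "No File History copies of '$($live.Name)' found in '$historyDir'"
        return
    }

    # Show the live file and each backup copy side by side
    $rows = @()
    $rows += [pscustomobject]@{ Source = 'Live'; Name = $live.Name; Accessed = $live.LastAccessTime; Written = $live.LastWriteTime }
    foreach ($c in $copies) {
        $rows += [pscustomobject]@{ Source = 'File History'; Name = $c.Name; Accessed = $c.LastAccessTime; Written = $c.LastWriteTime }
    }
    $rows | Format-Table -AutoSize

    # The article's test: the live file was accessed more recently than it was
    # written and more recently than the newest backup copy. Something other than
    # a save opened it; confirm the application did not, then treat it as suspicious.
    $newest = $copies[-1]
    if ($live.LastAccessTime -gt $live.LastWriteTime -and $live.LastAccessTime -gt $newest.LastAccessTime) {
        Write-Warning ("'{0}' was accessed at {1} without being modified; the newest File History copy shows {2}." -f
                       $live.Name, $live.LastAccessTime, $newest.LastAccessTime)
    } else {
        Write-Host "No unexplained access to '$($live.Name)' since its last File History copy."
    }
}

# Hypothetical paths; replace with your own file and backup drive
Compare-FileHistoryTimes -LiveFile 'C:\Users\Jane\Documents\Clients\Ledger.xlsx' `
                         -HistoryRoot 'E:\FileHistory\Jane\JANE-PC\Data'
```

Run it in a PowerShell window on the machine holding the File History drive. A warning from the function is a lead, not proof: an antivirus scan, a search indexer or a backup agent can also read a file without writing it, so rule those out before concluding that something copied the file.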
Other sources for discovery and analysis are the system event logs, network logs and application logs. All of these can be examined for suspicious events and messages. Here’s how: open the Event Viewer (START > SEARCH and type “Event Viewer”). On the Event Viewer screen you can access many different logs; the key ones are System and Security under the Windows Logs category. The recorded events can be viewed in place or exported to a spreadsheet so you can slice and dice the data to look for pertinent line items.
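The export described above, scripted so that the Security and System logs are filtered down to the event types that matter in a breach review and written to a CSV for the spreadsheet. This is an added example, not the article's own material; the event IDs are standard Windows IDs, while the 24-hour window, the noise filter and the output path are assumptions. It has to run from an elevated PowerShell window because a standard user cannot read the Security log.

```powershell
# Added example, not from the article: pull security-relevant events from the
# Security and System logs for a recent window and write them to a CSV you can
# sort and filter in a spreadsheet. Run from an elevated PowerShell window.
# The event IDs are standard Windows IDs; the time window and output path are assumptions.

function Get-SuspiciousEvents {
    param(
        [int]$Hours = 24,
        [string]$OutCsv = "$env:USERPROFILE\Desktop\event-review.csv"   # hypothetical path
    )
    $since = (Get-Date).AddHours(-$Hours)

    # What each ID means, so the spreadsheet is readable without looking them up
    $meaning = @{
        4624 = 'Logon succeeded';             4625 = 'Logon failed'
        4648 = 'Logon with explicit credentials'
        4672 = 'Admin privileges assigned at logon'
        4698 = 'Scheduled task created';      4720 = 'User account created'
        4732 = 'Member added to local group'; 1102 = 'Security log cleared'
        7045 = 'New service installed';       104  = 'System log cleared'
        6008 = 'Unexpected shutdown';         1074 = 'Shutdown/restart requested by a process'
    }

    $security = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; StartTime = $since
        Id = 4624, 4625, 4648, 4672, 4698, 4720, 4732, 1102
    } -ErrorAction SilentlyContinue

    $system = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; StartTime = $since
        Id = 7045, 104, 6008, 1074
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in @($security) + @($system)) {
        if ($null -eq $e) { continue }
        # Drop routine noise from 4624: service logons (type 5) and computer accounts (name ends in $)
        if ($e.Id -eq 4624) {
            $logonType = [int]$e.Properties[8].Value
            $account   = [string]$e.Properties[5].Value
            if ($logonType -eq 5 -or $account.EndsWith('$')) { continue }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Id      = $e.Id
            Meaning = $meaning[$e.Id]
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the event text
        }
    }

    $rows | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
    Write-Host "$(@($rows).Count) events written to $OutCsv"
    $rows
}

# Review the last day and show a count per event type; widen the window if the problem began earlier
Get-SuspiciousEvents -Hours 24 |
    Group-Object Meaning | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

A cleared log (1102 or 104), a new service or scheduled task you did not create, or a run of failed logons followed by a success are the line items worth reading first in the exported sheet. Failed and explicit-credential logons are only recorded if logon auditing is enabled on the machine, so an empty result for those IDs is not by itself reassuring.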
If you or your technical adviser determines a breach has occurred and it involves credit/debit cards, bank accounts or payment services like PayPal, you need to contact the company or organization involved and let them know the account(s) may be compromised. The organization may cancel the cards and issue new ones or close accounts and open new ones.
You certainly should notify your employer if a breach occurs so they can start their own investigation into their server and network security to see if the hacker accessed the employer’s systems through your PC.
The point here is that many things can be done to determine if you may be dealing with a breach or an operating system, application or hardware problem. If, based on your evaluation, you find no explanation and the problem persists, then you should get technical help.
There are many procedures to perform in a complete forensic analysis of your system and network. They should be performed by a forensic specialist to determine the exact entry point, the extent of the damage and the best recovery method.
How to Recover
If you decide to at least attempt to deal with the breach yourself, your first action will be to wipe the drive clean by reformatting it. Then reload the system and restore your current data from your most recent backup, which hopefully was performed the prior evening. If you restore from a backup created before the current day, you should lose no more than today’s data. If you do not perform real-time, continuous backups (backups that update as files are added, deleted and changed), hopefully you at least perform nightly ones.
Backups have never been more important than they are today. If you clone your hard disk, you can pop in the clone and be back up and running very quickly, then load current data from your daily backups. However, if, as mentioned above, the ransomware was downloaded weeks or months before it activated, your disk clone or Windows image may also be infected. This kind of problem is why you need a good backup and media-rotation plan.
If the breach is not ransomware, perform a thorough or full scan of all your drives using your antivirus or anti-malware software. If the software finds suspicious programs, scripts or data files, you should have it repair the infected files (removing the malware and restoring each file to its original state) and/or quarantine them. In the latter case, you can replace those files from a backup. After that, I think it is a good idea to delete the quarantined files.
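The full scan and the review of what it found, as an added example that is not from the article, using Microsoft Defender Antivirus as the assumed product (other products ship their own command-line tools). It runs from an elevated PowerShell window, reports each detection with the files, registry keys or processes involved and whether Defender's action succeeded, and finishes by listing the quarantine, which is the set of files you would replace from backup.

```powershell
# Added example, not from the article: run a full scan with Microsoft Defender
# Antivirus, then list what it found, where, and what it did about it.
# Assumptions: Defender is the installed product; run from an elevated PowerShell window.

function Invoke-FullScanAndReport {
    # Pull the latest signatures first; an old signature set misses recent malware
    Update-MpSignature -ErrorAction Continue

    # Full scan of every fixed drive. This blocks until it finishes, often for hours.
    Start-MpScan -ScanType FullScan

    # Threat catalogue entries (name, severity) keyed by ThreatID
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    # One row per detection: what was found, which resources, and the outcome
    $report = foreach ($d in Get-MpThreatDetection) {
        $t = $threats[$d.ThreatID]
        [pscustomobject]@{
            Detected  = $d.InitialDetectionTime
            Threat    = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
            Severity  = if ($t) { $t.SeverityID } else { $null }
            Resources = ($d.Resources -join '; ')   # files, registry keys, processes involved
            Process   = $d.ProcessName
            Succeeded = $d.ActionSuccess             # $false means Defender could not complete its action
        }
    }
    $report | Sort-Object Detected -Descending
}

$findings = Invoke-FullScanAndReport
$findings | Format-Table -AutoSize

# Everything Defender has quarantined; these are the files you replace from a clean backup
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

Keep the report output (for instance with `$findings | Export-Csv`) before cleaning up: the resource paths and process names are what you will need later to work out the entry point and to tell affected organizations what was touched.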
If the virus software scan does not find anything, you still could have an undetected infection or breach. There also could be some type of corruption in the OS or an application that is causing the system problem. In this case, restore the OS instead of spending more time trying to determine the exact problem.
It is beyond the scope of this article to cover backup/restore procedures, but I will make a few comments just to point you in the right direction. To restore the OS, boot from your Windows Startup Repair disc. After the system boots, select Troubleshoot > Advanced Options > Startup Repair. If the repair disc cannot fix the problem, it will say so; in that case, select System Restore from the Advanced Options menu. You will then select a Restore Point, assuming you have System Protection turned on. If System Protection is turned off, you will not be able to restore from a previous Restore Point; in that case, you should turn it on as further protection going forward.
The last option I will mention is a disk scan. If you can boot your PC, even if only into Safe Mode, go to the START menu. In the Search field, type “cmd”; on the menu, select “Run as administrator,” and a Command Prompt window will open. At the prompt, type “sfc /scannow”, which runs the Windows System File Checker.
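The two recovery checks above, scripted as an added example that is not from the article: first confirm that System Protection actually has restore points to fall back on (and how to turn it on if it does not), then run the System File Checker from an elevated PowerShell window and pull its findings out of the CBS log rather than reading the whole file. It assumes a Windows client edition and Windows PowerShell 5.1.

```powershell
# Added example, not from the article: check System Protection restore points,
# then run sfc /scannow and extract its [SR] findings from CBS.log.
# Assumptions: Windows client edition, Windows PowerShell 5.1, elevated window.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RestorePointStatus {
    # Get-ComputerRestorePoint lists System Protection restore points on client editions
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    if ($points.Count -eq 0) {
        Write-Warning 'No restore points exist; System Protection is probably off.'
        Write-Warning 'Turn it on for the system drive with:  Enable-ComputerRestore -Drive "C:\"'
        return
    }
    $points | Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

function Invoke-SystemFileCheck {
    if (-not (Test-IsAdministrator)) {
        throw 'sfc needs an elevated window: right-click PowerShell and choose "Run as administrator".'
    }

    # sfc prints its own progress. In some PowerShell hosts the text appears with a
    # space between every letter; that is an output-encoding quirk, not a scan problem.
    & "$env:SystemRoot\System32\sfc.exe" /scannow
    $exitCode = $LASTEXITCODE

    # sfc records what it verified and repaired in CBS.log, tagged [SR]
    $cbsLog  = "$env:SystemRoot\Logs\CBS\CBS.log"
    $srLines = Select-String -Path $cbsLog -Pattern '\[SR\]' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Line

    # Keep the lines about repairs, unrepairable files and the final summary
    $notable = $srLines | Where-Object {
        $_ -match 'Repairing|Cannot repair|corrupt|Verify complete|Repair complete'
    } | Select-Object -Last 40

    [pscustomobject]@{
        ExitCode     = $exitCode
        LogFile      = $cbsLog
        NotableLines = $notable
    }
}

Get-RestorePointStatus | Format-Table -AutoSize
$result = Invoke-SystemFileCheck
$result.NotableLines
```

A "Cannot repair" line means sfc found a protected system file it could not restore from the component store; on a machine you already suspect is compromised, that is a reason to stop repairing in place and go to the reformat-and-restore path described earlier rather than keep running the system.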
Data or system breaches are serious problems and can be terribly disruptive and costly. If you suspect your system has been infected or breached and do not feel equipped to deal with it, get a professional. It is important to determine, if possible, the cause of the problem, the hacker’s entry point and what has been affected by the breach, in order to know what remedies should be taken to prevent future attacks of the same nature. It is also crucial to know what was affected in order to clean up the system, thoroughly remove all the malware and properly restore the system, applications and data. Knowing the nature of the attack and the affected data also enables you to notify the related organizations so they can take appropriate action. Using the internet is constantly growing more dangerous and costly, and you should spend the time to implement all the protective measures available.
Danny is a professional with a unique blend of skills and expertise combining Financial management, Software development, and Digital transformation and modernization. As a CPA, he has extensive experience in Auditing, Tax, and Consulting with clients of all sizes in a variety of industries. In private industry, he gained deep experience in...