Is staging necessary rather than a single return-to-work day to manage capacity?
Does security need to reposition tools and staffing to handle volume? Customer-friendly and speedy processes will encourage compliance and participation.
Should IT security partner with risk management, HR and operations on the staggered return of teams to control intake?
Does the service desk have an ample number of “hot swaps” ready for assets that cannot be returned to service and must get replaced?
Do you have a training program for device evaluation, data preservation, device cleanup/restoration?
Does IRT/SOC have a plan expecting to see a potential spike in events as devices are added back to the network?
Have you verified that resources on retainer are ready (e.g. forensic, incident response)?
Have DLP tools been tuned for possible exfiltration attempts?
Have all assets on the organization’s internal networks received their regularly scheduled security updates before allowing previously remote assets back onto the network?
Do you have a system for recordkeeping?
Will you establish a quarantine network and what does the clean-bill-of-health look like?
Should the company reset all credentials as policy?
Should the staggered return get tied to data classification as well as role-in-company?
Is there a shredder campaign for all the printed materials at home?
Should the company distribute data-gathering questionnaires prior to asset return?
Should an audit of data controls occur and how?
Have you checked for compromised BIOS or fileless malware?
Will the company collect data for research or preservation for potential forensic value?
Did the user have access to information classified by the organization as confidential or secret?
Was the device under management?
Has this device been connected to wireless networks?
Have any of those been public networks?
Were any files stored locally that must be preserved?
Were any files preserved/stored/backed-up on a removable device?
Has the device received regular endpoint detection signatures?
How long has the asset been running without a restart?
Was the device monitored for security events while remote, and were any detected?
Are there physical documents to preserve or destroy?
Was any device not issued by the organization plugged into a USB port while remote?
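The per-device questions above can be turned into a repeatable triage decision so that the help desk handles every returning asset the same way. The following is an added example, not part of the original checklist: it scores the questionnaire answers and picks a handling path (full forensic image and reimage, monitored reboot plus scan, or the standard quarantine checks) together with the actions the technician must complete. The weights, the 30-day restart threshold, the role names and the sample intake are assumptions chosen for illustration.

```python
"""Intake triage for a device returning from remote work.

Added example, not part of the original checklist: it turns the
per-device questionnaire answers into a handling path and a list of
required actions. The weights, the 30-day restart threshold and the
role names are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Assumption: a device that has not restarted in this many days is treated
# as stale (pending updates never applied, long-lived memory-resident state).
MAX_DAYS_WITHOUT_RESTART = 30

# Assumption: users whose devices always get a full image and reimage.
HIGH_VALUE_ROLES = {"executive", "key_personnel"}


@dataclass
class DeviceIntake:
    """Answers gathered by the pre-return questionnaire for one asset."""
    asset_tag: str
    user_role: str                  # e.g. "executive", "staff"
    managed: bool                   # was the device under management?
    confidential_access: bool       # access to confidential/secret data?
    public_wifi: bool               # joined any public wireless network?
    local_files_to_preserve: bool
    removable_media_used: bool      # files stored/backed up on removable media?
    foreign_usb_device: bool        # non-organization device plugged into USB?
    edr_signatures_current: bool    # endpoint detection signatures up to date?
    days_since_restart: int
    remote_security_events: int     # events detected while remote
    physical_documents: bool        # printed material to preserve or destroy?


@dataclass
class TriageResult:
    asset_tag: str
    path: str                       # "forensic_image", "reboot_and_scan" or "standard"
    score: int
    actions: List[str] = field(default_factory=list)


def risk_score(d: DeviceIntake) -> int:
    """Weighted sum of the questionnaire answers (weights are assumptions)."""
    score = 0
    if d.user_role in HIGH_VALUE_ROLES:
        score += 10          # always crosses the imaging threshold
    if d.remote_security_events > 0:
        score += 4
    if d.confidential_access:
        score += 3
    if not d.managed:
        score += 3
    if d.foreign_usb_device:
        score += 3
    if d.public_wifi:
        score += 2
    if not d.edr_signatures_current:
        score += 2
    if d.days_since_restart > MAX_DAYS_WITHOUT_RESTART:
        score += 1
    return score


def triage(d: DeviceIntake) -> TriageResult:
    """Choose a handling path and the actions the help desk must complete."""
    score = risk_score(d)
    if score >= 8:
        path = "forensic_image"
    elif score >= 4:
        path = "reboot_and_scan"
    else:
        path = "standard"

    # Every returning device goes through quarantine, a second-opinion
    # scan and a cookie purge before it regains normal network access.
    actions = ["quarantine_network", "second_opinion_malware_scan", "remove_cookies"]

    if path == "forensic_image":
        actions = ["image_memory", "image_disk", "chain_of_custody_form", "reimage"] + actions
    else:
        # Devices that are not imaged get a monitored reboot (sniffer attached)
        # to check for firmware-level tampering.
        actions.insert(0, "reboot_with_sniffer")

    if d.local_files_to_preserve:
        actions.append("preserve_local_files")
    if d.removable_media_used:
        actions.append("collect_removable_media")
    if d.physical_documents:
        actions.append("shred_or_archive_documents")
    if not d.edr_signatures_current:
        actions.append("update_edr_signatures")
    return TriageResult(d.asset_tag, path, score, actions)


if __name__ == "__main__":
    # Constructed sample intake for a staff laptop, not real data.
    sample = DeviceIntake("LT-0042", "staff", managed=True, confidential_access=True,
                          public_wifi=True, local_files_to_preserve=True,
                          removable_media_used=False, foreign_usb_device=False,
                          edr_signatures_current=False, days_since_restart=10,
                          remote_security_events=0, physical_documents=False)
    print(triage(sample))
```

The score thresholds are the tunable part: raising the imaging threshold trades forensic coverage for help-desk throughput, which is exactly the capacity question the staggered-return planning above has to answer.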
Image memory contents, if possible.
Perform a forensically sound image process.
Attach chain of custody form.
Create images for analysis.
If possible, image each one for research purposes and reimage – especially for executives and key personnel.
If it’s not possible, or there are too many, perform a reboot with a sniffer attached to ensure a BIOS modification does not exist.
Run a malware scan using at least one different tool/agent than the one that’s currently installed.
Remove all cookies.
Add the computers to the network under Active Directory quarantine or an equivalent process, such that they have limited network access to required services but can still be evaluated by help desk/security ops.
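A forensically sound image is only as good as the record that proves it has not changed since acquisition. The block below is an added example, not part of the original checklist: it hashes an image file with SHA-256 at acquisition time, keeps a chain-of-custody record as an append-only list of events (acquired, transferred, verified), and re-verifies the image before analysis so that a single altered byte is caught. The JSON record layout, the file names and the constructed sample image are assumptions chosen for illustration.

```python
"""Hash verification and chain-of-custody record for a forensic image.

Added example, not from the original checklist. It assumes the image is an
ordinary file on disk; the record format (JSON with a list of custody
events) is an assumption chosen for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Any, Dict


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def new_custody_record(asset_tag: str, image_path: str, examiner: str,
                       image_kind: str) -> Dict[str, Any]:
    """Create the record at acquisition; the hash taken here is the reference."""
    return {
        "asset_tag": asset_tag,
        "image_kind": image_kind,          # "memory" or "disk"
        "image_file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "events": [{"time": _now(), "action": "acquired", "by": examiner}],
    }


def record_transfer(record: Dict[str, Any], from_person: str, to_person: str) -> None:
    """Append a hand-over; custodian changes are logged, never overwritten."""
    record["events"].append({"time": _now(), "action": "transferred",
                             "from": from_person, "to": to_person})


def verify_image(record: Dict[str, Any], image_path: str) -> bool:
    """Re-hash the image and compare with the acquisition hash and size."""
    ok = (os.path.getsize(image_path) == record["size_bytes"]
          and sha256_file(image_path) == record["sha256"])
    record["events"].append({"time": _now(), "action": "verified", "result": ok})
    return ok


def save_record(record: Dict[str, Any], path: str) -> None:
    """Persist the record next to the image so it travels with the evidence."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2)


def demo() -> Dict[str, Any]:
    """Constructed walk-through: acquire, transfer, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "LT-0042-mem.raw")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image")   # not a real capture
        rec = new_custody_record("LT-0042", img, "examiner-a", "memory")
        record_transfer(rec, "examiner-a", "analyst-b")
        intact = verify_image(rec, img)
        # Simulate a single flipped byte in the stored image.
        with open(img, "r+b") as f:
            f.seek(0)
            f.write(b"\x01")
        tampered_detected = not verify_image(rec, img)
        save_record(rec, os.path.join(tmp, "LT-0042-mem.custody.json"))
        return {"intact": intact, "tampered_detected": tampered_detected,
                "events": len(rec["events"]), "image_file": rec["image_file"]}


if __name__ == "__main__":
    print(demo())
```

Size is checked before the hash so that an obviously truncated image fails fast; the hash comparison is what actually proves integrity. In practice the record is written alongside the image as soon as acquisition finishes, before the device leaves the technician's hands.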