Today we learned that surveillance video related to Jeffrey Epstein’s apparent suicide attempt in July 2019 supposedly was accidentally deleted. (See this Forbes article and this article from NBC News for more details about the situation.) Errors happen, and files of all types are accidentally deleted from time to time. But a good cybersecurity program should include multiple controls to prevent accidents from causing the permanent loss of critical information and data. If the surveillance video in this situation – or any file – was accidentally deleted and truly is irrecoverable, deep cracks exist in the organization’s approach to information security. Read on for 4 ways in which the deleted Epstein surveillance video highlights gaps in an organization’s cybersecurity program, and what you can do to prevent such nightmares at your organization.
Cybersecurity Failure #1: Flawed Approach to Backups
Imagine what would happen if a clerical error occurred and your bank permanently lost the records of your account, or if an employee in your company’s finance department accidentally dragged a key payroll file into the recycle bin.
Accidental deletions happen, hard drives crash, laptops get stolen, and natural disasters (fires, floods, tornadoes) occur. Since it isn’t possible to prevent these types of events, organizations need to have proper backup systems, policies, and processes in place.
Backup systems can’t be trusted unless they are carefully monitored and periodically tested. We’ve worked with many clients whose backup systems weren’t working properly, but they didn’t discover failures with backups until it was too late.
A good backup strategy involves:
- Creating multiple copies of important data
- Spreading backups across multiple independent systems
- Ensuring there is at least one full backup set stored in a physically remote location
- Continually monitoring and regularly testing backups
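One way to automate the monitoring and testing item above, shown as an added example that is not from the original article. The manifest format, the function names, and the local/offsite labels are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large files (e.g. video) do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source_dir):
    """Record relative path -> SHA-256 at backup time."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backups(manifest, copies, min_intact=2):
    """copies: {name: (directory, is_offsite)}. Returns per-file status and at-risk files."""
    statuses, at_risk = {}, []
    for rel, expected in manifest.items():
        status = {}
        for name, (directory, _) in copies.items():
            target = Path(directory) / rel
            if not target.is_file():
                status[name] = "missing"
            else:
                status[name] = "ok" if sha256_file(target) == expected else "corrupt"
        intact = [n for n, s in status.items() if s == "ok"]
        offsite_ok = any(copies[n][1] for n in intact)
        statuses[rel] = status
        # At risk: too few intact copies, or no intact copy in the remote location.
        if len(intact) < min_intact or not offsite_ok:
            at_risk.append(rel)
    return {"status": statuses, "at_risk": at_risk}

def demo():
    """Constructed data: one source, a local copy and an offsite copy, with induced faults."""
    with tempfile.TemporaryDirectory() as tmp:
        src, local, remote = (Path(tmp) / d for d in ("src", "local", "remote"))
        for d in (src, local, remote):
            d.mkdir()
            (d / "cam01.bin").write_bytes(b"constructed video bytes")
            (d / "payroll.csv").write_bytes(b"id,amount\n1,100\n")
        manifest = build_manifest(src)
        (local / "cam01.bin").write_bytes(b"")   # backup job silently wrote an empty file
        (remote / "payroll.csv").unlink()        # file dropped from the offsite set
        return verify_backups(manifest, {"local": (local, False), "remote": (remote, True)})

if __name__ == "__main__":
    print(demo())
```

Run on a schedule, a check like this surfaces a truncated or missing copy while the original still exists, rather than at restore time.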
Cybersecurity Failure #2: Gaps in Incident Response Planning
The steps for responding to the unexpected loss of critical data – whether from a system crash, cyber-attack, or even user error – should be documented in an organization’s incident response plan.
In addition to the technical steps involved in recovering data, incident response plans should mandate what data and information about incidents should be tracked. For example:
- A description of the incident
- Collection and preservation of relevant artifacts such as log files, system images, and other technical details
- Steps taken to recover data
- Recommendations for changes to the technical infrastructure, policies, procedures, and/or the incident response plan itself to address any gaps uncovered during incident response
Furthermore, incident response plans should be tested periodically via a tabletop exercise, so you don’t have to wait for an actual emergency to surface and address gaps in your organization’s plan.
Cybersecurity Failure #3: Principle of Least Privilege
The principle of least privilege should be a cornerstone of your organization’s cybersecurity program.
Each user account should be granted the minimum set of privileges needed to carry out the job functions of its role. For example, the ability to permanently delete critical organizational data should be extremely limited and granted only to a small collection of high-level administrative accounts that are kept under lock and key.
The principle of least privilege should apply to all systems and all user accounts, regardless of whether the systems are hosted in an on-premises data center or in the cloud.
Cybersecurity Failure #4: Forensics & Data Recovery
In situations where data was deleted and backups are missing, incomplete, or unusable, it is still very likely that the deleted data can be recovered. In fact, permanently deleting data in a manner that cannot be recovered is exceedingly difficult. An ABC News story from 2012 highlights the FBI’s extensive capabilities to recover deleted data to be used in criminal proceedings.
While such techniques should not be relied upon as your primary defense against accidentally deleted files, they are a valid and often-productive approach to data recovery when no other options exist. It is rare that data recovery experts cannot restore accidentally deleted files.
Information Security: Ensuring the Confidentiality, Integrity, and Availability of Information and Data
Information security, after all, is about ensuring the confidentiality, integrity, and availability of information and data. Hackers and data breaches are constantly in the news, but the more mundane, low-level threats such as theft of a laptop or the accidental deletion of a critically important file occur much more frequently.
Your organization’s information security program should provide protections against any type of threat, whether accidental or malicious. If not, it’s time for an upgrade.