Cybersecurity incident and breach response process.

This document describes the process to follow if a cyber breach occurs on the local (EBS) server or in the Veonics Portal.

Insurance and Physical Security


Express Badging Services, Inc. is protected by General Liability, Cyber Security, and Errors and Omissions (E&O) insurance.  Our facility has external CCTV cameras covering our parking lot and building access.  Internal CCTV cameras cover all elevator ingress and egress on all floors. The building is further controlled by a door access control system that restricts public access to the building during defined schedules (business hours) and requires key access afterward. 

  • General Liability $2M/$1M | E&O/Cyber $2M | Workers' Compensation
  • Express Badging Services, Inc. will, as a rule, never work on a customer's premises
  • Our building is secured by schedule-controlled (time-zone) door access with CCTV on all floors

Insurance Process Coverage 


Breach Response Costs, covered by Beazley Insurance Company, Inc., means the following fees and costs incurred by the Insured Organization with the Underwriters' prior written consent in response to an actual or reasonably suspected Data Breach or Security Breach:

  1. for an attorney to provide necessary legal advice to the Insured Organization (eXpress badging) to evaluate its obligations pursuant to Breach Notice Laws or a Merchant Services Agreement;
  2. for a computer security expert to determine the existence, cause, and scope of an actual or reasonably suspected Data Breach, and if such Data Breach is actively in progress on the Insured Organization’s Computer Systems, to assist in containing it;
  3. for a PCI Forensic Investigator to investigate the existence and extent of an actual or reasonably suspected Data Breach involving payment card data and for a Qualified Security Assessor to certify and assist in attesting to the Insured Organization's PCI compliance, as required by a Merchant Services Agreement;
  4. to notify those individuals whose Personally Identifiable Information was potentially impacted by a Data Breach;
  5. to provide a call center to respond to inquiries about a Data Breach;
  6. to provide a credit monitoring, identity monitoring, or other personal fraud or loss prevention solution, to be approved by the Underwriters, to individuals whose Personally Identifiable Information was potentially impacted by a Data Breach; and
  7. public relations and crisis management costs directly related to mitigating harm to the Insured Organization, as approved in advance by the Underwriters at their discretion.

Roles and Responsibilities

  • Disaster Recovery Lead: Leads execution of the Disaster Recovery Plan (DRP), coordinates the Disaster Recovery Team (DRT), and communicates with stakeholders.
  • IT Infrastructure Manager: Responsible for restoring servers, networks, and related infrastructure.

  • Application Support Manager: Handles Veonics Portal recovery and validation issues.

  • Database Administrator: Manages data restoration and integrity checks.

  • Communications Coordinator: Manages internal and external communications during the recovery regarding issue updates, compliance with customer and contractor terms, and legal issues.

  • Assigned Executive: Manages insurance, legal, and larger compliance-related issues.

Communication Plan

Internal Communication:

  • Regular updates to all employees via email and internal messaging platforms.

  • Status meetings held at defined intervals during the recovery process.

External Communication:

  • Timely notifications to clients regarding service disruptions and expected recovery timelines.

  • Designated spokesperson to handle media inquiries and public statements.

Communication Channels:

  • Email, SMS alerts, company website updates, and social media platforms.

Testing and Maintenance

Testing:

  • Conduct semi-annual DRP drills, including tabletop exercises and full-scale simulations.

  • Document outcomes and identify areas for improvement.

Training:

  • Provide annual training sessions for all DRT members.

  • Update training materials to reflect changes in the DRP.

Maintenance:

  • Review and update the DRP annually or after significant changes to the Veonics Portal infrastructure.

  • Ensure all contact information and resource inventories are current.

Event Documentation

  1. Who noticed the breach, and when?
  2. What was the date/time of the first occurrence?
  3. Which services, systems, etc., have been affected?
    1. Hosted AWS (Portal)
      1. Customer Data and Photos
      2. User Credential Theft
      3. Virtual ID
    2. Hosted AWS (Website)
      1. Fraudulent Procurement
      2. Consumer or Payment Data Breach
      3. User Credentials Breach
    3. Hosted CRM (HubSpot)
      1. Data Breach
    4. Hosted Payment and Banking
      1. Banking Account Breach
      2. Credit Card Accounts Breach
      3. Credit Card Processor Breach
    5. EBS Server
      1. Application Breach
        1. Financial/Payment PCI information
        2. QuickBooks software or Payment Processor
    6. Employee information
    7. Corporate Intellectual and Confidential Content

Risk Assessment and Business Impact Analysis (BIA)

Risk Assessment: Identifies potential threats, including:

  • Cyberattacks (e.g., ransomware, DDoS)

  • Natural disasters (e.g., hurricanes, floods)

  • System failures (e.g., hardware malfunctions)

  • Human errors (e.g., accidental data deletion)
    • Sending a document to the wrong recipient
    • Not understanding security protocols and procedures
  • Insider misuse (e.g., intentional data deletion)
    • Working around the permissions or protocols that are in place
    • A disgruntled ex-employee or contractor causing damage (prompt access revocation at termination limits this)

Business Impact Analysis: Determines the potential impact of disruptions.​

  • Recovery Time Objective (RTO): 4 hours

    • Defines the maximum acceptable duration that a system, application, or process can be unavailable after a disruption before causing significant harm to the organization.
  • Recovery Point Objective (RPO): 1 hour

    • Defines the maximum acceptable amount of data loss, measured in time: how far back from the point of disruption the most recent usable backup may be without causing significant harm to business operations. An RPO of 1 hour means backups or transaction-log capture must occur at least hourly.

Attack Type Forensics

  1. Hacking/Computer Intrusion (includes Phishing, Ransomware/Malware, and Skimming):
    1. Nearly all intrusion activity is accounted for by a handful of methods. Alongside stolen credentials and brute-force guessing against weak credentials, the most common hacking actions are the use of backdoors (44%) and SQL injection (8%). Exploitation of buffer overflow vulnerabilities makes the top ten but was observed in only 1% of incidents.
  2. Weak and Stolen Credentials, a.k.a. Passwords
  3. Password attacks – Brute-force and dictionary attacks against weak passwords: an automated tool submits many candidate passwords for an account until one works. Credential stuffing, which replays username/password pairs leaked from other breaches, is the variant that defeats even strong passwords when they are reused.
  4. Overly complex access permissions
  5. Not enforcing security policy on mobile devices
  6. Backdoors
    1. A backdoor is a means of accessing a computer system or encrypted data that bypasses the system's normal security mechanisms.
    2. A developer may create a backdoor into an application or operating system for troubleshooting or other purposes. Attackers, however, routinely use backdoors that they discover or install themselves as part of an exploit, and a worm or virus may be written to take advantage of a backdoor left by an earlier attack.
  7. SQL injection
    1. SQL injection occurs when untrusted input is concatenated into a database query, so that the input changes the structure of the query instead of being treated as data. A login form is the classic case: most sites that require a login have a username field, a password field, and a submit button, and on submit the application builds a query against its database and decides, based on the result, whether to grant access. If the field values are spliced directly into the SQL text, an attacker can type SQL fragments into them to comment out the password check, bypass the login altogether, or (depending on the database account's privileges) read other tables or create a new user. The fix is parameterized queries (prepared statements), which keep user input separate from the SQL statement.
  8. Buffer overflow
    1. A buffer overflow (or buffer overrun) occurs when a running program writes more data to a fixed-size memory buffer than the buffer can hold, so the excess spills into adjacent memory that was not intended to store it. A memory buffer is an area of RAM that temporarily holds data; every program uses buffers for input, output, and intermediate processing data.
    2. Login credentials or the hostname of an FTP server are examples of data held in buffers, as is anything staged before processing, from user input fields such as username and password to configuration files being imported. For example, if a username of at most 8 bytes is expected and a 10-byte username is written to the buffer, the buffer is exceeded by 2 bytes and overflows unless the write is bounds-checked. This is usually a programming defect: missing length checks and missing input validation, most often in languages such as C that do not check bounds automatically.
  9. Phishing – Emails or phone calls that appear official and are used to gain access or personal information. They frequently take the guise of known, credible entities, such as a person's bank, and use varying levels of misrepresentation and outright deception to defraud the target or extract information. During triage, record whether the sender appears to be external or internal and what the message was trying to obtain.
  10. Ransomware – Malware that encrypts or otherwise locks a company's systems and data and leaves a ransom note demanding payment for their restoration, with the threat that the data will otherwise be destroyed (or, increasingly, published). It is often, but not exclusively, aimed at organizations that depend on time-sensitive data, such as hospitals.
  11. Malware – Any malicious software, including viruses, worms, and Trojans.
  12. Skimming – Using covert hardware or software to electronically capture transmitted data, typically payment card data, for fraudulent purposes.
  13. Insider Threat: Employees know where the most sensitive data exists and, in some cases, how it is protected, so they can inflict significant damage if they are not adequately monitored and security protocols are not in place.
  14. Data on the Move: We live in an increasingly mobile world, so another concern is laptops or flash drives being stolen or backup tapes being lost in transit.
  15. Physical Theft: Physical data theft can be as simple as copying data to a USB drive plugged into an unattended machine or uploading it to a personal cloud storage location.
  16. Employee Error/Negligence/Improper Disposal/Loss: People make mistakes all the time, so assume that an employee or a vendor's employee will cause a PII data breach at some point.
  17. Accidental Web/Internet Exposure: The likelihood of unintentional exposure (for example, a publicly readable storage bucket) increases as an organization moves more data to cloud-based applications and infrastructure. All parties must practice security best practices at all times.
  18. Unauthorized Access: A breach attributed to a lack of access controls, specifically poorly monitored admin privileges or missing controls over privilege levels within specific applications or across network resources.
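The login-bypass case described under SQL injection above, shown as a worked example. This is an added illustration, not code from this document or from the Veonics Portal: a throwaway in-memory SQLite table stands in for a login backend, and the table, the account name and the password are all constructed for the demonstration. It shows the vulnerable string-built query beside the parameterized fix and why hashing the password before the query protects only the password field, not the username field.

```python
"""Login bypass through SQL injection, beside the parameterized fix.

Added example; it is not code from the eXpress badging document or the
Veonics Portal. A throwaway in-memory SQLite table stands in for a portal
login backend, and the table name, account and password are constructed.
"""
import hashlib
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Constructed credential. A production system would use a salted, slow
    # password hash (bcrypt/argon2); plain SHA-256 keeps the demo short.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The broken pattern: the username is spliced into the SQL text.

    The password is hashed before it reaches the query, so only the username
    field is injectable here. A username of  admin' --  turns the statement
    into  ... WHERE username = 'admin' --' AND pw_hash = '...'  and the
    trailing SQL comment discards the password check entirely.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query keeps user input as data, never as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


def run_demo() -> dict:
    """Exercise both login paths with a valid, an invalid and an injected input."""
    conn = build_demo_db()
    injected = "admin' --"
    return {
        "vulnerable_good_password": login_vulnerable(conn, "admin", "correct horse"),
        "vulnerable_bad_password": login_vulnerable(conn, "admin", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, injected, "anything"),  # bypass
        "safe_good_password": login_safe(conn, "admin", "correct horse"),
        "safe_injected": login_safe(conn, injected, "anything"),  # no such user
    }


if __name__ == "__main__":
    for name, granted in run_demo().items():
        print(f"{name:26s} access granted = {granted}")
```

The same comment-out trick works against most SQL engines; what varies is only the comment syntax. The detection angle for the Event Documentation section is that the vulnerable path leaves a query containing a quote followed by a comment marker in the database or application log, which is a simple string to alert on.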

Isolation and Remediation

  1. Close the access points the attacker used (disable compromised accounts, rotate credentials and keys, block the source) to deny further access to the network(s)
  2. Isolate any personnel identified as involved and suspend their access pending investigation
  3. Preserve evidence (EBS/RDS snapshots, logs) before changing systems, then begin the remediation process
  4. Execute the developed communication protocols

Recovery Strategies

The Veonics Portal leverages Amazon Web Services (AWS) to ensure high availability, data durability, and rapid recovery. Our infrastructure incorporates robust backup and redundancy mechanisms across key AWS services: EC2 for compute resources, RDS for relational databases, and S3 for object storage. The Veonics Portal General Terms and Conditions specify that all data backups are the responsibility of the customer, unless explicitly stated in signed contractual agreements. 

  • 🖥️ Amazon EC2: Compute Resources

    Backups:

    • Automated Snapshots: We employ AWS Data Lifecycle Manager (DLM) to automate the creation of Amazon Elastic Block Store (EBS) snapshots for our EC2 instances. These snapshots are incremental, capturing only changes since the last snapshot, optimizing storage and reducing backup time.

    Redundancy:

    • Multi-AZ Deployment: Our EC2 instances are distributed across multiple Availability Zones (AZs) within the AWS US East (N. Virginia) region (us-east-1). This configuration enhances fault tolerance, ensuring that if one AZ experiences issues, others can seamlessly handle the load.


  • 🗄️ Amazon RDS: Relational Database Service

    Backups:

    • Automated Backups: Amazon RDS takes a daily automated snapshot of the DB instance during the configured backup window (scheduled off-peak) and uploads transaction logs every few minutes, which enables point-in-time recovery to any moment within the specified retention period.

    Redundancy:

    • Multi-AZ Configuration: Our RDS instances are configured for Multi-AZ deployments, maintaining a synchronous standby replica in a different AZ. In the event of a failure, RDS automatically fails over to the standby, minimizing downtime and ensuring data integrity.


  • 🗂️ Amazon S3: Object Storage

    Backups:

    • Versioning and AWS Backup: We enable versioning on our S3 buckets, preserving every version of an object to protect against accidental deletions and overwrites. Versioning alone does not stop a compromised principal that holds s3:DeleteObjectVersion from purging object history; MFA Delete or S3 Object Lock closes that gap, and a lifecycle rule keeps noncurrent versions from growing without bound.

    Redundancy:

    • Cross-Region Replication (CRR): To enhance data durability and disaster recovery capabilities, we implement CRR, which automatically replicates objects to a bucket in a different AWS region (CRR requires versioning on both the source and destination buckets). This ensures that our data remains accessible even in the event of regional disruptions.


  • ✅ Summary

    By integrating these AWS services and configurations, the Veonics Portal achieves:

    • High Availability: Through Multi-AZ deployments and cross-region replication.

    • Data Durability: Via automated backups, versioning, and incremental snapshots.

    • Rapid Recovery: Enabled by point-in-time recovery for RDS and readily available EC2 snapshots.
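A DRP is only as good as the configuration that is actually live, so the controls claimed above (Multi-AZ EC2, DLM snapshots, RDS Multi-AZ with automated backups, S3 versioning and CRR) should be verified rather than assumed. The script below is an added example written for this page; it is not eXpress badging's tooling. Each check takes the plain dict that boto3 returns for the corresponding API call (DescribeInstances, GetLifecyclePolicies, DescribeDBInstances, GetBucketVersioning, GetBucketReplication), so the checks run offline against the constructed sample responses embedded in the file, and fetch_live shows how to feed them a real account. The instance, policy, database and bucket identifiers are constructed. It also checks MFA Delete, which the page does not mention but which is what stops a compromised credential from deleting object versions.

```python
"""Verify the AWS backup and redundancy controls this plan relies on are in place.

Added example, not part of the eXpress badging document or its tooling. Each
check accepts the dict shape boto3 returns for the matching API call, so the
checks run offline against the constructed samples below. Identifiers are
constructed; fetch_live is the only function that touches a real account.
"""
from typing import List


def check_ec2_multi_az(describe_instances: dict) -> List[str]:
    """Running instances should span at least two Availability Zones."""
    azs = {
        inst["Placement"]["AvailabilityZone"]
        for res in describe_instances.get("Reservations", [])
        for inst in res.get("Instances", [])
        if inst.get("State", {}).get("Name") == "running"
    }
    if len(azs) < 2:
        return [f"EC2: running instances use {len(azs)} Availability Zone(s); Multi-AZ claim not met"]
    return []


def check_dlm(policies: dict) -> List[str]:
    """An ENABLED Data Lifecycle Manager policy is what actually produces EBS snapshots."""
    if any(p.get("State") == "ENABLED" for p in policies.get("Policies", [])):
        return []
    return ["DLM: no ENABLED lifecycle policy; EBS snapshots are not being automated"]


def check_rds(db: dict) -> List[str]:
    """Synchronous standby (MultiAZ) plus automated backups with retention >= 1 day."""
    name = db.get("DBInstanceIdentifier", "?")
    findings = []
    if not db.get("MultiAZ"):
        findings.append(f"RDS {name}: MultiAZ disabled; no synchronous standby for failover")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"RDS {name}: BackupRetentionPeriod is 0; point-in-time recovery unavailable")
    return findings


def check_s3(name: str, versioning: dict, replication: dict) -> List[str]:
    """Versioning enabled, MFA Delete enabled, and at least one enabled replication rule."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append(f"S3 {name}: versioning is {versioning.get('Status', 'not configured')}")
    # Versioning alone does not stop a principal with s3:DeleteObjectVersion purging history.
    if versioning.get("MFADelete") != "Enabled":
        findings.append(f"S3 {name}: MFA Delete not enabled; old versions can be purged with delete rights")
    rules = replication.get("ReplicationConfiguration", {}).get("Rules", [])
    if not any(r.get("Status") == "Enabled" for r in rules):
        findings.append(f"S3 {name}: no enabled cross-region replication rule")
    return findings


def evaluate(snapshot: dict) -> List[str]:
    """Run every check over a dict of API responses; an empty list means compliant."""
    findings = check_ec2_multi_az(snapshot["ec2"]) + check_dlm(snapshot["dlm"])
    for db in snapshot["rds"].get("DBInstances", []):
        findings += check_rds(db)
    for bucket, cfg in snapshot["s3"].items():
        findings += check_s3(bucket, cfg["versioning"], cfg["replication"])
    return findings


def fetch_live(region: str = "us-east-1", buckets: tuple = ()) -> dict:
    """Collect the same response shapes from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline checks do not require the SDK

    ec2, dlm, rds, s3 = (boto3.client(s, region_name=region) for s in ("ec2", "dlm", "rds", "s3"))
    snap = {"ec2": ec2.describe_instances(), "dlm": dlm.get_lifecycle_policies(),
            "rds": rds.describe_db_instances(), "s3": {}}
    for b in buckets:
        try:
            repl = s3.get_bucket_replication(Bucket=b)
        except s3.exceptions.ClientError:  # bucket has no replication configuration
            repl = {}
        snap["s3"][b] = {"versioning": s3.get_bucket_versioning(Bucket=b), "replication": repl}
    return snap


# Constructed responses shaped like boto3 output; not data from a real account.
def _running(iid: str, az: str) -> dict:
    return {"InstanceId": iid, "State": {"Name": "running"}, "Placement": {"AvailabilityZone": az}}

SAMPLE_COMPLIANT = {
    "ec2": {"Reservations": [{"Instances": [_running("i-0aaa", "us-east-1a"), _running("i-0bbb", "us-east-1b")]}]},
    "dlm": {"Policies": [{"PolicyId": "policy-0example", "State": "ENABLED"}]},
    "rds": {"DBInstances": [{"DBInstanceIdentifier": "portal-db", "MultiAZ": True, "BackupRetentionPeriod": 7}]},
    "s3": {"portal-photos": {"versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
                             "replication": {"ReplicationConfiguration": {"Rules": [{"Status": "Enabled"}]}}}},
}
SAMPLE_DRIFTED = {  # configuration drift: every control has lapsed, giving seven findings
    "ec2": {"Reservations": [{"Instances": [_running("i-0aaa", "us-east-1a"), _running("i-0bbb", "us-east-1a")]}]},
    "dlm": {"Policies": [{"PolicyId": "policy-0example", "State": "DISABLED"}]},
    "rds": {"DBInstances": [{"DBInstanceIdentifier": "portal-db", "MultiAZ": False, "BackupRetentionPeriod": 0}]},
    "s3": {"portal-photos": {"versioning": {"Status": "Suspended"}, "replication": {}}},
}

if __name__ == "__main__":
    for label, snap in (("compliant", SAMPLE_COMPLIANT), ("drifted", SAMPLE_DRIFTED)):
        print(label, evaluate(snap) or "OK")
```

Run it from the semi-annual DRP drill (or a scheduled job) with evaluate(fetch_live(buckets=(...))) and treat any non-empty result as a finding for the Maintenance section; a control that has silently lapsed is found in the drill rather than during an incident.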


Disaster Recovery Procedures

Activation Criteria:

  • Detection of a disaster event that significantly disrupts the Veonics Portal services.

  • Assessment by the DRT confirms the need to activate the DRP.

Recovery Steps:

  1. Notification: Alert all DRT members and relevant stakeholders.

  2. Assessment: Evaluate the extent of the damage and identify affected components.

  3. Restoration:

    • Initiate restoration of infrastructure using AWS CloudFormation templates.

    • Recover data from the most recent backup or point-in-time that predates the incident; for a breach, the latest backup may already contain the attacker's changes.

    • Validate the integrity of restored systems and data.

  4. Testing: Conduct thorough testing to ensure all systems are operational.

  5. Resumption: Gradually resume normal operations and monitor for any anomalies.

End of Incident & Exit Plan 

  1. Manage the incident using standard project management procedures
  2. Document completed actions and milestones
  3. Hold post-incident reviews to reflect on, assess, and evaluate the response and the DRP.
  4. Review and analyze the DRP in the Quarterly L10 meeting, and address any incident actions taken
  5. Address the entire company with DRP incident highlights and takeaways
  6. Incorporate lessons learned into plan revisions.
  7. If needed, engage with third-party auditors to evaluate the DRP's alignment with industry best practices.


By implementing this comprehensive Disaster Recovery Plan, eXpress badging ensures that the Veonics Portal and other critical systems can withstand and rapidly recover from unforeseen disruptions, maintaining service continuity and upholding client trust.