POST-BREACH ASSESSMENT SUMMARY
7 CRITICAL FINDINGS · Immediate action
8 HIGH FINDINGS · 30-day remediation
28% NIST CSF MATURITY · Pre-breach baseline
67% TARGET MATURITY · Post-remediation
NIST CSF 2.0 — PRE vs TARGET MATURITY
Scale: 1.0 (Partial) → 2.0 (Risk Informed) → 3.0 (Repeatable) → 4.0 (Adaptive)
BREACH TIMELINE — WHAT HAPPENED
DAY 0 — 02:17 · Initial compromise via phishing email
Finance department employee clicked a malicious link. Credentials harvested. VPN access gained.
DAY 0 — 06:45 · Lateral movement across network
Attacker moved from finance workstation to core ERP system. No network segmentation to stop spread.
DAY 0 — 09:23 · Ransomware deployed — 847 files encrypted
Financial data, customer PII, operational systems encrypted. Ransom note demands R2.1M in Bitcoin.
DAY 1 · Incident declared — external forensics engaged
CISO activates IR plan. External forensic firm engaged. SAPS cybercrime unit notified.
DAY 3 · POPIA Section 22 notification submitted
Information Regulator notified. Customer PII confirmed exposed — 14,200 records affected.
DAY 14 · Systems substantially restored
Ransom NOT paid. Restored from clean backups. This assessment commissioned to prevent recurrence.
ROOT CAUSE ANALYSIS — WHY THE BREACH SUCCEEDED
NO MFA
VPN access had no multi-factor authentication. Once credentials were harvested via phishing, the attacker had direct network access with no additional barrier.
FLAT NETWORK
No network segmentation between finance workstations and core ERP systems. Lateral movement from one compromised endpoint to every critical system took under 3 hours.
NO EDR
No endpoint detection and response tool deployed. The ransomware executed for over 2 hours before any alert was triggered. By then 847 files were already encrypted.
NIST CSF 2.0 — PRE-BREACH vs POST-REMEDIATION MATURITY
MATURITY COMPARISON — ALL 6 FUNCTIONS

| FUNCTION | BEFORE (pre-breach, current) | TARGET (post-remediation) |
|---|---|---|
| GV — Govern | 1.0 | 3.0 |
| ID — Identify | 1.5 | 2.5 |
| PR — Protect | 1.0 | 3.5 |
| DE — Detect | 0.5 | 3.0 |
| RS — Respond | 1.0 | 2.5 |
| RC — Recover | 0.5 | 2.5 |
GV — GOVERN
Current maturity: 1.0 of 4.0
No formal information security policy. No risk management framework. No supplier security requirements. ISO 27001 implementation not started.
Key gaps: OV-POL-001, risk register, SoA, management commitment
PR — PROTECT
Current maturity: 1.0 of 4.0
No MFA on VPN or critical systems. No network segmentation. No EDR deployed. Patch management ad hoc. No DLP tool. Security awareness training absent.
Critical: MFA, segmentation, EDR, patching, awareness
DE — DETECT
Current maturity: 0.5 of 4.0
No SIEM. No centralised logging. No anomaly detection. Ransomware ran for 2+ hours before detection. Threat was only discovered when employees reported encrypted files.
Critical: SIEM, log aggregation, EDR alerts, SOC capability
20 CONTROL FINDINGS — POST-BREACH ASSESSMENT
| ID | CONTROL AREA | FINDING | NIST CSF | ISO 27001 | SEVERITY | STATUS |
|---|---|---|---|---|---|---|
| F-001 | MFA / Authentication | VPN and critical systems lack MFA — direct enabler of breach | PR.AC | A.8.5 | CRITICAL | IN PROGRESS |
| F-002 | Network Segmentation | Flat network enabled lateral movement from one endpoint to ERP | PR.PT | A.8.22 | CRITICAL | OPEN |
| F-003 | Endpoint Detection (EDR) | No EDR deployed — ransomware ran 2+ hours undetected | DE.CM | A.8.7 | CRITICAL | IN PROGRESS |
| F-004 | SIEM / Log Management | No centralised logging — attack went undetected for hours | DE.AE | A.8.15 | CRITICAL | OPEN |
| F-005 | Incident Response Plan | No tested IR plan — response was ad hoc and delayed | RS.RP | A.5.24 | CRITICAL | IN PROGRESS |
| F-006 | Security Awareness | No phishing awareness training — finance employee clicked malicious link | PR.AT | A.6.3 | CRITICAL | OPEN |
| F-007 | Backup & Recovery | Backups untested — recovery took 14 days instead of RTO target of 4h | RC.RP | A.8.13 | CRITICAL | IN PROGRESS |
| F-008 | Patch Management | Critical patches 6+ months overdue on ERP server — exploited by attacker | PR.IP | A.8.8 | HIGH | IN PROGRESS |
| F-009 | Access Control (PAM) | Privileged accounts not managed — admin credentials reused across systems | PR.AC | A.8.2 | HIGH | OPEN |
| F-010 | Data Loss Prevention | No DLP — 14,200 customer PII records exfiltrated undetected | PR.DS | A.5.12 | HIGH | OPEN |
| F-011 | Vulnerability Scanning | No vulnerability scanning programme — unpatched CVEs present for months | ID.RA | A.8.8 | HIGH | OPEN |
| F-012 | Asset Inventory | No comprehensive asset register — shadow IT exposed unknown attack surface | ID.AM | A.5.9 | HIGH | IN PROGRESS |
| F-013 | Third-Party Risk | No vendor risk assessments — IT support contractor had excessive access | GV.SC | A.5.19 | HIGH | OPEN |
| F-014 | Email Security | No advanced email filtering — phishing email bypassed basic spam filter | PR.AT | A.8.7 | HIGH | IN PROGRESS |
| F-015 | Encryption at Rest | Customer PII database not encrypted — exfiltrated data immediately readable | PR.DS | A.8.24 | HIGH | OPEN |
| F-016 | POPIA Compliance | No POPIA breach response procedure — S.22 notification delayed 3 days | GV.PO | A.5.31 | MEDIUM | DONE |
| F-017 | BCP / DR Plan | BCP existed but untested — manual fallback procedures unknown to staff | RC.IM | A.5.29 | MEDIUM | IN PROGRESS |
| F-018 | Password Policy | No enforced password complexity or rotation — weak credentials on VPN accounts | PR.AC | A.5.17 | MEDIUM | DONE |
| F-019 | Mobile Device Management | No MDM — personal devices accessing corporate systems without controls | PR.AC | A.6.7 | MEDIUM | OPEN |
| F-020 | Security Policy | Information security policy outdated — last reviewed 3 years ago | GV.PO | A.5.1 | MEDIUM | DONE |
FINANCIAL IMPACT MODEL — EXPOSURE INPUTS
SA BENCHMARK DATA
Average SA breach cost (IBM 2024): R53.1M
Average SA downtime: 23 days
POPIA fine (maximum): R10M or 10%
Reputational loss multiplier: 1.4x–2.1x
ESTIMATED TOTAL IMPACT — COMBINED FINANCIAL EXPOSURE
COST BREAKDOWN (categories modelled)
Revenue loss (downtime)
Incident response & forensics
Regulatory fines (POPIA)
Customer notification costs
Remediation & hardening
Reputational damage
90-DAY REMEDIATION ROADMAP
PHASE 1 — DAYS 1–30 · CRITICAL
STOP THE BLEEDING
Deploy MFA on all systems
VPN, email, ERP, admin consoles. Eliminates credential theft as attack vector. NIST PR.AC — ISO A.8.5
Deploy EDR across all endpoints
CrowdStrike, SentinelOne or Microsoft Defender. Real-time ransomware detection. NIST DE.CM
Emergency patch cycle
All critical CVEs (CVSS 9.0+) patched within 14 days. NIST PR.IP — ISO A.8.8
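A practical way to track the Phase 1 patch SLA is to run the scanner's export against the rule "CVSS 9.0+ fixed within 14 days" on every cycle. The script below is an added example, not part of this assessment or any vendor's tooling; the CSV layout, hostnames and CVE ids are constructed placeholders, and the reporting date is fixed so the result is reproducible.

```python
"""
Added example (not from the assessment report): flags open critical CVEs
that have exceeded the Phase 1 SLA of 14 days.  The scan export format,
hostnames and CVE identifiers below are constructed placeholders.
"""
import csv
import io
from datetime import date

# Constructed scan export.  "first_seen" is the date the scanner first
# reported the CVE on that host; "status" is open or fixed.
SCAN_EXPORT = """\
host,cve,cvss,first_seen,status
ERP-SRV-01,CVE-XXXX-0001,9.8,2024-01-02,open
ERP-SRV-01,CVE-XXXX-0002,7.5,2023-12-20,open
FIN-WS-01,CVE-XXXX-0003,9.1,2024-01-20,open
FILE-SRV-01,CVE-XXXX-0004,9.4,2023-12-01,fixed
MAIL-01,CVE-XXXX-0005,9.0,2024-01-25,open
FILE-SRV-01,CVE-XXXX-0006,9.6,2023-12-15,open
"""


def sla_breaches(export=SCAN_EXPORT, today=date(2024, 1, 30),
                 cvss_floor=9.0, sla_days=14):
    """Return open findings at or above cvss_floor that are older than
    sla_days, worst breach first.  Defaults encode the roadmap's rule
    (CVSS 9.0+ patched within 14 days); the fixed 'today' is assumed."""
    breaches = []
    for row in csv.DictReader(io.StringIO(export)):
        if row["status"] != "open" or float(row["cvss"]) < cvss_floor:
            continue
        age = (today - date.fromisoformat(row["first_seen"])).days
        if age > sla_days:
            breaches.append({
                "host": row["host"],
                "cve": row["cve"],
                "cvss": float(row["cvss"]),
                "days_open": age,
                "days_over": age - sla_days,
            })
    return sorted(breaches, key=lambda b: -b["days_over"])


def sla_compliance(export=SCAN_EXPORT, today=date(2024, 1, 30),
                   cvss_floor=9.0, sla_days=14):
    """Fraction of open critical findings still inside the SLA window."""
    open_critical = [
        row for row in csv.DictReader(io.StringIO(export))
        if row["status"] == "open" and float(row["cvss"]) >= cvss_floor
    ]
    if not open_critical:
        return 1.0
    breached = len(sla_breaches(export, today, cvss_floor, sla_days))
    return 1 - breached / len(open_critical)


if __name__ == "__main__":
    for b in sla_breaches():
        print(f"{b['host']:12} {b['cve']:14} CVSS {b['cvss']:.1f} "
              f"open {b['days_open']}d ({b['days_over']}d over SLA)")
    print(f"critical SLA compliance: {sla_compliance():.0%}")
```

Run monthly (Phase 3) the same function doubles as the "continuous posture management" metric: the compliance ratio is the number a CISO can report against the PR.IP / A.8.8 findings.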
Segment finance & ERP network
VLAN isolation prevents lateral movement. NIST PR.PT — ISO A.8.22
PHASE 2 — DAYS 31–60 · HIGH
BUILD DETECTION
Deploy SIEM / log aggregation
Splunk or Microsoft Sentinel. Centralised logging with alerting rules. NIST DE.AE — ISO A.8.15
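The value of centralised logging is in the alerting rules, and the breach timeline above gives three patterns that rules should catch: a VPN login without an MFA factor, one account fanning out across many hosts in a short window, and a host renaming files in a burst. The script below is an added illustration, not part of the report and not a rule from Splunk or Sentinel; the log format, field names, hostnames and user names are constructed, and the thresholds are assumptions to tune per environment.

```python
"""
Added example (not from the assessment report): three SIEM-style rules
run over constructed log lines that mirror the breach timeline.
Log format (timestamp followed by key=value fields), hostnames, user
names and thresholds are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: VPN auth, host logons and file writes.
SAMPLE_LOGS = """\
2024-01-01T02:17:05 source=vpn event=login user=jdoe mfa=none src_ip=203.0.113.7
2024-01-01T02:30:10 source=auth event=logon user=jdoe host=FIN-WS-01
2024-01-01T06:45:00 source=auth event=logon user=jdoe host=FIN-WS-02
2024-01-01T06:52:00 source=auth event=logon user=jdoe host=FILE-SRV-01
2024-01-01T07:10:00 source=auth event=logon user=jdoe host=ERP-DB-01
2024-01-01T07:15:00 source=auth event=logon user=jdoe host=ERP-APP-01
2024-01-01T08:00:00 source=vpn event=login user=asmith mfa=totp src_ip=198.51.100.4
2024-01-01T08:05:00 source=auth event=logon user=asmith host=FIN-WS-03
2024-01-01T09:23:00 source=fs event=write host=ERP-APP-01 path=D:/fin/q1.xlsx.locked
2024-01-01T09:23:01 source=fs event=write host=ERP-APP-01 path=D:/fin/q2.xlsx.locked
2024-01-01T09:23:02 source=fs event=write host=ERP-APP-01 path=D:/fin/ledger.db.locked
2024-01-01T09:23:03 source=fs event=write host=ERP-APP-01 path=D:/fin/payroll.csv.locked
2024-01-01T09:23:04 source=fs event=write host=ERP-APP-01 path=D:/fin/README_RESTORE.txt
2024-01-01T09:23:05 source=fs event=write host=ERP-APP-01 path=D:/fin/cust.db.locked
2024-01-01T09:30:00 source=fs event=write host=FIN-WS-03 path=D:/docs/notes.txt
"""


def parse(text):
    """Turn each 'ts k=v k=v ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def rule_vpn_without_mfa(events):
    """Finding F-001: any VPN login that completed without a second factor."""
    return [("VPN_NO_MFA", e["user"], f"login from {e['src_ip']} with mfa={e['mfa']}")
            for e in events
            if e.get("source") == "vpn" and e.get("event") == "login"
            and e.get("mfa") == "none"]


def rule_lateral_movement(events, max_hosts=4, window=timedelta(hours=1)):
    """Finding F-002: one account logging on to many distinct hosts quickly."""
    logons = defaultdict(list)
    for e in events:
        if e.get("source") == "auth" and e.get("event") == "logon":
            logons[e["user"]].append((e["ts"], e["host"]))
    alerts = []
    for user, items in logons.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= max_hosts:
                alerts.append(("LATERAL_MOVEMENT", user,
                               f"{len(hosts)} hosts within {window}: {sorted(hosts)}"))
                break  # one alert per user is enough for the analyst
    return alerts


def rule_encryption_burst(events, min_files=5, window=timedelta(minutes=5),
                          suffixes=(".locked", ".encrypted")):
    """Finding F-003: a host writing many ransomware-style filenames in a burst."""
    writes = defaultdict(list)
    for e in events:
        if (e.get("source") == "fs" and e.get("event") == "write"
                and e["path"].endswith(suffixes)):
            writes[e["host"]].append(e["ts"])
    alerts = []
    for host, times in writes.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_files:
                alerts.append(("RANSOMWARE_BURST", host,
                               f"{count} files with {suffixes} within {window}"))
                break
    return alerts


def run_rules(text=SAMPLE_LOGS):
    """Run all three rules and return (rule, subject, detail) tuples."""
    events = parse(text)
    return (rule_vpn_without_mfa(events) + rule_lateral_movement(events)
            + rule_encryption_burst(events))


if __name__ == "__main__":
    for rule, subject, detail in run_rules():
        print(f"[{rule}] {subject}: {detail}")
```

On the constructed data the three rules fire in the same order the breach unfolded (02:17 VPN login, the 06:45 fan-out, the 09:23 burst); the point for the roadmap is that each of these signals exists only if VPN, domain authentication and file-server audit logs all land in the same store with synchronised clocks, which is what the log aggregation step has to deliver before any rule can be written.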
Implement PAM solution
Privileged access management — rotate all admin credentials. NIST PR.AC — ISO A.8.2
Test backup & recovery
Full DR test. Verify RTO of 4 hours is achievable. NIST RC.RP — ISO A.8.13
Security awareness training
Mandatory phishing training for all staff. Simulated phishing campaigns. ISO A.6.3
PHASE 3 — DAYS 61–90 · MEDIUM
SUSTAIN & GOVERN
Begin ISO 27001:2022 ISMS
Scope, risk assessment, SoA, policy suite. NIST GV — ISO Clause 4–6
Vendor risk assessments
Assess all IT suppliers and contractors. POPIA operator agreements. ISO A.5.19
Encrypt customer PII database
AES-256 at rest. POPIA Section 19 compliance. ISO A.8.24
Monthly vulnerability scanning
Nessus or Qualys. Continuous posture management. ISO A.8.8
NIST CSF 2.0 MATURITY TARGETS — 90-DAY GOAL
| FUNCTION | CURRENT | 30-DAY | 60-DAY | 90-DAY | KEY ACTIONS |
|---|---|---|---|---|---|
| GV — Govern | 1.0 | 1.5 | 2.0 | 3.0 | Policy, risk register, ISMS scope |
| ID — Identify | 1.5 | 2.0 | 2.5 | 2.5 | Asset inventory, vulnerability scanning |
| PR — Protect | 1.0 | 2.0 | 2.5 | 3.5 | MFA, EDR, segmentation, patching |
| DE — Detect | 0.5 | 1.5 | 2.5 | 3.0 | EDR, SIEM, log aggregation |
| RS — Respond | 1.0 | 2.0 | 2.5 | 2.5 | Tested IR plan, POPIA S.22 procedure |
| RC — Recover | 0.5 | 1.5 | 2.5 | 2.5 | Tested BCP, verified RTO |