Data Breaches: Incident Response Planning – Part 1

The topic of cybersecurity has become part of boardroom agendas in the last couple of years, and not surprisingly: these days it is almost impossible to read the news without noticing yet another story about a data breach. As cybersecurity shifts from being a strictly IT issue to a mission-critical business concern, boards of directors are also taking a closer interest in how their organizations plan their incident response.

Cybersecurity professionals are right to adopt the philosophy of “assumed compromise”: no matter how robust the defenses, they will eventually be breached. Just as disaster preparedness helps in the aftermath of a major earthquake, hurricane or other natural calamity, incident-response planning helps organizations prepare in advance for the aftermath of a data breach.

In its recently released “2016 Data Breach Investigations Report,” Verizon compared being part of an infosec team to being a soldier tasked with guarding a hill at all costs, but without knowing who the enemy is, what it looks like, where it is coming from or when. To make matters worse, that soldier has only an old rifle and a few rounds of ammunition.

Incident Response Planning

That is certainly a fitting description of today’s cybersecurity threat landscape. Staying with the analogy, now imagine this soldier has extensively practiced a variety of scenarios for what an attack “may” look like, and the steps he needs to take when it happens, regardless of how the attack plays out. The soldier still has no more specific details about the enemy or the impending attack, but he is much better equipped for whatever unknown comes his way. That is exactly what an incident-response plan does.

You don’t have to look hard for statistics to see why you need this plan. Last year, the number of zero-day vulnerabilities discovered more than doubled from 2014, according to Symantec’s newly released 2016 Internet Security Threat Report; in other words, a new zero-day vulnerability appeared every week, on average. At the same time, a McAfee Labs threat-predictions report anticipates a significant shift over the next five years toward threats that are harder to detect, including file-less attacks, exploits of remote shell and remote control protocols, encrypted infiltrations and credential theft.

The size of the organization doesn’t matter, as bad actors don’t discriminate when they look for the lowest-hanging fruit. In its 2015 Internet Security Threat Report, Symantec found a 40 percent increase in the number of large companies targeted compared to the year before, with five out of six large companies becoming a target. Small businesses aren’t doing any better: in its 2015 Year-End Economic Report, the National Small Business Association found that 63 percent of businesses had fallen victim to cyberattacks in the past year. Since almost 90 percent of attacks are driven by financial motivation or espionage (based on the 2016 Verizon study), if you collect and store any type of information (employee records, customer data, intellectual property, etc.) you are on the cybercriminals’ radar.

What Not To Do After an Incident

[Image: common cyber attacks (Image Source: https://www.cert.gov.uk)]

If you find yourself in the middle of a cyberattack without a plan, you are going to scramble, and not just from a tactical IT standpoint to secure your information infrastructure as fast as you can. That is only step one. If sensitive data was breached, you have a long road ahead: notifying multiple layers of stakeholders, being inundated by customer and media calls, responding to government inquiries, offering mitigation such as credit monitoring and potentially bracing for lawsuits. When you are in crisis mode, it is difficult to think strategically about all these phases; if you have never been through an incident like this before, it is unlikely you even know all the ramifications.

Incident Response 

That’s where incident-response planning comes in. It gives you ample time to consider potential scenarios in advance and then train your employees, including taking them through actual drills and tabletop exercises.

Look at some of the big companies’ responses to appreciate why a well-planned response is necessary. In many of the breaches we have seen in the past two or three years, the post-breach actions did not play out as well as they should have, resulting in PR nightmares.

Target, for example, took a week to announce its 2013 data breach, in the middle of the peak shopping season, as news began to reach customers through media reports. A gridlocked customer service line and a negative social media outburst were just some of the consequences, to say nothing of the class-action suit that eventually followed, costing the company $10 million in customer settlements and another $6.75 million in legal costs. As Target struggled to contain the damage and set up an official breach-communication website, scammers acted quickly to take advantage of the chaos, sending out fake messages that claimed to be from the company.

eBay topped Target by taking three months to realize it had been breached (which is not that uncommon) and then waiting two more weeks to notify customers. What followed, however, was awkward for such a big player: the first announcement was posted on ebayinc.com, a little-known corporate website, and when it finally made its way to the eBay e-commerce site it went only as far as telling users to change their passwords, without any explanation. Meanwhile, PayPal customers were confused because a banner posted on that site did not clarify whether PayPal accounts had been compromised as well.

While eBay was nonchalant on social media, responding to a storm of complaints with a tweet saying it would take a while for all customers to receive the password-reset email, it worked hard to downplay the magnitude of the breach, even refusing to give a best-knowledge estimate of the number of records potentially affected.

Anthem also appeared overwhelmed by the magnitude of the impact of its data breach. The company took five days to announce a breach that had taken about two months to discover, and considerably longer to assess the scale and communicate with stakeholders. Its original disclosure, in February 2015, put the number of records potentially stolen by hackers at 37.5 million; 20 days later it more than doubled that estimate, to 78.8 million.

With an estimated 50 million consumers still uninformed more than a month after the breach was discovered, a Senate health committee had to intervene. That was not the end of Anthem’s missteps: customers who called a dedicated phone line waited days to receive a call back.

What Post-Breach Response ‘Should’ Have Looked Like…

Read Part 2

By Sekhar Sarukkai

About Sekhar Sarukkai

Sekhar Sarukkai is a Co-founder and the Chief Scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security, and cloud services development.

