Stolen and leaked data. Website defacements. Compromised information. A data breach could happen to anyone, anywhere, with a potential for sky-high costs. Experts share what to do after hackers strike or insiders act.
“You can’t respond to a data breach unless you know that it’s happening, and you can’t know that it’s happening unless you have the proper resources, systems and personnel in place to detect when something’s wrong,” said Rich Plansky, senior managing director of the business intelligence and investigations division at Kroll. Organizations must have security measures such as intrusion detection, prevention systems and log analysis, so they know what happens within their system at any time, as well as anomaly analysis so they know when things aren’t quite right.
“Much, much better that you find out on your own than you get a call from, say, a disgruntled customer or somebody from the press,” Plansky added.
Rodney Joffe, senior vice president and senior technologist at Neustar, said not only do companies have to understand exactly what has happened — they must understand quickly. But with data breaches, confusion often abounds. A 2010/2011 report from the Computer Security Institute, Joffe said, revealed that respondents didn’t seem to feel their challenges could be attributed to inadequate investment in their security programs or dissatisfaction with security tools, but rather, despite all their efforts, they weren’t certain about what was really going on in their environments, nor whether their efforts truly worked.
“The net result is that companies have no idea what may have been lost, and in some cases, may have made suboptimal decisions as to what steps to take,” Joffe said. “So, companies need to understand the full extent of breaches rapidly.”
After the breach has been detected, organizations should work to halt it and minimize its impact.
Typical measures include notifying all network defense groups within the organization and identifying the workstations, servers and accounts affected by the breach, said Kathy Warden, vice president and general manager of the Cyber Intelligence Division at Northrop Grumman.
There should also be a response group who begins to assess any damage, data loss or ongoing activity as soon as possible, she said, to stop the malicious activity.
Occasionally, organizations “assume — sometimes wrongly, sometimes disastrously” a breach has stopped when in fact it’s still going on, Plansky said.
“As hackers become increasingly sophisticated, we see things like malicious software that will essentially go to sleep within your system and wake up weeks or even months later,” he added. “It’s really important to fully understand whether the breach event is still going on, and if it’s still going on, you need to stop the bleeding right away.”
Maintaining seamless operations is vital to the credibility of the organization, as well as getting the morale of the people who are involved back on track, said Al Kinney, director of defense cybersecurity capabilities at HP Enterprise Services. In parallel with maintaining operational momentum, there is a host of things to be done in terms of finding out exactly what happened. For instance, organizations experiencing a large-scale security breach must quickly identify their priorities for dealing with the fallout.
“Specific concerns will range from, ‘My website has been defaced,’ all the way through, ‘I’ve lost thousands of Social Security numbers,’” Kinney said. “Obviously, mitigating the loss of privacy data is more important from several standpoints.”
Following the passage of the Sarbanes-Oxley bill and deployment of its stringent notification requirements, publicly traded companies are even more attuned to the need to broadly disclose a breach. There are two considerations: internal and external notification.
Internal: “Most states now have data breach notification laws which require organizations to provide notice to those residents whose unencrypted [personally identifiable information] was stolen in the most expedient time possible and without unreasonable delay,” said Andrew M. Weidenhamer, audit and compliance manager at SecureState. Failure to notify affected parties can result in fines and other nefarious action, he said, either by private right of action, state attorneys general or other regulators.
Per general counsel review and corporate policy, a response group should deploy a crisis plan for internal notification of the organization’s leadership and board of directors, Warden said. However, even before the ongoing activity is stopped, the response group can fix any security vulnerabilities on the organization’s networks, notify stakeholders and assess the cause of the breach.
External: Inevitably, the first step in external communication is contacting the authorities as soon as possible, Joffe said. “I believe that law enforcement should be brought in immediately in almost every case [with] rare exceptions,” he said. “They may have seen this kind of breach before, and may have excellent advice on how to deal with the problem. I have found that they really can be helpful.”
In the event health information is breached, Weidenhamer said, Office of Civil Rights regulations require healthcare providers and other HIPAA-covered entities to promptly notify impacted individuals of a breach. If a breach affects more than 500 individuals, the HHS secretary and the media must be notified, as well. Business associates of covered entities also have to notify the covered entity of breaches at or by the business associate. If personal nonpublic financial information is stolen, the organization must promptly notify its primary regulator.
If credit card numbers are stolen, each card brand has its own breach notification rules. Visa, for example, requires merchants to notify their merchant bank within 10 days of all possible compromised accounts. Within three days, an incident response document must be provided to the merchant bank. Not following these steps can result in fines, Weidenhamer explained.
A good data-breach response plan has resources in place to determine who’s responsible for the breach and procedures to recover lost data, and this is particularly applicable in situations where the loss of information stems from the loss or theft of a physical object, Plansky said. Whether accidental — an employee leaving a laptop in a cab — or the result of misconduct or crime, it’s crucial to understand exactly what happened, he added.
Looking for stolen hardware “puts us one step closer into helping that client understand what’s been compromised and often very able to demonstrate that there’s been no data compromised by the return of that laptop or the return of that hard drive,” said Plansky’s colleague Brian Lapidus, Kroll’s chief operating officer of the Fraud Solutions Unit.
“We’re able to forensically prove that that data wasn’t accessed, which puts them at a completely different path as it relates to their notification requirements,” he added.
As the old saying goes, failing to plan is planning to fail. And it holds true for security too — good security can make it harder for hackers and insiders to intrude into systems and networks.
When looking at the whole organization, identify which area is most vulnerable and needs most protection, said Steve Hawkins, vice president of Information Security Solutions at Raytheon.
“Once you’ve identified your assets at risk, overlay the types of incidents you anticipate having to deal with based on the nature of your assets,” he said.
“Thinking through and articulating potential incidents will help greatly in terms of creating effective policies, weeding out false-positives, collecting data for timeline reconstruction, monitoring for correlated events, and determining what triggers and alerts should be built into investigation policies.”
The idea is to have a plan that will enable parallel motion, and if done right, there’s a chance an organization can emerge stronger from the situation, Kinney said.
“While it is tempting to focus on the public aspect and put the best possible face on the situation, there’s an overriding requirement to maintain integrity in doing so,” he said. “Having performed due diligence in planning for events such as a security breach, you can come out and say, ‘This is what happened, this is what we have done about it and this will be our operational posture moving forward.’”
What this translates to, Kinney said, is having some standby resources — redundant equipment and/or a standby agreement with a service provider that can work alongside the affected organization.
“It also means bringing in the best available talent to assist in developing plans, exercising various scenarios and standing ready to fight through when something happens,” he noted.
Over time, we’ve become data hoarders, and organizations hold onto as much data as they can, Lapidus said.
“Really looking through and only keeping what you need is something that is a best practice that we see a lot of organizations take post-event in terms of just reducing what they have and only keeping what they need,” he added.