Security Breach Planning and Response
By Robert Risk, Seth Danberry, Rob Kleeger and Ryan Cooper
May 4, 2016
Thieves are everywhere these days. You read about data security breaches every day, from Target, Home Depot, Anthem and Sony to American Express. These are the big companies, but did you know that 94% of all breaches occur in companies with fewer than 100 employees? So what are small and midsize companies to do? The answer is to assume you will be breached and plan for it. The worst thing you can do is fail to be proactive, because from a reactive position you risk permanently damaging your company's brand and setting the company up for lawsuits and compliance problems.
Security Breach Planning and Breach Response Plan
Implementing an effective information security breach response plan enables a company to fulfill its responsibilities to the individuals and entities that entrust it with personal information, and to maintain overall federal, state and agency compliance. Companies that preemptively create and follow a security breach response plan will be able to:
- Comply promptly with the legal requirements that apply to the company as an owner or custodian of personal information
- Reduce the risk of a data security breach causing serious harm to the organization's reputation and finances
- React quickly to security breaches rather than giving the appearance of an inadequate response
The planning process should identify:
- All of the personally identifiable information (PII) and other sensitive data the organization holds, and where it lives
- All organizational compliance requirements
- A breach response team, drawn from:
a. Office of General Counsel
b. Information Technology
c. Security (forensics and remediation)
d. Human Resources
e. Communications/Media Relations
- Procedures for analyzing and containing a potential data security breach
- Remediation measures to be taken following a data security breach
- A plan for notifying affected individuals
- Credit bureau contact information
- Insurance information (carrier, policy and claim-reporting contacts)
In summary, the plan should be comprehensive and should be reviewed and updated at least annually. The planning process should include proactive measures such as security testing and employee security training. The plan should cover the security breach response itself, define when you need legal help, and lay out a plan for remediation.
Proactive Preparation - Mitigate Your Level of Risk
Proactively discovering and remedying your information security risks is critically important. The most effective method is to bring in an outside professional security firm to perform some level of security audit, such as a vulnerability assessment or penetration test. It is difficult for day-to-day IT staff to look objectively at the systems they build and maintain; issues may be overlooked by even the most talented employees. IT staff are also typically under pressure to make things easy to use and functional, and those goals often pull against security. Many companies do not maintain IT staff at all, or have completely outsourced the IT function, which makes the security risk even greater. An independent audit helps an organization find its security gaps before attackers do, and helps ensure that budgets are spent in the right place.
Another extremely important measure is to hire a professional security firm to train all staff on information security best practices, and to test their susceptibility to human-based attacks such as social engineering and phishing. You can have the best technical defenses in the world, but an attacker can bypass those measures by compromising a user on the inside. Among other things, they may attempt to get a user to click a link in an email, visit a malicious website, or initiate a wire transfer. Attackers are increasingly targeting end users, so it is imperative that users are routinely trained, tested, and made aware of their role in information security. This training should be performed at least annually, because the risks and threats are constantly evolving.
The bottom line: properly assessing your risks, understanding your vulnerabilities, and taking steps to remediate them is the most cost-effective way to protect against security threats.
Security Policy and Liability Planning
A business's exposure to losses from a data breach can be mitigated by taking relatively simple steps to identify and address security vulnerabilities. Every business should, at least annually, conduct a risk assessment of its information systems, including retail point-of-sale systems; update those systems and address any identified vulnerabilities; and review its insurance program to increase the likelihood that it will have coverage when the inevitable happens.
Most businesses believe their information systems are up to date and compliant with the necessary security standards, and at one time they likely were. But security standards change regularly, and many businesses are not regularly reviewing and updating their information and point-of-sale systems.
Security policies are written, living documents that should be updated annually and issued to all employees. A security policy defines what it means for a system, organization or other entity to be secure. Organizational security policies address the limits on employee behavior as well as physical measures and barriers such as doors, locks, keys and walls. System security policies address constraints on what functions a system performs and how data flows between them, limits on access by external systems, and other threats, including what programs may run and which people may access which data.
Security Breach Response
Although many business executives agree that data is among their most valuable assets, it often takes a breach, or at least an attempted breach, to convince executives to strengthen data protection. As we have seen over the past few years, no one is immune from attacks on their data.
Unfortunately, most organizations are not aware a breach has occurred until it is too late. In a recent case, a small third-party medical billing company that also has staff outside the United States had migrated from a Microsoft Exchange Server 2003 environment to a newer Microsoft Exchange Server environment. Within two weeks of that migration, a camera crew and a well-known investigative news reporter showed up at the company asking the CEO for a statement on how nearly one hundred thousand patient records had become publicly available, a breach of protected health information (PHI).
The incident response team was dispatched onsite that afternoon. They began forensic preservation of the old server and the new servers, captured the relevant system log files, interviewed the client's managed IT services firm and the CEO, and had an analysis under way within a few days.
In the end, the cause of the breach was the migration itself: it had left the FTP service at its default setting of allowing anonymous login. The server was internet-facing, so the patient files were crawled and cached by Google's bot. The IT firm had simply forgotten to "check the box" that disables anonymous access on the publicly facing FTP service. A post-migration external scan of the server's exposed services, or a single anonymous login attempt from outside the network, would have revealed the problem before the crawler did.
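The two checks an incident responder would actually run in the case above, as an added example (this is not code from the article or from any of the firms named in it): first, an active test of whether an FTP service still accepts anonymous login, which is the verification step after the IT firm "checks the box"; second, a review of FTP access logs to establish which files were retrieved anonymously and from where, which is the information needed to decide who must be notified. The log format, the client addresses, the file names and the list of internal network ranges are all constructed for the example; adjust the field layout to whatever your FTP server actually writes.

```python
"""Anonymous FTP exposure: verify the fix, then scope what was taken.

Added example, not code from the article.  The log sample below is
constructed to resemble a W3C-style FTP access log; real servers differ.
"""
import ftplib
import ipaddress
from collections import Counter


def check_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0) -> dict:
    """Attempt an anonymous login and report the outcome.

    'anonymous_login' is True when the server accepts the conventional
    anonymous credentials (ftplib.FTP.login() sends 'anonymous' /
    'anonymous@' by default), False when it rejects them, and None when
    the host cannot be reached at all.
    """
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors as exc:          # OSError, EOFError, ftplib.Error
        return {"anonymous_login": None, "banner": None, "detail": f"unreachable: {exc}"}
    try:
        ftp.login()                           # anonymous login attempt
    except ftplib.error_perm as exc:          # 530 or similar: access denied
        _quiet_quit(ftp)
        return {"anonymous_login": False, "banner": banner, "detail": str(exc)}
    # Login succeeded; a directory listing shows how much is exposed.
    try:
        entries = ftp.nlst()
        detail = f"{len(entries)} entries listable"
    except ftplib.all_errors as exc:
        detail = f"logged in, listing failed: {exc}"
    _quiet_quit(ftp)
    return {"anonymous_login": True, "banner": banner, "detail": detail}


def _quiet_quit(ftp: ftplib.FTP) -> None:
    try:
        ftp.quit()
    except ftplib.all_errors:
        ftp.close()


# Constructed sample log (RFC 5737 documentation addresses, invented paths).
# Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Software: constructed sample, not a real server log
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2016-03-01 02:14:07 203.0.113.45 anonymous PASS - 230
2016-03-01 02:14:09 203.0.113.45 anonymous RETR /billing/patients_2015Q4.csv 226
2016-03-01 02:15:31 198.51.100.7 anonymous PASS - 230
2016-03-01 02:15:40 198.51.100.7 anonymous RETR /billing/patients_2016Q1.csv 226
2016-03-01 02:15:52 198.51.100.7 anonymous RETR /billing/private/notes.txt 550
2016-03-01 08:30:12 10.0.5.21 jsmith PASS - 230
2016-03-01 08:30:20 10.0.5.21 jsmith STOR /billing/upload.csv 226
2016-03-02 11:03:55 192.0.2.10 anonymous PASS - 230
2016-03-02 11:03:58 192.0.2.10 anonymous RETR /billing/patients_2015Q4.csv 226
"""

# Assumed internal ranges for the example; use the organisation's real ones.
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def summarize_anonymous_activity(lines, internal_nets=INTERNAL_NETS) -> dict:
    """Scope the exposure: who logged in anonymously, what they fetched.

    Only completed transfers (sc-status 226) count as disclosures; a 550
    means the server refused the request.  Client addresses outside the
    known internal ranges are reported as external sources.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    logins = Counter()          # client ip -> successful anonymous logins
    downloaded = {}             # path -> set of client ips that retrieved it
    denied = 0
    seen = set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue            # skip anything not in the expected layout
        _date, _time, ip, user, method, path, status = parts
        if user.lower() != "anonymous":
            continue
        seen.add(ip)
        if method == "PASS" and status == "230":
            logins[ip] += 1
        elif method == "RETR":
            if status == "226":
                downloaded.setdefault(path, set()).add(ip)
            else:
                denied += 1
    external = sorted(ip for ip in seen
                      if not any(ipaddress.ip_address(ip) in n for n in nets))
    return {
        "anonymous_logins": dict(logins),
        "downloaded": {p: sorted(ips) for p, ips in downloaded.items()},
        "denied": denied,
        "external_sources": external,
    }


if __name__ == "__main__":
    # Point this at the migrated server to confirm anonymous access is off.
    print(check_anonymous_ftp("127.0.0.1", port=21, timeout=3))
    report = summarize_anonymous_activity(SAMPLE_LOG.splitlines())
    for path, ips in report["downloaded"].items():
        print(f"{path} retrieved anonymously by {', '.join(ips)}")
    print("external sources:", report["external_sources"])
```

The active check should be run from outside the corporate network as well as inside, because the exposure in the case above was specifically to the internet. The log summary is deliberately conservative: it counts only completed transfers, so a file that appears in `downloaded` is one you must assume has left the organisation, and the set of paths maps directly onto the records that drive the notification decision counsel has to make.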
Getting hacked is never a good thing, especially when the result is stolen or compromised customer data, PII or PHI. But how a company reacts to the attack can make all the difference in the long run. A prompt and effective reaction can minimize the damage, or at least paint the organization in a reasonably positive light with customers, business partners and the public at large.
The initial step is to keep calm and prioritize what is happening and what needs to be contained. Preserving evidence and identifying what has occurred is important, but the investigation cannot begin until the scene is secured. Depending on the incident (e.g., a passive network intruder, a destructive attack, a rogue employee), the primary objective is to develop intelligence about the attacker's technical skill and motivation, along with immediate steps to remediate and protect critical assets. This includes an initial damage assessment, the initial vector of compromise, indicators of compromise, preservation of forensic artifacts, and further forensic analysis of the information collected.
Often, a critical step is to identify the incident by reviewing errors, log files and other artifacts from firewalls, intrusion detection systems and other digital assets. Once the response team has identified the incident, it will work on stabilizing and containing the affected systems to "stop the bleeding."
Forensic preservation is a very critical step, because of state data breach notification requirements, reputational risk and possible litigation. The earliest stage of any investigation is the most important one to get right, and the order matters: preserve images and logs before systems are rebuilt, patched or wiped, because remediation that destroys the evidence also destroys the basis for the notification decision and for any later defense. Emergency medicine has a "golden hour" at the very outset; incident response has one too. A prompt, expert response, with a clear head and a well-thought-out plan, can make or break the organization's ability to support an investigation or defend litigation.
When Do I Need Legal Help?
Legal counsel should get involved from the minute you suspect there has been a breach. Almost every state has a data breach notification statute, and counsel should be consulted to determine whether your breach will require notification of the affected parties. Where such statutes do apply, state Attorneys General typically expect notification to begin within 48 hours of the breach becoming public.
Counsel will also need to be involved to promptly determine the availability of insurance coverage and whether contractual counterparties must be notified. Counsel's early involvement is also critical when dealing with law enforcement and regulators. Although a business that has been breached is the victim of a crime, it is also subject to increased scrutiny from regulators and law enforcement, who may fault the business's security practices for allowing the breach to occur. For businesses in regulated industries such as healthcare and finance, the scrutiny, fines and reputational damage can be ruinous.
Because time is of the essence once a company has been breached, it is important to have legal counsel at your fingertips. It is wise to arrange your representation in advance. You do not want to be in the middle of a breach and only then start interviewing law firms to find one with experts in breach response, litigation and compliance. Do this planning while there is no emergency and no panic, and take the time to find the right firm, because not all law firms have the experience you will need.
Whether you have been proactive and discovered your vulnerabilities through an exercise such as a penetration test, or have had the unpleasant experience of discovering your weaknesses at the hands of an attacker, the next step is to remediate the discovered vulnerabilities. However you found them, it is important to rank them by risk so you can work through them in the proper order.
The equation 'Risk = Threat x Vulnerability x Impact' will help you prioritize and remediate the items in a logical order. You can simply assign estimated values of 1 to 5 to each of the three factors (how likely the threat is, how exploitable the weakness is, and how bad the consequences would be) and multiply them to get a risk score for each issue. A likely threat that can exploit a glaring vulnerability with significant impact is an emergency item that needs immediate attention. Conversely, a vulnerability whose threat is uncommon and whose impact is minor is not as urgent, and can be dealt with after the more severe issues are solved.
Once you believe an issue has been remediated, retest to confirm that the vulnerability is no longer present; the fix you think was applied is not always the fix that was applied. It is also important to reassess your systems on a regular basis to find and remediate new vulnerabilities.
In conclusion, your best defense is to be proactive. Your company should have a breach plan in place that is reviewed annually. Testing and employee training help protect the company from outside cyberattacks and create a security-savvy work environment. If you do get breached, you should have a solid forensic partner to help you identify what data has been compromised, give your remediation team the information it needs to fix the problem, and determine who needs to be notified. Finally, make sure you have the correct level of cyber insurance and experienced legal representation.
Robert Risk, MSCIS, is director of technical advisory services at Wiss Security Partners; Seth Danberry is president of Grid32; Rob Kleeger is founder and managing partner at Digital4nx Group Ltd; and Ryan Cooper is director of the Privacy and Information Governance Group at Pashman Stein.
This article appeared in the May/June 2016 issue of New Jersey CPA magazine.