BreachExchange mailing list archives
Top 10 data breach survival tips after eBay, Spotify and Office breaches
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 2 Jun 2014 19:31:56 -0600
http://www.v3.co.uk/v3-uk/news/2347211/top-10-data-breach-survival-tips-after-ebay-spotify-and-office-breaches

With eBay, Spotify and even shoe seller Office all having suffered data breaches in the past few weeks, it is clear hackers' interest in corporate data is growing all the time. These firms can't plead ignorance of the threat either, as recent research from security firm Symantec reported hackers managed to successfully compromise 552 million web users' identities over the past year, so the risk has already been well documented.

Not only can a breach result in the victim losing customer trust and future business, the Information Commissioner's Office (ICO) can hit organisations with fines as high as £500,000 for data loss incidents. All in all, data breaches can be costly affairs.

In light of all these recent incidents the need for IT managers and businesses as a whole to know how to handle a data breach is more essential than ever. So V3 has put together a survival guide that could help save the day. Read on.

10. Don't alert hackers you're on to them too quickly

The temptation whenever you spot an intruder on your network is to act immediately and kick them out straight away. But, as noted by numerous security providers, including BAE Systems, this approach is fairly short-sighted. By acting rashly you can alert the hackers that you're on to them too early, meaning they can adapt their tactics to dodge your defensive measures. A rushed strike can also make it more difficult to understand the full extent of the breach, as it gives the hackers time to hide their tracks and makes it harder for IT managers to do key things, like finding and fixing the attackers' point of entry.

9. Contact the relevant government bodies

The Information Commissioner's Office (ICO) could well end up fining you for a data breach, but the organisation is far more likely to look favourably on you if you fess up and co-operate over an incident, rather than trying to cover it up.

Furthermore, if your organisation is of critical importance to the UK, like a utility company for instance, it is definitely worth letting the relevant government departments know, so they can help you and warn others in the sector, with the necessary secrecy. It's never easy admitting you've done something wrong or made a mistake, but usually the repercussions of not doing so are far worse.

8. Talk to your security provider

Despite efforts by the government to encourage disclosure, many companies enter into a shame spiral after a data breach and try to talk to as few people as possible about their predicament. Some even go so far as to freeze out their security providers, which, considering the vast sums of money most spend with them, seems slightly bizarre.

The days when security providers simply set up a firewall or antivirus solution and walked away are done. In today's threat landscape, security providers act as experts and guides full of handy tips and advice about how to deal with a data breach after the worst has happened. So, contacting your security service provider should be one of your first actions following any successful attack on your networks.

7. Take advantage of government help schemes

Security providers aren't the only sources of help out there when it comes to data breaches. Thanks to the UK's ongoing Cyber Security Strategy there are a wealth of government-sponsored initiatives that can help offer guidance and support following a data breach. These include the UK's newly launched Computer Emergency Response Team (CERT), which manages the country's large Cyber Security Information Sharing Partnership (CISP), and the ongoing Cyber Streetwise campaign. Make sure you take advantage of whatever help is out there. You pay your taxes, so you have every right to reap the benefits.

6. Honesty is the best policy

Unless you're absolutely certain you don't need to go public, or for some legal or security reason can't go public, then fessing up and talking about what's happened is the best policy. Letting users know what has happened, when, how and why, and what you're doing about it not only shows a level of humility that businesses sometimes forget people like to see, but helps customers assess the situation for themselves.

If you've been targeted by highly skilled hackers who went after your core data and can say you've contacted the police and the ICO, and are doing all you can to gather more information, people will be much more understanding. A company that tries to cover up a breach, or drip-feeds information slowly and without much clarity, will only exasperate and anger users, leading to more negative press coverage that could have easily been avoided.

5. Learn from your mistakes

There are many lessons that can be learned from a security breach, and companies would be wise to take them on board and absorb them. You do not want to make the same mistake again, so shore up and fix your systems. Apply any and all patches that are available. Your customers need to trust you: give them two-factor authentication, earn their respect, and keep them informed about what happened and why.

While eBay may not have immediately reacted to its password problems in the best way, it did react when users and industry told it things could be better, so at least it showed that it is willing to accept it did not get everything right straight away.

4. Make it easier for customers to change details

When you do alert customers and partners to an incident, making sure they can easily follow the advice you give them is a must. The eBay incident showed that this is easier said than done. The firm was late sending out emails urging password changes, and then its own information on how and where to change passwords was confusing and hard to follow.

If you're going to advise users on changes they need to make, make it easy. Have a prominent 'change password' button on the front page of the website and ensure your systems have enough capacity to cope with the surge in demand this will create. Anything less than a hassle-free experience will leave users all the more concerned and questioning whether they want to do business with a company that can't make such a simple, everyday requirement easy to carry out.

3. Share attack data and best practice with other firms

Not talking about data breaches only helps hackers. By taking a 'mum's the word' approach to data loss, companies effectively give hackers free rein to reuse their hack tools and exploit the same vulnerabilities across a wide range of targets. As a result the need to share attack data with other companies is more important than ever, as it can stop single attacks turning into wider campaigns.

While the practice won't directly help you following a data breach, it can help entice other firms to take a quid-pro-quo approach in the future and give you a heads up about a new threat you may otherwise have missed, meaning in the long run it's worthwhile.

2. Do a full systems check

Hackers are a little like rats - and no, we don't mean remote access trojans. Once inside your network hackers don't stay still; they spread like wildfire and will get into any system they can, even if it's not necessarily of direct use to them. This means you cannot afford to simply assume the hackers were only in the part of the network or system you initially spotted them in, and should do a full systems scan and forensics work to understand exactly how far they got before being caught. If you don't, you may soon find yourself falling victim to a second, potentially more dangerous attack from the same group.

1. Assume you will be breached and have a strategy

If the eBay breach has shown one thing it's this: have a plan for dealing with the fallout from a hacking incident or breach, and make sure your staff know it by heart. The confusion and lack of clarity from the firm only made the situation worse.

Everyone in the company, from the CEO to marketing, from the web team to the sales bods, should know what the strategy is for dealing with an incident. This way, when such a situation occurs everyone will know their role and be able to act effectively. For eBay this could have meant that emails urging password changes were sent out promptly, and that finding and changing passwords could have been made far more straightforward.

As eBay, Target and countless other incidents have shown, assuming you won't be attacked is naive and potentially dangerous. It may seem paranoid to get the whole company thinking about how they'd react to a breach, but just because you're paranoid doesn't mean they're not out to get you.