Category: Incident Response

Now, More Than Ever, Enterprises Are Learning the Benefits of Preparing for Cyber Security Incidents

2020 isn’t likely to be on anyone’s list of “Best Years of All-Time” and the sentiment is double for anyone involved in cyber security: the year is barely halfway over, and it’s already been full of frustrations and headaches for cyber experts.

When you look at the cyber attacks costs to business and the continuing high rate of incidents in 2020, there’s only one conclusion: there’s a need for enterprises to demonstrate readiness and embark on a journey toward cyber security resiliency.

To start, let’s look at some numbers to help underline why proper cyber security is a value-add and can help a business protect against losses.

Cyber Attack Costs to Businesses

There’s no question that enterprises are being challenged to keep up with a security environment that is showing no signs of becoming friendlier any time soon. The highlights of the 2020 Cost of a Data Breach Report paint a picture that can be eye-opening for both enterprises and small businesses:

• $3.9 million average cost of a data breach
• Time to identify and contain a data breach averages 280 days
• $150 average cost per lost record
• 43% of all attacks target small businesses
• 86% of small businesses have no effective defenses against cyber attack
• 60% of all small businesses close their doors within 6 months following a cyber attack

[Source for all statistics: IBM, 2020 Cost of a Data Breach Report]

These statistics show larger enterprises typically have the resources to at least maintain (though they are certainly not immune, as we will detail later), while small businesses generally have more difficulty managing the proliferation of cyber threats, vulnerabilities, and incidents. The findings of the report definitely shed light on the risk to small businesses, though there is a lot of positive insight that can be distilled.

For instance, the fifth bullet calls out that 86% of small businesses have no effective cyber attack defenses. The conclusion that should be drawn is businesses with proper cyber security measures in place are far less likely to suffer a cyber attack. A high level of organizational preparation and sufficient investment in cyber security resources can create enhanced resiliency and diminish the threat of damaging incidents.

Two of 2020’s most noteworthy security stories – the hack of high-profile accounts on Twitter and the troubles that have plagued the Zoom app – demonstrate how an ounce of prevention is worth a pound of cure.

Twitter Gets Hacked

The most spectacular security event of the year is the recent Twitter hack. On July 15, 2020, 130 of the highest profile Twitter accounts – including those of Barack Obama, Joe Biden, Apple, Uber, Bill Gates, and Elon Musk – were hacked and used to push a bitcoin scam.

Federal and local law enforcement responded quickly and the investigation has led to several arrests in Florida, including a juvenile as the alleged ring leader. The actual monetary damages to victims are relatively small, probably less than $200,000. However, the implications of this breach are disconcerting.

The hack’s apparent lack of technical sophistication and small-potatoes level of ambition – prestigious Twitter handles were apparently more coveted than compromising sensitive accounts – leads to more questions. What if this was a more sophisticated operation, mounted by a genuine criminal enterprise and with more destructive goals? What if the private messages logs of the hacked accounts were shared with significant threat actors, including unfriendly nation states, corporate spies, and blackmailers?

Twitter has emerged from this relatively unscathed, but the accountholders appear unprepared for the future. If privileged information from those accounts is released, or if a similar attack is launched by someone with a more sinister agenda, the potential for damage is immense.

Lesson: With so many technology partners integral to operations, there are endless vulnerabilities outside of your control. Enterprises can’t rely solely on their own best efforts to maintain data security and must be prepared for catastrophic events that are external, unexpected, and unknowable. Align your behaviors, processes, operations, and strategies with the understanding that no amount of diligence can insulate against an incident that originates outside your organizational perimeter – disaster can strike and you must have a response framework and recovery process ready.

“Zoom Bombing” and Other Zoom Issues

Before March, Zoom was just a little-known teleconferencing app. When the pandemic hit, it was suddenly vaulted into the spotlight as the go-to choice for virtual work meetings, school classroom sessions, or just friendly gatherings. For a while it worked, and then all the attention and traffic made Zoom’s incomplete approach to security noticeable, and malicious actors launched a series of attacks that exploited the app’s shortcomings.

Insecure meetings were frequently crashed by uninvited “Zoom bombers,” in a wave of incidents that were serious enough to merit an FBI warning. More unsettling were the multiple security flaws discovered by sharp-eyed researchers, including UNC path injection and local privilege escalation and code injection. The icing on the cake was the discovery of privacy concerns regarding misleading end-to-end encryption protection claims and undisclosed sharing of data with Facebook.

Zoom responded by issuing practical instructions for making meeting rooms more secure against bombing, patching multiple flaws, clarifying its use of encryption (it doesn’t use “end-to-end encryption” in the commonly understood sense), and addressing privacy concerns by promising to review its “processes and protocols for implementing… features in the future.” In retrospect, these incidents point to the human element as a source of vulnerability and the need for appropriate security training and controls.

Lesson: Crisis situations, like the rapid and ubiquitous move to remote workforces, can deprioritize normal precautions that support proper vetting of new technologies and services, which might be incompletely understood or poorly secured. Vulnerabilities in these solutions will eventually be exposed, which can create a snowballing crisis chain. Don’t allow a disruption to your normal operations interrupt your procedures for evaluating change, understanding risk, and integrating new services or partners into your enterprise environment. Proper employee training in encryption protocols, password sharing, and link sharing outside of your enterprise can eliminate many common vulnerabilities and threats.

Why Enterprises Might Underinvest in Threat Mitigation

Many enterprises were caught flatfooted by 2020’s security incidents. Companies with hacked Twitter accounts worked to understand how they had been compromised and likely still don’t know the complete tally of damages. Organizations that relied on Zoom to conduct business as normally as possible during the pandemic are struggling to contain the fallout from operations disrupted by Zoom’s failures, while scrambling to find alternative solutions.

Many of these organizations – or more accurately, the people within the organizations – did not to invest in sufficient cyber security assessment, response and recovery resources. Why is that? One common culprit is prospect theory.

In short, prospect theory demonstrates that our decision making is weighted toward loss aversion: people are more fearful of losses then they are encouraged by equivalent gains, and therefore will choose the option of loss avoidance when all things are perceived equal.

In the context of whether or not to invest in enterprise cyber security, an organization’s decision makers might evaluate two possibilities:

1. the cost (immediate loss) of implementing more resilient cyber security (long-term gain), or
2. the savings (immediate gain) of not mitigating a potential cyber incident (long-term loss).

By prioritizing loss aversion (option 2), decision makers might overlook not only the likelihood that an event will occur, but also the potential value gains of being prepared and having a mitigation plan in place.

Here’s a Suggestion: Invest in Your Security Posture

The overall lesson here for enterprises is to make certain that, when deciding on a cyber security investment, you are properly evaluating the upside of hardening cyber security capabilities, preparing for security events, and having plans in place for response and recovery. Yes, this is an expense that shows up on the ledger as red ink. But it’s also an investment that returns its cost, and more: proper cyber security delivers value in the long term.

You can’t predict when an attack could happen and systems can be breached without you knowing you’ve been compromised, allowing malicious actors to thoroughly investigate your system and plan the most effective means of attack. The aforementioned IBM report demonstrates the precise value of preventing such a scenario.

Don’t let your only value determinant be loss (cost) aversion. Instead, perform a sensible risk analysis that spotlights the value benefit of a cyber security investment, and recommend the changes necessary to harden your defenses, install a response process, and create a recovery plan.

At SecurIT360, we are trusted advisors to small businesses and enterprises that are motivated to meet the security challenges of today’s digital environment. Contact us today to talk about your cyber security concerns and challenges.

It’s a common scenario and one every enterprise should be ready for: you’ve just learned your business has experienced a data incident, now what? However your data has been compromised, if it involves enterprise or customer assets (or both), regardless of the attack vector—which may be unknown at the outset of an incident—your response should be structured, efficient and rapid.

Here’s what your “Now what?” should look like.

Incident Response Basics – NIST Computer Security Incident Handling Guide

The National Institute of Standards and Technology (NIST) has respected and oft-emulated guidelines for incident response. Many organizations use NIST guidelines by the book, or similar guidelines developed using NIST as a basis for action. The NIST incident response life cycle includes four elements:

1. Preparation is a two-pronged operation: incident prevention works hand-in-hand with establishing an incident response capability, although typically different teams handle each program. Primary practices for both prevention and response include:

• Risk assessments
• Host security
• Network security
• Malware prevention
• User awareness and training

2. Detection & analysis determines the response strategies deployed in a given incident response. Understanding attack vectors can provide a basis for activating specific handling procedures, according to a pre-developed action plan. Some of the most common attack vectors include:

• External/removable media
• Attrition
• Web
• Email
• Impersonation
• Improper usage
• Equipment loss or theft

3. Containment, eradication & recovery strategies are activated according to analytic criteria: What is the potential damage? Can evidence be preserved? What services are available? How much time and what resources are required? What is the solution duration? All actions should be accomplished in a phased approach that prioritizes remediation steps.

4. Post-incident activity engages processes aimed at learning and improving, which are critical in creating a framework for continual improvement of security response. Collecting incident data allows for both subjective and objective assessment exercises, to better understand what worked and what didn’t. Preserving evidence is required for not only potential prosecution, but also compliance purposes. If notification of all stakeholders (including the general public, in most instances) has not already occurred, that should be completed now.

NIST Incident Handling Checklist

NIST guidelines helpfully condense incident handling into a convenient checklist of actions to be engaged across the process spectrum, from detection through to lessons learned. This is an invaluable tool to help guide response preparation, planning, handling and resolution.

Action

Detection and Analysis

Determine whether an incident has occurred

Analyze the precursors and indicators

Look for correlating information

Perform research (e.g., search engines, knowledge base)

As soon as the handler believes an incident has occurred, begin documenting  the investigation and gathering evidence

Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)

Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery

Acquire, preserve, secure, and document evidence

Contain the incident

Eradicate the incident

Identify and mitigate all vulnerabilities that were exploited

Remove malware, inappropriate materials, and other components

If more affected hosts are discovered (e.g., new malware infections), repeat  the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then  contain (5) and eradicate (6) the incident for them

Recover from the incident

Return affected systems to an operationally ready state

Confirm that the affected systems are functioning normally

If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity

Create a follow-up report

Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)

Study in Incident Response Success: Chili’s

What does a NIST-guided approach to incident handling look like? Chili’s might be famous for its baby back ribs and Awesome Blossom’s, however it’s equally deserving of merit for its response to a potentially devastating data breach in 2018. What did they do right? Just about everything:

• Brinker International, the Chili’s chain operating entity, discovered the breach on May 11. They made an announcement to the public on May 12, sharing what they knew and (importantly) what they didn’t yet know – that level of swiftness and transparency established an immediate relationship of trust with potential victims and the public.

• “We immediately activated our response plan upon learning of this incident,” Chili’s said, which included a forensics audit that revealed the incident took place more than a month earlier and “may have resulted in unauthorized access or acquisition of [customer] payment card data.” Mishandled discovery and investigation can cripple an effective response effort, so this created a strong foundation to build on.

• Brinker contracted a third-party forensics specialist to manage the response and notified law enforcement immediately. Where many enterprises try to go it alone in these situations, typically in a misguided attempt to keep a lid on the situation, Brinker recognized the need for a diverse, expert, highly structured response and valued communication and collaboration in their process.

• Recommendations and continuous action were accomplished as part of the remediation process. Chili’s recommended customers review their credit reports and notify relevant agencies and organizations of suspicious activity. Brinker filed a Form 8-K with the US Securities and Exchange Commission, which is used to notify shareholders of a significant event. They also set up a notification site dedicated to sharing news, information about the incident and their response, and a customers/potential victims FAQ.

Brinker’s successful incident response ensured that damage was minimized, especially to the Chili’s brand and customer loyalty, recovery was rapid, and baby back ribs with a side of Awesome Blossoms were back on the menu.

Study in Incident Response Failure: Equifax

Analyzing a bungled response can be more illuminating than reviewing a success story – hello Equifax! Let’s take a look at the low lights of how that company managed response to its notorious breach of November 2017:

• The full scope of the breach – exposure of the personal data of up to 147 million Americans – was withheld from customers, regulators and the media. Instead, a slow drip of increasingly dire revelations created the impression of a snowballing catastrophe and a crisis the company was unable to get ahead of.

• Company officers who knew the details of the breach and its potential severity sold their stock in the company before the incident was announced.

• A separate support website outside the corporate domain was created to inform potential victims and connect them with remediation resources. This website was itself riddled with serious security flaws, and relocating outside the corporate domain spotlighted a lack of trust and accountability.

• Equifax mistakenly tweeted a phishing link four times, instead of the correct support website.

• When the company finally revealed that the breach had been caused by an unpatched server targeted by a pervasive security flaw, the company lost its final chance to rally trust in its security and response processes.

Equifax botched its response from the outset, which has led to an endless cycle of lawsuits, prosecutions, bad press, a $425 million settlement, and irreversible reputational damage (assuming that credit bureaus have positive reputations capable of sustaining damage, which is not an iron-clad argument). Other than those issues, everything went fine!

It’s Not If, It’s When You Will Suffer an Incident

The threat environment for enterprises is perilous and relentless: most organizations understand that experiencing a data breach incident is not something that’s a matter of bad luck or circumstance, it’s a given.

Preparation is crucial to meeting these moments: planning your response in the midst of a crisis is exponentially more challenging and prone to failure than having a response procedure and resources ready when the time is at hand. Having that response procedure ready can enable you to make informed, sound decisions that pay off and return you to a baby back ribs state-of-mind.

As NIST points out, preparation is everything. For a limited time, SecurIT360 is offering a free cyber security scorecard to provide businesses a snapshot of their cyber security posture. Your organization can use its scorecard results to understand if some basic vulnerabilities exist and make adjustments before a breach occurs.