Tag Archives: Breach Response

Security News for the Week Ending April 26, 2019

As Terrorists Blow Up Soft Targets, Sri Lanka Turns Off Social Media

As Sri Lanka deals with multiple bombs exploding at churches and hotels, the country’s answer to the inevitable use of social media to fan flames and spread propaganda alongside news is to turn off social media.

At the current time, it appears that 8 bombs went off, 200+ people were killed and 400+ people were injured.  The target seems to be minorities and foreigners, which is often the case in terrorist attacks.

Facebook and other social media, in an effort to spin the news, said that they are working to remove content that does not meet their guidelines (which of course could be very different than the government’s guidelines), but as we saw in Christchurch, New Zealand, doing that effectively is very difficult.  Facebook and its cousins would like to be thought of as an important news source and not just a purveyor of trash and hate, so they are no doubt trying to figure out how to respond.

What is not clear is whether other governments (probably not in the U.S.) see this as an effective way to control the flow of information when they choose to (which could include any number of different situations, not just terrorist attacks) and follow Sri Lanka’s example.  If this does become more common, that will not be good for the social media brands.  (Source: CNN).


Businesses Continue to Ignore Contacts About Data Which is Exposed

In this case, it was the Mexican Embassy in Guatemala.  Thousands of documents including passports and birth certificates and also documents related to the embassy itself were accidentally made publicly visible on a cloud storage provider.

But that is not my big concern.

One more time, the researcher contacted Mexican officials but got no response.

If a researcher contacted ANY person in your company saying they found a security issue, does every single employee know what to do?   It is, after all, very simple.

CONTACT SECURITY and provide them the information that they received.  Don’t try to figure out if it is a scam or how to fix it.  Just contact security.  Let them deal with it.  That is what they do for a living.  Now, if security screws up, well, that is their fault.  My guess is that, in this case, the information never made it to the right people.  Eventually, it did get removed.  (Source: Engadget).


China Has a New Export

China is the model of a surveillance state.  Now China has figured out that they can make a lot of money exporting that technology to other countries.  Ecuador is the prototype.  4,300 cameras.  16 monitoring centers.  More than 3,000 people watching those cameras.

Oh,  yeah, in addition to spotting crimes, the video feed also goes to Ecuador’s domestic intelligence agency.  Some of the other countries buying the Chinese spy gear include Zimbabwe, Uzbekistan, Pakistan, Kenya, the United Arab Emirates and Germany.

36 countries received training on topics such as censorship (politely called “public opinion guidance”).  Source: The NY Times.


North Carolina Unveils Changes to Privacy Law

An amendment to the North Carolina Identity Theft Protection Act was introduced earlier this month.  Among the changes, the amendment:

(1) requires businesses to implement reasonable security practices (where “reasonable” is undefined and left for the lawyers to argue over in case of a breach),

(2) reduces the time to notify victims and the AG to 30 days, like Colorado,

(3) expands the definition of protected information to include health and healthcare information (which may also be protected under HIPAA, depending on how the business received it),

(4) clarifies that other information may be included as covered PII depending on whether sufficient information was compromised to abuse it (for example, an email ID is not covered unless the email password is also compromised),

(5) changes the definition of a breach to unauthorized access, without regard to whether the compromised information is used,

(6) requires that if the business determines there was no potential harm from a breach, it must now keep that proof for three years,

(7) requires that, in cases of breaches at a CRA or any breach involving Social Security Numbers, the company provide 24 or 48 months of credit protection,

(8) expands the information that a business may be required to provide to the AG in case of a breach,

(9) says that compliance with GLBA or HIPAA gives a business safe harbor FOR THOSE sections of the bill that overlap, and

(10) imposes other requirements on CRAs and businesses conducting credit checks.

The bill also allows a person to file a private right of action if they have been damaged.  Source: JDSupra  

What Do December Breach Announcements Point Out

First it was Marriott.  The breach of Marriott’s Starwood division systems exposed data on 500 million clients and triggered multiple lawsuits and investigations.

That breach was four years in the making and across two different management teams – first at Starwood and then at Marriott.

Undetected.

This week 1-800-Flowers announced that it too was breached.  The Canadian division’s web site was breached.  In 2014.  They detected the breach in September 2018, four years into it.

Undetected.

How do hackers remain inside the systems of large companies for four years?

Were the hackers targeting Marriott or 1-800-Flowers?  Probably not, but once they got in they probably thought they went to hacker heaven.

If hackers can do that to large companies, what about small companies?

Bottom line is that smart hackers want to stay in your system for as long as possible to maximize the “value”.

If you are stealing only credit cards, you can’t wait too long because credit cards expire.  In the Marriott case, which is now linked to hackers working for the Chinese, they stole a lot of other useful information for identity theft that has a much longer shelf life.

Also, it seems to be taking Marriott a long time to figure out what was taken.  I am not clear that they even really know now.

Big companies already know that they are targets of attackers, but so are small companies.

As companies increase the use of cloud based systems, detecting the attacks could be harder. 

Are you asking your cloud providers – all of them – who is responsible for detecting breaches?  I bet for many providers, they will say it is you.  And who responds to them?

Are you ready to respond to an incident?  That includes figuring out what you are going to say on social media and how you are going to respond to social media chatter.  Sometimes that chatter can get pretty brutal.

Companies need to prepare for and test how they are going to respond.

Small companies say it won’t happen to them, but, while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority, by numbers, of breaches happen to companies with a few employees up to a couple of hundred employees.

Both of these breaches were outed when the companies reported the breaches to authorities, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.

Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.

Information for this post came from Threat Post.

Cathay Pacific is Beginning to Fess Up and it Likely Won’t Help Their GDPR Fine

As a reminder, Cathay Pacific Airlines recently admitted it was hacked and lost data on over 9 million passengers.  Information taken includes names, addresses, passport information, birth dates and other information.

They took a lot of heat for waiting 6 months to tell anyone about it (remember that GDPR requires you to tell the authorities within 72 hours).

Now they are reporting on the breach to Hong Kong’s LegCo (their version of Parliament) and they admitted that they knew they were under attack in March, April and May AND it continued after that.  So now, instead of waiting 6 months to fess up, it is coming out that they waited 9 months.

They also admitted that they really didn’t know what was taken and they didn’t know if the data taken would be usable to a hacker as it was pieces and parts of databases.

Finally, they said after all that, they waited some more to make sure that the information that they were telling people was precisely accurate.

Now they have set up a dedicated website at https://infosecurity.cathaypacific.com/en_HK.html for people who think their data has gone “walkies”.

So what lessons can you take away from their experience?

First of all, waiting 6 months to tell people their information has gone walkies is not going to make you a lot of friends with authorities inside or outside the United States.  9 months isn’t any better.

One might suggest that if they were fighting the bad guys for three months, they probably either didn’t have the right resources or sufficient resources on the problem.

It also means that they likely did not have an adequate incident response program.

Their business continuity program was also lacking.

None of these facts will win them brownie points with regulators, so you should review your programs and make sure that you could effectively respond to an attack.

Their next complaint was that they didn’t know what was taken.  Why?  Inadequate logs.  You need to make sure that you are logging what you should be in order to respond to an attack.

They said that they wanted to make sure that they could tell people exactly what happened.  While that is a nice theory, if you can’t do that within the legally required time, that bit of spin will cost you big time.

Clearly there is a lot that they could have done better.

While the authorities in Europe may fine them for this transgression, in China they have somewhat “harsher” penalties.  Glad I am not in China.

Information for this post came from The Register.

FDIC Likely Breached 54 Times in Two Years – Has Sloppy Breach Response

The Federal government has demonstrated its inability to keep its own house in order at the same time that it expects citizens and businesses to trust it with very sensitive information.

From the SEC’s EDGAR breach, the OPM breach and others, add the FDIC.

The Office of Inspector General (OIG) found that the Federal Deposit Insurance Corporation’s (FDIC) policies for responding to a breach were not being followed, even as the FDIC may have been breached as many as 54 times in the last two years.

The OIG reviewed 18 of those breaches and reported their findings.

In the wake of those failures, the FDIC has taken steps to better comply with Federal Law (FISMA) by implementing a breach response plan.  Very impressive for an organization that is responsible for ensuring the safety and security of trillions of dollars of your and my money.

The auditors found that the organization often failed to implement key components of this plan for the majority of the security incidents reviewed.  For example, they are supposed to notify breach victims within 10 days, but it took them, on average, 288 days.

The plan designates who is supposed to be responsible for responding to breaches, but in many cases, those positions were either unfilled or staffed by employees who were not trained.

The breach notification plan established a data breach management team; however, the team lacked a charter and an effective governance structure.

The FDIC says not to worry, they will have all of this fixed by September 30th, 2018.

These are the foxes that are guarding the hen house.  Are you as impressed as I am?

Information for this post came from Federal Computer Week.

How Long Should It Take You To Disclose A Breach?

Whenever I read the news that a data breach has occurred, my first two questions are “how big is it?” and “how long did it go on for?”

For example, the Omni Hotel chain announced a breach this week and they said it affected 49 out of their 60 hotels, affected 50,000 customer cards, was detected on May 30th and it ran between Dec. 23, 2015 and Jun. 14, 2016, but many hotels had a shorter time when they were affected.

On the other hand, Wendy’s, which I have written about a lot, first denied the story, then said 300 stores, then more than 300 stores, now says 1,025 stores and has never said how many cards were compromised, even though the banks have said it is really big.

So what is a business to do?

The first question is how long after the breach did you detect it?  Nortel Networks, which filed for bankruptcy in 2009 and was sold off in parts, did not detect a breach at the very highest levels of the company for 10 years.  While this is not the record, it is close to it (the longest running breach I know of was in Europe and lasted 12 years before it was detected).

Now that you have detected the breach, the next step is to take out your cyber incident response plan – the one that is well thought out and periodically tested – and follow what it says.  Advisen says that 75% of organizations have a response plan and that 58% have never tested it.  I think both numbers are way too high.  WAY too high.

The next question is figuring out what the bad guys got.  For most companies, Wendy’s included, that is the biggest challenge.  Even the few that, in my view, have a well done and tested incident response plan don’t have the log data needed to figure out what happened.  This was confirmed yesterday by a friend who works for a three letter agency and helps very large companies deal with breaches.  And if the very large companies can’t do it, how could the small companies do it?

The next question, which MUST be answered in conjunction with counsel who understands the cyber domain, is legally, how long do you have to disclose it and to whom?  For example, if you are a Department of Defense contractor, you have 72 hours to notify DoD, but that doesn’t mean that you have to notify the public at the same time.  Under HIPAA, for breaches of more than 500 people, you have 60 days to notify the Secretary of HHS.  Every oversight body has its own rules, but typically it is 30-90 days.  But don’t assume.  Not notifying in a timely manner has its own problems.

At the same time that you are trying to figure out what was taken, you want to activate your crisis communications plan.  Since you have already engaged a crisis communications expert, you pick up your phone and hit Speed Dial 2 (Speed Dial 1 is reserved for your cyber knowledgeable attorney) and activate the plan.  Oh, wait, most companies don’t have a crisis communications plan – which becomes a crisis of its own.

Bottom line, there is no “answer” to how long, but the better prepared you are, the better the plan that you have, the more log data that you can actually use, and the more experts that you can rely on, the easier that answer will be to find.

Wendy’s discovered that they didn’t do so well in that department.  In part that is likely because they thought their business was feeding people.  While that is certainly true, most companies are information companies.  The reason Wendy’s has those fancy POS systems is so that company executives know, hour by hour, how many hungry people they fed.  That is an information company.

So as you review your already written and well tested incident response plan, think about the above and see if you need to update that plan.

Information for this post came from ID Experts.