After the Breach (Part 1)

As I suggested in my CSA Privacy Heat Index post, the extraordinary volume of privacy abuses in the U.S. may be due not only to its permissive regulations on personal data sharing, but also to its dominance of online services (creating a higher threat level) and its long-standing breach disclosure rules at the state level.  This article discusses the breach aspect of privacy encroachment, provides individuals advice on how to cope personally and offers recommendations to enterprises on what to do “after the breach.” Finally, it closes with a brief discussion of cyber-insurance implications.
[Figure: the largest data breaches of the past ten years. Source: articles from Bloomberg and other sources]
The figure above was adapted from a Bloomberg Top Data Breaches article. Notably, 4 of the 6 biggest breaches recorded in the last ten years came in 2013 and 2014. This phenomenon reflects an explosion of cybercrime enabled by underground crimeware markets and tools such as botnets and the Blackhole Exploit Kit described in this KrebsOnSecurity article on a Russian criminal.
The breaches aren’t slowing down. We’ll probably soon hear of still more losses from the current year that are yet to be discovered or still under investigation. This Credit Union Times top 10 of 2014 article highlights still more breaches in 2014 (so far). They tend to be smaller than those in the monster breach table above, mostly affecting the retail industry sector.
And while there’s a gap in the table between 2009 and 2013, cyber-attackers were not idle. The NSA was deploying PRISM, Chinese hackers were infiltrating corporations and governments worldwide, and plenty of smaller breaches that didn’t make the table also occurred. It was during this 2010-2012 “APT” (advanced persistent threat) period that I worked as a malware and cybercrime analyst at Gartner and was one of the analysts who warned: “You have to assume your organization has already been penetrated and plan your defense accordingly.”
Does Size Matter?
If you use a credit card or live in the United States, breach size matters. Just do the math. Some of your personal information, even your social security number (SSN), is probably floating around somewhere in the lands of cybercrime.
On the other hand, the breaches vary widely in qualitative terms. I hadn’t even heard of the CourtVentures (an Experian subsidiary) breach until today for some reason, but the fact that a Vietnamese criminal allegedly had access to SSNs, dates of birth and other records on more than 200 million Americans (and resold access to others) is a really bad thing. However, the entire database may not actually have been downloaded.
The eBay 2014 breach was massive, but according to the company there is “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.” However, according to my friend Raj Samani, quoted in this Washington Post article, “If you have my name, address, date of birth, telephone number … there’s really no way to try to determine what the overall impact of that will be.”
The 2013 Adobe breach also reportedly only leaked credit card information in an encrypted form, and JP Morgan claims that no card information was leaked in its recent breach.
Recommendations for Individuals
If we assume our personal and financial information may be out there for the taking, what should we do? I recommend:
  • Minimizing your financial profile by reducing your use of credit and debt instruments
  • Changing credit card numbers approximately once a year
  • Maintaining deniability by avoiding the use of online outgoing wire transfers from your account (that is, I always go into a brick and mortar bank to wire money)
There remains a risk that someone out there will take matters beyond financial fraud and into the realm of identity theft. They would just need your SSN – as fictionalized in the very bad movie “Identity Thief” – to do that. Enter credit monitoring services, described in this NYTimes article as a last line of defense. These services could help customers detect identity theft earlier.
Credit monitoring services can also help customers close down multiple fraudulent accounts created in their name, and that may be their most important function as a kind of insurance for individuals. A friend of mine who was victimized had no such service and told me: “It’s a good thing my spouse wasn’t working outside the home, because cleaning this up took months.”
Another thing you can do in the U.S. is to freeze your records with the credit bureaus to make it impossible for businesses to check your credit, and thus make it less likely that a fraudster could set up a new account in your name. The NY Times article discusses this, as does another article from KrebsOnSecurity.
Neither of those articles, however, mentioned an important tip I got a few years ago from my lawyer. That is, when you inquire about your credit, or request a freeze, do it by snail mail. Otherwise, as when you do just about anything online with a company these days, you may have to click “I ACCEPT” to various terms and conditions – thus signing away rights you’d otherwise retain under consumer law. If you send a written request, however, you may be able to get your information without having to agree to anything in return.
Recommendations for Enterprises
Enterprises should prepare for the likelihood that breaches, large or small, will happen sooner or later by:
  • Deploying effective security monitoring: Meet the challenges of building an architecture conducive to security monitoring at the technical layer (application, identity, network and data), process layer (defined policies covering monitoring requirements and operations) and people layer (duties). Deploy a monitoring infrastructure using log management and/or security information and event management (SIEM) tools.
  • Readying investigative capabilities: If your enterprise is under a high threat level, consider deploying a fully staffed 24×7 security operations center (SOC) with some managed security services in the mix. Depending on the threat level, assume you are (or may be) already penetrated by adversaries and constantly investigate your environment through your security monitoring infrastructure. Understand that SIEMs don’t spring out of the box fully baked; they tend to require a high degree of tuning from skilled staff. And when you find indicators of compromise, investigation has to go into high gear, that is, the forensic phase. You need to have (or be able to obtain) people and processes for doing forensic analysis.
  • Developing an incident response plan: This plan needs to consider different types of incidents and how they are identified, investigated, escalated to management, responded to and reported. It needs to include IT, HR, legal, and business unit level resources, depending on the type of incident.
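To make the monitoring and investigation recommendations above concrete, here is an added example (my own illustration, not code from the original post or from any SIEM product) of the kind of correlation rule a log management or SIEM deployment evaluates once logs are centralized. It reads constructed sshd-style log lines, raises an alert when a burst of failed logins from one source is followed by a successful login, and raises a second alert when a successful login comes from an address on an indicator-of-compromise list. The log lines, hostnames, IP addresses (RFC 5737 documentation ranges) and the IoC list are all constructed; the thresholds are the kind of tuning knobs the post says skilled staff must adjust.

```python
"""Minimal SIEM-style correlation over constructed authentication log lines.

Added example, not from the original post or any vendor: it shows how a
monitoring rule and an IoC match turn raw log lines into the alerts that
start the investigation / forensic phase. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed syslog-style sshd lines (not real data).
SAMPLE_LOGS = """\
2014-10-01T08:00:01 host-a sshd: Failed password for admin from 203.0.113.5
2014-10-01T08:00:03 host-a sshd: Failed password for admin from 203.0.113.5
2014-10-01T08:00:05 host-a sshd: Failed password for admin from 203.0.113.5
2014-10-01T08:00:07 host-a sshd: Failed password for admin from 203.0.113.5
2014-10-01T08:00:09 host-a sshd: Failed password for admin from 203.0.113.5
2014-10-01T08:00:12 host-a sshd: Accepted password for admin from 203.0.113.5
2014-10-01T08:05:00 host-b sshd: Failed password for bob from 198.51.100.7
2014-10-01T09:00:00 host-b sshd: Accepted password for bob from 198.51.100.7
2014-10-01T09:30:00 host-c sshd: Accepted publickey for deploy from 192.0.2.44
"""

# Constructed indicator-of-compromise list (placeholder address, not a real IoC).
KNOWN_BAD_IPS = {"192.0.2.44"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Yield one event dict per well-formed line; lines that do not parse are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def correlate(lines, failures=5, window=timedelta(minutes=2), bad_ips=KNOWN_BAD_IPS):
    """Return alerts as (rule, ip, host, user) tuples.

    Rule 1 (brute_force_success): at least `failures` failed logins from one
    source IP within `window`, followed by an accepted login from that IP.
    Rule 2 (ioc_match): any accepted login from an address on the IoC list.
    `failures` and `window` are the tuning knobs; too low and the rule is
    noisy, too high and a slow, patient attacker never trips it.
    """
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> timestamps of failed logins
    for ev in parse(lines):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ev["ts"])
            continue
        # Accepted login: evaluate both rules against this source address.
        window_start = ev["ts"] - window
        fails_in_window = [t for t in recent_failures[ip] if t >= window_start]
        if len(fails_in_window) >= failures:
            alerts.append(("brute_force_success", ip, ev["host"], ev["user"]))
        if ip in bad_ips:
            alerts.append(("ioc_match", ip, ev["host"], ev["user"]))
        recent_failures[ip].clear()  # a success resets the failure streak
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running the block prints two alerts: one brute-force-then-success hit for host-a and one IoC match for host-c; bob's single failed attempt on host-b correctly raises nothing. In a real deployment each alert is the starting point of the investigation step the post describes, and the thresholds, the parser and the IoC list are exactly what has to be tuned and maintained by skilled staff.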
Finally, Enterprises Should Consider Cyber-Insurance
In Securing Insurance for Cyberbreach Investigations, Risk Management Magazine notes that “This process includes the costs of your internal breach investigation, but an even larger burden can come from external investigations and inquiries by regulatory authorities such as State Attorney Generals, the Security Exchange Commission (SEC) and others.”
“After the breach” is never a pretty picture, but it’s one that any of us could be seeing some day. Don’t ignore these recommendations! An ounce of preparation could be worth a pound of cure.