Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Patch Management

5 steps to respond to a security breach

Is your organisation equipped to deal with potential financial and reputational damage following an attack? 

Has your organisation established an incident management plan that covers data breaches? Recent evidence shows that organisations are ill-equipped to deal with an attack.

Australian bulk deals website, Catch of the Day, suffered a security breach in 2011, with passwords and other user information stolen from the company’s databases. It took until 2014 to notify customers, suggesting there was no response plan in place.

The backlash was very severe for global retail giant, Target, which fell victim to the second largest credit card heist in history. Many customers were outraged about the retailer’s inability to provide information after the breach, and its failure to assure customers that the issue was resolved.

Consequences included settlement payouts of up to $10 million and the resignations of its CIO and CEO.

Organisations should have established and tested incident management plans to respond to data security breaches sooner rather than later. A solid response plan and adherence to these steps can spare much unnecessary business and associated reputational harm.

Here’s a five step plan to ensure you give your organisation the best chance of minimising financial and reputational damage following an attack. 

Step 1: Don’t panic, assemble a taskforce

Clear thinking and swift action is required to mitigate the damage. There is no time for blame-shifting. You need a clear, pre-determined response protocol in place to help people focus in what can be a high pressure situation and your incident management plan should follow this protocol.

Having the right team on the job is critical. Bear these factors in mind when assembling your team: Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. This leader should have a direct reporting line into top level management so decisions can be made quickly.

Include representatives from all relevant areas, including IT, to trace and deal with any technical flaws that led to the breach; and corporate affairs, in case liaison with authorities is required, to manage media and customer communications.

Don’t forget privacy (you do have a chief privacy officer, don’t you?) and legal, to deal with regulators and advise on potential exposure to liability).

If you anticipate that litigation could result from the breach, then it may be appropriate for the detailed internal investigation of the breach to be managed by the legal team. If your organisation doesn’t have these capabilities, seek assistance from third parties at an early stage.

Step 2: Containment

The taskforce should first identify the cause of the breach and ensure that it is contained. Steps may include:

  • Installing patches to resolve viruses and technology flaws. The ‘Heartbleed’ security bug identified in April 2014 at one time compromised 17 per cent of internet servers. Although a security patch was made available almost immediately once it was discovered, some administrators were slow to react, leaving servers exposed for longer than necessary.
  • Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.
  • Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.
  • Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted. Take care to ensure that steps taken to contain the breach don’t inadvertently compromise the integrity of any investigation.

Step 3: Assess the extent and severity of the breach

The results will dictate the subsequent steps of your response. A thorough assessment involves:

  • Identifying who and what has been affected. If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.
  • Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe. If the data has been encrypted or anonymised, there is a lower risk of harm.
  • Considering the context of the breach. If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organisations could be much more significant. This should inform how you respond to the breach.

Step 4: Notification

For serious data security breaches, proactive notification is generally the right strategy. A mandatory notification scheme has been proposed in Australia, with the government promising implementation by the end of 2015.

In any case, there are good reasons to consider voluntary notifications, which include:

  • Victims may be able to protect themselves, for example by changing passwords, cancelling credit cards and monitoring bank statements.

E-Bay was roundly criticised in 2014 for not acting quickly enough to notify users affected by a hacking attack, and only doing so by means of a website notice rather than by sending individual messages. Notices should be practical, suggesting steps that recipients can take to protect themselves.

  • The Privacy Commissioner may also be involved, particularly if personal information has been stolen. The Commissioner may take a more lenient approach to organisations that proactively address problems when they arise.
  • Other third parties may also need to be notified. For example, if financial information is compromised, you might notify relevant financial institutions so that they can watch for suspicious transactions.

Step 5: Action to prevent future breaches

Having addressed the immediate threat, prevention is the final step. While customers may understand an isolated failure, they are typically less forgiving of repeated mistakes. Carry out a thorough post-breach audit to determine whether your security practices can be improved.

This could include:

  • Engaging a data security consultant, which will give you a fresh perspective on your existing practices, and help to reassure customers and others that you do business with.
  • Promptly remedying any identified security flaws – changes should be reflected in data security policies and training documents (and if such documents don’t exist, create them.)
  • Rolling out training to relevant personnel to ensure that everyone is up to speed on the latest practices.
  • Reviewing arrangements with service providers to ensure that they are subject to appropriate data security obligations (and, if not already the case, make data security compliance a key criterion applied in the procurement process).

Written by Cheng Lim is a partner at global law firm King & Wood Mallesons. Cheng leads KWM’s Cyber-Resilience initiative and has assisted clients over many years in dealing with privacy, data security and data breaches. Originally produced for CIO Australia.

BYOD, Cloud and the Internet are the top areas of concern for security threats.

A Dell global security survey reveals “the majority of IT leaders say they do not view these threats as top security concerns and are not prioritizing how to find and address them across the many points of origin”.

Key findings of Dell’s research include:

  • 37% ranked unknown threats as a top security concern in the next five years
  • 64% of respondents agree that organizations will need to restructure/reorganize their IT processes, and be more collaborative with other departments to stay ahead of the next security threat. Of those surveyed in the United States, 85% said this approach is needed, contrasting with Canada at 45% followed by the U.K. at 43%
  • 78% in the Unites States think the federal government plays a positive role in protecting organizations against both internal and external threats, which underscores the need for strong leadership and guidance from public sector organizations in helping secure the private sector
  • 67% of survey respondents say they have increased funds spent on education and training of employees in the past 12 months
  • 50% believe security training for both new and current employees is a priority
  • 54% have increased spending in monitoring services over the past year; this number rises to 72% in the United States

Among the IT decision-makers surveyed, BYOD, cloud and the Internet were the top areas of concern for security threats.

BYOD. A sizable number of respondents highlighted mobility as the root cause of a breach, with increased mobility and user choice flooding networks with access devices that provide many paths for exposing data and applications to risk.

  • 93% of organizations surveyed allow personal devices for work. 31% of end users access the network on personal devices (37% in the United States)
  • 44% of respondents said instituting policies for BYOD security is of high importance in preventing security breaches
  • 57% ranked increased use of mobile devices as a top security concern in the next five years (71% in the U.K.)
  • 24% said misuse of mobile devices/operating system vulnerabilities is the root cause of security breaches

Cloud. Many organizations today use cloud computing, potentially introducing unknown security threats that lead to targeted attacks on organizational data and applications. Survey findings prove these stealthy threats come with high risk.

  • 73% of respondents report their organizations currently use cloud (90% in the United States)
  • 49% ranked increased use of cloud as a top security concern in the next five years, only 22% said moving data to the cloud was a top security concern today
  • In organizations where security is a top priority for next year, 86% are using cloud
  • 21% said cloud apps or service usage are the root cause of their security breaches

Internet. The significance of the unknown threats that result from heavy use of Internet communication and distributed networks is evidenced by

  • 63% of respondents ranked increased reliance upon internet and browser-based applications as a top concern in the next five years.
  • More than one-fifth of respondents consider infection from untrusted remote access (Public Wifi) among the top three security concerns for their organization
  • 47% identified malware, viruses and intrusions often available through web apps, OS patching issues, and other application-related vulnerabilities as the root causes of breaches
  • 70% are currently using email security to prevent outsider attacks from accessing the network via their email channel

76% of IT leaders surveyed (93% in the United States) agree that to combat today’s threats, an organization must protect itself both inside and outside of its perimeters.

The full Dell report can be found here.

Database security and SIEM are the top Risk and Compliance concerns

Image representing McAfee as depicted in Crunc...

The McAfee report Risk and Compliance Outlook: 2012, has been published and has discovered Database Security and Security Information and Event Management (SIEM) were among the top priorities due to an increase in Advanced Persistent Threats (APT).

Database hold the valuable data the criminals are searching for, it therefore follows that Database Security is a growing issue and one flagged as the biggest concern. The report indicates that over one quarter of those surveyed had either had a breach or did not have the visibility to detect a breach. This is a huge concern when considering that most compliance requirements are concerned with knowing if a breach could or has occurred for example Payment Card Industry Compliance (PCI DSS) and the pending European Wide Data Protection Act.

The other major was Security Information Event Management (SIEM) which correlates well with the fears over Database Security with approximately 40% of organizations planning on implementing or update their SIEM solution.

Key findings of the report:

  • Similar to the 2011 survey, there is a positive trend in security budgets for 2012 with 96% of the organizations indicating same or more expenditure on risk and compliance
  • Organization state ‘Compliance’ as the driver for almost 30% of IT projects
  • Software and Appliance are the top choices for Risk and Compliance products. On average, one-third of all organizations prioritized the upgrade/implementation of unique risk and compliance products to address vulnerability assessment, patch management, remediation, governance, risk management, and compliance
  • Survey data showed rapid uptake towards Hosted SaaS and Virtualization. Nearly 40% organizations claim to be moving towards these deployment models in 2012
  • Patch Management frequency is a challenge – almost half of the organizations patch on a monthly basis with one-third doing it on a weekly basis. Just like last year’s analysis, not all companies are able to pinpoint threats or vulnerabilities, as a result, 43% indicate that they over-protect and patch everything they can

“Managing risk through security and compliance continues to be a leading concern for organizations the world over,” said Jill Kyte, vice president of security management at McAfee. “Meeting the requirements of increasingly demanding regulations while reducing exposure to the new classes of sophisticated threats and having an accurate understanding of risk and compliance at any point in time — can be challenging. To address this issue, organizations are looking to ‘best-of-breed’ solutions to manage all aspects of their risk and compliance needs and reduce the amount of time spent managing multiple solutions.”

Some other headline findings of the survey show:

  • Visibility is a pervasive challenge organizations continually face in managing their IT risk posture. The issues revolve around having the visibility to see vulnerabilities within their processes and controlling the ever-changing internal and external threat vectors
  • 80% of the survey respondents recognize the importance of visibility; more than 60% have about the same visibility they had in 2010; 27% improved their visibility since 2010; and 8% now have less visibility compared to 2010
  • The top two controls that respondents have implemented to manage risk and subsequently their compliance postures are the monitoring of databases and of configuration changes for the entire enterprise environment/ infrastructure
  • Approximately 60% of surveyed organizations view SIEM solutions as an important solution to provide real-time visibility into their applications, databases, system performance, and event correlation

A summary of the whole report is below along with a link to the full report.

Risk and Compliance Posture

During 2011, over 60% of the respondents implemented and updated existing tools to improve the visibility and control of their IT processes in an effort to minimize organizational risk. Product groupings include:

  • Risk Management
  • Application, Database and Network Vulnerability Assessment
  • Log Management and Security Information Event Management (SIEM)
  • Database Activity Monitoring
  • Policy Compliance Assessment and Governance Risk and Compliance (GRC)

Respondents indicate that their 2012 implementation and upgrade priorities include

  • Risk Management at 19% and 18% respectively
  • Vulnerability Assessment at 18% and 19%
  • Patch Management at 16% and 21%
  • SIEM at 16% and 21%
  • Further, 48% of the respondents (an increase of 8% over last year) indicate that their organizations have updated/deployed a GRC solution in 2011 in an effort to aggregate and monitor organizational risk and compliance status

Overall it appears that enterprises recognize that they cannot efficiently address risk unless they understand what they are up against and can apply the appropriate controls. Without this knowledge and insight, the effectiveness of any security and compliance efforts cannot be effectively measured against the risks there are:

  • 39% of incidents involved a negligent employee or contractor
  • 37% concerned a malicious or criminal attack
  • 24% involved system glitches including a combination of both IT and business process failures

Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack. Given this, it’s not surprising that most breaches were avoidable (at least in hindsight) without difficult or expensive countermeasures

Patch Management

At the time they wrote the report McAfee believed there are over 49,000 known common vulnerabilities and exposures (CVE’s) as reported by US-Cert National Vulnerability Database (NVD).

During 2011 the NVD reported 3,532 vulnerabilities, which translates to about ten new security vulnerabilities being discovered each day. While the rate of newly discovered vulnerabilities is impressive, the good news is that the trend is on a descending path: 4,258 vulnerabilities were reported in 2010 and the peak was in 2008, when almost 7,000 vulnerabilities were reported.

More than half of the surveyed companies indicated they know precisely which assets need to be patched when new threats materialize to prevent the threats from impacting their businesses. Conversely, 15% of the surveyed indicate they are not confident in their ability to know which assets to patch when new threats materialize.

Comparison of patch cycle (weekly, monthly, and quarterly) to confidence levels shows that that as the patching frequency declines so does an organization’s confidence. Specific analysis shows:

  • Organizations with weekly patching practice – 53% feel confident about patching of assets
  • Organizations with monthly patching practice – 49% feel confident about patching of assets
  • Organizations with quarterly patching practice – 43% feel confident about patching of assets

SIEM

Ever changing threats, data breaches, and IT complexity add additional burdens to the already difficult tasks associated with having the visibility necessary to monitor security events, detect attacks, and assess real and potential damage.

Near real-time visibility is critical to any risk management program in today’s complex and diverse computing environments. Without it, organizations are flying blind.

Similar to last year,

  • approximately half of the respondents spend 6 to 10 hours per month on risk management activities that assess and correlate the impact of threats on their organizations
  •  7% of small organizations (1,000 or less employees) spend 15-20 hours on risk and threat activities
  • 16% of organizations with more than 1,000 employees spent 15-20 hours on risk and threat activities

Policy Compliance and Configuration Challenges in Achieving Compliance

Regardless if an organization views industry standards and compliance mandates as a way to improve their practices or as a necessary evil, implementing standards is just the beginning of the road to compliance.

The real challenge often lies in maintaining compliance over time, especially as compliance standards and mandates evolve and increase in number. Organizations need to recognize:

  • Business and technology boundaries are constantly changing, expanding
  • New technology brings new risks, new processes and thus new compliance issues
  • Businesses require flexibility to maintain competitiveness – rigid controls can hinder flexibility, thus hurt operational effectiveness.

According to the Ponemon Institute

“True Cost of Compliance” study: “…while the average cost of compliance for the organizations in our study is $3.5 million, the cost of non-compliance is much greater. The average cost for organizations that experience non-compliance related problems is nearly $9.4 million.”

Database Security When asked about sensitive database breaches,

  • 12% of the organizations stated that they have experienced a breach
  • 15% “are not sure”

These results indicate weakness in security control effectiveness and a lack of visibility. Conversely, three-fourths of the respondents overall and in particular those from North America, Germany and the UK, indicate that their databases have never been breached.

According to Forrester Research analyst Noel Yuhanna in his most recent database security market overview report:

“The database security market is likely to converge with the overall data security market in the future, as DBMS vendors extend the security features that are bundled with their products”.

Mr Yuhanna’s market insight closely corresponds with our respondents’ use of database security solutions:

  • 49% of the organizations use dedicated database security solutions; McAfee, followed by Oracle, tops the list of database security solution providers
  • 42% of the organizations use DBMS vendor security features to protect their databases
  • As compared to 34% organizations from Brazil, a higher number of organizations from France (66%) and the UK (58%) have dedicated database security solutions. Regional analysis shows 61% of Brazil-based organizations use DBMS vendor security features compared to 36% of the North American organizations. IBM holds a strong market share in North America, France and Germany as compared to its share in APAC and the UK.

The link to the full McAfee report is here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: