How Do

… you know you’ve been breached?

In many reports, companies that were breached learned about it from outside the company. With good luck it is a white-hat security researcher. With bad luck it is law enforcement telling you about the victims they already know of.

Think of what is at risk

A modern business has a lot invested in its data. Day-to-day records include financial records, who owes you, whom you owe, customer lists, their orders, deliveries and supplies in transit, confidential payroll, other protected human-resources information, and more. The strategic, longer-term data includes historical records, projections for the future, development of new products, confidential research on the competition, and more.

Is it worth protecting? Would you just hand it to your competitors? Thought not. The cost of protection varies, but the cost of not protecting that information can be the life of the company. Everyone in the organization has to understand what is at stake. Why? Because anyone can be the weak link: the one person who gave up access credentials because they were social-engineered, or who clicked on an email attachment they were not expecting, unleashed a virus and didn’t tell anyone.

What is protection?

There are many elements that can protect data, and the best start is a comprehensive plan made before implementation. It gets very expensive to find out down the road that your work has created conflicts, or that part A was accidentally folded into part F. Write a security policy and use it as the guideline to follow. Make sure users have all the access they need, and no more. If you are connected to the Internet, the words to think about include quality routers, firewalls, power protection, data encryption (even for internal data) and, for the day everything obeys Murphy’s Law, disaster recovery.

What do crooks do?

Start with some facts and give up wishful thinking: crooks are not stupid. Because they don’t hold committee meetings they are often much more efficient. The legal and social restrictions that bind your actions don’t affect them.

Brute-force attacks still work, but crooks have moved on to subtler, sneakier methods. Why? Brute-force attacks are noticed faster, and the longer an intrusion goes unobserved the longer crooks have to get what they want. Like any burglar, they avoid setting off alarms.

What can you do?

Protection is the start. Do security assessments. Get someone you trust to try to hack your system. Don’t go it alone! It is axiomatic that you can’t check your own work. Large companies can use one department to test another. Challenge assumptions, take nothing for granted, test and document. If you don’t have the talent in-house, get an experienced security firm to help.

Signs of a breach

The last step is to make more people aware of the signs that may show up as the result of a breach. Train people to report what they see to someone who can verify it and protect against further damage.

Signs from the inside

Resources disappear or change
Email isn’t available, servers are absent, printers are gone, data you access regularly isn’t available, you can’t reach the Internet, your website is not responding, system response is very slow, and so on. Make sure it isn’t just you: ask someone else to try. Still wrong? Time to communicate!

Unexplained data changes
Some data for which you are responsible looks different. New vendors have appeared and you don’t remember adding them. Tables appear corrupted. Your website has changes you didn’t authorize. Again, make sure it wasn’t you, get someone else to confirm, and if it is still wrong, time to communicate!

Overt Action
Your laptop won’t work and is demanding a ransom to restore access. Internal monitoring is reporting high levels of network activity when no one is in the office. You get a notice that your account attempted (or failed) a remote login while you were sitting in the office. You notice your email account sent files to people you don’t know, and you don’t remember sending them. Similarly, before you empty it, check the trash for anything along those lines. Crooks might delete the outgoing messages and miss the trash.
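Two of the signs above are mechanically detectable if logs are being kept: an account that logs in from outside the office within minutes of an office login, and heavy network traffic at an hour when nobody should be working. The following script is an added example, not code from the original article; it runs over constructed sample log lines, and the log format, the office subnet prefix (10.0.), the 30-minute window, the business hours and the egress threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): scan constructed auth and
egress log lines for two 'overt action' breach signs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <event> key=value ...
SAMPLE_LOG = """\
2024-03-04T09:02:11 login user=alice src=10.0.1.23
2024-03-04T09:15:40 login user=alice src=203.0.113.7
2024-03-04T10:30:00 login user=bob src=10.0.1.41
2024-03-04T18:10:05 login user=bob src=10.0.1.41
2024-03-04T02:14:00 egress bytes=52000000 src=10.0.1.23
2024-03-04T02:19:00 egress bytes=48000000 src=10.0.1.23
2024-03-04T14:00:00 egress bytes=12000000 src=10.0.1.41
2024-03-05T03:05:00 login user=carol src=198.51.100.9
"""

OFFICE_PREFIX = "10.0."         # assumption: the office subnet
WINDOW = timedelta(minutes=30)   # assumption: "at the same time" window
BUSINESS_HOURS = range(7, 20)    # assumption: 07:00-19:59 local time
EGRESS_THRESHOLD = 40_000_000    # assumption: off-hours bytes per source


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts' and an 'event'."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts_str), "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_office(ip):
    return ip.startswith(OFFICE_PREFIX)


def find_concurrent_logins(events, window=WINDOW):
    """Flag a user with an office login and a non-office login within `window`.

    Returns (user, src_a, src_b, ts_a, ts_b) tuples, earliest login first."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, a in enumerate(logins):
            for b in logins[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so nothing later is inside the window
                if is_office(a["src"]) != is_office(b["src"]):
                    alerts.append((user, a["src"], b["src"], a["ts"], b["ts"]))
    return alerts


def find_off_hours_activity(events, hours=BUSINESS_HOURS,
                            threshold=EGRESS_THRESHOLD):
    """Flag logins outside business hours and sources whose summed
    off-hours egress reaches `threshold` bytes."""
    alerts = []
    egress = defaultdict(int)
    for e in events:
        if e["ts"].hour in hours:
            continue
        if e["event"] == "login":
            alerts.append(("off_hours_login", e["user"], e["src"]))
        elif e["event"] == "egress":
            egress[e["src"]] += int(e["bytes"])
    for src, total in egress.items():
        if total >= threshold:
            alerts.append(("off_hours_egress", src, total))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_concurrent_logins(evs):
        print("concurrent office/remote login:", alert)
    for alert in find_off_hours_activity(evs):
        print("off-hours activity:", alert)
```

On the sample data this reports alice logging in from 203.0.113.7 thirteen minutes after her office login, carol's 03:05 login from outside, and 100 MB of egress from 10.0.1.23 in the small hours. Real logs need the same treatment the article asks of people: confirm with someone else (a VPN, a travelling employee or a scheduled backup can explain each of these) before escalating.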

Signs from the outside

The public calls about spam
The public communicates (loudly) that they are unhappy with the spam apparently coming from you. Don’t think you sent it? Maybe your machines actually did.

Your website is dispensing malware
Did you put up something that had malware in it? It happens. Not you? Then who did? Maybe your website was hacked. Time to communicate!

Law Enforcement, 60 Minutes or Brian Krebs are calling
If you find out you’ve been hacked from law enforcement, you’ve lost a lot, including the time to craft an effective response. One of the worst ways a morning can start is with the message that 60 Minutes is in the lobby. At least there is time before that hits the air. If security journalists like Brian Krebs are on the phone, even that is gone. Their news hits the Internet pretty quickly.

Summary

Realize what is at risk, don’t underestimate the opposition, start with a plan, educate everyone on what is at stake, don’t review your own work, and train everyone to recognize the signs of a possible breach.

Don’t be the company that sends letters with

“… the security of your information is important to us …”

More Resources

These are just a very few of the many resources available.

Corporate Data: A Protected Asset or a Ticking Time Bomb

Ponemon Institute, December 2014, 34-page PDF, no registration required

Useful Resources for CISOs:

Digital Guardian, 1/21/2015, web site, no registration required

Penetration Testing Guidance

Payment Card Industry (PCI) Security Standards Council, 3/26/2015, 43-page PDF, no registration required, guidance for adhering to the PCI Data Security Standard
