
Messaging for a Security Breach


Security breaches have become more common, but many organizations are challenged when it's time to make the announcement. This presentation includes examples and steps that may be taken before the breach to streamline the announcement and notification process.

VerSprite, Inc

May 04, 2018



Transcript

1. Messaging for a Security Breach: How to Avoid Adding Fuel to the Dumpster Fire
   Ray Strubinger, Managing Consultant DFIR
2. Our Goal
   Gain a basic understanding of what's necessary to help prevent a significant security incident from becoming a memorable, epic disaster.
3. Let's set the stage…
   • Imagine a company that has:
     • Collected vast amounts of sensitive personal data on people from many countries
     • Systems connected to the internet running a variety of software
     • Software with a publicly announced flaw
   • Time passes
   • The vulnerable internet-facing systems are found by attackers
   • Attackers (hackers) exploit the system and obtain data
4. Houston, we have a problem
   • Company announces a breach
     • Indicates the breach is limited
     • States they have known about the breach for over a month
     • Company is investigating and has retained external experts
     • Reiterates a commitment to security and its customers
     • Promises to do better
5. Are you feeling lucky?
   • A breach announcement may not attract much attention
   • Why?
     • People have become desensitized
       • Frequent breach announcements
       • Several large breaches
     • Minimal personal impact
       • Little pain from the exposed data – "It was just my email address and password"
       • My data was exposed last month and the month before that
       • May perceive there's personal information left to expose
6. Any media attention is good, right?
   • Let's imagine, in our scenario:
     • The breach announcement draws attention
     • Recall the business had vast amounts of sensitive data
     • The company did not anticipate the amount of interest
   • The nature of the business, its image, the type of data exposed & the impact of the exposure will determine the level of interest in the breach announcement
7. A comedy of errors
   • Let's imagine a call center that struggles under a flood of calls
     • Have a plan to increase capacity quickly
     • Use scripts to stay on message
   • Web sites created to handle inquiries are lampooned
     • Creating special "breach sites" can be problematic
     • Avoid this style of name: companyname2017event.com
     • Better approach: companyname.com/2017event
     • Carve out a portion of your existing website for breach information
   • Strive to minimize confusion for those impacted by a breach
     • Victims should not need to be lawyers to comprehend the message
8. A comedy of errors
   • Let's imagine that a company Tweets a rogue website believing it to be its own
     • Have a communications plan
     • Consider additional controls on the use of social media
     • Validate all external resources before including them in announcements, Tweets, websites or other notices
   • Executive profiles scrubbed from the net
     • While this may be deemed necessary for some incidents, remember the internet rarely forgets
     • Removing profiles from corporate websites may be okay depending on previous practice
     • Removing content or profiles may increase the level of attention
9. The situation turns grim
   • Let's imagine that company executives are summoned to speak before Congress
     • Factors to consider:
       • Actual or potential impact of the incident
       • Perception of the way the incident is being handled
       • Prior history with incidents
   • Messages create a public uproar
     • Complex wording used on websites (legalese)
     • Variations in information from call centers
     • Casual or insensitive messages on social media
       • Avoid Tweeting messages like "Have a nice day" on the heels of a breach announcement
10. The situation turns grim
   • Let's imagine the scope of the incident expands
     • Incidents evolve – watch the language used to avoid doing further harm to the corporate image
     • Resist the urge in the early phases to use language that makes it sound like the incident has been thoroughly investigated
     • Consult experienced incident responders, legal & PR firms to help avoid this pitfall
   • Members of senior leadership "retire"
     • Somewhat common practice
     • Public demands it: psychological need to "blame"
     • Typical way to bring about technical & cultural change
11. Dumpster Fire
   Definition (US, informal): an utterly calamitous or mismanaged situation or occurrence; disaster
   https://www.merriam-webster.com/dictionary/dumpster%20fire
12. This doesn't apply to me
   • My company is:
     • Not interesting to attackers/hackers
     • Too small
     • Not regulated
     • Not collecting sensitive data
     • In denial
     • Experts in crisis management
13. Why incidents matter to organizations
   • Conventional wisdom on breaches
     • Not "if" but "when"
     • Defenses have to be perfect at all times to avoid breaches
     • Few, if any, perfect defenses exist that are highly functional for most businesses
   • Is your company regulated by the SEC?
     • Ask, "Is this incident material?"
     • SEC guidance suggests that material breaches must be disclosed
14. Common Challenges with Incidents
   • Issues with Planning, Messaging, Perception & Execution
   • What is inferred by the company's actions & statements?
     • Consider impact on credibility, confidence & competence
   • Could this be considered a foreseeable event?
     • "Less technical" businesses may be given a pass
     • Extremely unusual incident circumstances may get a pass
     • Common-cause incidents or previously identified (and ignored) issues will be seen less favorably
   • Was there an established response plan?
   • Was there an ability to competently execute the plan?
15. How do you start?
   • Raise awareness & gain understanding
   • Learn from others
     • Regularly discuss publicly announced security events
       • What would your organization do if in that situation?
       • What type of reception did the announcement receive?
       • How did the company manage the event? What could be better?
     • Include technical, operations, legal or executive-level staff
     • Include external parties when relevant
16. What can be done?
   • Understand the business & the risks it faces
     • Types of data collected
       • Is any of the data sensitive?
     • How & where is data stored?
       • Is the data a collection of well-known file types, stored in a database, or captured in a proprietary format?
       • Is the data in the cloud, a company data center or a co-lo facility?
       • Is sensitive data encrypted?
         • Encryption is not a silver bullet – often only useful when a physical device is lost
     • Who has access to the data?
       • Employees, customers, 3rd parties or anyone?
     • How is the data accessed?
       • BYOD, corporate-owned and managed devices, any device located anywhere?
     • Are there technical audits or assessments?
       • What's the audit or assessment frequency? Who did the assessment/audit?
       • What were the findings? How did we respond to the findings?
17. What can be done? (cont.)
   • Incidents are stressful – be ready before the crisis
   • Use this information as the basis for templates
     • Develop customized templates for the various incident types the organization is likely to experience
   • Manage things responsibly & properly – fix things or be prepared to take a hit
   • Is there an existing response plan that needs revision?
     • Some of this work may have already been done
     • What's in the plan?
     • Has the plan been tested recently?
18. Templates
   • Review the information collected from a risk perspective
   • Develop scenarios & determine the likelihood & severity of different ways of losing or exposing data
     • Compromised web site
     • Unprotected cloud storage
     • Lost or stolen laptop or backup
     • Exposure due to phishing – at least 90% of incidents start with a phish
   • Build templates to fit your scenarios
   • Work with counsel to review templates
   • Engage specialists
19. Prepare for "When"
   • Practice using the templates to identify potential issues
     • Avoid learning-curve challenges during the crisis
   • Conduct table-top exercises
     • Simulate incidents
     • Respond to the simulation with the templates
     • Identify opportunities for improvement