After the breach

7 February 2011

As every one of our readers outside of the IT security industry will be aware, there is absolutely no shortage of experts more than willing to tell us all how to secure and protect our systems against intrusion and data theft or compromise, not to mention the other lurgies and forces of darkness out there. But what happens when you have actually had a data breach? Funnily enough, most of the vendors of advice and precautionary systems have little to say. All will remind you that the industry standard small print says that nothing can be guaranteed 100% secure, while some will suggest that if you had been using their systems it might not have occurred. A much smaller number will assist your organisation in forensically examining exactly how the breach occurred and what should be done next.

Data breaches do occur regularly. There is the astonishingly persistent problem of laptops lost, strayed or stolen, which is really only a problem if the data they contain is not encrypted or not backed up. There is the similar and growing phenomenon of other devices that contain data, notably USB memory sticks and smart phones. A frustrating aspect of lost devices is that the data has to be regarded as compromised and the appropriate actions taken, even though you cannot know what exactly happened. Is that smart phone in criminal hands or just down a drain? Was that laptop lifted by an opportunist and sold on to someone with enough savvy to wipe all traces of previous ownership? Or is it in the possession of someone who knows how to exploit the fact that the data might be more valuable than the device?

Backed-up
The classic instance of this dilemma is the disappearance of back-up tapes. Clearly a rich mine of information for any deliberate attack (and fundamentally often easier and safer for a criminal than hacking), a missing tape has to be treated as a serious breach even though it is probably just mislaid. In 2008 one major US financial services company had to disclose that a missing tape (in a supposedly secure off-site security storage facility) compromised 150,000 social security numbers and credit card details of 650,000 retail customers.

But the biggest potential problem still is a data breach at the server and networks level, since almost by definition it opens up the possibility of comprehensive exposure of all corporate data. The most extreme known example in our 21st century cyber world is the 2009 breach at Heartland Payment Systems in the USA which saw 100 million credit cards compromised. That certainly surpassed the TK Maxx total of 47 million card details in 2007. Both were professional hacking jobs.

So, when an organisation learns that a data breach or compromise has occurred, it absolutely has to look at the worst-case scenario as senior management decides what to do next. There are two clear paths of decision making: the IT technical side and the business actions. In some respects the IT response is easier. Systems and communications can be suspended and there are experts and forensic and other software tools available. The business response is potentially more complex. In the first instance, if the data breach involves personal data there are mandatory reporting requirements under the Data Protection Act. If the information is corporate but internal there may be the need for employee disciplinary action or civil or criminal legal action involving a report to the Garda. But there is also the possibility of business data involving customers or partner companies. In modern automated supply chains, there is a real risk that a breach in one organisation may be a back door into others. So the decisions about informing them immediately, with obvious fears of loss of confidence, have to be weighed against the risk of worse consequences than reputational damage if your data breach turns out to have affected others.

Data controllers
Most organisations today are broadly aware of their duties as ‘data controllers’ under the Data Protection Act. But smaller businesses may not fully appreciate their obligations, while larger organisations, especially any with customer or client information routinely on file, are advised to have clear procedures in place in the event of any data compromise in relation to that personal information. The Act and similar legislation internationally applies solely to the personal data of individuals, explains Data Commissioner Billy Hawkes, and makes it a legal requirement to notify both the Office of the Commissioner and the individuals concerned if a data breach or compromise occurs. There are criminal sanctions for failure to comply.

“The key focus of our Act and personal data protection law generally is on the rights of the individual. People are entitled to their privacy and therefore are entitled to know if that privacy has been breached or endangered,” said Hawkes. “In the event of a data breach, however it occurred, the first priority is to think about how the people involved might be affected. Theft of credit card or bank information clearly poses an immediate risk whereas simple name and address data might be regarded as almost public. That sort of consideration will influence how and how quickly people should be notified.” Possibly most often the threat to individuals from a data breach may involve the potential for identity theft or a fraud against them. But in some cases the threat may be of embarrassment or public humiliation, nuisance phone calls or other contacts and even of physical safety were a current address to be disclosed.

“The method of notifying individuals will depend on different factors which should be considered in the light of the best solution in the interests of the individuals whose data has been breached. If the data was originally supplied electronically, that might be the obvious medium for notification, assuming that is going to be secure.” Hawkes points out that there have been instances where notification to an e-mail list of customers has failed to use the ‘blind copy’ option, so compounding the offence by exposing the entire list to all recipients!

GAA-ga
A differentiated approach may be appropriate in some cases, he adds. For example, in the recent GAA memberships data breach, public statements were complemented by communication through the clubs. The general rules and principles are clearly stated in the Code of Practice and Notification Guidance documents on the Data Commissioner’s web site (www.dataprotection.ie). “But we would also like organisations to know that we are more than happy to be consulted for advice. Our general approach is to help organisations to comply rather than punish breaches. Where there are unusual or special aspects to a data breach we are willing to help and advise on the best solution to informing the individuals affected.” While the Data Commissioner certainly has an enforcement role, Hawkes makes it clear that organisations acting in good faith and doing their best have nothing to fear. Any attempt to conceal a data breach that has occurred is, however, a serious offence.

Boarded
A very good Irish example of what can happen and dealing with the aftermath is Boards.ie, the leading online discussion forum across a wide range of topic areas for many years. In January 2010 some technicians noticed an unauthorised access to a subscriber database using a valid administrative user name and password. “We are over 11 years old and as a result there were just over 20 viable access permissions with just 10 in active use,” explained Darragh Doyle, communications manager. “The user name and password used in this attack had been inactive and were being used to access an inappropriate area, downloading the user table.” The key to the relatively successful Boards.ie handling of the attack was that action was taken very promptly: access to the site was disabled within minutes. “That was not an easy decision, given that we have over 1.6 million users accessing [the site] monthly. We also sought expert advice immediately from Brian Honan of BH Consulting. On his advice, we literally did nothing else on the technical side for a little while in order to gather as much data on the attack as possible. We were then able to offer the Garda technical investigators some valuable information and it was established that it was an external attack from outside the country. In fact a number of other compromised web sites were identified as a result, some of which either did not notice or did not report.”

From the time of the attack through identifying and checking the apparently legitimate access to shutting down access to the Boards.ie web site just 14 minutes elapsed. “We were perhaps fortunate to have two capable technical guys on duty at the time,” Doyle said. “Of course a lot of data can be compromised in minutes, but we did essentially the right things as quickly as possible. Luckily, we do not have financial or personal information, just the chosen user names and passwords but matched to e-mail addresses.”

48 hours
Boards.ie decided very quickly to communicate the news of the attack so that its users would be alerted, using public media. It contacted as many of its users as possible using a separate internal messaging service rather than the e-mail server. Its web site was down for a total of almost 48 hours.

Boards.ie is still dealing with some after effects of the attack. Doyle’s overall advice to IT administrators and organisations generally is to be careful not to react too quickly, in order to preserve enough information to be able to identify at least the general nature of the attack, and to get expert help. “We notified the authorities promptly, Garda and the Data Protection Commissioner, and we went public with the fact of the attack. It is hard to judge how much reputational damage we suffered but it is certain that it would have been much worse if we had not done the right things openly.”

The unanimous view of the experts we talked to is that any organisation should have at least guideline procedures in place. An external attack such as on Boards.ie is one real and under-appreciated danger, but there are many other data breach possibilities including unauthorised internal access. Both the IT people and management need to know at least broadly the proper steps to take. The second piece of unanimous advice is to call in expert help, which suggests that every organisation should know who to call. The other key thing is to notify the relevant authorities as soon as possible.

Incident nature
“The action to be taken will of course depend on the nature of the incident,” explained Colm Murphy, technical director of Espion. “If a laptop is lost or stolen the response will be along different lines from the immediacy of an external systems intrusion. The fundamental consideration is the nature of the risk and then the degree. That will dictate the appropriate response. But it all needs to be thought through in advance and policies established. An ad hoc response is in danger of compounding the problem or consequences by doing the wrong things in the wrong way.”

He identified a set of stages in dealing with an apparent data breach, beginning with the identification of the systems directly affected or relevant. “In large and complex systems, especially when the nature of the breach is not yet known, that can be a difficult challenge. The second stage is preservation, ideally taking no actions that will affect the analysis of those systems at a future stage. The final analysis stage includes the decisions on how to restore operational systems or capabilities for users.”

Evidence trade-off
There is always going to be some level of trade-off between forensic preservation and business continuity, Murphy pointed out. “The analysis is essential because you can take systems offline but you also have to be sure you do not revert to an insecure system. A business has to keep trading, so one answer might be to revert to a backup from the last known good state of the systems.” Calling on expert help is very often the key to ensuring the best outcome. There are specialist software tools, for example, that can ensure a mathematically perfect replica of systems at a certain state giving a forensic copy that can be analysed at leisure and will have evidential value in legal terms.
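The preservation stage Murphy describes, as an added example that is not the article's or Espion's code: a byte-exact copy of a file-level artefact, hashed independently on both sides and recorded in a chain-of-custody manifest so that later analysis can be shown to have run on an identical replica. The `preserve` and `verify` functions and the manifest fields are my own choices, and the file copy stands in for a full disk imager.

```python
"""Forensic preservation: byte-exact copy plus SHA-256 chain-of-custody manifest."""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images are never loaded whole


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def preserve(source, evidence_dir, examiner):
    """Copy `source` into `evidence_dir`, hash both, and write a manifest.

    Hashing the source and the copy independently, and refusing to proceed on
    a mismatch, is what lets an examiner later demonstrate that the analysed
    copy is identical to what was seized. Returns the manifest path.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy = evidence_dir / (Path(source).name + ".img")
    shutil.copyfile(source, copy)
    os.chmod(copy, 0o440)  # read-only: the copy is evidence, not a working file
    src_hash, copy_hash = sha256_of(source), sha256_of(copy)
    if src_hash != copy_hash:
        raise RuntimeError("copy does not match source; do not proceed")
    manifest = {  # hypothetical manifest layout, chosen for this example
        "source": str(source),
        "copy": str(copy),
        "sha256": copy_hash,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
    }
    manifest_path = evidence_dir / (copy.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def verify(manifest_path):
    """Return True if the copy still hashes to the value recorded at acquisition."""
    manifest = json.loads(Path(manifest_path).read_text())
    return sha256_of(manifest["copy"]) == manifest["sha256"]
```

Analysis then runs against the `.img` copy while the manifest documents when and by whom it was acquired; any later change to the copy makes `verify` return False.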

The plan or procedure following a data breach alert will have technical and business elements, Murphy stresses. The first step will be to freeze or isolate systems according to the pre-decided technical rules, followed by making the prescribed contacts to the ISP, Garda, IT security experts and the Data Protection Commissioner if personal data is involved. Like our other experts, Murphy accepts that informing business partners will be commercially sensitive. “But if some of their information is in your systems there really is not much choice. If you are part of an automated supply chain it is probably contractually essential.”

Benign internal
There is some reassurance for business from Rowan O’Donoghue, director of innovation and development in Origina. “It is reckoned that 67% of all data breaches are internal and not malicious. So when they are spotted there is a positive result because the organisation can learn from them and tighten up its security.” Similarly, he pointed out, encryption and proper procedure can minimise the danger from laptops and other devices that go walkabout for whatever reason. “All too often the real problem is not the fact of the disappearance of the device but the fact that the organisation does not know accurately what information it contained. Therefore the level of risk is unknown and action has to be taken that is quite likely disproportionate but essential for legal or best practice reasons.”

“The key advice when a data breach has been spotted is to avoid knee-jerk reaction without a risk assessment. A simple example would be e-mail notification of all of the individuals apparently involved. You could literally be giving hackers a second chance to get the entire list, with total accuracy!” O’Donoghue is particularly firm about having written procedures in place. “You need an ongoing policy and set of procedures which are assessed and checked regularly. In dealing with the serious malicious cyber threats it is essential and the direct equivalent of disaster recovery. Like DR, it is of little value unless it is tested.”

He pointed out also that in joined-up modern business and communications an attack on one organisation may affect others, passing through to other systems. “That certainly means that prompt notification of partners will be essential, over and above the legal obligations like Garda or Data Protection Commissioner. In fact we have noticed a new clause appearing in business insurance policies that will invalidate coverage if the appropriate third parties are not notified of data breaches or other compromises of sensitive systems.”

Formal procedures
One of Ireland’s senior experts in cyber threats is Paul C. Dwyer, security principal for governance, risk and compliance (GRC) in eircom and chief advisor to the International Cyber Threat Task Force, a non-aligned professional body based in Ireland. “The one option that is never open is to do nothing,” he said. “Personally identifiable information (PII) has literally become the stock in trade of criminals globally, so any database that might contain such data is a target. It is not just the obvious credit card details or identity theft, which are always targets. Personal health information, for example, has become a valuable commodity because it can be used for highly targeted and complex scams such as phoney medical treatments and cures, a particularly nasty crime that can be lucrative when people and their loved ones are desperate.”

Reinforcing the message that every organisation of whatever size should have a formal procedure in place, Dwyer said the key things are what to do and who to call. “Sometimes it can be the IT people who react too quickly and do the wrong things. Re-booting systems, for example, may destroy or compromise the evidence of what actually transpired.” Responding to a cyber attack, which always involves the risk of a data breach, should be in the charge of an incident handling person or team. Escalating procedures according to a pre-set sequence, logging everything, calling the experts and notifying authorities should all be as planned and tested as any business continuity or other emergency planning measures.

Independent analysis
Dwyer strongly recommends starting with an independent analysis of the organisation’s ability to handle a malicious attack. “That will enable an immediate and exponential response to be put in place that will cut off access very quickly and enable the e-discovery process that will establish the nature and extent of the incident. That in turn will inform the next steps and decisions to be taken, from the relevant notifications to the forensic analysis of what happened and what damage or data breach resulted.”

TechCentral.ie