More than just your garden: Preparing for data breaches
1. More than just your garden variety data breach
Dave Sweigert, CISSP, CISA, PMP
October, 2013
10/24/2013
2. Alerting events:
• Call from the FBI concerning strange connectivity with threat web-sites (e.g. Eastern European)
• Self-identified within your organization (e.g. based on network signatures, log files, etc.)
• Discovering your organization’s data online unexpectedly at a third-party site
• Third-party bounty hunters recruiting “victims” (your organization’s customers)
3. Alerting events:
• Average “slow and low” breaches can transpire over 12-18 months
• Benign reconnaissance turning into covert infiltration
• Bribed and compromised key employees
• FBI discovering data in unrelated cases (e.g. executing search warrants at drug crime sites and finding your data)
4. Pre-incident planning
• Establish legal counsel privilege for discussions surrounding data breach issues
• Pre-arranged relationships with an appropriate triage vendor to handle sophisticated technical issues
• Define the scope of the incident early
• Incident scope extends beyond mere governance and security issues (brand damage, media relations, etc.)
5. Knee-jerk reactions:
• Pull the plug, block the unfriendly IP address, hide (there may be multiple paths of exfiltration; running and hiding gives a false sense of security)
• Executives take charge with no plan (possibly corrupting evidence and alienating law enforcement)
• No containment or eradication plan developed, practiced, etc.
6. Pull-the-plug operations:
• Is the corporate e-mail system compromised; are attackers reading your response action plans?
• Will you have a defensible justification for the business loss?
• Will you make the decision to call the FBI Cyber Squad?
7. Law enforcement priorities:
• Law enforcement (L.E.) may have a desire to allow the breach to continue for investigative reasons
• Concern over brand damage with the stigma of an “FBI investigation”
• Timing issues: evidence preserved, situation stabilization, prepare
8. Avoidance and mitigation:
• Data modeling (where is your data?)
• Information strategy (where is your key data?)
• Data breach response planning
• Pre-established relationships with forensics vendors
9. Avoidance and mitigation:
• Benchmarking your information security team against standards
• Conduct a privileged security assessment beforehand
• Pre-established incident response
• Disclosing risk (public companies)
10. Pre/post incident conduct questions:
• Plan to deal with a data breach incident
• Planning with reasonable security measures in mind (with justification)
• Deceptive claims made to the public as to security measures (vague/ambiguous)
• Breach of implied contract between users
• Misrepresentation of incident response
11. Pitfalls:
• Don’t be too smart (too technical) for your own good (give clear marching orders)
• Basic, simple issues regarding incident management (low-hanging fruit)
• Beware of emotional appeal (health records, children, minors)
• Over-reliance on static security measures
• Not having a varsity forensics team
12. Discovery issues:
• Justifications for not following consensus-driven industry standards
• Demonstration of reasonableness in assessing risk, remediation, etc.
• Manifestations of poor practices: engineering, security, storage, etc.
• Uniform Commercial Code issues
• Working from home, BYOD issues
13. Modeling security risk:
• Assessment or evaluation of the organization’s incident response/management team
• Technical/response maturity of the team
• In-place incident response plans & testing
• Independent verification and validation of security processes, guidelines, etc.
• Risk management team’s visibility of IT risks
14. About the author:
An Air Force veteran, Dave Sweigert acquired significant security engineering experience with military and defense contractors before earning two Master’s degrees (Project Management and Information Security).
He holds the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Project Management Professional (PMP) certifications.
Mr. Sweigert has over twenty years’ experience in information assurance, risk management, governance frameworks and litigation support.