Incident Response: All Getting Scary For Executives in Cyber Security
Introduction
In business, everyone makes mistakes, especially at executive level, but cyber security is now exposing C-level executives more than any financial irregularity or breach of practice ever has. The response to security incidents is perhaps exercising executives more than anything else in the area, and companies must have strategies in place to cope with brand damage and to be honest about the details of a breach. Above all, they must be honest and, where possible, learn from the mistakes that were made.
Military-style approaches to incident response
The increased risks around executives' responses to data breaches are highlighted at JPMorgan Chase & Co, where Greg Rattray, a former US Air Force commander and cyber security expert at the National Security Council, has been reassigned from his chief information security officer role to a non-front-line role as head of global cyber partnerships and government strategy.
Rattray had previously been in charge of the security of the company's computer networks, a role that became embroiled in controversy over a massive data breach and saw many of the security team leave their posts. His post has now been filled by Rohan Amin, previously a cyber security lead at Lockheed Martin Corp.
In August 2014, JPMorgan Chase & Co was breached for the names, addresses and e-mail addresses of 83 million individuals and small businesses (Figure 1).
Rattray's military background came to the fore when he argued that the breach was the work of the Russian government, and that JPMorgan Chase & Co should therefore be able to secure a waiver from the Justice Department in order to delay notifying its customers. Most observers, though, could see that the breach was motivated by cyber-criminals and not by government agents.
Rattray's new position, with a staff one-tenth the size of his previous one, will perhaps aim to improve relationships with federal agencies, where his stance on controlling information about the breach was likened to a military approach: few details were released to investigators, who eventually threatened to seize the evidence.
Several have said that the Russian attribution was also a smoke screen for weak security practices, in that the intruders entered the network through a server with weak access controls: it was protected by nothing more than a username and password, and did not support multi-factor authentication.
Figure 1: Data breaches by size (JPMorgan Chase is one of the most recent)
Let's blame that bad country...
While nation-state hacks and hacktivism do exist, many data breaches are motivated by financial gain, or by insiders. A credit card number with full details, for example, can fetch up to $100, as can be seen from the Home Depot hack, which resulted in a large number of credit and debit cards appearing on the card clearing house site rescator.cc.
From the Target attack, too, batches of cards were labelled “American Sanctions” and “European Sanctions”, and some speculated that the attack was retribution for the penalties imposed by the West on Russia over its actions in Ukraine. Again, though, it is more likely to have been motivated by financial gain, as data is valuable.
Stolen card data on Rescator.cc (Figure 2) can now command prices of up to $100 per card, and the site has become one of the largest clearinghouses for breached cards, with many hundreds of thousands of cards sold in a single batch. It can be seen from the site's own meta tags that it buys and sells card details, including CVV values:
<title>Rescator.CC - Buy Dumps Shop & Credit Cards with cvv2</title><meta name="keywords" content="dumps shop, credit cards cvv, credit cards cvv2, dumps, dumps with pin, cvv2, buy dumps, buy credit cards, buy creditcard, buy cvv,
buy cvvs, d+p, sell dumps, buy dumps, buy cvv, buy cvv2, sell dumps, sell track2, buy track2, buy cards, cheap cvv, buy cvv, sell cvv, fresh cvv, good cvv, buy good cvv, sell good cvv, best cvv, check cvv, cvv2 dump, buy cvv online, sell cc, dump shop" /> <meta name="description" content="Buy Dumps Shop of Superior Quality. Track1 & Track 2. Valid rate of %90. Feedbacks on many forums."> <script type="text/javascript">
Figure 2: Rescator.cc
Increasingly, data on individuals is worth more than their credit card details. Stealing medical records, for example, is an attractive criminal business, as the data could be worth at least ten times the value of credit card data on the black market, and the number of healthcare data breaches is rising at a worrying pace. Since last year, medical identity theft incidents have increased by 21.7%, and forecasts are that healthcare breaches will keep increasing in the near future, given the potential economic gain and the digitisation of records. Forbes, too, has recently reported that in less than a year nearly 96 million records have been stolen: Community Health Systems (4.5 million), Anthem (80 million) and Premera (11 million).
It wasn't our fault ... it was bad people!
One thing companies need to understand is their posture on data breaches. With Sony we saw the North Koreans being blamed, without any real evidence at the time. This is obviously a convenient approach for an organisation, as it deflects flak from the real reason ... sloppy security practices ... and in Sony's case these have been well documented, with hundreds of breaches over the years. Overall there is still a lack of evidence that the attack was motivated by a nation state, as all the pointers from the past have focused on hacking groups having a running battle with Sony's CEO.
In Figure 3, we see just a few of the hacks over 2011 (many using simple SQL injection attacks or exploiting passwords stored in clear text). In the end, Sony had three serious adversaries on its back: Anonymous, LulzSec and Lizard Squad, and its CEO was a continual focus of their attention.
Figure 3: Examples of Sony hacks in 2011 (showing problems in the run-up to the recent hack)
Sony's lack of a proper response to the data leak has not really helped in understanding its actual causes, and the company is still being targeted, with large-scale leaks on WikiLeaks.
Understanding threats and incident response
So in understanding incidents, companies need to develop a taxonomy that clearly articulates the methods being used against them (Figure 4). An important element is to understand the threats and their objectives; without these, companies cannot properly plan and set up their security infrastructure. One method is:
A [Threat] is achieved by [Attack Tools] for [Vulnerabilities] with [Access] with [Results] for [Objectives]
Understanding the last two elements, "Results" and "Objectives", allows the others to fall into place. As we have seen, pinpointing the objectives of an incident is key to properly understanding why someone was motivated to carry it out.
Figure 4: Security incident taxonomy
Executives pin-pointed ...
This week Katherine Archuleta, the director of the US Office of Personnel Management (OPM), resigned after a data breach involving more than 20 million people. At present the breach is being pinned on China-based hackers (though this has not been proven). It was first announced with a scope of 4 million affected people, but that figure has now reached 20 million (including current and former employees).
As yet, two months after the hack was discovered, the individuals involved in the May 2015 breach have not been informed that they are affected, and it is likely to be a few weeks before they are. Most of the people involved in the previous hack in April 2015 (4.2 million people) have been informed, though, and each has been invited into an identity protection programme.
The Target breach has been well documented: more than 40 million customer credit and debit cards used in Target's stores were compromised. In the end the buck stopped with Target’s CEO Gregg Steinhafel, who resigned on the back of the breach, and the CIO was quickly replaced by Bob DeRodes, an executive with a strong background in information security. Shareholders have since put significant pressure on the company, including an attempt to oust many of the existing board members.
The responsibility focused on director level is highlighted too by the hack of 13,000 email addresses at Edinburgh Council. It fell to Alistair Maclean, Director of Corporate Governance, to report to the citizens involved, and he was also the target of the flak over the breach. There was no talk of sloppy practices at the support company that runs the council's web systems, or of any employee not setting things up properly.
And last week, Darren Grayson, chief executive of the East Sussex NHS Trust, announced that the trust had lost an unencrypted memory stick containing the details of over 3,000 patients. There was no mention of the person involved, or of the reasons that led to the breach of policy. With health care data worth at least ten times the value of credit card data on the black market, the chief executives of health trusts have more than their budgets, their staff and their patients to worry about.
Conclusions
Companies need to understand that an incident is going to happen - it is not if, it is when - and need to plan for it. This should include how the company responds to the event, how it investigates it, and then how it reports. The knee-jerk of:
We were hacked by a bad nation state!
happens all too often, but is really often a smoke screen for weak computer security. At-risk companies, especially banks, need to ramp up the logging and auditing of their networks in order to detect malicious activity. These logs then need to be analysed on a continual basis, both to detect when something happens and to detect things from the past. A company cannot learn if it has no history of the past, and in computer security, your history is your logs.
Companies also need to understand that the response often has to be 24x7, as many breaches happen outside normal office hours (for obvious reasons).
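As an added illustration of the two points above (continual log analysis, and activity outside office hours), and not code from the original article, the following Python script runs a small detection pass over a handful of constructed syslog-style authentication lines. It flags a burst of failed password logins followed by a success from the same source, which is what a password attack on a single-factor server such as the one described in the JPMorgan section would look like in the logs, and it flags successful logins outside office hours. The log format, host names, IP addresses and thresholds are all assumptions for the example.

```python
"""Added example (not from the original article): a minimal log-analysis
pass that flags (1) a burst of failed password logins followed by a
success from the same source IP, and (2) successful logins outside office
hours.  The log format and every entry below are constructed for
illustration; real sshd lines carry extra fields (port, protocol)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: five failures then a success from 203.0.113.7 at
# 02:14, a normal daytime login, a late-night login, and a stray failure.
SAMPLE_LOG = """\
2015-07-11T02:14:01 authsrv sshd: Failed password for admin from 203.0.113.7
2015-07-11T02:14:03 authsrv sshd: Failed password for admin from 203.0.113.7
2015-07-11T02:14:05 authsrv sshd: Failed password for admin from 203.0.113.7
2015-07-11T02:14:06 authsrv sshd: Failed password for admin from 203.0.113.7
2015-07-11T02:14:08 authsrv sshd: Failed password for admin from 203.0.113.7
2015-07-11T02:14:09 authsrv sshd: Accepted password for admin from 203.0.113.7
2015-07-11T09:30:12 authsrv sshd: Accepted password for jsmith from 198.51.100.20
2015-07-11T23:45:40 authsrv sshd: Accepted password for backup from 198.51.100.33
2015-07-11T23:45:41 authsrv sshd: Failed password for root from 192.0.2.9
"""

# Assumed line layout: ISO timestamp, host, "sshd:", result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"],
                   m["user"], m["ip"])


def detect(log_text, max_failures=5, window=timedelta(minutes=10),
           office_hours=(8, 18)):
    """Return a list of alert strings, in log order.

    brute_force_success: at least `max_failures` failed logins from one IP
        inside `window`, followed by an accepted login from that IP.
    out_of_hours_login: an accepted login whose hour falls outside
        office_hours (start inclusive, end exclusive, 24h clock).
    """
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures
    for ts, result, user, ip in parse(log_text):
        q = recent_failures[ip]
        # Age out failures that fell outside the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            continue
        # An accepted login: check it against the failure history first.
        if len(q) >= max_failures:
            alerts.append(f"brute_force_success ip={ip} user={user} "
                          f"failures={len(q)} at={ts.isoformat()}")
            q.clear()
        start, end = office_hours
        if not (start <= ts.hour < end):
            alerts.append(f"out_of_hours_login ip={ip} user={user} "
                          f"at={ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data this produces three alerts: the brute-force success and the out-of-hours login for admin from 203.0.113.7, and the out-of-hours login for backup. The same pass can be pointed at a retained archive rather than a live feed, which is the "detect things from the past" use the article calls for.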
For us, in The Cyber Academy, we're hosting a conference on Data Loss Prevention (DLP), and sharing expert knowledge:
https://thecyberacademy.org/events/symposium-on-data-loss-detection-and-prevention/
One question: in Figure 1, what's the meaning of the blue vs tan bubble colors?
Great article! I do hope a few more executives read this!