One of the most difficult decisions a CISO has to make is the one that says the organization suffered a data breach.
A data breach starts a chain of events that could eventually result in loss of company reputation, financial expenditures for credit monitoring of affected individuals, and possible regulatory and legal fines.
Not surprisingly, the CISOs want to ensure they have the latest information before they begin the long journey to the CEO’s office.
Let’s break down the sequence of events that have to happen.
1. It’s not a breach unless it leaves your network :-). While this may sound silly, this simple statement implies a lot of things that should be done ahead of time before it gets to this point. Here are some of the things that you should have in place in order to mitigate your data leaving your network:
- Do you have an efficient software patching system(s) that is implemented on all assets? In particular, why is this important? A successful malware installation depends on a couple of things: 1) a software package with vulnerability present on the target 2) the software isn’t patched. Patching reduces the attack window.
- Does your defense strategy focus on what leaves your net rather than what enters your net? There are 3 phases to a successful compromise:
- Initial compromise: this phase is completed by exploiting a known weakness in a software package that usually hasn’t been patched.
- Maintaining access to the compromised host: attackers need to maintain control of the victim machine by setting up local accounts, rootkits and covert communications channels.
- Causing damage: this is where attackers damage the organization by stealing, altering, or destroying information, impairing the system’s functionality to jeopardize its business effectiveness or mission, or using it as a jumping-off point for compromise of other systems in the environment. (source: James Tarala, Eric Cole)
- A compromised system has to communicate with an external site in order to let the attackers know the malware installation was successful. Building a profile of where your systems that handle PII communicate (this isn’t easy) is an important step in this detection process. A communication to an “unusual” site could be an indicator of a compromise.
- Do you know where your PII is stored? There are freeware (Find_SSN, Spider, SENF) and commercial (IdentityFinder) PII search tools that hunt for PII on your computers. The adage “you can’t protect it if you don’t know where it is” rings true in this case. Are your PII machines spread out all over your net or are they concentrated in protected enclaves?
- Is your PII encrypted? The recent controversy with TrueCrypt caused a lot of turmoil in the security community. There are 2 fairly straightforward encryption solutions that can be adopted across most enterprises. Microsoft Office’s encryption feature actually works in versions 2007 and newer. It requires a password but it solves the email attachment issue and doesn’t require anything extra on the receiver’s side. See http://office.about.com/od/MicrosoftOffice/ht/Encrypt-A-Microsoft-Office-Document-With-A-Password.htm for details. The disadvantage of this solution is that it only works with Microsoft Office documents. PDF Portfolio provides another encryption solution and it’s able to handle just about any file type. It can use passwords or certificates for encrypting/decrypting files.
There are certainly more things that an institution can implement in their security architecture but I believe the ones mentioned above are critical.
Here’s a sample process for determining if a breach has occurred provided the steps above are implemented.
- Monitor your net for suspicious outbound traffic.
- Sensors detect an outbound transmission to a suspicious domain. It determines the infection is an info-stealing class of malware.
- The target machine is located and isolated from the net.
- Was there any PII on the machine? No: wipe and reinstall the machine with updated software. Go to step 1. Yes: Was the PII encrypted at the time of the infection? Yes: wipe and reinstall the machine. Go to step 1 No: Go to step 5.
- Determine the size of the files containing PII. Determine the number of outbound packets from the infected machine. PII file size > # of outbound bytes? Yes: good chance there was no exfiltration. No: Good chance there was an exfiltration so start the data breach notification process.
We’ll talk about these steps in more detail in subsequent posts.