Preface

It’s a nightmare: One day, your IT team discovers that you’ve been hacked. Data has been trickling out of your organization—but for how long? Days? Weeks? Turns out it’s been years. All of your most sensitive data has been stolen—databases of personal information, terabytes of email, financial details—and that’s only the beginning.

What happens next? What do you do? The decisions you make in the first hours after you discover a data breach are never easy, but they may affect your organization for years to come.

Data has become the lifeblood of our modern society, as well as a huge liability. Big companies and small companies, governments and nonprofits collect and generate increasing amounts of sensitive information—often simply as a by-product of everyday operations. For a while it seemed as though there was no down side to mass data collection, aside from the expense of storage and processing. The more data you had, the better. Why bother getting rid of it?

Over time, the true cost of data collection began to emerge. Stolen credit-card numbers embarrassed merchants and frustrated consumers. Hacked hospitals leaked medical records, frightening patients. Massive electronic data leaks exposed secret government programs and upended presidential campaigns. Questions about security practices caused CEOs to resign, destroyed reputations, and sparked years’ worth of litigation.

Entire industries have arisen to manage the fallout from data breaches: identity theft protection companies, digital forensics firms, data breach attorneys, credit monitoring services, and more. New regulations have emerged, like wildflowers after a rainstorm, creating new job responsibilities, reporting requirements, and liabilities. All over the globe, IT staff work through the night applying patches and worrying about vulnerabilities. Data breaches are on the minds and the agendas of boards, CEOs, auditors, legislators, constituents and consumers, in every kind of organization imaginable.

Why do some organizations emerge from a data breach unscathed while others are badly damaged or even go under? How can we all make smart choices to protect our organizations before—and after—a data breach?

The purpose of this book is to shine a light on the unmapped world of data breaches and provide a practical foundation for managing and responding to them. Not only is “data breaches” a new field of study, the term itself did not even exist until 2005. Like scientists watching a volcano rise from the sea, we are challenged both to understand the new environment we are seeing and simultaneously manage the potentially devastating social consequences.

The good news is that there are effective ways of reducing the risk of data breaches. Looking back at landmark cases, we can clearly identify tactics that reduce the damage caused in the wake of a breach. We can also see common mistakes that can cause a data breach to spiral out of control. Our case studies will include published data breaches such as those affecting Equifax, Target, Google, Yahoo, and more, as well as stories and insight from private professionals who have spent years handling data breaches quietly, from the inside. Along the way, we will unveil a new framework for data breach response and use famous data breaches to illustrate critical turning points and lessons learned.

Who Should Read This Book?

This book will be valuable to any of the following individuals who play a part in breach response:

  • Managers, executives, and IT staff concerned about data breaches

  • Employees of organizations that have suffered data breaches

  • Digital forensic investigators and incident response team members involved in data breach preparation and response

  • Information security professionals

  • IT consultants involved in cybersecurity incident prevention and response

  • Students taking data breach management classes

  • Anyone who is worried about getting hacked or has been affected by a data breach

How This Book Is Organized

This book provides a strong, practical foundation for data breach management and response. Here is a summary of each chapter:

  • Chapter 1, “Dark Matters”: The number of data breaches that actually get reported represents just a small fraction of the number of data breaches that actually occur. Even the definition of a data breach is up in the air, defined differently depending on jurisdiction, industry, and other factors. In this chapter, we will establish a common terminology for discussing data breaches and explore the challenges involved in detecting and measuring the problem.

  • Chapter 2, “Hazardous Material”: Data is hazardous material. Storing, processing, or transmitting data creates risk for an organization. In order to effectively manage the risk, security professionals must know the specific factors that contribute to the risk of a data breach. Here, we will introduce the five data breach risk factors and discuss how the rise of the modern data economy has caused the risk of a breach to skyrocket. Finally, we will provide high-level tips for reducing risk through minimizing and controlling data.

  • Chapter 3, “Crisis Management”: Data breaches are crises and should be managed accordingly. The traditional NIST incident response model has limited value when a data breach rears its ugly head. Instead, we introduce a crisis management model and show how it applies to data breaches. We will use the Equifax breach as a case study to illustrate the importance of crisis communications and discuss strategies for minimizing reputational damage in the event of a breach. Finally, we will examine issues surrounding notification, using the Uber breach as an example, and conclude with a handy list of crisis communication tips.

  • Chapter 4, “Managing DRAMA”: The term “data breaches” was born in 2005, when the then-infamous ChoicePoint breach burst into the public spotlight. Using the ChoicePoint breach as a case study, we introduce a data breach response model known as DRAMA. This provides a flexible, easy-to-remember framework for data breach response.

  • Chapter 5, “Stolen Data”: In order to effectively prevent and respond to data breaches, industry professionals need to understand what types of data criminals seek, and why. Fraud and resale (via the dark web) fueled the early epidemic of data breaches and subsequent regulations, which still impact us today. In this chapter, we will explore the inner workings of the dark web, including key technologies such as public key cryptography, onion routing, and cryptocurrency. We will enumerate popular data products that are bought and sold on the dark web, including personally identifiable information, payment card numbers, medical records, passwords, and more.

  • Chapter 6, “Payment Card Breaches”: Payment card breaches can be very complex and result in years of litigation. The impact is often widespread, affecting merchants, consumers, banks, payment processors, card brands, and the wider community. In this chapter, we will explore the liabilities and impacts of payment card breaches and discuss the influence of the Payment Card Industry (PCI) standards, using the TJX breach as a case study. At the close of this chapter, we will provide important tips for navigating the tricky waters of a payment card breach.

  • Chapter 7, “Retailgeddon”: The Target breach was one of the most famous in history, largely because it marked a paradigm shift in breach response best practices. Retailers at that time were under siege, and payment card breaches were common. Criminals had developed sophisticated tools for exploiting networks and targeted retailers so they could steal payment card data from point-of-sale systems. We will investigate the lessons learned from the Target breach, both on a technical level and with respect to crisis communications. Finally, we will explore the impacts, including the subsequent rollout of chip (EMV) cards.

  • Chapter 8, “Supply Chain Risks”: Technology underlies every aspect of our global society, connecting suppliers and their customers in a massive, complex web. Supplier security risks can trickle down to customers, at times resulting in widespread data breaches. In this chapter, we will discuss how risk is transferred as a result of service provider access to customers’ IT resources and data. Then, we will analyze the risks introduced throughout the technology supply chain, including software and hardware vendors, and provide tips for minimizing the risk of a breach.

  • Chapter 9, “Health Data Breaches”: Health information is highly sensitive and prized by criminals, who can use it to commit identity theft, insurance fraud, drug fraud, extortion, and many other crimes. Because of this, healthcare providers and business associates are subject to some of the most stringent data breach regulations, including HIPAA. In this chapter, we will delve into the relevant parts of the U.S. HIPAA regulations, which define prevention and response requirements for certain types of health-related breaches. Then, we will analyze challenges specific to the healthcare environment and discuss the ways data can escape from HIPAA/HITECH regulation or bypass it in the first place. Finally, we’ll enumerate the negative impacts of a breach and show how lessons learned from handling medical errors can help us resolve data breaches, too.

  • Chapter 10, “Exposure and Weaponization”: Data exposure has become a major risk for all kinds of organizations. Stolen data is deliberately exposed for a variety of purposes, including hacktivism, whistleblowing, politics, and more. In this chapter, we will discuss important tactics and technologies that evolved to facilitate exposure. In particular, we will show how WikiLeaks introduced a new model for hosting and distributing large volumes of leaked data, paving the way for “megaleaks.” We also outline key response tactics, including verification, identification, data removal, and public relations.

  • Chapter 11, “Extortion”: Cyber extortion is widespread. Criminals around the world threaten to damage the integrity or availability of information unless they receive a payment or other desirable outcome. In this chapter, we will discuss the four types of cyber extortion (denial, modification, exposure, and faux) and provide tips for response.

  • Chapter 12, “Cyber Insurance”: Cyber insurance has emerged as an important new market—but it is fraught with challenges, both for insurers and consumers. Breach response insurance, in particular, has fundamentally changed industry best practices, giving the insurer an important (and often very beneficial) role. The goal of this chapter is to share a clear description of different types of cyber insurance coverage, provide guidance for selecting cyber insurance, and discuss strategies for maximizing the value of your organization’s policy.

  • Chapter 13, “Cloud Breaches”: The cloud is the emerging battlefront for data breaches. Organizations are migrating sensitive data to the cloud at a rapid pace, while visibility and investigative resources lag behind. In this chapter, we outline common reasons for cloud breaches, including security flaws, permissions errors, lack of control, and authentication issues. We delve into key response issues such as lack of visibility, using business email compromise (BEC) breaches as an example. The good news is that if cloud providers improve visibility and access to digital evidence, cloud-based monitoring and breach response have the potential to become highly scalable and efficient.

Stay Up-to-Date

For regular updates and commentary on the latest data breach developments, visit the author’s website: hackeralien.com.

In the coming pages, we will cover fundamental, root issues in data breach management that will help all of us understand how to better protect ourselves and the communities we serve.

Register your copy of Data Breaches on the InformIT site for convenient access to updates and/or corrections as they become available. To start the registration process, go to informit.com/register and log in or create an account. Enter the product ISBN (9780134506784) and click Submit. Look on the Registered Products tab for an Access Bonus Content link next to this product, and follow that link to access any available bonus materials. If you would like to be notified of exclusive offers on new editions and updates, please check the box to receive email from us.
