Chapter 1. Assessment and Containment

Hit the ground running

When data disaster strikes, speed is of the essence and, in theory, as soon as the breach is discovered the response team should dust off the pre-rehearsed action plan and put it into practice.

Of course, we live in the real world where other priorities mean planning for future possibilities is often back-burnered by day-to-day business. In fact, most companies are so preoccupied that, according to Verizon’s 2008 Data Breach Investigation Report, three-quarters of breaches are not discovered by the victim company but by a third party, such as a supplier or banking card company.

Card issuers may spot a pattern of fraud, and then run software to find a common point of purchase across all compromised cards, and inform you, but by then much damage may have been done. If you don’t know you have a breach it is impossible to manage the incident – so network monitoring is essential to both spot and eliminate the problem.
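The ‘common point of purchase’ step described above, as an added example that is not from the chapter or from any issuer's real system: given constructed transaction records and a set of cards known to be compromised, rank merchants by the share of compromised cards that used them before each card's first fraudulent use, and compare that with the merchant's share of all cards so a merchant everybody visits is not flagged merely for being popular. All card, merchant and date values are constructed.

```python
"""Common point of purchase (CPP) analysis (added example, constructed data)."""
from collections import defaultdict
from datetime import date

# Constructed sample: (card_id, merchant, purchase_date). Cards 1-3 are later
# seen committing fraud; cards 4 and 5 are clean controls.
TRANSACTIONS = [
    ("card-1", "grocer-a",   date(2008, 3, 1)),
    ("card-1", "petrol-b",   date(2008, 3, 3)),
    ("card-1", "cafe-x",     date(2008, 3, 5)),
    ("card-2", "cafe-x",     date(2008, 3, 2)),
    ("card-2", "bookshop-c", date(2008, 3, 6)),
    ("card-3", "cafe-x",     date(2008, 3, 4)),
    ("card-3", "grocer-a",   date(2008, 3, 8)),
    ("card-4", "grocer-a",   date(2008, 3, 7)),
    ("card-5", "bookshop-c", date(2008, 3, 9)),
    ("card-5", "petrol-b",   date(2008, 3, 10)),
]
COMPROMISED = {"card-1", "card-2", "card-3"}
FIRST_FRAUD = {c: date(2008, 3, 15) for c in COMPROMISED}  # first fraudulent use per card

def common_point_of_purchase(transactions, compromised, first_fraud):
    """Return [(merchant, coverage, lift), ...] sorted by coverage, then name.

    coverage: share of compromised cards that used the merchant *before* that
              card's first fraudulent use (later purchases cannot be the source).
    lift:     coverage divided by the merchant's share of all cards, so a merchant
              that every cardholder visits is not flagged just for being popular.
    """
    seen_comp, seen_all, all_cards = defaultdict(set), defaultdict(set), set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        seen_all[merchant].add(card)
        if card in compromised and when < first_fraud.get(card, date.max):
            seen_comp[merchant].add(card)
    ranked = []
    for merchant, cards in seen_comp.items():
        coverage = len(cards) / len(compromised)
        background = len(seen_all[merchant]) / len(all_cards)
        ranked.append((merchant, coverage, coverage / background))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked

def likely_breach_points(ranked, min_coverage=0.8, min_lift=1.2):
    """Merchants worth contacting: used by nearly all compromised cards and over-represented."""
    return [m for m, cov, lift in ranked if cov >= min_coverage and lift >= min_lift]
```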

According to Verizon’s report, evidence of events leading up to 82% of data breaches was available to the organisation prior to actual compromise, which suggests many are failing in their Data Protection Act (DPA) responsibilities as well as the credit card industry’s own PCI DSS[1] security standards.

Data logs should be systematically monitored, and data managers should keep records to prove this work has been undertaken; a precaution which can prove invaluable in allocating liability.

The penny drops

Once a breach has been discovered it is a case of ‘all hands to the pumps’ in an attempt to analyse what went wrong and what data has been leaked.

Some action may be possible immediately – such as taking a leaky machine off the network – but this should be done in consultation with forensics experts to ensure that important details that may be useful in a future criminal investigation are not lost. Disconnecting the power to the offending hardware, for example, is better than turning the machine off, which could wipe important evidence.

The data breach assessment, according to PCI DSS guidelines, should look into various internal and external factors, such as the number of customers affected, whether systems have been damaged or infected with malicious software, whether social security numbers or PIN numbers were included in the lost data, and the projected amount of cost to repair the damage from the organisational perspective and, most importantly, the customer aspect.

Administrators need to consider whether the data was encrypted, and whether the records were even private. Many data records, such as dates of birth and addresses, are available on the electoral register in the UK and so are not considered sensitive.

According to regulators, during the first evaluation and determination period, companies must decide who should take the lead on investigating the breach, and ensure they have the appropriate resources.

Assuming there is no rapid response team already in place, one of the first steps has to be to create a team to deal with the incident, and this should represent all areas of the organisation, as well as external experts.

The team will need experts in IT, but also human resources, marketing people to draft notification letters and press releases, and legal experts to examine what you are obliged to disclose to the public. Security staff will need to check where the leak occurred, and a professional forensics team might be required. Human resources will need to take a larger role if employee information was included in the breach, and risk management experts will be needed to ensure that any response doesn’t expose the company to further costs or security problems.

The decisions made during this period of evaluation will have profound effects on the company and the data breach fallout, and yet time is of the essence. The US state disclosure laws stress the urgency in informing authorities and public, stating that ‘The disclosure shall be made in the most expedient time possible and without unreasonable delay’.

The debate at this stage – over what has been lost and whether disclosure is obligated – must be thorough, but also rapid. Fines can quickly mount up in the event of delay.

Dissecting the data

Once you have spotted (or been informed of) a data leak, it is critical to find out as much about it as possible, as different breaches demand vastly different responses.

For example, a USB drive containing personal details that is lost down the back of an employee’s sofa is unlikely to be used by criminals to perform ID fraud. Conversely, credit card numbers that were deliberately stolen in a targeted hacking attack are ripe for exploitation.

In the UK, the first scenario would probably not need to be reported, while companies could face criticism from the Information Commissioner’s Office (the ICO)[2] if they failed to report the second, especially if the hack came as a result of weaknesses in the company’s systems. In the US, both would need to be reported, unless (depending on the state)[3] the information was encrypted or otherwise exempt.

In many cases, it’s impossible to know the motivation behind a simple theft, and the response team may need to make tough choices based on incomplete knowledge.

‘There’s far more risk if the laptop was stolen than if it was left in a taxi,’ says Neil Monroe, external affairs director at credit reference company Equifax. ‘But you still don’t know whether it’s been stolen for the hardware, in which case the data might be fairly safe, or stolen for the contents, which is more serious.’

Severity assessment

The seriousness of the breach needs to be put into context, and this can only be done by examining the situation as a whole, pondering both what data has been lost, and its potential impact.

According to Dave Martin, security consultant at IT services company Logica, there are six areas to consider when weighing up the importance of a breach, all of which, along with legal considerations, should determine the initial reaction.

  • Damage to brand: Where is this going to be reported? Are we talking about a few benign details, or could this snowball into an Enron-scale disaster?

  • Financial fallout: Is this going to cost money as a result of the incident?

  • Legal and regulatory: A breach of the Data Protection Act could be punishable by imprisonment, as when an airport worker was selling passenger details from check-in to burglars. Failure to disclose is illegal in most US states – it is vital to understand exemptions that could save millions.

  • Privacy: Is the data sensitive enough to cause financial or reputational damage for the person whose details have been lost? If so, the ICO urges that people are informed.

  • Safety: You may be obliged to alert police if personal safety is at risk. For example, compromised ex-directory phone lists have been used by violent criminals to track down victims.

  • Breach of strategy: Is the data important only to your company; could it be sold to, or have been stolen by, a competitor? Publicising this could exacerbate the problem, but partners may need to be informed.

Let the response fit the crime

One of the daunting issues of data breach prevention is the sheer variety of potential problems. From hackers and disgruntled former employees to careless cleaners and inebriated executives, everyone is a potential weakness, and how the data loss occurred will, to a large extent, govern how it should be handled.

The most common cause of data leakage remains lost or stolen laptops or other devices, which, according to ID Analytics research, account for 28% of incidents. The only option here is to try to recover the hardware, via the police and other sources, hope that all data was encrypted and, if using remote ‘kill’ software, ask the IT admin staff to decommission the laptop as soon as possible.

Nervous managers should bear in mind that destroying the data even an hour after it’s been lost doesn’t mean the data remains secure. Modern software allows users to send a text message to kill a lost or stolen PC within minutes of the event.

Insider theft, which accounts for 16% of all breaches, requires a thorough internal audit, examining the systems with a forensic fine-tooth comb to discover the perpetrator, the content of the theft and, ideally, where any information was sent. Hacking attacks represent one in ten breaches and require similar detective work.

One in eight leaks, meanwhile, is blamed on third parties such as contractors and business partners. Complex investigation of contracts and other liabilities by the corporate legal counsel will be essential to determine who bears responsibility for notification, costs and remediation.

Gathering evidence

Hacking or stealthy employee attacks need a completely different approach to that, say, of lost CDs containing sensitive data. There could be criminal proceedings to follow, and it is critical to discover exactly who has been leaking information, as well as exactly what information has left the premises. It could have strategic implications for the company, and the correct procedures must be followed if a prosecution is to be secured.

Such an attack, like those from external hackers, requires deploying forensic security professionals, so in-house staff should be advised not to rush into shutting down systems willy-nilly. If your network is a crime scene, it needs to be treated as such, with proper collection of evidence.

‘Most security advisers would agree that the essential first step is an effective investigation,’ says Rosemary Jay, a data protection expert with law firm Pinsent Masons. ‘It may be necessary to carry this out without providing notice to anyone to ensure that nobody is “tipped off” and able to cover their tracks or hide what has occurred. There are circumstances, for example, if there has been a breach of security which left the system open for a time, where notifying could make it difficult to investigate properly.’

Companies going crashing in, hoping to put out the fire, may do more harm than good, destroying key evidence that can actually help discover how the breach occurred in the first place and bring the miscreant to account.

‘Making sure you have forensic teams available is imperative,’ says Martin. ‘You have to hold your evidence in legally acceptable form, and that means using experts in the field. If you try to investigate yourself, you stand very little chance of winning it in court.’

‘The key is to image the hard drive, as this captures all the information, and you need to maintain continuity of evidence, taking photos of hard drives in situ, with serial numbers.’

Forensics experts are typically certified to use Guidance Software’s Encase®, and Access Data’s Ultimate Forensics Toolkit®. Every time there is a change to the IT environment, the IT team should document it.
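The imaging and continuity-of-evidence practice Martin describes above, as an added example that is not from the chapter or from either named tool: hash the acquired image in chunks, keep an append-only custody log tied to the drive serial and the in-situ photograph, and re-verify the hash each time the exhibit changes hands so any unrecorded change is detected. The exhibit id, serial number, photo reference and image bytes are constructed placeholders.

```python
"""Disk-image integrity check and continuity-of-evidence log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash an image in 1 MiB chunks so multi-gigabyte files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

class CustodyLog:
    """Append-only record of who handled an exhibit, when, and its hash at that moment.
    The first entry is the acquisition hash; every later verification compares to it."""
    def __init__(self, exhibit_id, drive_serial, photo_ref):
        self.header = {"exhibit": exhibit_id, "drive_serial": drive_serial, "photo": photo_ref}
        self.entries = []

    def record(self, handler, action, image_path):
        entry = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                 "handler": handler, "action": action, "sha256": sha256_file(image_path)}
        self.entries.append(entry)
        return entry

    def intact(self, image_path):
        """True only if the image still hashes to the value recorded at acquisition."""
        if not self.entries:
            raise ValueError("no acquisition entry recorded")
        return sha256_file(image_path) == self.entries[0]["sha256"]

    def to_json(self):
        return json.dumps({"header": self.header, "entries": self.entries}, indent=2)

def demo():
    """Constructed walk-through: acquire, hand over, then detect an unrecorded change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "exhibit-01.dd")
        with open(image, "wb") as f:  # constructed stand-in for a real disk image
            f.write(b"\x00" * 4096 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\xff" * 4096)
        log = CustodyLog("EX-01", "SN-PLACEHOLDER-1234", "photo-0042.jpg")
        log.record("examiner-a", "acquired image", image)
        log.record("examiner-b", "received sealed exhibit", image)
        before = log.intact(image)
        with open(image, "r+b") as f:  # one byte changed after the last hand-over
            f.seek(4096)
            f.write(b"X")
        after = log.intact(image)
        return before, after, len(log.entries)
```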



[3] For more information on the various state breach laws: http://www.itgovernance.co.uk/products/1615
