STE WILLIAMS

NUC NUC! Who’s there? Intel, warning you to kill a buggy keyboard app

Intel has made much of its NUC and Compute Stick mini-PCs as a way to put computers in out-of-the-way places like digital signage.

Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel Remote Keyboard” to let you mimic a keyboard and mouse from afar.

But now Chipzilla’s canned the app.

The reason is three nasty bugs that let attackers “inject keystrokes as a local user”, “inject keystrokes into another remote keyboard session” and “execute arbitrary code as a privileged user.” The bugs are CVE-2018-3641, CVE-2018-3645 and CVE-2018-3638 respectively.

Rather than patch the app, Intel’s killed it and “recommends that users of the Intel® Remote Keyboard uninstall it at their earliest convenience.”

The app’s already gone from the Play and App Stores (but Google’s cached pages about it for Android and iOS, in case you fancy a look).

The Android version of the app’s been downloaded at least 500,000 times, so this is going to inconvenience plenty of people … at least until they get RDP working on Windows boxes and VNC running under Linux. The greater impact may be on Intel’s reputation for security, which has already taken a beating thanks to the Meltdown/Spectre mess. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/06/rip_intel_remote_keyboard/

Mirai Variant Botnet Takes Aim at Financials

In January, a botnet based on Mirai was used to attack at least three European financial institutions.

Criminals, like carpenters, hate to see a good tool go unused. It’s no surprise, then, that the Mirai botnet has been in action once again, this time in concert with other botnets and with targets in the financial sector.

Insikt Group, the threat research group within Recorded Future, found that a Mirai botnet variant was used to attack a company, or companies, in the financial sector in January. And it might not have been alone; they found that it was possibly linked to the IoTroop or Reaper botnet.

Three financial companies were hit by DDoS attacks on Jan. 28: two at the same time, and the third a few hours later. On Jan. 29, ABN Amro, a Dutch bank, reported that they had been hit by a DDoS attack the previous day and that other Dutch banks had also been hit. Insikt Group says that the DNS amplification attack used against one of the first targets hit 30 Gbps – highly disruptive, but not the largest attack seen.

A Diverse Crew

According to the researchers, the botnet involved in the first company attack was 80% compromised MikroTik routers and 20% various IoT devices. Those devices range from Apache and IIS web servers to webcams, DVRs, TVs, and routers. Manufacturers of the recruited devices include companies from the very small up to Cisco and Linksys.

Irfan Saif is cyber risk services principal for Deloitte Risk and Financial Advisory. In an interview with Dark Reading he points out that the IoT devices brought into the botnets have processing, communication, and networking capabilities, so it’s not surprising that they’re being recruited for nefarious purposes. “It will be a continuing problem and the intricacies and complexities will continue to evolve,” he says.

“There’s an ever-increasing set [of IoT applications] in industries and for facilities management that will broaden the set of devices that can be taken,” Saif says, adding, “The complexity of devices that can be taken will continue to increase.”

The analysts at Insikt Group say that, while many of the devices used in the attacks were previously available for use in other botnets, many others were not known to be subject to existing botnet malware.

A Growing Concern

In Saif’s view, as companies increase the size of the IoT network within their network perimeter, the attack surface will increase more rapidly than just the number of devices. “A company may have different ages and generations of devices,” he explains. “This increases the complexity of management and broadens the threat surface that can be attacked.”

A survey just published by Deloitte says that 40% of professionals admit that managing increasing amounts of data and IoT security pose the greatest cybersecurity challenges to their organization in the coming year. Saif says that there are several reasons for their concern. “They don’t necessarily know the technology – it doesn’t have the track record, and the tools to mitigate the risk aren’t available as broadly as for the rest of IT,” he says. In addition, “The skill sets aren’t available as broadly, either. It doesn’t surprise me that it’s one of the two big challenges from the survey.”

The Insikt Group has a set of suggestions for companies wanting to prevent their IoT devices from becoming part of a future botnet. Their hands-on suggestions include:

  • Always replace default manufacturer passwords immediately upon use.
  • Keep the firmware for devices current and up-to-date.
  • For IP camera and similar systems that require remote access, invest in a VPN.
  • Disable unnecessary services (e.g. Telnet) and close ports that are not required for the IoT device.
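Insikt Group’s four suggestions are easy to state and easy to let slide in a large fleet. The script below, an added example rather than anything from Insikt Group or Recorded Future, audits a device inventory against exactly those points: it checks each device’s credentials against a subset of the username/password pairs hard-coded in the leaked Mirai source, flags firmware that lags the vendor’s current release, flags Telnet and the other services these botnets probe for, flags open ports the device does not need, and flags management interfaces reachable directly from the internet rather than over a VPN. The inventory, the port list and the device names are constructed for illustration.

```python
"""Audit an IoT device inventory for the weaknesses a Mirai-style botnet exploits.

Added example; the inventory below is constructed, not from the article.
"""
from dataclasses import dataclass

# Subset of the username/password pairs hard-coded in the leaked Mirai source.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"),
    ("root", "root"), ("admin", "1234"), ("admin", "password"), ("root", ""),
}

# Services Mirai and the IoTroop/Reaper-style variants probe for.
RISKY_PORTS = {23: "telnet", 2323: "telnet (alternate)", 7547: "TR-069", 5555: "adb"}


@dataclass
class Device:
    name: str
    username: str
    password: str
    firmware: str
    latest_firmware: str
    open_ports: frozenset = frozenset()
    required_ports: frozenset = frozenset()
    remote_access: str = "none"  # "none", "vpn" or "direct"


def audit_device(dev):
    """Return a list of findings for one device; an empty list means it passes."""
    findings = []
    if (dev.username, dev.password) in MIRAI_DEFAULT_CREDS:
        findings.append("default credentials (present in the Mirai dictionary)")
    if dev.firmware != dev.latest_firmware:
        findings.append(f"firmware {dev.firmware} is behind {dev.latest_firmware}")
    for port in sorted(dev.open_ports & set(RISKY_PORTS)):
        findings.append(f"{RISKY_PORTS[port]} listening on port {port}")
    for port in sorted(dev.open_ports - dev.required_ports - set(RISKY_PORTS)):
        findings.append(f"port {port} open but not required")
    if dev.remote_access == "direct":
        findings.append("management interface exposed directly to the internet; put it behind a VPN")
    return findings


def audit_inventory(devices):
    """Map device name -> findings; devices with no findings are omitted."""
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev.name] = findings
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("lobby-cam-01", "root", "xc3511", "2.1", "2.4",
           open_ports=frozenset({23, 80, 554}), required_ports=frozenset({554}),
           remote_access="direct"),
    Device("edge-router", "admin", "Tr0ub4dor&3!", "6.41.3", "6.41.3",
           open_ports=frozenset({22, 443}), required_ports=frozenset({22, 443}),
           remote_access="vpn"),
    Device("dvr-backoffice", "admin", "admin", "1.0", "1.0",
           open_ports=frozenset({2323, 8080}), required_ports=frozenset({8080})),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The credential check is deliberately a dictionary lookup rather than a “was the password changed from factory default” flag: a password that was changed to admin/admin is still in every botnet’s wordlist.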

Deloitte, in the release announcing their survey results, shared strategic pointers for organizations concerned about botnets in their IoT networks.

  • Rethink the approach. Consider the end-to-end process and evaluate cyber risk at the earliest stages of innovation to drive business transformation.
  • Utilize automation, robotics and analytics to manage velocity and scale in domains such as IoT and mobile.
  • Use digital identity to manage human and machine credentials. Focus on user experience and usability to drive adoption and simplify design, mitigating cyber risk at the outset.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/mirai-variant-botnet-takes-aim-at-financials/d/d-id/1331472?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Sears Holdings, Delta and others leak credit cards in “multibreach”

Another day, another data breach.

More precisely: another day, another multibreach, caused by a common point of failure.

That’s a bit like what happened recently when hundreds of government websites ended up cryptojacked because a shared service provider – in that case, a web-based text-to-speech system – got hacked, and “passed on” the hack to all its customers.

This time, at least Sears Holdings, owners of brands such as Sears and Kmart, and Delta Airlines were affected by a breach at a chatbot company that both companies use.

The company that spilled the data is the curiously-named [24]7.ai, a company whose website leads with the question, “Ready to Join the Chatbot Revolution?” and follows up with a free white paper entitled, “Why Delighting Customers is a Waste of Time and Money.”

Unfortunately for both Sears Holdings and Delta, at the same time that [24]7.ai was saving them money by not delighting customers, the company was also costing them reputation points (and perhaps getting them into regulatory trouble) by leaking personal customer information.

According to Sears Holdings:

[24]7.ai, a company that provides online support services to Sears and Kmart, notified us, as well as a number of other companies, that they experienced a security incident last fall. We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information. As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.

According to Delta:

Last week, on March 28, Delta was notified by [24]7.ai, a company that provides online chat services for Delta and many other companies, that [24]7.ai had been involved in a cyber incident. It is our understanding that the incident occurred at [24]7.ai from Sept. 26 to Oct. 12, 2017, and that during this time certain customer payment information for [24]7.ai clients, including Delta, may have been accessed – but no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.

We have to imagine that the customers of [24]7.ai are surprised – if not incensed – that the company took so long to pass on news of the breach, given that the ultimate accountability for safeguarding the information lies with those customers, not with [24]7.ai itself.

Of course, we also have to assume that [24]7.ai may not even have realised they’d been hacked until well after the event.

It’s surprisingly common for credit card breaches to be picked up by the card issuers themselves, after the data has been sold on the underground and actively abused, because of what are called CPPs, or common points of purchase, amongst defrauded card holders.
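The CPP analysis the card issuers run is simple set arithmetic, and it is worth seeing why the obvious version gets it wrong. The code below is an added example with constructed transaction data, not anything from Sears, Delta or [24]7.ai. For each merchant it measures what share of the defrauded cards were used there, but ranks by lift, the fraud rate among that merchant’s customers relative to the fraud rate across all cards. A merchant every cardholder uses will score a share of 100 per cent and look guilty until lift shows its fraud rate is no higher than the background; the breached merchant is the one where fraud is concentrated. The second function pulls the earliest and latest dates the defrauded cards were used there, which is the first estimate of an exposure window like the Sept. 26 to Oct. 12 one in the Delta statement above.

```python
"""Common-point-of-purchase (CPP) analysis over card transactions.

Added example; the transactions below are constructed, not real data.
"""
from collections import defaultdict


def find_common_points_of_purchase(transactions, fraud_cards, min_share=0.5):
    """Rank merchants by how strongly defrauded cards cluster at them.

    transactions: iterable of (card_id, merchant, iso_date)
    fraud_cards:  set of card_ids that reported fraud
    Returns [(merchant, defrauded_cards_seen, share_of_fraud_cards, lift)],
    highest lift first. 'lift' compares the fraud rate among a merchant's
    cards with the fraud rate across all cards, so a merchant everyone uses
    (share 1.0, lift about 1.0) is not mistaken for the breached one.
    """
    cards_by_merchant = defaultdict(set)
    all_cards = set()
    for card, merchant, _date in transactions:
        cards_by_merchant[merchant].add(card)
        all_cards.add(card)
    base_rate = len(fraud_cards & all_cards) / len(all_cards)
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & fraud_cards
        share = len(hit) / len(fraud_cards)
        if share < min_share:
            continue
        lift = (len(hit) / len(cards)) / base_rate
        ranked.append((merchant, len(hit), round(share, 2), round(lift, 2)))
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked


def exposure_window(transactions, fraud_cards, merchant):
    """Earliest and latest dates on which defrauded cards were used at the merchant."""
    dates = sorted(d for c, m, d in transactions if m == merchant and c in fraud_cards)
    return (dates[0], dates[-1]) if dates else None


# Constructed sample: ten cards, four of which reported fraud.
SAMPLE_TRANSACTIONS = [
    *[(f"card{i}", "coffee-shop", "2017-10-01") for i in range(1, 11)],
    ("card1", "chatbot-checkout", "2017-09-27"),
    ("card2", "chatbot-checkout", "2017-09-30"),
    ("card3", "chatbot-checkout", "2017-10-05"),
    ("card4", "chatbot-checkout", "2017-10-11"),
    ("card5", "chatbot-checkout", "2017-10-20"),
    ("card1", "gas-station", "2017-10-02"),
    ("card6", "gas-station", "2017-10-02"),
    ("card7", "gas-station", "2017-10-03"),
]
SAMPLE_FRAUD_CARDS = {"card1", "card2", "card3", "card4"}

if __name__ == "__main__":
    for row in find_common_points_of_purchase(SAMPLE_TRANSACTIONS, SAMPLE_FRAUD_CARDS):
        print(row)
    print(exposure_window(SAMPLE_TRANSACTIONS, SAMPLE_FRAUD_CARDS, "chatbot-checkout"))
```

On the sample data both the coffee shop and the chatbot checkout were used by all four defrauded cards, but the coffee shop was used by every card in the population (lift 1.0) while four of the chatbot checkout’s five customers were defrauded (lift 2.0), which is what an issuer’s analyst would escalate.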

(With apologies to Oscar Wilde, to lose one credit card number may be regarded as a misfortune; to lose two looks like carelessness; to lose hundreds of thousands is a large-scale compromise.)

The reaction

Well done to Sears Holdings and Delta for providing prompt public commentary on their websites, and for setting up dedicated web pages where customers can track the breach investigation as it goes on.

Even better is that both companies avoided “doing an Equifax” – after its 2017 megabreach, Equifax infamously set up a brand new domain name as a landing page for updated information.

Being brand new, this one-off domain, equifaxsecurity2017 DOT com, had no reputation with any search engines, looked like a scam itself, and as good as begged typosquatters to register similar names to trap unwary visitors.

Equifax went on to compound that blunder when its PR company tweeted out an incorrect version of the new “security incident domain”, making a bad thing even worse.

The PR company wrote securityequifax2017 instead of equifaxsecurity2017 – fortunately a security researcher registered the misnamed domain before the crooks could do so.

This is a blunder that simply wouldn’t have happened if Equifax had stuck to a URL that was part of its regular website.

Sears Holdings has gone for searsholdings.com/update and Delta has chosen delta.com/response, thus taking advantage of their already-known domain names and the HTTPS certificates associated with those domains.

Just two notes, though, as we write this [2018-04-05T15:00Z]:

  • Sears Holdings officially linked to the http:// version of its page. Because the page is also available by using https://, why mention the unencrypted HTTP version at all?
  • Delta’s page didn’t exist yet and gave an error. The error page confusingly said, “THAT PAGE ISN’T ON OUR RADAR”. Why not create the page with a “coming soon” message instead, rather than reporting an error and inadvertently encouraging customers to go looking elsewhere?
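Two things above are worth making concrete: how many plausible look-alikes a brand-new domain such as equifaxsecurity2017 DOT com hands to typosquatters, and how to check that a notification URL stays under a domain you already own, as searsholdings.com/update and delta.com/response do. The script below is an added example, not Equifax’s, Sears’s or Delta’s code. The permutation rules (reordering the words, hyphenating between them, dropping or swapping single characters, changing the TLD) are an illustration of common squatting patterns rather than an exhaustive generator, and the URLs in the usage block are taken from the article.

```python
"""Enumerate look-alike names a one-off breach-notification domain invites,
and check whether a notification URL sits under a domain the company already owns.

Added example. 'equifaxsecurity2017', 'searsholdings.com/update' and
'delta.com/response' come from the article; the permutation rules are an
illustration of common typosquatting patterns, not an exhaustive list.
"""
import itertools
from urllib.parse import urlsplit


def candidate_squats(tokens, tld="com", other_tlds=("co", "net", "org")):
    """Return sorted look-alike domains for a name built from the given tokens."""
    base = "".join(tokens)
    found = set()
    # Token reordering: the mistake Equifax's PR company actually made.
    for perm in itertools.permutations(tokens):
        name = "".join(perm)
        if name != base:
            found.add(f"{name}.{tld}")
    # Hyphenated token boundaries.
    found.add(f"{'-'.join(tokens)}.{tld}")
    # Single-character omissions and adjacent transpositions.
    for i in range(len(base)):
        found.add(f"{base[:i] + base[i + 1:]}.{tld}")
        if i + 1 < len(base):
            swapped = base[:i] + base[i + 1] + base[i] + base[i + 2:]
            if swapped != base:
                found.add(f"{swapped}.{tld}")
    # Same name under a different TLD.
    for other in other_tlds:
        found.add(f"{base}.{other}")
    return sorted(found)


def hosted_on_owned_domain(url, owned_domains):
    """True if the URL's host is one of owned_domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned_domains)


if __name__ == "__main__":
    squats = candidate_squats(["equifax", "security", "2017"])
    print(len(squats), "look-alikes; PR tweet variant present:",
          "securityequifax2017.com" in squats)
    checks = [
        ("https://searsholdings.com/update", {"searsholdings.com"}),
        ("https://delta.com/response", {"delta.com"}),
        ("https://equifaxsecurity2017.com/", {"equifax.com"}),
    ]
    for url, owned in checks:
        verdict = "own domain" if hosted_on_owned_domain(url, owned) else "new domain"
        print(url, "->", verdict)
```

The second function uses the parsed hostname rather than a substring match, so equifax.com.evil.example is correctly rejected; a naive `"equifax.com" in url` check would accept it.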

What to do?

We don’t yet know what really happened, except that an online support company ended up creating a whole host of unwanted support issues for its customers.

In the meantime: watch those credit card statements; consider requesting a new card if you think you might be affected; and remember…

…you can outsource your work, but not your accountability.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tRC9oKWnpog/

WhatsApp phishing – how it works, and what to do [VIDEO]

When you think of phishing, you probably think of email – for better or worse, email was invented so that anyone could easily send a message to everyone, assuming they had a long enough list of email addresses.

But cybercrooks have figured out how to use closed messaging ecosystems for phishing, too, including WhatsApp.

We’ve dubbed this sort of attack Whishing – short for “WhatsApp phishing” – and we went on Facebook Live with Sophos expert Matt Boddy to explain how it works, and how to avoid it:


LEARN MORE ABOUT WHISHING

For details and hi-res images of the scam described in the video, see:
Free Virgin Atlantic tickets? No, it’s a WhatsApp scam.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/__b0Z1GVICA/

Gosh, these ‘hacker’ nerds are only getting more sophisticated

Hackers have moved away from simple point-of-sale (POS) terminal attacks to more refined assaults on corporations’ head offices.

An annual report from security firm Trustwave out today highlighted increased sophistication of web app hacking and social engineering tactics on the part of miscreants.

Half of the incidents investigated involved corporate and internal networks (up from 43 per cent in 2016), followed by e-commerce environments at 30 per cent. Incidents affecting POS systems fell by more than a third to 20 per cent of the total. Trustwave reads this as a sign of growing attacker sophistication: effort is shifting towards larger service providers and franchise head offices and away from the smaller, high-volume targets favoured in previous years.

In corporate network environments, phishing and social engineering at 55 per cent was the leading method of compromise followed by malicious insiders at 13 per cent and remote access at 9 per cent. “CEO fraud”, a social engineering scam encouraging executives to authorise fraudulent money transactions, continues to increase, Trustwave added.

Targeted web attacks are becoming prevalent and much more sophisticated. Many breach incidents show signs of careful planning by cybercriminals probing for weak packages and tools to exploit. Cross-site scripting (XSS) was involved in 40 per cent of attack attempts, followed by SQL Injection (SQLi) at 24 per cent, Path Traversal at 7 per cent, Local File Inclusion (LFI) at 4 per cent, and Distributed Denial of Service (DDoS) at 3 per cent.

Last year also witnessed a marked increase, up 9.5 per cent, in compromises at businesses that deliver IT services including web-hosting providers, POS integrators and help-desk providers. A breach of just one provider opens the gates to a multitude of new targets. In 2016 service provider compromises did not even register in the statistics.

Although down from the previous year, payment card data at 40 per cent still reigns supreme among the data types targeted in a breach. Surprisingly, incidents targeting hard cash were on the rise at 11 per cent, mostly due to fraudulent ATM transactions enabled by the compromise of account management systems at financial institutions.

North America still led in data breaches investigated by Trustwave at 43 per cent, followed by the Asia Pacific region at 30 per cent, Europe, Middle East and Africa (EMEA) at 23 per cent and Latin America at 4 per cent. The retail sector suffered the most breach incidents at 16.7 per cent, followed by the finance and insurance industry at 13.1 per cent and hospitality at 11.9 per cent.

Trustwave gathered and analysed real-world data from hundreds of breach investigations the company conducted in 2017 across 21 countries. This data was added to billions of security and compliance events logged each day across the global network of Trustwave operations centres, along with data from tens of millions of network vulnerability scans, thousands of web application security scans, tens of millions of web transactions, penetration tests and more.

All the web applications tested displayed at least one vulnerability with 11 as the median number detected per application. The majority (85.9 per cent) of web application vulnerabilities involved session management allowing an attacker to eavesdrop on a user session to seize sensitive information.

The number of vulnerabilities patched in five of the most common database products was 119, down from 170 in 2016. Of the computers Trustwave found with SMBv1 enabled, 53 per cent were vulnerable to the MS17-010 “EternalBlue” exploit used to spread the WannaCry and NotPetya ransomware.

The 2018 Trustwave Global Security Report is available here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/05/trustwave_security_sitrep/

Don’t want to alarm you, but defence bods think North Korea could nuke UK ‘within a few years’

North Korea maintains a hacking base in China, the UK Parliament’s Defence Select Committee has been told, while government snooping body GCHQ struggles to retain “cyber-staff”. Then there’s the slightly greater concern that the communist nation could nuke Britain “within a few years”.

The House of Commons’ Defence Committee published its latest report, Rash or rational? North Korea and the threat it poses today. As well as setting out the Norks’ nuclear, cyber and chemical weapons capability, the committee called for greater funding for British cyber-defences – while staunchly insisting that cutting funds from conventional armed forces is not the way to do this.

A number of intriguing nuggets were included in the report (PDF, 38 pages), though they should be read with care. The committee has also previously faced criticism that its members, elected MPs, may lack the technical insight needed to hold their brief up to rigorous scrutiny.

NCC Group, a British cybersecurity consultancy, sent Nigel Inkster – its director of transnational threats – to give evidence to the committee.

“Inkster told us that one of the North Korean cyber units has an operational base in a hotel in China, and that its activities must be known to the Chinese, given the bandwidth required and the close monitoring of web usage by the Chinese government,” stated the report.

China’s role in either facilitating or turning a blind eye to North Korean activities, given the two nations’ land border and historical ties, has long been a bone of contention for academics and analysts. Inkster appears to have convinced the MPs that China permits these activities.

The Government’s formal list of occasions when North Koreans hacked the UK

North Korea was also blamed for the WannaCry ransomware attack that knocked out systems across a large part of the National Health Service last year, as the official postmortem explained in detail. Unpatched, obsolete systems and poor infosec practices allowed the ransomware to run riot, crippling vital NHS infrastructure across the nation. Though the attack was attributed to the Norks by British authorities, no evidence was ever put into the public domain to support this – a policy that has backfired on Britain and given unscrupulous sources plenty of ammunition in the aftermath of the chemical weapon attack carried out by Russia in Salisbury.

Countering the Norks’ nefarious hacking activities is something that the UK is putting money into, according to the report. Though the government has “opened a new Defence Cyber School to help develop specialist cyber-staff [sic] within both defence and the wider government,” the committee noted that GCHQ and its public-facing offshoot, the National Cyber Security Centre, is struggling to retain suitably skilled staff.

The committee also concluded, in spite of the Ministry of Defence formally telling it otherwise, that North Korea could nuke Britain “within a few years” once it manages to shrink its warheads enough to fit them on its homegrown intercontinental ballistic missiles. For now, it warned, the Norks probably haven’t reached that stage.

In its written evidence, the Ministry of Defence stated that: “We do not judge that North Korea’s nuclear programme and other military capabilities are directed at the UK. North Korea has stated on several occasions that it does not consider the UK to be its enemy. It cites our official state relationship as evidence of this.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/05/north_korea_defence_committee_report/

1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force.

During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), File Transfer Protocol (FTP) servers, misconfigured websites, and Network Attached Storage (NAS) drives.

This included documents spanning payroll data, tax returns, medical records, credit cards and intellectual property. A staggering 64,176,425 files came from the UK alone.

The trove amounts to more than 12PB (12,000TB) of exposed data – more than 4,000 times larger than the Panama Papers leak, which weighed in at a measly 2.6TB.

The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. However, consumers were also at risk from 14,687 instances of leaked contact information and 4,548 patient lists. A large volume of point-of-sale terminal data – transactions, times, places, and even some credit card details – was publicly available.

Although misconfigured Amazon S3 buckets have hogged headlines recently, in this study (registration required) cloud system leaks accounted for only 7 per cent of exposed data. Instead it is older, yet still widely used, technologies – such as SMB (33 per cent), rsync (28 per cent) and FTP (26 per cent) – which have contributed the most.
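The practical lesson from that breakdown is that an external audit of your own address space should be looking for SMB, rsync and FTP listeners at least as hard as for open S3 buckets. The script below is an added example, not Digital Shadows’ tooling: it parses Nmap’s grepable output (`nmap -oG`, the `Host: … Ports: …` line format) and reports every host with one of those file-serving protocols open to the internet. The scan output embedded in it is constructed to show the format and is not a real scan; the hostnames and addresses are documentation examples.

```python
"""Find internet-facing file-sharing services in Nmap grepable (-oG) output.

Added example; the scan text below is constructed, not a real scan.
"""
import re

# Protocols behind most of the exposure in the Digital Shadows study, plus NFS.
EXPOSED_SERVICES = {21: "FTP", 139: "SMB (NetBIOS)", 445: "SMB", 873: "rsync", 2049: "NFS"}

# Grepable line: "Host: <ip> (<name>)\tPorts: <list>\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text):
    """Return {ip: (hostname, {open_tcp_port: service_name})}."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comments and "Status: Up" lines carry no port data
        ip, name, ports_field = match.groups()
        open_ports = {}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
        hosts[ip] = (name, open_ports)
    return hosts


def exposed_file_services(hosts):
    """Return [(ip, hostname, [(port, label), ...])] for hosts exposing file services."""
    report = []
    for ip, (name, ports) in hosts.items():
        hits = [(p, EXPOSED_SERVICES[p]) for p in sorted(ports) if p in EXPOSED_SERVICES]
        if hits:
            report.append((ip, name, hits))
    return report


# Constructed sample in -oG format (not a real scan; addresses are documentation ranges).
SAMPLE_SCAN = """# Nmap 7.70 scan initiated (constructed sample, not real output)
Host: 203.0.113.5 (nas01.example.net)\tStatus: Up
Host: 203.0.113.5 (nas01.example.net)\tPorts: 21/open/tcp//ftp///, 445/open/tcp//microsoft-ds///, 873/open/tcp//rsync///\tIgnored State: closed (997)
Host: 203.0.113.7 (www.example.net)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.9 (legacy-ftp.example.net)\tPorts: 21/open/tcp//ftp///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
"""

if __name__ == "__main__":
    for ip, name, hits in exposed_file_services(parse_grepable(SAMPLE_SCAN)):
        print(ip, name, ", ".join(f"{label}/{port}" for port, label in hits))
```

Run it against real output from `nmap -p 21,139,445,873,2049 -oG scan.gnmap <your external ranges>` and treat every line it prints as a finding to close or put behind a VPN; a consumer NAS with rsync and SMB open, like the first sample host, is exactly the kind of “backup device misconfigured to be internet-facing” the study describes.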

Business-critical information also leaked. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered. Another case included a document containing proprietary source code submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records, as well as details about the copyright application.

Third parties and contractors were identified as one of the most common sources of sensitive data exposure. The leaked information included security assessment and penetration tests. In addition, Digital Shadows identified consumer backup devices that were misconfigured to be internet-facing and inadvertently making private information public. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/05/billions_files_exposed_aws_ftp_wide_open/

Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers’ bank cards

Hackers have swiped sensitive personal information held by two of the best known companies in the US – after malware infected a customer support software maker.

Both Sears and Delta Air Lines said Wednesday that hundreds of thousands of customers’ payment card numbers, expiration dates, and CVV security codes, were extracted by the malware and siphoned to its masterminds.

The cyber-heist was traced to an infection at [24]7.ai, a Silicon Valley biz specializing in chat and customer service bots that help punters perform, among other things, credit card purchases.

“The incident began on Sept 26, and was discovered and contained on Oct 12, 2017,” [24]7.ai said in its confession on Wednesday.

“We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers’ online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed.”

Sears says crooks got their hands on under 100,000 of its customers payment card details, while Delta estimates that “several hundred thousand” flyers probably had their payment card details lifted.

Impacted

“While we believe we have identified with some precision the transactions that could have been impacted, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised,” Delta said.

So far, no other personal information was believed to have been accessed. Sears notes that customers who made online purchases during the infection period (September 27 to October 12) using a Sears-branded credit card were not impacted. Brick-and-mortar store purchases were also safe from the intrusion.

The incident underscores what has become an overlooked, but very important, risk factor for enterprises; partners who have access to customer data. In addition to securing their own systems, companies are increasingly going to have to do their homework on the third-parties they choose to handle customer information.

Perhaps the best example is the disastrous 2013 data theft at Target, in which the sales terminal malware that stole details on 40 million customer payment cards was eventually traced back to credentials stolen from the chain’s air conditioning provider. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/05/sears_delta_customer_payment_cards_hacked/

Unpatched Vulnerabilities the Source of Most Data Breaches

New studies show how patching continues to dog most organizations – with real consequences.

Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability for which they had not yet patched.

Half of organizations in a new Ponemon Institute study conducted on behalf of ServiceNow say they were hit with one or more data breaches in the past two years, and 34% say they knew their systems were vulnerable prior to the attack. The study surveyed nearly 3,000 IT professionals worldwide on their patching practices.

Patching software security flaws by now should seem like a no-brainer for organizations, yet most organizations still struggle to keep up with and manage the process of applying software updates. “Detecting and prioritizing and getting vulnerabilities solved seems to be the most significant thing an organization can do [to prevent] getting breached,” says Piero DePaoli, senior director of marketing at ServiceNow, of the report.

“Once a vuln and patch are announced, the race is on,” he says. “How fast can a hacker weaponize it and take advantage of it” before organizations can get their patches applied, he says.

Most of the time, when a vuln gets disclosed, there’s a patch for that. Some 86% of vuln reports came with patches last year, according to new data from Flexera, which also tallied a 14% increase in flaws compared with 2016.

The dreaded zero-day flaw that gets exploited prior to an available patch remains less of an issue, according to Flexera. Only 14 of the nearly 20,000 known software flaws last year were zero-days, and that’s a decrease of 40% from 2016.

Even so, organizations typically first must undergo a patching rollout process, which includes testing out a patch before going live with it. Nearly three-fourths of organizations recently surveyed by 0patch say they worry that software updates and patches could “break” their systems when applied. Then there are the usual challenges of any downtime, legacy system patching, and compatibilities with existing applications and operating systems.

And according to the findings in the Ponemon report, most organizations believe adding more staff is the solution to their patching problems: 64% plan to hire additional dedicated staffers to support their patching operation in the next 12 months, which represents a 50% increase in headcount for half of those organizations.

Organizations spend some 320 hours a week on vulnerability response, the report found, which is equivalent to eight full-time people. “But it may not be practical to hire” more people, especially given the shortage of security talent, DePaoli notes.

About 37% of the breached organizations say they don’t even scan for vulnerabilities. “That was one of the most surprising results. In order to detect vulnerabilities, you need to scan for them” at the least, DePaoli says.

ServiceNow recommends that organizations assess the effectiveness of their vulnerability response process; prioritize patching based on risk of exploitation; unite security and IT staffs so they have a common view of vulnerabilities and IT configuration data; automate as much of the process as possible; and retain existing staff with a “high-performance” and optimized operation.
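“Prioritize patching based on risk of exploitation” is the recommendation that changes day-to-day queues the most, because it means a CVSS 8.1 flaw with a public exploit outranks a CVSS 9.8 flaw nobody has weaponised yet. The code below is an added example, not ServiceNow’s or Ponemon’s method: it scores each open finding from its CVSS base score, a fixed bonus for a public exploit, a bonus for internet exposure, and a time-since-disclosure term that captures DePaoli’s point that the race starts when the vuln and patch are announced. The findings are constructed (the EXAMPLE-000n identifiers are placeholders, not CVE numbers) and the weights and tier thresholds are illustrative.

```python
"""Rank open vulnerability findings by risk of exploitation, not raw CVSS alone.

Added example. The findings are constructed (EXAMPLE-000n is a placeholder,
not a CVE identifier) and the weights are illustrative; tune them to your
own environment.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float             # base score, 0-10
    patch_available: bool
    exploit_public: bool    # weaponised exploit published or exploitation seen in the wild
    internet_facing: bool
    disclosed: date


def risk_score(finding, today):
    """Higher is more urgent. CVSS contributes 0-100; a public exploit and
    internet exposure add fixed bonuses; days since disclosure add up to 30,
    because the attacker's weaponisation race only gets worse with time."""
    score = round(finding.cvss * 10)
    if finding.exploit_public:
        score += 50
    if finding.internet_facing:
        score += 25
    score += min(max((today - finding.disclosed).days, 0), 30)
    return score


def tier(score):
    if score >= 150:
        return "critical: remediate within 48 hours"
    if score >= 100:
        return "high: next patch window"
    return "normal: scheduled maintenance"


def prioritize(findings, today):
    """Return [(asset, vuln_id, score, action)] sorted most urgent first."""
    rows = []
    for finding in findings:
        score = risk_score(finding, today)
        action = tier(score)
        if not finding.patch_available:
            action += " (no vendor patch: apply mitigations, track for patch)"
        rows.append((finding.asset, finding.vuln_id, score, action))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


# Constructed findings; note the CVSS 9.8 item is not the most urgent one.
SAMPLE_FINDINGS = [
    Finding("www-edge-01", "EXAMPLE-0002", 9.8, True, False, True, date(2018, 4, 2)),
    Finding("fileserver-03", "EXAMPLE-0001", 8.1, True, True, False, date(2017, 3, 14)),
    Finding("hr-app", "EXAMPLE-0003", 5.3, False, False, False, date(2018, 3, 1)),
    Finding("vpn-gw", "EXAMPLE-0004", 7.5, True, True, True, date(2018, 4, 5)),
]


def sample_report(today=date(2018, 4, 6)):
    """Prioritised queue for the constructed findings as of the given date."""
    return prioritize(SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

The output puts the year-old, publicly exploited file-server flaw first and the brand-new 9.8 on the edge web server third; whether that ordering is right for you depends on the weights, which is the point of writing them down rather than sorting the scanner export by severity.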


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/unpatched-vulnerabilities-the-source-of-most-data-breaches/d/d-id/1331465?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to Build a Cybersecurity Incident Response Plan

Being hit by a cyberattack is going to be painful. But it can be less painful if you’re prepared, and these best practices can help.

When it comes to corporate cyber incidents, there’s no debating the facts: attacks are more sophisticated, frequent, widespread, and costly than ever. In 2015, cybercrime cost companies $3 trillion. By 2021, that number is expected to double. At that point, cybercrime will become the most profitable criminal enterprise in the world.

Smart business leaders understand a cyberattack isn’t a possibility — it’s an inevitability. And yet, even in a climate of awareness about the threats posed by cybercrime, businesses aren’t doing enough to prepare for these incidents.

Having a well-protected corporate infrastructure with the requisite safeguards is vital —  and not just in technology but in the people and processes, too. What happens when attackers breach these defenses? How do companies handle an incident and its fallout? When every second counts, previous preparation increases the speed at which organizations can respond, avoiding hastily made decisions because the pros and cons already have been weighed. Preparation also cuts through the paralysis that can come with such an event.   

Mistakes to Avoid
Given the sheer volume of breaches that have hit enterprises of all sizes and industries, it’s easy to find notable examples of less-than-stellar corporate responses. Case in point: Equifax. After the credit monitoring firm suffered one of the largest data breaches to date, it wasn’t the breach itself that drove headlines; it was the company’s disorganized and problematic response, which began by directing potential victims to a bug-ridden site and continued with the company repeatedly tweeting out a look-alike link that could have been used for phishing.

Here are a few of Equifax’s mistakes from which we can learn.

Too much time spent in denial. Once an incident is detected, every second counts. Yet too many enterprises fall into the denial trap, where they either overlook anomalous activity or downplay the magnitude of the activity once discovered. This state of denial almost always backfires by fracturing customer and employee trust — and losing precious time — as it did in Equifax’s case.

Unstructured chain of command. Getting hacked can be a source of embarrassment for enterprises. But companies that project competence, organization, and control in the wake of an attack can positively affect their future. The blunders described above in Equifax’s case pointed to a lack of structure within the enterprise.

Lack of foresight. Alongside an absence of a chain of command comes a lack of foresight, which can manifest in companies acting too hastily, overcorrecting, or implementing “fixes” that create new problems. No, you cannot predict the future or the decisions that will need to be made. But you can agree ahead of time on the process for making those decisions and who is going to make them. When you do this, you minimize the influence of emotion and personality differences that can derail a cyber response in an instant.

Incident Response Plan Best Practices
For enterprises, having a comprehensive and strategically designed cybersecurity incident response plan is the single most important step to mitigate the fallout of a malicious intrusion. These are the best practices for designing, testing, and implementing such a plan.

Secure participation from key stakeholders. A security breach affects many groups within an organization. As a result, cross-departmental support and buy-in is needed during the ideation and development phase. Human resource leaders, compliance officers, legal representatives, external vendors such as technology providers and public relations firms, and management liaisons all need a seat at the table.

Delineate roles. Once you have key stakeholders in the room, it’s important to clearly lay out their specific responsibilities in the event of a breach. Perhaps HR leaders are on point for internal communications when a breach happens, while the PR team handles external communications. At the same time, legal representatives should be ready for any regulatory implications of a breach, while IT experts should familiarize themselves with the back-end work they’ll need to handle. Specifying these roles in advance of a breach prevents the kind of high-level confusion that ensued in the wake of the Equifax incident.

Run tabletop exercises. As companies flesh out an incident response plan, the true litmus test is a breach simulation. The best way to conduct this exercise is with a third party, since that eliminates the possibility of bias in designing the mock attack. In terms of tabletop objectives, the goal should be to validate that your plan considers all actions and activities that need to occur during a breach. It can also validate whether each function understands its role and, more importantly, reveal how various personalities may affect the breach response.

Communicate effectively. When a cybersecurity incident occurs, chaos is inevitable given the multiple workstreams, competing priorities, and number of people involved. The investigation is only one part of the response, competing with executive briefings, legal notification, HR, regulatory concerns, and public relations, to name a few. It is imperative for companies to understand how to communicate effectively amid the chaos. Companies should create a viable incident response plan that touches every part of the organization and then communicate the plan — in a simple and digestible way — to all employees.

When it comes to cyberattacks on companies, there are two parts: the incident and the response. Companies cannot always control the former, but they have significant control over the latter. By designing and implementing incident response plans that are cross-departmental, carefully thought through, and endorsed by all key stakeholders, companies can strengthen public trust and brand reputation in a situation that could otherwise be ruinous.

Wayne Lee is a Senior Architect with West Monroe Partners, responsible for the firm’s cybersecurity practice on the West Coast. He is a proven information security leader with nearly two decades of experience providing strategic and tactical cybersecurity expertise to …

Article source: https://www.darkreading.com/attacks-breaches/how-to-build-a-cybersecurity-incident-response-plan/a/d-id/1331435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple