
Tuesday, June 16, 2015

How to Have that Awkward Conversation




Hello again readers!! Today's post is the first (but most certainly not the last) "guest post" in which friends and colleagues can share their experiences and insights and give alternate perspectives on digital forensics, incident response, and information security. 

Today's post is authored by my friend "Jack" who has much more experience (and an MBA) on the "business" side of forensics and incident response than I ever will (and let's be honest, I also will never have an MBA). "Jack" may or may not also be in the Witness Protection Program, but the OPM data breach might change that.....

(PS: Apparently cat memes are the number one attraction to blog posts, according to 87 out of 100 business professionals. The other 13 were no doubt scouring the internet for other pictures of cats.)





How to Have that Awkward Conversation

By: "Jack"


NO, not the “It’s not you; it’s me!” one.  The one where you tell your employees (or clients!) that you’ve been hacked, their information is who-knows-where, and oh by the way, you’ve got no idea how the bad guys even got in.  You know. THAT one.  

I’m not going to sugarcoat this.  It’s going to be painful.  It’s going to be embarrassing.  But just like adults always tell kids, it is better to hear it directly from you.   If the news media or banking institutions are notifying victims instead… oh boy; it’s a public relations nightmare.  

First rule of Data Breach Club: Talk first and say it loud.  No one likes being indoctrinated into Data Breach Club, but I’ll let you in on a little secret:  It’s not an exclusive membership.  You’re either in the club, or you don’t know you’re already in the club.    




If you are upfront and honest, chances are better that you will maintain the relationships your organization has with its employees, partners, and clients.  Further, depending on the contracts you have with clients, you may not have a choice about public or private disclosure.  Depending on the laws where you operate, you may also be obligated to provide full disclosure within a certain time period.  Most state breach notification laws don’t specify what your notification should include; however, there are some minimum guidelines, which we attempt to cover in our samples below.   

In the State of Maryland for example, the Attorney General’s website says the following about data breach notifications:


Once a security breach is detected, a business must conduct in good-faith a reasonable and prompt investigation to determine whether the information that has been compromised has been or is likely to be misused, i.e. for identity theft. If the investigation shows that there is a reasonable chance that the data will be misused, that business must notify the affected consumers. 
In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following the investigation. A business may delay notification if requested by a law enforcement agency or to determine the scope of the breach, identify all the affected individuals or restore the integrity of the system. Notice to affected consumer must be given in writing and sent to the most recent address of the individual, or by telephone to the most recent phone number. Notice may be sent via e-mail if an individual has already consented to receive electronic notice or the business primarily conducts its business via the Internet. The law also contains a provision for substitute notice, allowing a business to provide notice of a security breach by e-mail, posting on its website and notice to statewide media if the cost of notice would exceed $100,000 or the number of consumers to be notified exceeds 175,000 individuals.  (https://www.oag.state.md.us/idtheft/businessGL.htm)

Searching online for “data breach disclosure laws AND [your location]” should net you some relevant results.  When in doubt, call a lawyer that specializes in data breaches.  If the Google can’t find one, your local Bar Association should be able to assist you.  






So how do you begin that notification email?  Your letter should contain some version of the following.  Square brackets [ ] denote areas where you should fill in the blank.


Part I—Introduce the Problem and Accept Responsibility:  You need to be upfront and honest; if you have a lawyer advising differently, find a new lawyer (Preferably one you suspect has a secret identity and fights crime at night using heightened senses resultant from a hazardous chemical spill; but I suppose if you can’t find one, any ethical data breach lawyer will do.)  If you don’t know something, say so.  Trying to hide the fact that you don’t know something just makes you look like you are hiding something, which is usually assumed to be more sinister.  Also, please don’t place blame on nation-states for a mess of your own creation; you’ll end up looking ridiculous and becoming the Poster Child of “What NOT to do”.        

“We are contacting you because on [insert discovery date] we discovered a serious cyber-security incident that occurred between [Start Date] and [End Date] that involved a breach of your [personal information, such as medical records, credit card numbers, passwords, etc…].  At this time we do not believe that [other personal information] was accessed.  We know you have trusted us with your information and we take that trust seriously. We take full responsibility for this incident and we will work tirelessly to resolve it quickly and completely.”

And if you delayed in sending notifications to victims, say why:

“In accordance with applicable laws, we delayed notification of affected parties by 30 days, due to an official request by law enforcement.”


Part II—Here’s What Is Happening Now:  This is where you tell them what you are doing to fix this problem.  (Not diverting attention, not doing just enough to get regulators off your back, not putting on a show to restore stock prices, not doing the minimum for regulatory compliance or limiting your liability.  Actually fixing the problem.  Let me say it again for dramatic effect:  Actually.Fixing.The.Problem.)  





You’ll want to (or be required to) at least cover what you did to stop the attackers, what you are doing to clean up the breach, and what changes you will make in the future.  Your notification should say some version of the following; pick and choose based on your circumstances:  

“Upon discovery we immediately blocked the offending IPs and shut down all outbound traffic.  We have begun the process of finding compromised machines.”

“We brought in cyber-security experts to investigate and fix this problem entirely and to ensure that we are more secure in the future.”  

“We advised the credit reporting bureaus and banks of this incident. We are offering a free credit report to every affected party, and here’s how to do that. [Instructions here.]”  

“We are cooperating fully with law enforcement and an investigation is on-going.  There will be full participation and transparency during the investigation.  Employees will be contacted in person if their assistance is required.  Do not provide any personal information, account numbers or passwords to any unverified person via email or on the phone, now or ever.”

“We are currently dedicating money to invest in our IT infrastructure, our security personnel, and monitoring tools so that attacks in the future are thwarted.”


Part III—Here’s What the User Has to Do:  This is where you tell your employees, clients, customers, and/or partners what they need to do.  You must be exceedingly firm about password changes and policy enforcement while at the same time making this VERY easy for them.  It’s a huge component of rebuilding trust and being transparent throughout the process.  Note the inclusion of an attachment, which should detail cyber-security best practices that they can use at work or at home.      

“You will be required to choose a new password before you can log into your account.  Everyone must do this, from the newest employee to the CEO of the company, including every member of the IT team and all admin accounts.  It may NOT be the same password as last time.  Your password will be required to have upper and lower case letters, a number, and a symbol.  You cannot use dictionary words.  It must also be at least 8 characters in length.  We apologize for the inconvenience, but this is a very important part of information security.  It stops the attackers from reusing any credentials they may have stolen, and it only works if everyone does it.  Thoroughness of this step is paramount.”




“You may wish to place a fraud alert or a freeze on your credit report, which you can do by contacting the three major credit reporting bureaus, Equifax, Experian, and TransUnion [insert contact info here].  Be aware that while a freeze is in place you will not be able to borrow money or open a new credit card until you lift it.”

“If your bank has not contacted you about replacing your cards, you may wish to proactively call them and ask for a replacement card.”

“We recommend following industry standards and best practices when it comes to cyber security.  The attached document details steps you can take to better protect yourself from online threats, both professionally and personally.  There is even a section included that focuses on online safety for kids and teens.”  
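As an added example (not part of the letter or of the original post), here is what enforcing the password rules quoted in Part III looks like in code, including the "may NOT be the same password as last time" rule done against a stored salted hash rather than a copy of the old password. The thresholds are the letter's own; the word list standing in for a dictionary, the PBKDF2 parameters and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

# The rules quoted in the letter; the thresholds are the letter's, not advice.
MIN_LENGTH = 8
# Assumptions for this example: a modest PBKDF2 work factor and a tiny word list
# standing in for a real dictionary file.
PBKDF2_ITERATIONS = 200_000
DICTIONARY = {"password", "welcome", "summer", "winter", "admin", "letmein", "company"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Keeping (salt, digest) of the old password is
    enough to enforce "not the same as last time" without storing it in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def same_as_previous(candidate, previous):
    """Re-hash the candidate with the old salt and compare in constant time."""
    salt, old_digest = previous
    return hmac.compare_digest(old_digest, hash_password(candidate, salt)[1])


def contains_dictionary_word(password):
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY)


def policy_violations(candidate, previous=None):
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbol")
    if contains_dictionary_word(candidate):
        problems.append("contains a dictionary word")
    if previous is not None and same_as_previous(candidate, previous):
        problems.append("same as the previous password")
    return problems


if __name__ == "__main__":
    old = hash_password("Summer2014!")  # what the directory would have kept on file
    for attempt in ("Summer2014!", "Abcdefg1", "Tr0ub4dor&3"):
        print(attempt, "->", policy_violations(attempt, old) or "accepted")
```

Two caveats a practitioner would add to the letter's wording: a forced reset only takes away the value of stolen credentials, so existing sessions and API tokens have to be invalidated at the same time, and it does nothing about any other foothold the attackers left behind. Current guidance (NIST SP 800-63B) also favours length and screening against known-breached passwords over composition rules like the ones quoted above.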



Part IV—We are Here to Help You:  This is where you point people to your public relations team, who in turn can run point between the employees/clients/partners and the legal team, technical team, management team, etc…  






What?  You don’t have a public relations team/person?  Didn’t anyone tell you that this is a key part of a data breach incident? This is one of those indirect costs of data breaches that no one ever considers during the risk management process.  Yes, it will cost money; you didn’t think data breaches were cheap did you?  Please note the inclusion of a toll-free number and the promise of regular updates.  We define “regular” as at least every two weeks.    

“If you have any questions or concerns, you may contact our offices at: [1-800-555-5555] or email us at [company@ourcompany.com].  Our website: [www.ourcompany.com] will be updated with the latest information as our investigation continues.”

“Again, we apologize for this incident and any inconvenience this causes.  We value your trust and we are committing all resources to resolving this incident quickly and completely, so we can get back to [insert mission statement or “what you do” here].”

Sincerely,
[Highest ranking person in your company]


No, I’m not kidding.  Your lawyer should not sign this for you.  Nor should your 3rd party data breach management company.  Not your PR firm, not the head of IT, and definitely not something cutesy like your mascot (even if your mascot is one of the cats in this blog post).  And for crying out loud, I don’t care how big and high profile you are, don’t have the President of the United States address the nation for you either.   

Before you send out this letter, run it by your public relations team/person, your general counsel/lawyer, your data breach response team, and your CEO, who as we discussed above will be signing the letter.    









Friday, June 5, 2015

Post OPM Breach...let the phishing begin!!




Hello again readers! As you may already know, last evening the Office of Personnel Management (OPM) admitted they sustained a data breach where they "lost 4 million records". In reality the number is probably much higher than that and the attack probably did not actually possess a "never before seen level of sophistication" or use a "previously unknown zero day attack" or any of the other "it is not our fault" mumbo jumbo that is usually seen after a data breach is admitted publicly. 


However, this blog post is not going to cover any of that; instead it is going to focus on two phishing emails I received last night that were possibly related to my own information being compromised in the breach, as my personal information is held by OPM since I was in the DoD (as a member of the US Air Force) and still currently hold a security clearance. (NOTE: I have not been notified that any of my information was compromised, and it could be completely unrelated. But...I mean....come on)



The phishing starts....

Last night I received two phishing emails that were related to "my Navy Federal Credit Union account". This is interesting because although I have indeed served in the military, I do not have any accounts with Navy Federal Credit Union at all. 


Two emails received from "Navy Federal"


The first email was received at 19:05:07 and the second was received at 19:53:17, so in less than an hour I had two phishing attempts. Once again, I cannot definitively say that it is related to the OPM breach, but the timing is suspect, to say the least.



Email 1: Your Account Statements is Now Avaliable

This was the first email that I received, with typical spelling errors and grammatical mistakes. As I have stated many times in the past, a "sophisticated" phishing email is one with no misspelled words or grammatical errors. This is clearly NOT in the sophisticated category. The link redirects to the domain "http://rudivervoort[.]be/SP/", which clearly does not seem to be legitimate for the Navy Federal Credit Union website. The email address is listed as "navyfederal@usmc.com", which is also NOT the domain of Navy Federal Credit Union. UPDATE: The URL in the email is now listed on VirusTotal as well!



Original email

Email with some grammar and spelling issues highlighted

Email header information

VirusTotal results from link in email





Email 2: Account Review Notice!

This email was sent later and is crafted a little bit better than the first. There are no spelling errors, although there are quite a few grammatical errors. Analysis of the email header shows it "originated" from the same Canadian IP address as the first phishing email, which may suggest they are related. The redirect link is a shortened URL, which should not happen in a legitimate email from your banking institution. In fact, the URL is shown on VirusTotal as malicious (already!). The email address this time around is listed as "Nfcu_navyfederal@net2.com". The first email address, in my opinion, was better.


Original email



Grammar highlighted

Email header information

VirusTotal results on link in email



Regardless of whether these emails are actually related to the OPM breach or not, it does highlight the importance of taking some safety precautions to avoid falling for phishing emails: 


  • Always ensure you read an email thoroughly. Look out for spelling and grammar issues; if it seems strange, it probably is
  • Hover over links before clicking on them
  • Better yet, do not click on ANY link from your bank, credit card company, shipping company, etc. Log into the website of your service provider directly if you get an "important message" from them
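The checks the post walks through by hand for both emails (a sender domain that is not the bank's, a link whose real target does not match what the link text shows, a URL shortener, the originating IP pulled from the Received chain, and obvious misspellings) can be scripted so the "hover over links" advice above is applied to a raw message automatically. The block below is an added example and not code from the original post; the two sample messages are constructed for it, with only the sender addresses, the subject lines and the link host taken from the post. The institution's real domain (navyfederal.org), the shortener list, the typo list, the Received headers and the IP addresses are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAINS = {"navyfederal.org"}  # assumption: the institution's real domain
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}
MISSPELLINGS = {"avaliable", "recieve", "verfiy", "acount", "securty"}

# Constructed sample modelled on email 1. Only the From address, subject and link
# host come from the post; Received headers, IPs and body text are made up. The
# link host is kept defanged ("[.]") as in the post; refang() restores the dot.
SAMPLE_EMAIL_1 = """\
Received: from mail.example-relay.net (mail.example-relay.net [203.0.113.7])
\tby mx.example.org with ESMTP; Thu, 4 Jun 2015 19:05:07 -0400
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example-relay.net with SMTP; Thu, 4 Jun 2015 19:04:55 -0400
From: Navy Federal <navyfederal@usmc.com>
Subject: Your Account Statements is Now Avaliable
Content-Type: text/html

<html><body><p>Dear Member, your statement is now avaliable. Please to review it.</p>
<p><a href="http://rudivervoort[.]be/SP/">https://www.navyfederal.org/statements</a></p>
</body></html>
"""

# Constructed sample modelled on email 2: no spelling errors, shortened link.
SAMPLE_EMAIL_2 = """\
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.org with SMTP; Thu, 4 Jun 2015 19:53:17 -0400
From: Navy Federal <Nfcu_navyfederal@net2.com>
Subject: Account Review Notice!
Content-Type: text/html

<html><body><p>We need you to verify your account.
<a href="http://bit.ly/example">Review Now</a></p></body></html>
"""

def refang(url):
    # Restore a defanged indicator ("rudivervoort[.]be", "hxxp://") for parsing.
    return url.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    """Lower-cased host of a URL with any leading "www." stripped."""
    host = (urlparse(refang(url)).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_legit(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def shown_host(text):
    """Host the link *text* claims to go to, or "" if the text is not URL-like."""
    text = re.sub(r"<[^>]+>", "", text).strip()
    if not re.search(r"[a-z0-9]\.[a-z]{2,}", text, re.I):
        return ""
    return host_of(text if "://" in text else "http://" + text)

def received_ips(msg):
    """IPv4s from the Received chain, last hop first; the final entry is the best
    guess at the originating host (earlier hops are under the sender's control)."""
    return [m.group(1) for h in msg.get_all("Received", [])
            for m in [re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(h))] if m]

def analyze(raw):
    """Run the checks on one raw message; "findings" is empty when nothing is odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings, links = [], []

    sender = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    if not is_legit(sender):
        findings.append(f"sender domain {sender} is not the bank's")

    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        target, shown = host_of(href), shown_host(text)
        links.append({"href": href, "host": target, "shown": shown})
        if not is_legit(target):
            findings.append(f"link points to {target}, not the bank's domain")
        if target in URL_SHORTENERS:
            findings.append(f"link goes through URL shortener {target}")
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")

    text = str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)
    typos = sorted(set(re.findall(r"[a-z]+", text.lower())) & MISSPELLINGS)
    if typos:
        findings.append("misspellings: " + ", ".join(typos))

    ips = received_ips(msg)
    return {"sender_domain": sender, "origin_ip": ips[-1] if ips else None,
            "links": links, "misspellings": typos, "findings": findings}

if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL_1, SAMPLE_EMAIL_2):
        print("\n".join(analyze(raw)["findings"]) or "no red flags", "\n")
```

Run as-is it reports four red flags for the first sample (sender domain, link target, link text versus target, the "avaliable" typo) and three for the second (sender domain, link target, shortener), which matches the post's own reading of the two emails: the second is "better" on spelling but worse on the link. The originating IP is taken from the bottom-most Received header because every hop above it was added by a relay the sender does not control, while the sender can put anything in the headers below. None of this is a substitute for the last bullet above; it is triage for the mailbox, not a reason to click.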



A very timely Dilbert comic strip. Retrieved June 5, 2015 from http://dilbert.com/strip/2005-08-12