[BreachExchange] Alternative communications planning and cybersecurity incident response

[Audrey McNeil]

https://www.csoonline.com/article/3268227/data-protection/alternative-
communications-planning-and-cybersecurity-incident-response.html

There seems to be no end in sight for ransomware and malware attacks after
the spike in high-profile incidents last summer. This includes the Wannacry
ransomware strike in May 2017; PetWrap/NotPetya attacks in June; the
identification of “BlackOasis” through an Adobe Flash vulnerability in
October; the explosive revelations of the Equifax breach; wireless security
protocols that need to be patched; the Meltdown and Spectre bugs in
processor chips; and most recently the Cisco Adaptive Security Appliance
vulnerability, among others.

Many companies are now rightfully revisiting their incident response (IR)
protocols to prepare themselves for future attacks. More and more
regulatory requirements dictate that organizations must have a written IR
plan. While an IR plan is just one piece of a larger, more complex
cybersecurity program, it is nevertheless a critical component and one that
many regulators are closely scrutinizing. Apart from the legal,
reputational and regulatory risk, ransomware attacks can disable entire
global businesses for several days making IR plans business critical.

One key but often-overlooked component of an IR plan is a backup
communication method. If attackers completely disable a corporate email
server or are even simply monitoring those emails, alternate forms of
communication become crucial for managing the incident, attempting to keep
the business functioning and minimizing the productivity lost as a result.

A few years ago, cybersecurity professionals might have been labeled as
agitators or just plain paranoid for proposing the communications version
of a storm shelter emergency kit. Even though this arguably goes above and
beyond routine practices, it is exactly prudent given recent system-wide
ransomware attacks. These protocols, if properly executed, will also help
bolster a company’s defense posture if facing civil legal actions and
regulatory investigations following a ransomware attack.

Cyber emergency response kit: first steps

Implementing a robust plan for alternative communications has many
benefits: (i) assembling a core team quickly at a moment’s notice – even if
email is temporarily inaccessible; (ii) triaging to implement protocols to
handle the intrusion; (iii) ensuring that senior leadership remains
apprised of the situation; and (iv) complying with any sector-specific or
EU General Data Protection Regulation (GDPR) mandatory notice obligations
as soon as possible, not only for breach notification requirements under
various new pieces of legislation but also to engage assistance from law
enforcement. Another potential benefit is the ability to communicate with
customers or clients in real time about the impact of the breach, being
mindful of the balance of keeping customer contact information secure while
intentionally storing them outside of the company’s systems.

There are many important steps to take well in advance of drafting the
exact protocol. Firstly, forming an IR team. In the same way that any other
emergency situation will have a designated team to guide others within the
company, so should a cybersecurity response team be created. Secondly, an
assessment should be undertaken to identify the most immediate needs the
business will have after a cybersecurity attack, which will obviously range
from business to business and industry to industry (not to mention between
breaches depending on their severity). Having an external party with an
arms-length view of the potential threats and business risks could be
beneficial. Third, more general response protocols should be in place and
tested through mock exercises (sometimes referred to as “tabletop”
exercises). Plans and mock exercises should include meeting locations where
for senior leadership and staff should meet in the case of a breach.

Once these steps have been taken, an ancillary alternative communications
strategy should be created and shared to the small core IR team that had
already been identified and trained. This, unlike the more general plans,
should not be stored on the company’s network or computers that could not
be reached if corporate systems are down. Attackers may have access to
emails, intra-company messaging services, control over computers or other
devices including smartphones that employees access, so alternatives will
need to be in place for each for the core response team.

Cost-efficient options

An alternative communications ‘emergency kit’ does not have to be
sophisticated – in fact, the more user-friendly and basic, the better.
Many relatively low-cost options exist for purchasing basic laptops or
tablets. Attacks may also intercept corporate network traffic, so consider
hotspots that are not on the regular ISP service accounts that are
preloaded onto the backup laptops or tablets.

In addition, there are numerous free email accounts that offer two-factor
authentication. This requires a user must input a second secret phrase or
number in addition to his or her password.  Frequently, free email services
enable user to have a code texted to a number that the user would input
after the password. The added security benefit is that the email account
can only be accessed by someone who knows the password and also has the
phone associated with the account.  Generally, even if an attacker has
stolen a user’s email password, he or she would still not be able to access
the email account without access to the phone as well.

Email accounts created solely for this limited purpose should only be
shared among the core team and the list distributed in hard copy or
handwritten cards (or, better yet, pre-loaded onto the backup computers).
Core IR team members and senior leadership should consider purchasing
inexpensive non-smart phones with prepaid service or well-reputed
phone-call apps with encrypted call options. The best option will depend on
a company’s landline phone system and existing mobile phone devices. It
will be important to seek advice from security experts to determine the
best alternative communications plans and equipment.

Litigation and regulatory enforcement

Future litigation regarding data breaches is possible, especially if a
company did not take necessary precautions. Counsel will advise a company
on litigation hold requirements, but in general it is important not to
destroy anything following a breach. Alternative communications would be
subject to the same litigation hold requirements as regular company
communication methods and can help a company to demonstrate that they had
taken measures to counter any potential breach.

In addition, a company may be subject to many legal and regulatory
requirements regarding breach notification. For many in the security
community, one of them more concerning aspects of the GDPR, which has
extra-territorial reach outside of the EU, is that notification to relevant
regulators must normally take place within 72 hours of when the company
(either the data controller or processor) becomes aware of the breach.
While many who have worked on breach responses are rightly concerned by the
ability to meet this sort of timeline, having alternative communication
methods will at least allow for the possibility of doing so.

Taking these steps now will ensure that a company is well-prepared if the
worst happens. In an age where attacks can happen for a whole variety of
reasons, no company is entirely safe. In a digital age when digital
communication is so vital to the basic operations of a company,
incorporating an alternative communications strategy that takes into
account business, legal and regulatory requirements should be a priority.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180410/93253a05/attachment.html>