[BreachExchange] Failed Incident Responses from 2017 Provide Important Case Studies

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 2 19:06:35 EST 2018


Professors in the field of cybersecurity often find themselves in an
interesting position when trying to provide relevant examples for failed
cybersecurity incident handling. Usually, when presenting real-world
scenarios in the classroom, examples are limited in their description, with
incomplete data leading to supposition, or aged in their relevance, and
instructors harkening back to big-splash events like the 2013 Target data

This makes for classroom experiences that can be interesting in theory, but
not as resonant as they could be in the current landscape. Instructors can
either leverage examples of smaller breaches with sufficient data, or wait
for the collective classroom groan from a tired discussion.

However, 2017 has come to the rescue in horrifying yet remarkable fashion.
With huge, multi-order effect breaches, such as the Equifax hack, and the
bribe-payoff Uber attack, instructors are armed with new, relevant material
that can provide excellent case studies on how not to respond to an

Indeed, 2017 is a year that will come up in many different classrooms,
especially considering the poor handling of the far-reaching Equifax data
breach. Never have so many Americans experienced such deep compromise of
their identities.

If you have credit, you have a problem – and there is very little, beyond
implementing credit freezing, that individuals can do to remedy the
situation. While the data breach itself is worth a semester of study, the
handling is worth another. Starting with the importance of patch management
and ending with proper communication to the public, the Equifax breach
checks all the boxes of a classic failure in incident handling.

For example, while WannaCry provided an illustration for proper patch
management as a rule of thumb, Equifax has testified, in Congress, that its
failure to secure customer information directly resulted from poor patch
management and communication. To make matters worse, Equifax proceeded to
highlight the importance of proper external communication to customers.

The company provided a tool which users could use to identify if their
information was compromised. However, in its initial form, the tool
contained a legal mechanism through which individuals self-limited their
legal response options, making it harder to pursue recompense.

To compound this poor handling, it was discovered that the organization
knew about the breach well in advance of announcing its existence, and
several insiders suspiciously sold stock before the announcement –
prompting an investigation by the Justice Department. No matter how
professors decide to present this information, they will not find
themselves wanting for examples of lessons that must be learned.

Another gift of 2017 was the revelation of the year-old Uber hack. In this
instance, instead of handling the compromise of information pertaining to
over 50 million people, including driver’s license information, Uber opted
to treat the incident like a ransomware infection and pay the attackers in
exchange for “proof” that the information was destroyed. Without disclosing
the methods of deletion verification, beyond stating that Uber “obtained
assurances,” there is no real indication that a copy of the data is not
sitting, unsecured, awaiting nefarious usage.

Furthermore, multiple news outlets have opined that the cover-up stemmed
primarily from the negative press coverage Uber started receiving during
the time of the incident, with insiders dreading a compounding effect.
After analyzing the year Uber has experienced, any observer can realize
that proper incident handling appeared to be an organization-wide issue
that was not specific to its cybersecurity professionals.

While 2017’s “gift” of poor incident response examples is bountiful, and
will provide instructors and professors fodder for years to come, it is
important to remember that every failure provides opportunities to
highlight success.

These case studies will serve to emphasize the sound practices that
cybersecurity professionals should leverage and learn in training, such as
having an effective and well-defined incident communication procedure to
ensure that problems are effectively conveyed without leveraging trickery
or misdirection. Students will also learn the importance of proper patch
management and adherence to policy.

Organizations that hold these tenets close and adhere to proper process,
procedure, and planning experience less trauma and respond more effectively
to the inevitable incident. The struggles of 2017 prove that every cloud
has a silver lining.

No matter how it’s viewed, 2017 has been momentous for cybersecurity. This
year has brought the world a clearer view of the menacing threats and
difficult decisions faced every day by security professionals. However,
despite the compromise and concern, we can at least be thankful for the
gift of future case studies.