October 28, 2013 by Brad Garnett
In this short three-part series, we are going to look at the data breach. In this first part, we give an overview of the data breach. In parts two and three, we'll discuss response, remediation, and critical security controls.
A data breach occurs when protected information leaves the trusted environment in which it is stored and ends up in an untrusted one. Data breaches occur daily and can be very costly to your business. According to the 2013 Verizon Data Breach Investigations Report, in 2012 there were 47,000 reported security incidents, 621 confirmed data disclosures, and at least 44 million compromised records. A common data breach occurs when a company laptop is lost or stolen. If breach-notification laws apply, the company must then disclose the breach because the laptop held sensitive data. For example, if the laptop contains HIPAA-protected patient information, the scope of the breach is not measured by the single device but by the amount of patient data on it: a single laptop holding 1,000 patient records is a breach of 1,000 records, not one. (Full-disk encryption is the control that turns a lost laptop into lost hardware rather than a reportable breach; the HIPAA breach-notification rule does not treat properly encrypted data as unsecured.) Most businesses have a policy for minimizing this kind of tangible data breach and for responding to it. What about an intangible data breach from a network intrusion? Do you have a policy and resources in place to detect, respond to, and remediate this form of data breach? What personnel are in place? What are you doing now to prepare? Do you have a plan for remediation?
The stolen company laptop was used above as an example of a tangible data breach. This series will focus primarily on the intangible data breach: the network intrusion. Would your company know if it had a network intrusion? If so, how long do you think it would take to detect it? In the 2013 Verizon Data Breach Investigations Report, 66% of data breaches took months or even years to discover, and 76% of network intrusions exploited weak or stolen credentials. Do you have a policy in place to ensure passwords are changed on a regular basis? Does this policy conform to strong password standards? Do your users have administrative privileges? If so, why? What can be done to ensure that only one or a select few accounts have full administrative privileges on your network? 75% of attacks are opportunistic, not directed at a particular individual or company: most attackers break into whichever systems let them bypass weak security controls with the least effort. Training and awareness of computer security issues is key! What are you doing to create a security-aware culture among employees? Over 95% of state-affiliated espionage attacks rely on phishing in some way. The user is still the weakest link in the security chain. Attackers understand this and know that a targeted phishing e-mail is a very effective way to compromise the victim's system. Once a user opens the malicious attachment or link, a backdoor is established from the victim computer to the attacker's system, giving the attacker "command and control" over it. Once a single system is compromised, that initial system (the initial infection vector) becomes the pivot point from which the attacker moves to the next system within the network.
Contrary to popular belief, 86% of data breaches have no internal element. The 14% that are internally related often involved lax internal controls. Over 50% of those were committed by former employees, who took advantage of an old account or backdoor that was not disabled when their employment ended. Over 70% of intellectual property theft cases involving employees took place within 30 days of the employee announcing their resignation. Do you have a written policy to address IT issues related to an employee being terminated? Do employees have to sign an IT agreement as a condition of employment?
Understanding what is normal in your environment is critical. If you do not know what is normal in day-to-day business, how are you going to spot an anomaly? Understanding what data you have, and what you are required to keep, is also important. Do you have a policy for eliminating old, unnecessary data? Are you performing regular network and system backups? In closing, the scope of data breaches is complex; however, there are tools and resources to minimize your exposure to becoming an easy target. Published reports continue to show that most data breaches could easily have been prevented, even as attacks grow in complexity and sophistication. Remember, the best defense is a good offense!
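Two of the questions above, whether a departed employee's account is still being used and whether you know what "normal" looks like well enough to spot an anomaly, can be turned into a concrete, repeatable check. The following script is an added example, not code from the original article or from Kemper; the log format, host names, user names and the HR roster in it are all constructed for illustration. It builds a per-user baseline (which source hosts and which hours of the day each account normally logs in from) out of a week of successful logins, then reviews a later day's logins and flags four kinds of deviation: an account whose owner has left but which still logs in after the separation date, a login from a host never seen for that user, a login outside the user's normal hours, and an account with no baseline at all.

```python
"""Baseline-and-anomaly review of constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample of a "normal" week, used only to build the baseline.
BASELINE_LOGS = """\
2013-10-14T08:02:11 LOGIN user=jsmith src=WS-112 result=success
2013-10-14T08:15:40 LOGIN user=mjones src=WS-207 result=success
2013-10-15T07:58:03 LOGIN user=jsmith src=WS-112 result=success
2013-10-15T08:20:12 LOGIN user=mjones src=WS-207 result=success
2013-10-16T08:10:45 LOGIN user=jsmith src=WS-112 result=success
2013-10-16T17:45:09 LOGIN user=mjones src=WS-207 result=success
2013-10-17T08:01:30 LOGIN user=rdoe src=WS-301 result=success
2013-10-17T09:05:22 LOGIN user=jsmith src=WS-112 result=success
"""

# Constructed sample of the day under review (includes one malformed line).
REVIEW_LOGS = """\
2013-10-21T08:05:02 LOGIN user=jsmith src=WS-112 result=success
2013-10-21T02:47:19 LOGIN user=jsmith src=VPN-GW1 result=success
2013-10-21T09:12:55 LOGIN user=rdoe src=WS-301 result=success
2013-10-21T10:30:00 LOGIN user=mjones src=WS-207 result=success
2013-10-21T11:00:00 LOGIN user=svc-backup src=SRV-FS1 result=success
this line is garbage and should be skipped
"""

# Constructed (hypothetical) HR roster: account name -> last day of employment.
DEPARTED = {"rdoe": date(2013, 10, 18)}


def parse_line(line):
    """Parse one log line into a dict; return None for anything malformed."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "LOGIN":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    return {"ts": ts, "user": fields["user"], "src": fields["src"],
            "result": fields.get("result", "")}


def build_baseline(log_text):
    """Per-user set of source hosts and hours of day seen during normal use."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "success":
            baseline[ev["user"]]["hosts"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def find_anomalies(log_text, baseline, departed, slack_hours=1):
    """Return (reason, user, src, timestamp) tuples for logins that deviate."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        # A former employee's account that is still active after separation.
        if user in departed and ts.date() > departed[user]:
            findings.append(("departed-account", user, src, ts))
        # No history at all for this account: nothing to compare against.
        if user not in baseline:
            findings.append(("no-baseline", user, src, ts))
            continue
        b = baseline[user]
        if src not in b["hosts"]:
            findings.append(("new-source", user, src, ts))
        # Off-hours: outside the observed hour window, widened by slack_hours.
        lo, hi = min(b["hours"]) - slack_hours, max(b["hours"]) + slack_hours
        if not lo <= ts.hour <= hi:
            findings.append(("off-hours", user, src, ts))
    return findings


def review(baseline_text=BASELINE_LOGS, review_text=REVIEW_LOGS, departed=DEPARTED):
    """Build the baseline from one log set and review another against it."""
    return find_anomalies(review_text, build_baseline(baseline_text), departed)


if __name__ == "__main__":
    for reason, user, src, ts in review():
        print(f"{ts.isoformat()} {reason:17} user={user} src={src}")
```

On the constructed data this reports jsmith's 02:47 VPN login twice (new source and off-hours), rdoe's login three days after the separation date, and the never-seen svc-backup account; the malformed line is skipped rather than crashing the review. A real deployment would read the logs of the domain controller, VPN concentrator or directory service instead of the embedded strings, and the departed-account check only works if HR separation dates actually reach the people who run it, which is exactly the written termination policy the article asks about.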
Brad Garnett, CCE®, GCFA is a Digital Forensic Consultant with Kemper Technology Consulting, a division of Kemper CPA Group LLP. Prior to joining the Kemper team, Garnett spent the last decade in law enforcement, where he specialized in digital forensics. If you have a situation where forensic technology is needed to help you find an answer or make a tough business decision, please contact Brad at 812-421-8000.
Kemper CPA Group LLP publications should not be construed as legal advice or legal opinion on any specific facts or circumstances. The content is intended for general informational purposes only. You are urged to consult your own advisor on any specific legal questions concerning your situation.
Verizon, 2013 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2013/
Carnegie Mellon University, Software Engineering Institute, http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm