Imagine coming into work one morning to learn that your company’s customer data is for sale on the Dark Web. You didn’t even realize it had been stolen. Unfortunately, that’s not an uncommon scenario.
How you respond to a data security breach can determine how quickly your business can recoup losses and maintain customer goodwill. According to Shawn Connelly, TierPoint’s Senior Director of Digital Forensics and Security Infrastructure, it’s important to take the time to investigate what happened and how your organization can prevent it from reoccurring in the future. An in-depth digital forensics investigation may also be necessary if the data is regulated or the breach is sophisticated and difficult to detect. In this interview, Shawn discusses the important issues involved in a data breach response.
Data security breach red flags
Interviewer: How do organizations usually realize they’ve been breached, in your experience? What’s the typical red flag?
Shawn: People often realize they’ve been breached either because the data is leaked to the public, or they are sent a communication demanding money for the return of their data. I know of a reconstructive surgeon that was attacked by ransomware and the hacker threatened to release photos of patients if he didn’t pay up. Either way, it’s expensive to be the victim of a ransomware attack, or any data breach. The average cost per data breach in 2019 was $3.92 million, and $8.19 million in the U.S.
Also read: Don’t Be the Next Ransomware Headline
Ransomware security breaches: give in or give up?
Interviewer: If you are hit with ransomware, do you recommend paying or not?
Shawn: It’s a two-sided coin and you must decide which side is uglier than the other. The surgeon refused to pay, and they released all the photos. That might put you out of business. But if you do pay the attacker, you’ll be known as a good target for other attacks. You must look at the value of the data and your reputation. You might decide that the data itself isn’t such a big deal but if news of the breach gets out, your reputation will suffer.
The best response is to have a working backup, so you at least don’t lose your data. Even if the backup is 12 hours old, it’s still better than no data. But you must test your backups. That’s where a lot of companies miss the mark with their disaster recovery plan. If you don’t test it, you don’t know what data you’re going to get back.
Digital forensics and data security breaches
Interviewer: You conduct digital forensics investigation into cyber attacks and data breaches. Can you explain what that involves?
Shawn: Digital forensics encompasses the recovery and investigation of data or logs associated with electronic devices. When I’m called in to investigate a suspected breach, I look at the network traffic, such as DNS logs of devices such as smart phones, laptops, servers, virtual machines, intrusion detection systems (IDS), switches – even smart devices such as televisions. Smart televisions and multi-function printers can be attack vectors because they’re great places to grab data. Most multi-function printers have hard drives or some type of storage to process print jobs, faxes or scan in them, meaning someone could read every print job on it unless it’s been wiped. Think of the sensitive info that goes out on fax machines, traditional and electronic or the data left on a printer when someone forgets to pick up their print job.
What role can cloud providers play in security breach investigations?
Interviewer: I imagine most mid-sized and smaller companies don’t have the resources to conduct a forensic investigation after a data breach. Is it something that cloud services providers can do for their customers?
Shawn: Yes, but it depends on what services the client is using. If you’re a colocation customer who rents space and you manage all your own gear, then the provider can’t easily help because they won’t have access to your traffic patterns and logs. But if you’re a fully managed customer, then the provider has access to the operating systems, firewalls, network gear, etc. So then it’s a matter of how deeply the customer wants to investigate and how much time they have. It could take a couple of days to run a forensics scan on a laptop to several months to investigate an entire network with dozens of machines. Sometimes, we’ll even bring in third parties to do very deep level analysis.
When data security breaches should be investigated
Interviewer: When should a company consider a forensics investigation and what can you learn from one?
Shawn: Businesses in the financial services or healthcare industries will want to have a deep level analysis done of any suspected breach because they must report it to their customers and to regulatory bodies. If the data isn’t regulated data, then you have to decide what it’s worth to you or what your reputation is worth. You certainly don’t want to announce that you had a breach or didn’t have a breach until you’ve done a thorough analysis. There might also be potential legal ramifications for doing so.
You can learn quite a bit from a forensics investigation. We can often identify the sources of the breach based on the logs on the device or network gear, and we can identify a cause, such as a misconfiguration or a firewall rule that allows traffic in without filtering, or maybe an end user behavior like a successful phishing attack or ad click campaign.
Digital forensics can also help prove data leakage from internal sources, such as employees who may be sending out sensitive data to an external party, possibly intentionally or accidentally. Even when a user has wiped their hard drive or scrubbed their internet search history, often that data is still sitting there for me to grab. I just need to use the right tools and know which of Pandora’s boxes to open.
Secure your cloud environment before a data security breach
Have you evaluated your cybersecurity strategy to account for these threats? Are you implementing best practices to educate your employees, instituting strong password policies, and building not just a strong security perimeter but defense-in-depth? We can help you. Contact us to learn more and build the right cybersecurity policy for your IT infrastructure.