Slide 1

Slide 1 text

Messaging for a Security Breach How to Avoid Adding Fuel to the Dumpster Fire Ray Strubinger, Managing Consultant DFIR

Slide 2

Slide 2 text

Our Goal Gain a basic understanding of what’s necessary to help prevent a significant security incident from becoming a memorable, epic, disaster.

Slide 3

Slide 3 text

Let’s set the stage… • Imagine a company that has: • Collected vast amounts of sensitive personal data on people from many countries • Systems connected to the internet running a variety of software • Software with a publicly announced flaw • Time passes • The vulnerable internet facing systems are found by attackers • Attackers (hackers) exploit the system and obtain data

Slide 4

Slide 4 text

Houston, we have a problem • Company announces a breach • Indicates the breach is limited • States it has known about the breach for over a month • Company is investigating and has retained external experts • Reiterates a commitment to security and its customers • Promises to do better

Slide 5

Slide 5 text

Are you feeling lucky? • A breach announcement may not attract much attention • Why? • People have become desensitized • Frequent breach announcements • Several large breaches • Minimal personal impact • Little pain from the exposed data – “It was just my email address and password” • My data was exposed last month and the month before that • May perceive there’s no personal information left to expose

Slide 6

Slide 6 text

Any media attention is good, right? • Let’s imagine in our scenario • The breach announcement draws attention • Recall the business had vast amounts of sensitive data • The company did not anticipate the amount of interest • The nature of the business, its image, the type of data exposed & the impact of the exposure will determine the level of interest in the breach announcement

Slide 7

Slide 7 text

A comedy of errors • Let’s imagine a call center that struggles under a flood of calls • Have a plan to increase capacity quickly • Use scripts to stay on message • Web sites created to handle inquiries are lampooned • Creating special “breach sites” can be problematic • Avoid this style of name - companyname2017event.com (victims cannot tell it from an attacker-registered lookalike) • Better approach – companyname.com/2017event • Carve out a portion of your existing website for breach information • Strive to minimize confusion for those impacted by a breach • Victims should not need to be lawyers to comprehend the message

Slide 8

Slide 8 text

A comedy of errors • Let’s imagine that a company Tweets a rogue website believing it to be its own • Have a communications plan • Consider additional controls on the use of social media • Validate all external resources before including them in announcements, Tweets, websites or other notices • Executive profiles scrubbed from the net • While this may be deemed necessary for some incidents, remember the internet rarely forgets • Removing profiles from corporate websites may be okay depending on previous practice • Removing content or profiles may increase the level of attention
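The two slides above both come down to one check: every link in a draft announcement must point at a domain the company actually controls, and a name that merely contains the brand (companyname2017event.com) does not qualify. The script below is an added example, not part of the original talk; the owned-domain list and the draft tweet are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption for the example: the only domain the company controls.
# A lookalike such as companyname2017event.com must never pass this check.
OWNED_DOMAINS = {"companyname.com"}

# Matches http(s) URLs in free text; trailing punctuation is stripped below.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

# Constructed draft message: one correct link, one brand-lookalike, one plain-http link.
DRAFT_TWEET = (
    "Details on the 2017 event are at https://companyname.com/2017event. "
    "FAQ at https://companyname2017event.com/faq. "
    "Or call the number listed at http://support.companyname.com."
)


def is_owned(host: str) -> bool:
    """True only if host IS an owned domain or a subdomain of one.

    endswith('.' + domain) is deliberate: 'companyname2017event.com' ends with
    'companyname.com' only as a substring, not as a registrable suffix.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def check_announcement(text: str) -> dict:
    """Map each URL found in the draft to 'ok' or a 'flag: ...' reason.

    Flags non-https links as well: a breach notice is exactly the message
    people will be told to trust, so it must not train them to click http.
    """
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")
        parts = urlparse(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            results[url] = "flag: not https"
        elif not is_owned(host):
            results[url] = f"flag: host {host!r} is not a company-controlled domain"
        else:
            results[url] = "ok"
    return results


def flagged_urls(text: str) -> list:
    """Convenience view: just the URLs that must not go out as written."""
    return sorted(u for u, v in check_announcement(text).items() if v != "ok")


if __name__ == "__main__":
    for url, verdict in check_announcement(DRAFT_TWEET).items():
        print(f"{verdict:60s} {url}")
```

Run it as the last step before anything is posted or emailed; the point is that the check is mechanical and does not depend on whoever is drafting the message under pressure remembering which domains the company owns.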

Slide 9

Slide 9 text

The situation turns grim • Let’s imagine that company executives are summoned to speak before Congress • Factors to consider • Actual or potential impact of the incident • Perception of the way the incident is being handled • Prior history with incidents • Messages create a public uproar • Complex wording used on websites (legalese) • Variations in information from call centers • Casual or insensitive messages on social media • Avoid Tweeting messages like “Have a nice day” on the heels of a breach announcement

Slide 10

Slide 10 text

The situation turns grim • Let’s imagine the scope of the incident expands • Incidents evolve – watch the language used to avoid doing further harm to the corporate image • Resist the urge in the early phases to use language that makes it sound like the incident has been thoroughly investigated • Consult experienced incident responders, legal & PR firms to help avoid this pitfall • Members of senior leadership “retire” • Somewhat common practice • Public demands it - psychological need to “blame” • Typical way to bring about technical & cultural change

Slide 11

Slide 11 text

Merriam Webster has a definition for this type of event

Slide 12

Slide 12 text

Dumpster Fire Definition (US, informal) an utterly calamitous or mismanaged situation or occurrence : disaster https://www.merriam-webster.com/dictionary/dumpster%20fire

Slide 13

Slide 13 text

This doesn’t apply to me • My company is: • Not interesting to attackers/hackers • Too small • Not regulated • Not collecting sensitive data • In denial • Experts in crisis management

Slide 14

Slide 14 text

Why incidents matter to organizations • Conventional wisdom on breaches • Not “if” but “when” • Defenses have to be perfect at all times to avoid breaches • Few, if any, perfect defenses exist that are highly functional for most businesses • Is your company regulated by the SEC? • Ask, “Is this incident material?” • SEC guidance suggests that material breaches must be disclosed

Slide 15

Slide 15 text

Common Challenges with Incidents • Issues with Planning, Messaging, Perception & Execution • What is inferred by the company’s actions & statements? • Consider impact on credibility, confidence & competence • Could this be considered a foreseeable event? • “Less technical” businesses may be given a pass • Extremely unusual incident circumstances may get a pass • Common-cause incidents or previously identified (and ignored) issues will be seen less favorably • Was there an established response plan? • Was there an ability to competently execute the plan?

Slide 16

Slide 16 text

How do you start? • Raise awareness & gain understanding • Learn from others • Regularly discuss publicly announced security events • What would your organization do if in that situation? • What type of reception did the announcement receive? • How did the company manage the event? What could be better? • Include technical, operations, legal or executive level staff. • Include external parties when relevant.

Slide 17

Slide 17 text

What can be done? • Understand the business & the risks it faces • Types of data collected • Is any of the data sensitive? • How & where is data stored • Is the data a collection of well known file types, stored in a database, or captured in a proprietary format? • Is the data in the cloud, a company data center or a co-lo facility? • Is sensitive data encrypted? • Encryption is not a silver bullet – encryption at rest mainly protects against a lost or stolen physical device; it does not help when attackers read the data through a compromised application or account that is authorized to decrypt it • Who has access to the data • Employees, customers, 3rd parties or anyone? • How is the data accessed • BYOD, corporate owned and managed devices, any device located anywhere? • Are there technical audits or assessments? • What’s the audit or assessment frequency? Who did the assessment/audit? • What were the findings? How did we respond to the findings?

Slide 18

Slide 18 text

What can be done? (cont.) • Incidents are stressful – be ready before the crisis • Use this information as the basis for templates • Develop customized templates for various incident types the organization is likely to experience • Manage things responsibly & properly – fix things or be prepared to take a hit • Is there an existing response plan that needs revision? • Some of this work may have already been done. • What’s in the plan? • Has the plan been tested recently?

Slide 19

Slide 19 text

Templates • Review the information collected from a risk perspective • Develop scenarios & determine the likelihood & severity from different ways of losing or exposing data • Compromised web site • Unprotected cloud storage • Lost or stolen laptop or backup • Exposure due to phishing – industry breach reports consistently rank phishing among the most common initial access vectors • Build templates to fit your scenarios • Work with counsel to review templates • Engage specialists

Slide 20

Slide 20 text

Samples of Actual Breach Announcements

Slide 21

Slide 21 text

Good artists copy, great artists steal –Pablo Picasso https://www.oag.ca.gov/system/files/Sample%20Notice_0.PDF

Slide 22

Slide 22 text

Good artists copy, great artists steal –Pablo Picasso https://content.myfitnesspal.com/security-information/notice.html

Slide 23

Slide 23 text

Prepare for “When” • Practice using the templates to identify potential issues • Avoid learning curve challenges during the crisis • Conduct table top exercises • Simulate incidents • Respond to the simulation with the templates • Identify opportunities for improvement

Slide 24

Slide 24 text

Questions? Ray Strubinger [email protected]