WIXLIB

in a separate, unlinked database to name a few.Anthem needs to take advantage of the veritablecornucopia of cutting edge security options tocover themselves from a technical vantage point orrisk having disaster occur again.Home Depot had similar issues and problems withtheir security policy. Once the attackers gainedaccess to one of their vendor environments, theycould use the login credentials of a third partyvendor to then open the front door. Once on thenetwork, it was easy for the hackers to exploit aknown zero-day vulnerability in Windows. Thevulnerability allowed the hackers to pivot fromthe vendor environment to the main Home Depotnetwork. It was then possible to install memoryscraping malware on the point of sales terminals.Eventually 56 million credit and debit card data wasstolen. The Home Depot vulnerability could havebeen prevented. While the network environmentdid have the Symantec Endpoint Protection, theNetwork Threat Protection feature had not beenturned on. While this may not guarantee security,it would have certainly made life more difficultfor the hackers. Moreover, the policy seemed tobe deficient in terms of a proper vulnerabilitymanagement program.Policy ConsiderationsThere are a variety of technical and human factorsthat contribute to the inevitability of a breach. In amajority of the cases, fingers have been pointed tothe technical inadequacy of the enterprise. In thecase of Anthem, it was the lack of encryption. ForHome Depot, it was the lack of technical controls toprevent malware from collecting customer data. AtTarget, there was a basic networking segmentationerror.Occasionally we hear issues related to policyviolations. In the case of Anthem, the USDepartment of Health and Human Services mayimpose a fine of some 1.5 million because ofHIPAA violations. In many instances efforts aremade to ensure security policy compliance throughrewards, punishment or some behavioral changeamongst employees. Rarely do we question theefficacy of the policy. Was the policy createdproperly? Was it implemented adequately?Were various stakeholders involved? Were thereany change management aspects that wereconsidered? These are some fundamental issuesthat need consideration.Unfortunately, these questions never getaddressed. Security policies keep gettingformulated and implemented in a top-downcookie-cutter manner. Organizational emphasisremains on punitive controls. And little attentionis given to the content of the policy and how it isrelated. So, how can organizations ensure thata coherent and a secure strategic posture bedeveloped? Security education, training, and awarenessprograms need to be established andmonitored on an ongoing basis All constituents are given access tocybersecurity strategic goals, which helps ininculcating ownership and hence compliance Various stakeholders should be involved andencouraged to participate in cybersecuritydecision-making, which helps with increasedcompliance.Reputation andResponsivenessReputational damage is significant following adata breach, particularly if a company fails torespond promptly. Following the Anthem, Sonyand Home Depot breaches various social mediaoutlets criticized the companies their delayed orinadequate response regarding the breach. Interms of crisis management, a three-day delay isconsidered significant. Post-crisis communicationand a response strategy are essential to ensurethat the right message gets through. Transparencyin how the breach is being handled has its addedimportance.Another well publicized breach was that ofJP Morgan, were hackers were able to stealconfidential data for nearly 76 million UShouseholds. The author and a colleague statedcollecting twitter data following the JP MorganChase breach in order to undertake a sentiment3

analysis. Our objective was to assess how howindividuals reacted to the breach. 39,416 tweetswere collected during the month of October 20146.Analysis of the results suggests that more thanhalf of the tweets expressed negativity. Othersignificant findings included: When a data breach responsibility is attributedto a company, it results in negative emotions,which in turn translates to negative word ofmouth and even severing relationships withthe enterprise. If the negativity related to the breach is high,it results in a quicker spread of the negativeword of mouth sentiment (in our case, Twitterposting exhibited a shorter re-tweet timelatency). The initial security breach responsibilityshapes the reputation of the firm. Hence, it isimportant to frame the message and securitybreach responsibility since it has a directreputational impact.Risk and ResilienceWhen a data breach occurs, post-crisiscommunication is perhaps the only opportunitythat a company has to repair its reputation. Crisissituations can potentially have many negativeconsequences, ranging from losing customers,profitability, and market share to declining stockprices and job losses. A much less explored, butvery important factor, is the impact of a crisis onorganizational reputation. Corporate risk andresiliency planning are important for organizationsto be able to bounce back from disruptionsand thus retaining stakeholder confidence.Understanding and identifying potential adverseevents in computerized networks is important forplanning and implementing resilient mechanismsto defend, detect, and remediate from suchthreats. The risk reduces when organizationsimplement both resilient technical and socioorganizational mechanisms. There is a need tointegrate risk and resilience mechanisms into theorganizational culture to prevent security breaches.There are four key characteristics of any risk andresilience approach:4 The approach should provide a holisticframework, which assesses the systems andtheir interactions – from a system to thenetwork; from the network to the organizationand subsequently the societal impact The approach should emphasize capacity tomanage the range of hazards. There need to be options for dealing withuncertainties, surprises, and any potentialchanges The focus should be on proactive managementHence a system that effectively reduces risks isgoing to be more resilient to the security breaches.Risk reduction means a deflection of risk andrisk sharing. Also an ability of an organizationto prepare for the surprises and effectivelyresponding to the breach incidents characterizesorganizational resilience.GovernanceWell-considered governance is at the core ofany successful cybersecurity program. Manyimportant aspects require consideration - policy,best practices, ethics, legality, personnel, technical,compliance, auditing, and awareness. Weakgovernance is often considered to be the causeof organizational crisis. Over the past severaldecades, we have observed that in institutionswhere governance was poor or the structures ofaccountability and responsibility were not clear,they have been susceptible to cybersecuritybreaches. For instance, the multi-billion dollarloss experienced by Société Générale because ofviolation of internal controls by Jérôme Kerviel.Similarly, the case of Barings Bank where NickLeeson circumvented established controls. SociétéGénérale and Barings Bank showcase a lack ofgovernance as the prime reason for the securitybreaches. Key principles for a sound and robustsecurity governance include: Senior leadership commitment to cybersecurity is essential for good securitygovernance Cyber security is considered strategically withdue consideration of risk management, policy,compliance and incident handling

Clear lines of communication are establishedbetween strategic thinkers and operationalstaff.Steps to avoid a potentialattackManagers can take steps today to avoid potentialbreaches and mitigate damage when breachesoccur. There is a vast amount of data from manysources that purports to answer exactly how toprepare for the inevitability of a cyber attack.Because the nature and purpose of every attackis different and the composition of every businessis different, there is no single prescription forprevention. However, by boiling down the datafrom multiple sources, we can derive a list of highlevel practices that all organizations should adopt. Executive buy-in In order to create an optimalcybersecurity policy, support hasto come from the top levels of theorganization. Security must become acore part of the organizational culture. Fully understand your risk profile By knowing your industry and itsattack vectors, what is valuable to yourorganization and how to protect thoseassets, security personnel can effectivelycreate, support and promote cybersecurity initiatives. Identify and classify different cyberattackscenarios. Take threats seriously Many organizations understand thefull extent of the damage that can bedone during an attack as well as theaftermath. However, many companieschoose to ignore the possibility of suchan attack happening to them, or they arewilling to accept the risk of not takingadequate precautions due to cost orcomplexity. Policy Enforcement Policies can be as simple as a strongpassword, but should ideally go wellbeyond passwords. Security policiesshould be documented and automatedwherever possible to avoid human erroror omission. Circling back to ExecutiveSupport, policies should be a part of theculture that everyone chooses to follow. Keep things in simple terms that non-ITexecutives and users can understand. Training Security awareness and policyenforcement is crucial in order to createa security culture within an organization.Awareness of policies, security andother, should be of paramount concernto all organizations. There should be specialized training forthose that deal with the most sensitivedata in the company. Employee Screening Not all possible employees possess thesame moralities as the business ownersand stakeholders. Employees shouldnot only be screened to ensure thattheir skills meet the requirements of thepositions but, more importantly, thattheir beliefs closely match those of theorganization. Remember that people are often theweakest link in a security chain Offline backup of critical data Data is the lifeblood of an organization.Data loss is often as damaging,monetary and brand, to an organizationas a data breach. Many organizationsnever fully recover from data lossevents, some go out of business entirely.A copy of critical data in a secure offsitelocation is one small step that shouldnot be overlooked. Invest intelligently in security Information overload prevents manyorganizations from making intelligent5

security decisions. There are a thousandvendors pitching a thousand variantsof “best practice” security models.Create a plan based on the needs of theorganization and implement policiesand tools that augment the plan. Avoidtying your security policy to any vendor’ssoftware or hardware. There is no “onesize-fits-all” solution. One of the more direct methodsfor avoiding a security breach is toimplement application whitelisting.Application whitelisting can preventmany forms of a breach where thespoofing of an application allows a virusor malware to traverse firewalls andscanners without detection. Keep systems updated Another direct method for avoidinga breach is simply to apply securitypatches to software and hardwaresystems on a prompt and routineschedule. This may appear to most as a“no-brainer” but is often overlooked.The detailed list above describes concepts thatevery organization should consider to improvetheir cyber security preparedness. These conceptscan be tailored to fit the individual organizationculture and data protection requirements.Regardless of the specifics, every organizationshould understand the company’s security chain.The CEO must enable the Chief Compliance Officer(CCO), the Chief Privacy Officer (CPO), the ChiefInformation Officer (CIO) and so on, to ensureeach understands their role before, during andafter an attack. Working together, these individuals1Install sensors ormechanisms to collectpotential hazards2must create and own an enterprise-wide Incident(or Risk) Management Plan, a Data Managementprogram, an Incident Response Plan andcommunication/reporting plans.Once the above initiatives are in place, moredetailed workflows, such as the ContinuousDiagnostics and Mitigation (CDM) program fromthe Department of Homeland Security (DHS), canbe adopted. This program utilizes commercialoff-the-shelf (COTS) software and hardware tocontinually monitor for security related eventsas well as continuously improve upon processesand risk prioritization. A CDM-style framework,see figure 1, also provides a practical model thatany organization can adopt and tailor to meet itsspecific cyber security requirements.In this day and age managers have to be proactivein preventing an attack. No longer is the questionasked if companies will be hacked but rather whenthey are hacked what will be the protocol. Beingvigilant about even the smallest and seeminglyinsignificant changes can be extremely useful. Toprotect customers and employees from havingtheir financial or private information stolen, bothindustry and governments have implementedregulations with the intent of securing againstcommon cyber-attacks. To combat credit cardfraud, the Payment Card Industry created the DataSecurity Standard that requires merchants whoprocess credit cards to take specific measuresthat help protect against hacking attacks. TheEuropean Union, United Kingdom, United States,and Canada are among the governments that havealso instituted privacy acts meant to regulate howbusinesses protect their customer and employeedata from malicious hackers.In addition to the fees and legal ramifications thatcan come as a result of failing to comply with the3Automatic search atregular intervals forpotential flawsCollect results fromdifferent divisions and/orstakeholder groupsSystem Scans on a continuous basis66Report progress andcontinuously improve5Fix the most criticalissues first and developa priority list4Triage and analyzeresults on an ongoingbasisFigure 1, Continuous Diagnosis and Mitigation Framework

different regulations, hacking attacks can alsodamage a company’s reputation or brand to thepoint that they lose customers and revenue. Acompany who is in the news because they havebeen hacked is sure to lose the trust of even theirmost loyal customers. The same happens withweb sites that are identified as containing spamor malicious scripts. Once this is known, mostvisitors will stay away. A company’s brand, oncedamaged, may never be restored to its formerstatus. Despite the restoration of services at SonyPictures after the breach earlier this year, theSony brand continues to fall under scrutiny. Whilemonetary losses from the breach were significant,losses because of a damaged brand will continueto plague Sony for years.How to respond when abreach occursAs discussed above, managers and organizationsshould take preventative steps to avoid the risk ofa breach occurring. After spending time planning,spending money, and training employees,someone still manages to break through theorganization’s security measures? What do youdo now?! Once a breach has been discovered, theorganization should take the following immediatesteps to limit the breach.Step 2: Attempt to limit additionaldamageThe organization should take steps to keepan attack from spreading. Some preventativestrategies include: Re-routing network traffic Filtering or blocking traffic Isolating all or parts of the compromisednetworkStep 3: Record the detailsThe information security team should keep awritten log of what actions were taken to respondto the breach. The information that should becollected include: Affected systems Compromised accounts Disrupted services Data and network affected by the incident Amount and type of damage done to thesystemsStep 1: Survey the damageStep 4: Engage law enforcementFollowing the discovery of the breach thedesignated information security team membersneed to perform an internal investigation todetermine the impact on critical business functions.This deep investigation will allow the company toidentify the attacker, discover unknown securityvulnerabilities, and determine what improvementsneed to be made to the company’s computersystems.A major breach should always be reported to lawenforcement. The law enforcement agencies thatshould be contacted are: The Federal Bureau of Investigation (FBI) The U.S. Secret Service (USSS) The U.S. Immigration and CustomsEnforcement (ICE) The District Attorney State and Local law enforcementMany companies wait until after a security breachbefore contacting law enforcement, but ideally theresponse team should meet with law enforcementbefore an incident occurs. The preliminary7

discussions would help an organization know whento report an incident, how to report an incident,what evidence to collect and how to collect it. Oncethe incident is reported, the law enforcementagency may contact the media and ensure thatsensitive information is not disclosed.Step 5: Notify those affectedIf a breach puts an individual’s information at risk,they need to be notified. This quick response canhelp them to take immediate steps to protectthemselves. However, if law enforcement isinvolved, they should direct the company asto whether or not the notification should bedelayed to make sure that the investigation is notcompromised. The individuals are usually notifiedvia letter, phone, email, or in person. To avoidfurther unauthorized disclosure, the notificationshould not include unnecessary personalinformation.Step 6: Learn from the breachSince cybersecurity breaches are becoming a wayof life, it is important to develop organizationalprocesses to learn from breaches. This enablesbetter incident handling, should a company beeffected by a breach in the future. Some learningissues include: Document all mistakes Assess how the mistakes could have beenavoided Ensure training programs incorporate lessonslearntThe above responses to an event in progressshould not be a surprise. These reactions shouldbe rehearsed components of an organization’sCyber Incident Response Plan. Keep the plan up todate. Without a plan, confusion ensues and costlymistakes will likely be made. Working a plan willshow to law enforcement and the public that yourintentions are good and will likely reduce fallout.Ensure the plan calls out Key Assets. Have thoseresources at the ready. Identify tools and processesthat will be used and followed. Knowing yourindustry and what is valuable to your organization(or what is valuable to someone looking to exploityour resources) will allow you to understand theattacker’s intent and allow for proper assessmentof the threat and proper plan execution. Have apost-attack plan to ensure effective triage afterthe event. Use this plan to prioritize the effortsrequired to recover from a cyberattack, understandthe extent of the damage, and minimize furtherdamage. Close gaps in the environment and workthe plan in such a way that it prevents causingmore harm. Once again, document everything.Thorough documentation fosters credibility foryour organization, prevents repeats of mistakes,and produces confidence throughout theorganization. Figure 2 summarizes the responseprocess for a cyber security breach.How to respond to a breachA six step processSTEP 1STEP 2STEP 3STEP 4STEP 5STEP 6SurveyLimitRecordEngageNotifyLearnSurvey thedamageLimit additionaldamageRecord extentEngage withlawIdentifyaffectedpartiesDocumentlearning pointsIdentify theattackerFilter trafficFind effectsIsolate ectwith DistrictAttorneyNotify affectedpersonsEngage withFBI InfragardSeek legalcounselProactivelyensurelearningFigure 2, How to respond to a breach8

Best practices: How to beprepared for an intrusionCompanies should use good judgment in avoiding,preparing for and managing security events (evenpresumed events). History shows us a mixed bagof responses by major organizations. In Target’scase, during the 2013 attack where payment cardreaders were infected, much evidence points tonegligence by the retail giant. The retailer’s FireEyemalware detection product was found to beperfectly functional. In fact, the software found thesame malware infection on consecutive attacks.There is an assumption based on these facts thatTarget either did not know how to read the datathat the monitoring tools were reporting or thatthey intentionally neglected to report the breach.The net effect of either ignorance or negligencewas huge brand damage to the retailer and salesnumbers dropped for some time. Having anadequate response plan along with notifying lawenforcement an

Home Depot. Sheer embarrassment. In the case of Home Depot, in September 2014 the company announced its payment systems . were breached which affected nearly 2,200 US and Canadian store locations in a cyberattack that may have started as far back as April 2014. Embarrassingly, Home Depot wa