Reading Between the Lines of Breach Notifications
Back in September 2012, I wrote two articles for Point2Security on how to effectively handle breach notifications:
Sadly, too many organizations do something entirely different when it comes to post-breach notifications. I like to take the time to read various breach notifications and see whether I can pick up additional clues from what is said, and from how it is said.
Let’s take a couple of recent examples and see what we can find:
South Carolina, Department of Revenue
In the South Carolina breach, here are several of the statements that stand out to me:
S.C. DOR last week announced that approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers had been exposed in a cyber attack, and today state officials said that information from up to 657,000 businesses was also exposed.
My Translation: We know that hackers were on our network, and we know that they likely had access to the area where SSN and credit/debit card data is stored, but we have no access logging or data-access monitoring in place to confirm what was actually read one way or the other, so we have to assume that all of it could have been accessed.
"South Carolina is compliant with IRS rules, but the IRS does not require SSNs to be encrypted, she said," wrote Computerworld's Jeremy Kirk. "The state will now encrypt SSNs and is in the process of revamping its tax systems with stronger security controls. She said she has sent a letter to IRS to encourage the agency to update its standards to mandate encryption of SSNs."
My Translation: Despite constant news of breaches and attacks, we are not going to try to keep up with any best practice unless a regulator forces us to. You can only imagine what security tools and training we have in place.
Etter (James Etter, director of the Revenue Department) also disclosed Tuesday that the hacker was able to breach the Revenue Department’s system by somehow obtaining employee credentials. He said about 250 employees have special credentials that allow them access to the system. He declined to say whether the state knew whose credentials were used.
My Translation: Due to the lack of authentication logging and monitoring, it has been difficult to determine which of the 250 privileged credentials were used. And we’re somewhat embarrassed about whose account appears to have been compromised, so we’re trying to figure out a good way to phrase it. Look for a resignation soon, which might give some clues.
From the executive order signed by the governor on October 26, we see the following:
NOW, THEREFORE, I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies, on a comprehensive and holistic basis, pursuant to his authority under Chapter 6 of Title 1 of the South Carolina Code of Laws with the following additional guidance:
My Translation: Most, if not all, of our major agencies currently lack an information technology officer, and certainly not one with the clout to implement policies and procedures. This might explain why our technology infrastructure is so inadequate as it pertains to security (and probably IT operations in general).
The remainder of the executive order highlights a lack of leadership and staffing for both the information technology and information security teams.
Zaxby’s
As for Zaxby’s, I found it interesting that the breach announcement wasn’t even on the home page. I had to go to the News page, and then click on Security Awareness, which took me to an entirely different domain: DataPrivacyInformation.com. I’m sure that there are a couple of legitimate reasons not to have one’s security and privacy notices attached to one’s primary domain, so I won’t comment further upon that.
Credit card processing companies identified certain Zaxby’s locations as common points of purchase for some fraudulent credit card activity. Zaxby’s Franchising, Inc. assisted those stores in reviewing the issue, and during the course of the investigation identified some suspicious malware files on the licensees’ computer systems at several Zaxby’s locations.
My Translation: We lack any effective tools and processes for detecting breaches ourselves, so we were reliant upon the card processors’ anti-fraud systems to notice that our stores were the common point of purchase. Additionally, we feel free to use the term “several” for any number greater than two (2) but less than one thousand (1000), since the number of affected stores is close to one hundred (100).
Although the forensic investigation has not determined whether credit or debit card data left the processing systems of any of the locations, Zaxby’s Franchising, Inc. is concerned that the existence of the suspicious files could indicate that an attacker or attackers may have accessed data, including credit and debit card information.
My Translation: We know that there is malware on the systems, but because we lack network monitoring and egress logging, we cannot determine whether card data was accessed or exfiltrated, so we are assuming that it was, to be safe.
Zaxby’s Franchising, Inc. is working with all of its store locations to implement additional security measures to prevent further intrusions. A list of affected store locations can be found by clicking here and will be updated as appropriate.
My Translation: Looks like we finally have a solid business case to purchase the tools and hire the staff that were previously requested. We’ll likely implement an IPS and some monitoring tools. If customers are lucky, we’ll add encryption this time around.
Below are just a few of the coded messages found in most breach notifications:
- If encryption is not mentioned, then it isn’t in place.
- “Implement additional security measures” means “buy some security tools, especially monitoring, and possibly encryption.”
- “Improve our processes and procedures” means “develop an information security policy, and apply more firewall rules to stop the wrong people from having access.”
- “Streamline our security operations” means “hire a separate security team, and split that role from the operations team.”
- “Takes security seriously” means “despite how the rest of this report sounds, …”
If organizations would stop assuming that they will never be hit, they would be better prepared to stop, catch, or greatly limit attacks, and their breach notifications would read far more reasonably.