Cyber Security Breaches: Lessons Learned and Best Practices

Jun 26, 2023

We all hope that the worst won’t happen when it comes to cybersecurity and data breaches. However, in today’s environment, it’s important to acknowledge that it can happen to anyone. It’s crucial to practice and understand what actually occurs during a breach, the responsibilities involved, and the steps to be taken both during and after the incident.

In the past few months, we’ve had the opportunity to assist a client in managing a data breach and observed what worked and what didn’t. As always, having privacy and security policies in place, along with built-in controls, greatly assists a company and its employees in addressing cybersecurity issues. The following are some of the solutions that proved effective in this particular case:

The company was in the process of adopting a security posture and implementing policies and controls when a breach occurred. Customers began reporting that their personal data had been breached and was being sold on the Dark Web. Experian and LifeLock notified their subscribers about the newly discovered data on the Dark Web.

As the investigation unfolded, various policies and their corresponding controls were put into action:

  • Website breach: The Vulnerability Management policy stipulates that static and dynamic code scanning be conducted. We reviewed the scan results and found no issues. Additionally, we enforced TLS 1.3 for client connections and encryption of the database at rest, in accordance with the backup and encryption policy.
  • Data classification and protection: Since we determined that only customers’ phone numbers and email addresses were breached, the IT team could narrow down the risks. Following the Risk Assessment and Incident Management policies, the team focused on the customer-facing application (as dictated by the Inventory Policy) and on G Suite products, such as Google Drive and Email, as potential areas of data leakage. The Data Leak Prevention (DLP) solution deployed on G Suite, as required by the Company’s Data Leak Policy, showed that no data had leaked through those products. Furthermore, logs were examined for forensic evidence in accordance with the Logging and Monitoring policy.
  • Centralized log for data leak evidence: While the company had a logging policy in place, there wasn’t sufficient funding at the time to implement a working SIEM (Security Information and Event Management) solution. Consequently, proper threat hunting couldn’t take place, and logs from all applications, such as the shipping server and the customer order database, weren’t available. Although an MFA (Multi-Factor Authentication) policy existed, MFA wasn’t enforced on the publicly accessible Customer Order application, in violation of the Access Control Policy. The shipping server was also running an outdated operating system, violating the Patch Policy. Therefore, because not all controls were in place, the organization could not demonstrate that these systems were not the source of the leak, and the burden of proof remains on it.

Lessons learned: The company needs to catch up by investing approximately $100K to properly implement DLP on all endpoints, provide employee training, and ensure the proper collection and monitoring of application and access logs. Additionally, it is essential to fully adopt these policies with the assistance of the CISO.

Here is a discussion with Eugene deFikh and Jonathan S. Schwam on the breach; we hope you enjoy it!
