
You’ve Been Breached – Now What?

What is your course of action when hit with a data breach? It is critical to be prepared for a data breach at any moment. Are you prepared?


TOM: Welcome, everybody. This is Deep Dive #20 for those of you that are keeping score. This is not a competition. It’s just a webinar, okay? Today we’re going to talk about “You’ve Been Breached… Now What?” What happens now? We’ll go through some things and introduce myself in case you didn’t know: Tom Kirkham, Founder and CEO of IronTech.

And today we’ve got a very special guest, Mary Uhrina. I’m going to do an intro for her on a couple of slides that she’s going to talk about here in just a few minutes. Then at the very end, we’re going to announce something that we’re going – actually, we’ve got two things we’re going to announce today. But we’ll get to that. Let’s keep it a surprise.

Those of you that have been through the webinar and Deeper Dives, things like that, you know that everything we do conforms to the NIST Cybersecurity Framework. Part of that is developing an incident response plan. “What do I do when something happens?”

The cost of a data breach is really expensive. In 2016, IBM co-partnered with another company, and they did a cost of data breach study. It’s based upon cost per record. If you think about patient records, if you’ve got 1,000 patients, in 2016, 1,000 patients would cost the firm or the practice $158,000. So it was $158 per record.

Now, they also discovered that the research indicated that if the victim or the facility, the organization, whatever it is, actually did have an incident response plan in place, then it reduced that cost to $142 per incident. It takes about 10% off the total cost in mitigating a data breach. Killing it and getting over it and doing post mortems and PR and all of these different things. So you really need to do this. It’s part of the “Respond” part of NIST Cybersecurity Framework.

What does it consist of? Well, you’ve got to have a data inventory and also an equipment inventory. I forgot to put that on there, but you’ve got to know what you’re trying to protect. Remember that core of the onion that we’re going to wrap all these layers around. Whatever you’re trying to protect, whether it’s a financial database, patient database, customer list and credit card numbers, birthdays, Social Security numbers.

But also, especially for those of you that use industrial control systems or SCADA devices, you’ve got to protect them and be alerted because they have firmware and they do have vulnerabilities. Firmware is notorious. Companies that make hardware devices, until recently, treated the software that was embedded in those systems as – gosh, some of them hard-coded the password to access it. There are still some sloppy practices going on in the firmware business. So if you’ve got any sort of ICS or SCADA device, you’d better really consider that a nation-state could very easily attack a certain Siemens controller and release it on a utility. So you’ve got to know what you’re protecting.

Then you’ve got to monitor and audit. Once again, NIST CSF. We want to be able to monitor for anomalies or security events or what could be a security event, and then we have to discover it. We’re just looking for things out of the ordinary. But a lot of people forget about the audit part. That would be like QuickBooks. Maybe you’ve got 3 users in QuickBooks, but somebody leaves or is fired or whatever, and you never delete them out of access to QuickBooks. Those can stack up. It could be a computer network, online bank access.

No matter how trustworthy that individual is – yes, they could do something malicious; we’ve talked about malicious insider threats. But just the fact that there’s another set of credentials available to access that application or the bank account or website, whatever, that increases the attack surface just because it exists. Makes it less secure.

Many of you are going to have compliance requirements. If you’ve got financial records, you’ve got to be compliant with Sarbanes–Oxley, maybe. There’s some others I can’t think of off the top of my head. Health, dentist, anything that’s got patient records – could be a law firm that has patient records for whatever reason, personal injury, I’m thinking – you’re subject to compliance with HIPAA. Then you’ve got to assess your legal risk and your financial risk. This should be done early on, at the time you’re doing an inventory.

Then finally, you’ve got to have a properly prepared crisis communications plan. That is to not only communicate to regulatory agencies because you’re required to, or maybe your state – most states have a law requiring any business to report a data breach – but it also especially includes the press or media relations.

That’s just the basics of the overall 50,000-foot view of an incident response plan. Once again, forgot to start the fancy animation. Just throw it together.

Now, the technical response – because we are the ones monitoring it for most of you guys. Occasionally a client will report it to us first, but most of the time, all of the time, we’ve got a set of eyes or multiple pairs of eyes looking at control panels in the command center and this, that, and the other, looking for those anomalies.

We’ve got a tool that just works with industrial control systems. It’s a log ingester. Getting a little nerdy on this, but basically all of these devices have logs, and it’s just a tremendous amount of data. A really good SIEM tool analyzes those logs and then alerts us to anomalies that need to be investigated by human beings. But the very first thing we’ve got to do is stop the attack. Slow it down, stop it, bend but not break through using those multiple layers.

We respond according to the specific threat, and perhaps knowing who the threat actor is – those nation-states and criminal syndicates that I’ve talked about several times. Could be a vendor. It’s a non-malicious vendor that’s somebody accessed through them that may have access to your systems. Once we determine that, we want to remove that intruder. Sometimes we don’t know this until we do a post mortem, but we need to find out what the attack vector was as soon as possible. That needs to start really immediately.

And then we’ve got to assess the scope of the breach so we can make advisements and consult with the boss, CEO or the manager or the president or whoever is where the buck stops. Who’s going to be in charge of this breach? We’ve got to give them accurate information as soon as we possibly can so we know the scope of it. If it’s an attack on a SIEM device, we already know, more than likely, there was no patient, client, or financial records released if it was a very targeted response.

These days we’ve got multi-vector attacks, and especially in the case of ransomware, they almost always drop backdoors and keyloggers on the network because that’s another source of revenue. We’ve talked about that before. Anyway, as this attack is being remediated, we have to advise you, the manager, the president, the owner, as soon as we know something definite. “This is what the scope is, and this is how soon we’re going to be able to stop it, and this is what records, what equipment was affected. This is going to be the outcome, more than likely.”

And finally, any good security company is always going to do a post mortem after the fact. Once all the fire is put out, the intruder is off the network, we understand the attack vector, we still go through everything and say, “Where did those layers to that onion break? Did we deem this tool too expensive, and we worked with you to say ‘Okay, we recommend it, but…’” – I know everybody’s got budgets, but if we discover that we were missing a layer of the onion, we need to know those things.

Threats evolve constantly, and since, like I’ve said, the NSA was breached in 2018, or late ’17, the threats are totally different, and they’re evolving all the time. In fact, today we were on a meeting internally and we were talking about paying ransoms or not paying ransoms, and this, that, and the other. There was a threat being described in this article that sounded suspiciously like it was one of the NSA tools that a nation-state was using. It really did sound like it was the Stuxnet that the United States and Israel used to destroy the centrifuges that Iran was using to refine plutonium.

At any rate, the more we understand the attack after the fact, the better our response can be going forward. It could be that environment or other environments.

But the main thing that you may have to deal with is crisis communications. Now, Mary’s on the call here, and she’s a brand strategist and PR maven dedicated to being a part of teams whose lifeblood comes from building brand and community trust. Mary has received recognition by her peers in the business marketing world, garnering numerous Tower Awards for excellent work, and she’s been honored with the coveted Madonna Award for professional excellence from Mount Mary University.

Among the many crises events that Mary has worked on – and I’m going to date myself here, but they include the Tylenol scare, when I think they were tampered with and they had cyanide put in them. That was a big deal back then. Nothing was sealed back then. You could just open up a tube of toothpaste and whatever. The drugs were the same way. No one would’ve thought somebody would want to kill people by using that attack vector.

Anyway, she worked with a team that worked on that, and she also did some Six Flags death incidents, I think on rollercoasters. I don’t know all the details about that, but these are serious crises when you’re talking about death. It doesn’t get any worse than that. Some of you – hopefully it’ll never happen to you, but you are dealing with critical infrastructure and things like water, public drinking water.

Hopefully I didn’t butcher her bio too much. Having said that, I want to turn it over to Mary.

MARY: Hello, everybody. Glad to be with you this afternoon. Wish we were talking about something more fun, like my Chicago White Sox being in the playoffs for baseball instead of crisis communication. But believe me, crisis communication is a darn important thing to be prepared for.

When crisis strikes, we need to communicate and we need to do it right. What I like to say is we need to stay off the blunder list. Some of my colleagues call it the “cringe list,” where you just cringe when you hear a company make a statement and say, “Ooh, that was the wrong thing to say. People aren’t going to respond to that.”

In the last year, we’ve had some pretty memorable blunders. If you think about Boeing, when the 737 MAX jets had their two bad accidents, they made a statement that said they’re going to make them “even safer” – which was a really strange comment that could be interpreted as meaning that the planes weren’t as safe as Boeing could’ve made them in the first place. Then piling on top of that, their former CEO said in a news conference that they “followed exactly the steps in their design and certification processes that consistently produce safe airplanes.” Well, it was clear to the public and everyone else that those airplanes weren’t safe if they were crashing. So Boeing didn’t admit fault. They said they did everything right, and they never said that they were sorry. That’s kind of a cringeworthy moment, if you ask me.

If you go back to the Volkswagen crisis that started in 2015 – and unfortunately they still haven’t recovered from it – they were manipulating their engine controls to pass emissions tests, and they didn’t handle that scandal well at all. First of all, they denied that they did it, and then they shut down social media, which prior to that was a huge means of communication for them and their community. And they never admitted fault. Again, that’s another cringeworthy moment. The executives even said that they didn’t know what was going on. It’s their company to run; how can they not know what’s going on?

And then Wells Fargo, we all remember their employees opening 2+ million bank accounts and credit cards without customers’ knowledge to meet some quotas that had been put forth. They got fined by the feds and the state of California. The CEO didn’t come out with an apology. The company issued a statement that was attributed to no one and downplayed the incident. They said that while the circumstances were unfortunate, it wasn’t really a big deal – that they were committed to putting their customers’ interests first 100% of the time, and they regret what happened and take responsibility for any instances where customers may have received a product they did not request. That’s as far as they went with an apology from their end. It’s very bizarre.

College admissions this past year. Celebrities and very well-known people were paying colleges and universities to get their kids in as students. There was no cohesive voice from the colleges talking about what their standards were, and there was no cohesive voice from the parents, if they were admitting or not admitting that they were in the wrong.

On a more – well, I say a fun note because it’s the royals, but Prince Andrew and his relationship with Jeff Epstein, he had no remorse. He acknowledged that he had a relationship with the man and showed no remorse in his actions or his words, and we know how that all worked out. He’s not really an active part of the Royal Family anymore with a job.

Those are just some interesting big blunders of the past year. But don’t discount it; it is in our own backyard. Just last month, in Clark County, which is a school district in Las Vegas, the school district suffered a ransomware attack, and they decided that they were not going to pay the attackers. So the attackers went ahead and published stolen data on the students and teachers. The superintendent never admitted fault, never admitted that anything was amiss, did not come forward with a plan or any communications with the students and parents of how this was all going to work out, and that is still coming back to haunt them.

In the past year, it’s cost $144+ million, just in 2020, to municipal governments, universities, and private business for just ransomware. It’s top of the mind right now. Going back to the school districts, some of those school districts that have been breached have paid anywhere from $25,000 to $200,000 in ransomware, plus they have to, as Tom was mentioning, rebuild their servers and assess the viability of their equipment and spend more money on that. So it becomes a huge financial burden for any organization.

A ransomware attack is one attack vector where sensitive customer data or organizational data can be compromised. In your situation, a malcontent could contaminate your water supply, or the water system fails or someone shuts it down, even worse. The key here is that you need to be ready with a plan. My hope as a crisis communications professional is that we create the crisis plan, we practice the crisis plan, we dust it off a couple times a year to make sure that it’s still valid and updated, and we never have to use the crisis plan.

But it’s all about what Tom preaches. It’s that preparedness and it’s the training of the people so that everyone knows their role should there be a crisis. You don’t need a high-priced consultant. All you need to do is think it through, and you need to always think transparency. I think now, with what’s going on in our country, we all understand what transparency is and how we want information served to us. The media is no different from that.

The difference here is, in a crisis situation, you can’t control the media. You need to give them your message and you need to make sure that it’s fair and that they understand it, but you can’t control what they write or broadcast. That’s a given forever and always.

So we’ve got 6 steps for crisis communication. It’s fairly simple and straightforward. Again, as I said, you just need to think it through and have it committed to by the organization.

First, in the case of a crisis, you have to verify the crisis situation. What happened and where did it happen? When did it happen? Who’s involved with what happened? How did it happen? And what’s currently being done to rectify the situation? Sometimes there aren’t answers for all those questions, and that’s okay. But again, that transparency means that when you communicate with your audiences, who may or may not include the media and the regulatory agencies, etc., you need to be transparent and tell them what you know and what you don’t know and how you plan to move forward.

Once you verify the crisis situation on the spot, you have to notify and gather your team. They should be clear on their roles, and the key spokesperson, who’s probably your manager, needs to be trained to handle that key spokesperson responsibility and be available to your key audiences and the media.

Then we talk about assessing the crisis level. That drives how your communications works. Is it highly intense? For example, in the Six Flags example that Tom gave, people died. That was a tragic, horrific situation, so let’s say that was a highly intense situation.

The Tylenol situation was less tense; people didn’t actually die, but it was widespread because Tylenol is a very well-known brand, very well-used brand, and it’s a large company. So that was intense on the scale, and Johnson & Johnson did a good job of handling it.

Then there’s moderately intense. The public is aware of the situation or the event, but it’s attracting very little attention. For the water utilities, that might be that your communications systems are shut down – something that’s not threatening lives.

And then minimally intense is just something weird or bad that happened that you didn’t have control over, but you still need to let people know that it happened because it may affect some of their goings-on in their daily life.

You need to develop messages, and that means you need to put yourself in the victim’s shoes. When you develop your messages, a lot of organizations decide that they want to script those messages. That’s not a bad idea. There’s a tool that we use called message mapping, which helps make those pre-scripted messages and develop new messages easily for you and then figure out the best delivery for those messages.

Managing the communications means that you know who you’re going to talk to. You have a prearranged list and knowledge of who’s important that needs to be communicated with – again, the regulatory agencies, the media, your customers, your employees, families of employees if employees are affected, and so forth.

Then lastly, as Tom was talking about in a different context, you need to monitor your message and be ready to give feedback. Make sure that what the media is digesting and what your key audience is digesting is on target, it’s correct, and give feedback and continual communications going forward to clarify and keep them updated on what’s happening with your crisis.

Again, it’s not difficult. It’s some key steps. The key is having the team in place to be able to fulfill those steps and bring it forward.

That brings me to our Crisis Communications Toolkit. We at IronTech are developing an easy-to-use toolkit for you. It contains easy-to-understand explanations of all of the terms we use, all of the steps that have to be taken, some hints and tips. It includes templates that are for real-world use. That means that you can take these Word templates and essentially fill in the blanks and make it yours and have that ready to go. You don’t need to reinvent the wheel here and decide on what the appropriate format or the appropriate context is for your messages. We have that.

And then we have a media training add-on tool, which I know Tom is as excited as I am about. We happen to be acquainted with one of the media training experts here in the States. He’s an award-winning journalist, on-air personality with several network stations, and now his focus is simply speaker and media training. So we offer that as an option for you to be able to get your spokesperson trained and anyone else who may be on the communications frontline.

All of that is backed by – I guess I’m patting myself on the back – a crisis communications expert. Should you need it remotely or onsite, we can offer you the help that you would get from the finest consultants anywhere on crisis communications. What we can promise there is that it will be timely and there will be no lag in getting your messages brought forward.

In a nutshell, that’s it. Again, when crisis strikes, you need to communicate and you need to do it right.

TOM: Thank you, Mary. That’s a lot of stuff to learn there. Sometimes our Deeper Dives get a little deep. [laughs] Absolutely good advice. You do have to manage that stuff. I wish I had a dime for every time I said this – I used to say nickel, but inflation, you know. If you think you’re too small and it won’t happen to you, there’s no such thing. The attackers do not care and may not even know who you are, but they certainly don’t care. They only care if you’re really big. They still want to get $1,000 or $5,000 out of everybody that gets hit with ransomware.

Nation-states, with a certain Siemens controller or whatever that all water operators use, a SCADA device – a nation-state could probably figure out a way to get that deployed in a lot of different ways. Maybe they’ll do it as just an add-on to a ransomware attack. They add on keyloggers and backdoors for servers now. So it can happen to everybody, and if you’re following NIST, you know that you have to plan that it will happen to you.

The first surprise is we’ll have that available shortly. We haven’t set an exact date to release yet, but we’ll let you know whenever it happens. Or email us if you just want to get on the list for the release date and any other news around it, or if you’ve got any other questions. You can email us or call us at any time. You know the drill if you’ve been on these before; we’re highly available. You can chat with us on the website. It’s irontechsecurity.com/chat.

And then finally, we haven’t spoken about this publicly, so you’re the first to hear: our Calypso Cybersecurity Conference. We have it scheduled for April next year. It’s going to be a virtual conference, and we’re going to have a lot of speakers. Very talented cybersecurity speakers and maybe DHS, FBI. We haven’t got the full list. We know a few that are going to be in it. We’ll keep you posted on that. There’s plenty of time. What are we, 7-8 months out?

But if anybody – let’s see, how can I do this? Just for fun, why do you think it’s called Calypso? A hint is it has to do with diving. That may be too big of a hint, but if you get it, then you’ll know what it was.

At any rate, thank you, everybody, for joining us today. We do these every week at 2 p.m. What have we got next week, Kindsey?

KINDSEY: It is the structure of the NIST Cybersecurity Framework.

TOM: Oh, we’re going to get into those nitty-gritty boring details. That is some dense stuff. But we’re going to get into it a little bit more. If you know the 5 things, that gets you where you need to go, but we’re going to dive into it a little bit more. I don’t know if we’ve got any more housekeeping, do we?

KINDSEY: No, I don’t think so.

TOM: We didn’t put Mary’s contact info on here, but if you need to get in touch with her, just let us know. We’ll see you next week on Deeper Dive. Thanks.