Affect PROPRIETARY & CONFIDENTIAL March 4, 2010 Strategies - - PowerPoint PPT Presentation



SLIDE 1

PROPRIETARY & CONFIDENTIAL March 4, 2010 Affect Strategies

SLIDE 2

MANAGING A HACK: Orchestrating Incident Response to Preserve Brand Reputation

Sandra Fathi President, Affect Email: sfathi@affect.com tweet: @sandrafathi web: affect.com blog: techaffect.com

Cyber Security Summit Chicago

Sept 26-27th, 2018

SLIDE 3

SECURITY EXPERIENCE

SLIDE 4

CRISIS EXPERIENCE

  • Data Breaches, Identity Theft, Website Hacks, Malware (Multiple Companies)
  • Product Recall for Potential Lead Poisoning (Baby Product)
  • Hurricane Sandy, Hurricane Irene (ConEd)
  • Worker Strike, Manhole Cover Explosion, Building Explosion (ConEd)
  • Hit & Run (By Company Employee)
  • Sexual Harassment and Executive Misconduct (By CEO)
  • Executive Arrest for DUI
  • Terrorist Activity Interrupts Operations (Tech Company)
  • Foreign Mafia Threats on Executives (Tech Company)
  • Employee Kidnapping/Release by Militia (Tech Company)
SLIDE 5

ANATOMY OF A BREACH

How does it start?

  • IT discovers a breach
  • Customers alert company regarding an issue
  • Anonymous post on a social network
  • Employee finds data for sale on the dark web
  • A journalist calls
  • A hacker makes contact
SLIDE 6

BASIC INSTINCTS

1. Triage – Stop the bleeding
2. Diagnose – Identify the nature of the breach
3. Investigate – Find the root cause
4. Repair – Implement technical fix
5. Communicate – Inform executive team
  • Inform legal counsel
  • Inform marcom
  • Inform authorities
  • Inform customers
  • Inform media

Takes too long
Doesn’t always happen

SLIDE 7

SELF-PRESERVATION

Justifications

  • We don’t know if data was accessed
  • No critical data was accessed
  • It’s fixed. We’re out of danger
  • Very few customers were impacted
  • We don’t want to bring more attention to it
  • We don’t know all the facts, so we’ll wait until we do
  • We don’t want to appear incompetent
  • We don’t want to lose our jobs, customers, revenue etc.
SLIDE 8

ALL 50 STATES

SLIDE 9

ALL 50 STATES

SLIDE 10

WHO’S IN THE ROOM

Crisis Drills/Tabletops

  • Tech Leadership
  • Executive Leadership
  • Legal Counsel
  • Operations
  • Communications***

Photo Credit: CyberBit

SLIDE 11

FOUR PHASES OF CRISIS COMMUNICATION

SLIDE 12

I. READINESS

Anticipating a Crisis

  1. Crisis Mapping (SWOT Analysis)
  2. Policies & Procedures (Prevention)
  3. Crisis Monitoring
  4. Crisis Communications Plan
    • Crisis Action Plan
    • Crisis Standard Communications Templates
    • Crisis Drills

Photo Credit: CyberTraining 365 Blog

SLIDE 13

THREAT MAPPING

Departments: HR, Sales, Marketing, Finance, IT

Threat categories: People, Products, Facilities, Environment, Information, Other

Rank order from high risk to low risk

SLIDE 14

CHANNEL MAPPING

SLIDE 15

II. RESPONSE

  1. Develop materials:
    • Messages/FAQ
    • Prepared statements
    • Press release template
    • Customer letters
  2. Train employees:
    • Awareness
    • Anticipation
    • Organizational Preparation
  3. Prepare channels:
    • Hotline
    • Dark site
    • Social Media
  4. Data Breach/Customer Assistance Resources:
    • Microsite/Landing Page FAQ
    • Identity Theft Remediation Services
    • Force Password/Account Information Change
    • Special Customer Advocate/Team
SLIDE 16

PREPARING A RESPONSE

  1. Don’t delay
  2. Acknowledge situation
  3. Acknowledge impact and victims or potential victims
  4. Commit to investigate
  5. Commit to sharing information and cooperation with relevant parties
  6. Share corrective action plan if available
  7. Respond in the format in which the crisis was received**

SLIDE 17

PUBLIC BREACH NOTIFICATIONS

  1. What happened?
  2. What do we know?
  3. Who/what was impacted?
  4. How do we feel about it?
  5. What are we going to do about it?
  6. When are we going to do it?
  7. Who is involved in this process?
  8. When/how will we communicate next?
SLIDE 18

CUSTOMER COMMUNICATION

  1. Introduction: Why are we contacting you?
  2. What happened?
  3. What information was compromised?
  4. What are we doing to remedy the situation?
  5. What can you do to prevent/mitigate further risk?
  6. Where can you find more information?

SLIDE 19

III. REASSURANCE

Who to Reassure? All Stakeholders: Customers, Prospects, Public, Shareholders, Employees, Partners, Media, etc.

  1. Develop full response plan:
    • Policies & procedures
    • Technology
    • People
  2. Put plan into action: Immediate remedy
  3. Communicate results of plan and impact
  4. Reaffirm commitment to correction
  5. Demonstrate results of program

SLIDE 20

IV. RECOVERY

Rebuilding reputation, trust and customer loyalty. Implementing preventative measures for long-term crisis mitigation and/or prevention.

  1. Review need for operational, regulatory, environmental and employee changes
  2. Develop long-term plan including policies and prevention tactics
  3. Reassess crisis plan
  4. Regain customer/public trust

SLIDE 21

CASE STUDY: EQUIFAX

  • March – Apache vulnerability discovered, patch issued next day
  • May-July – Hackers infiltrate Equifax servers with more than 9,000 requests. ~145M records are accessed, nearly 44% of US population
  • July 29 – Equifax discovers breach
  • Sept 7 – Equifax issues public statement
  • Sept 8 – Equifax shares plunge 13.7%
  • Sept 12 – CEO apologizes in USA Today Op-Ed
  • Sept 15 – Equifax announces CIO & CSO are retiring
  • Sept 21 – Equifax admits sending victims to bogus website ‘securityequifax2017.com’
  • Sept 26 – CEO retires
  • Oct 3 – Former CEO testifies for the first time (of four) in Congress

SLIDE 22

MEDIA REACTIONS

SLIDE 23

CONSEQUENCES TO DATE

  • CEO, CIO, CSO ‘Retire’
  • 2 employees indicted for insider trading (CIO & Developer)
  • CEO testifies at 4 Congressional hearings
  • 8 state bank regulators impose orders for increasing security, auditing and reporting
  • CA passes law imposing sanctions/fines for each data breach (up to $750 per record, effective Jan 2020)
  • AL & ND penalties for delayed notifications (60 days/$10K and 45 days/$5K)
  • Federal bill for FREE credit ‘freeze’ and ‘thaw’ from all three large bureaus (previously $5-$10 each)
  • 30+ consumer class action suits
SLIDE 24

BEST PRACTICES I

  1. Implement Policies to Address Potential Vulnerabilities
  2. Establish a Regular Review Cycle for Crisis Preparation
  3. Establish Inter-Departmental Cooperation
  4. Establish a Framework for Response
  5. Build a Crisis Communications Toolkit
SLIDE 25

BEST PRACTICES II

  6. Know Where & How to Respond
  7. Prepare Your Employees in Advance
  8. Establish Assistance Services for those Impacted
  9. Know the Relevant Legal & Regulatory Requirements
  10. Be Honest, Be Transparent
SLIDE 26

Slides Available: Slideshare.net/sfathi