Affect PROPRIETARY & CONFIDENTIAL March 4, 2010 Strategies - PowerPoint PPT Presentation

Affect PROPRIETARY & CONFIDENTIAL March 4, 2010 Strategies

MANAGING A HACK: Orchestrating Incident Response to Preserve Brand Reputation Cyber Security Summit Chicago Sept 26-27 th , 2018 Sandra Fathi President, Affect Email: sfathi@affect.com tweet: @sandrafathi web: affect.com blog: techaffect.com Affect PROPRIETARY & CONFIDENTIAL March 4, 2010 Strategies

SECURITY EXPERIENCE PROPRIETARY & CONFIDENTIAL @sandrafath 3 i

CRISIS EXPERIENCE Data Breaches, Identity Theft, Website Hacks, Malware (Multiple Companies) • Product Recall for Potential Lead Poisoning (Baby Product) • Hurricane Sandy, Hurricane Irene (ConEd) • Worker Strike, Manhole Cover Explosion, Building Explosion (ConEd) • Hit & Run (By Company Employee) • Sexual Harassment and Executive Misconduct (By CEO) • Executive Arrest for DUI • Terrorist Activity Interrupts Operations (Tech Company) • Foreign Mafia Threats on Executives (Tech Company) • Employee Kidnapping/Release by Militia (Tech Company) • PROPRIETARY & CONFIDENTIAL @sandrafath 4 i

ANATOMY OF A BREACH How does it start? • IT discovers a breach • Customers alert company regarding an issue • Anonymous post on a social network • Employee finds data for sale on the dark web • A journalist calls • A hacker makes contact PROPRIETARY & CONFIDENTIAL @sandrafath 5 i

BASIC INSTINCTS 1. Triage – Stop the bleeding Takes too 2. Diagnose – Identify the nature of the breach long 3. Investigate – Find the root cause 4. Repair – Implement technical fix 5. Communicate – Inform executive team Doesn’t always • Inform legal counsel happen • Inform marcom • Inform authorities • Inform customers • Inform media PROPRIETARY & CONFIDENTIAL @sandrafath 6 i

SELF-PRESERVATION Justifications • We don’t know if data was accessed • No critical data was accessed • It’s fixed. We’re out of danger • Very few customers were impacted • We don’t want to bring more attention to it • We don’t know all the facts, so we’ll wait until we do • We don’t want to appear incompetent • We don’t want to lose our jobs, customers, revenue etc . PROPRIETARY & CONFIDENTIAL @sandrafath 7 i

ALL 50 STATES PROPRIETARY & CONFIDENTIAL @sandrafath 8 i

ALL 50 STATES PROPRIETARY & CONFIDENTIAL @sandrafath 9 i

WHO’S IN THE ROOM Crisis Drills/Tabletops • Tech Leadership • Executive Leadership • Legal Counsel • Operations • Communications*** Photo Credit: CyberBit PROPRIETARY & CONFIDENTIAL @sandrafath 10 i

FOUR PHASES OF CRISIS COMMUNICATION PROPRIETARY & CONFIDENTIAL @sandrafath 11 i

I. READINESS Anticipating a Crisis 1. Crisis Mapping (SWOT Analysis) 2. Policies & Procedures (Prevention) 3. Crisis Monitoring 4. Crisis Communications Plan Photo Credit: CyberTraining 365 • Crisis Action Plan Blog • Crisis Standard Communications Templates • Crisis Drills PROPRIETARY & CONFIDENTIAL @sandrafath 12 i

THREAT MAPPING HR Sales Marketing Finance IT People Rank Order Products High Risk Facilities to Environment Low Risk Information Other PROPRIETARY & CONFIDENTIAL @sandrafath 13 i

CHANNEL MAPPING PROPRIETARY & CONFIDENTIAL

II. RESPONSE 1. Develop materials: 3. Prepare channels: • • Messages/FAQ Hotline • • Prepared statements Dark site • • Press release template Social Media • Customer letters 4. Data Breach/Customer Assistance 2. Train employees Resources • • Awareness Microsite/Landing Page FAQ • • Anticipation Identity Theft Remediation Services • • Organizational Preparation Force Password/Account Information Change • Special Customer Advocate/Team PROPRIETARY & CONFIDENTIAL

PREPARING A RESPONSE 1. Don’t delay 2. Acknowledge situation 3. Acknowledge impact and victims or potential victims 4. Commit to investigate 5. Commit to sharing information and cooperation with relevant parties 6. Share corrective action plan if available 7. Respond in the format in which the crisis was received** @sandrafathi PROPRIETARY & CONFIDENTIAL

PUBLIC BREACH NOTIFICATIONS 1. What happened? 2. What do we know? 3. Who/what was impacted? 4. How do we feel about it? 5. What are we going to do about it? 6. When are we going to do it? 7. Who is involved in this process? 8. When/how will we communicate next? @sandrafathi PROPRIETARY & CONFIDENTIAL

CUSTOMER COMMUNICATION 1. Introduction: Why are we contacting you? 2. What happened? 3. What information was compromised? 4. What are we doing to remedy the situation? 5. What can you do to prevent/mitigate further risk? 6. Where can you find more information? @sandrafathi PROPRIETARY & CONFIDENTIAL

III. REASSURANCE Who to Reassure? - All Stakeholders: Customers, Prospects, Public, Shareholders, Employees, Partners, Media etc. 1. Develop full response plan • Policies & procedures • Technology • People 2. Put plan into action: Immediate remedy 3. Communicate results of plan and impact 4. Reaffirm commitment to correction 5. Demonstrate results of program @sandrafathi PROPRIETARY & CONFIDENTIAL

IV. RECOVERY Rebuilding reputation, trust and customer loyalty Implementing preventative measures for long-term crisis mitigation and/or prevention 1. Review need for operational, regulatory, environmental and employee changes 2. Develop long-term plan including policies and prevention tactics 3. Reassess crisis plan 4. Regain customer/public trust @sandrafathi PROPRIETARY & CONFIDENTIAL

CASE STUDY: EQUIFAX • March – Apache vulnerability discovered, patch issued next day • May-July – Hackers infiltrate Equifax servers with more than 9,000 requests. ~145M records are accessed, nearly 44% of US Population • July 29 – Equifax discovers breach • Sept 7 - Equifax issues public statement • Sept 8 – Equifax shares plunge 13.7% • Sept 12 – CEO apologizes in USA Today Op-Ed • Sept 15 - Equifax announces CIO & CSO are retiring • Sept 21 – Equifax admits sending victims to bogus website ‘securityequifax2017.com’ • Sept 26 – CEO retires • Oct 3 – Former CEO testifies for the first time (of four) in Congress PROPRIETARY & CONFIDENTIAL @sandrafath 21 i

MEDIA REACTIONS PROPRIETARY & CONFIDENTIAL @sandrafath 22 i

CONSEQUENCES TO DATE • CEO, CIO, CSO ‘Retire’ • 2 employees indicted for insider trading (CIO & Developer) • CEO testifies at 4 Congressional hearings • 8 State bank regulators impose orders for increasing security, auditing and reporting • CA passes law imposes sanctions/fines for each data breach (up to $750 per record, effective Jan 2020) • AL & ND penalties for delayed notifications (60 days/$10K and 45 day/$5K) • Federal bill for FREE credit ‘freeze’ and ‘thaw’ from all three large bureaus (previously $5-$10 each) • 30+ Consumer class action suits PROPRIETARY & CONFIDENTIAL @sandrafath 23 i

BEST PRACTICES I 1. Implement Policies to Address Potential Vulnerabilities 2. Establish a Regular Review Cycle for Crisis Preparation 3. Establish Inter-Departmental Cooperation 4. Establish a Framework for Response 5. Build a Crisis Communications Toolkit PROPRIETARY & CONFIDENTIAL @sandrafath 24 i

BEST PRACTICES II 6. Know Where & How to Respond 7. Prepare Your Employees in Advance 8. Establish Assistance Services for those Impacted 9. Know the Relevant Legal & Regulatory Requirements 10. Be Honest, Be Transparent PROPRIETARY & CONFIDENTIAL @sandrafath 25 i

Slides Available: Slideshare.net/sfathi Sandra Fathi President, Affect Email: sfathi@affect.com tweet: @sandrafathi web: affect.com blog: techaffect.com Affect PROPRIETARY & CONFIDENTIAL March 4, 2010 Strategies