
It’s Not the Waking, It’s the Rising: Our Takeaways from NetDiligence-Santa Monica

We never have to try very hard to find an excuse to travel to California, and the NetDiligence Cyber Risk Summit was one of the easiest no-brainers when we were deciding if we should hop on a plane and head west. We were proud to serve as an Event Sponsor and even more proud of President Cindy Murphy’s participation on a panel discussing business email compromises. We had the opportunity to share the digital forensics perspective with legal and insurance colleagues and thoroughly enjoyed reuniting with old friends while forging new relationships in Santa Monica.

This post outlines some of the recurring themes we heard over the course of the conference.

Data breaches are expensive—and drawn out

Okay, this isn’t something we learned at NetDiligence, but it is certainly something we learned more about.

The 2017 NetDiligence Cyber Claims Study reports a number of useful metrics on incident response and the costs incurred. It found that the average cost of a data breach from 2014 to 2017 was $394,000, with the business sector filing the largest number of claims, followed by healthcare, financial and retail organizations. The sectors with the highest cost per breach were retail and telecommunications, at $1 million and $666,000 respectively.

The most common causes of data breaches in their survey were hackers, malware and viruses, ransomware and cyber extortion, and staff mistakes. Interestingly, business email compromise and wire transfer fraud made it onto the list for the first time, and lost or stolen device claims doubled in 2017. Anecdotally, the emergence of wire transfer fraud is a rising concern among insurance, legal, and forensics experts as well.

Of the records exposed in data breaches, the survey found that hackers and malware accounted for 99% of them, a combined total of 624,242,076 records from 2014 to 2017. Most of the exposed records were in retail, at 67%, followed by healthcare at 18% and financial services at 14%.

Taken together, these figures paint a picture of how data breaches affect businesses. Cost and record counts are only part of it: the duration of an incident also dramatically affects a business's ability to operate normally and at full capacity. A white paper by Corax and Clyde & Co presented at the conference found that the median duration of a data breach event is 78 days. Many cases are resolved much faster, but the figure shows how drawn out these incidents can be.

Take advantage of out-of-the-box security and privacy features

Office 365 compromises were a hot topic of conversation throughout NetDiligence. During a panel discussion, Gillware Forensics President Cindy Murphy was asked why she thinks so many compromises take place within the platform. She jokingly responded, “Well, the most popular kid always draws the most attention.” Fellow panelist David Nides of KPMG elaborated, stressing how under-used the platform's built-in security and privacy controls are, two-factor authentication above all. Two-factor authentication is not enabled by default, but it significantly reduces the risk of account compromise: a stolen or reused password alone is no longer enough to sign in. Even a text-message code sent to the user's phone after the password login can prevent thousands of dollars in losses and records exposed, though an authenticator app or hardware token is the stronger choice, since SMS codes can be phished or intercepted through SIM swapping.
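As an added example (not code from the post, the panel, or Gillware), the following PowerShell audit lists the Office 365 users in a tenant whose per-user multi-factor authentication is neither enabled nor enforced, flags those whose default second factor is SMS or a voice call, and optionally turns MFA on for the users that lack it. It assumes the MSOnline module is installed and that the account running it has User Administrator or Global Administrator rights; the `-Enforce` switch and the `mfa-audit.csv` output path are hypothetical inputs chosen for the example.

```powershell
# Added example: audit per-user MFA state in an Office 365 / Azure AD tenant
# using the MSOnline module. Assumes `Install-Module MSOnline` has been run and
# the caller holds User Administrator (or Global Administrator) rights.
param(
    [switch]$Enforce,                     # hypothetical: enable MFA for users that lack it
    [string]$Report = ".\mfa-audit.csv"   # hypothetical output path for the audit
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in; prompts for the admin credentials

# Map each licensed, non-blocked user to its per-user MFA state and default method.
$users = Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and -not $_.BlockCredential } |
    ForEach-Object {
        $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
        $def = $_.StrongAuthenticationMethods | Where-Object { $_.IsDefault } | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DisplayName       = $_.DisplayName
            # "Enabled" = user is asked to register; "Enforced" = MFA required at every sign-in
            MfaState          = if ($req) { $req.State } else { 'NotConfigured' }
            # e.g. OneWaySMS, TwoWayVoiceMobile, PhoneAppNotification, PhoneAppOTP
            DefaultMethod     = if ($def) { $def.MethodType } else { '' }
        }
    }

$missing = @($users | Where-Object { $_.MfaState -eq 'NotConfigured' })
$smsOnly = @($users | Where-Object { $_.DefaultMethod -in 'OneWaySMS', 'TwoWayVoiceMobile' })

"{0} licensed users, {1} without per-user MFA, {2} relying on SMS or a voice call" -f `
    @($users).Count, $missing.Count, $smsOnly.Count
$users | Export-Csv -Path $Report -NoTypeInformation

if ($Enforce -and $missing.Count -gt 0) {
    # Build the requirement object once; RelyingParty "*" applies it to all applications.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enabled'   # use 'Enforced' to skip the registration grace period
    foreach ($u in $missing) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
                     -StrongAuthenticationRequirements @($requirement)
        "Enabled MFA for $($u.UserPrincipalName)"
    }
}
```

Two caveats on reading the output. Per-user MFA is only one way to require a second factor: a tenant that requires MFA through Conditional Access will show `NotConfigured` here and still be protected, so treat the list as a lead, not a verdict. And a second factor only helps on sign-ins that can prompt for it, so legacy protocols that use basic authentication (IMAP, POP, SMTP AUTH) should be blocked alongside enabling MFA. Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph, so on a current tenant the same audit would be written against the Graph authentication-methods API.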

Train and retrain internally

After discussing two-factor authentication, the natural follow-up concern is pushback from internal team members and stakeholders over the inconvenience of using those safeguards. While it may be easy to disregard the security features altogether, it is crucial to present them as a requirement, not an option. Navigating these internal struggles can be tricky, but several panelists across several sessions pointed out that routine, repeated internal training is one of the only ways to raise cybersecurity awareness and understanding within your company culture.

Training needs to address not only security protocols, but also best practices for recognizing questionable activity. A common topic throughout the conference was business email compromise and how susceptible team members are to click and engage with fraudulent messages. Whether it’s an email alert that a new pay stub is available or a rushed message from the “CEO” requesting an immediate wire transfer, employees need to be equipped with the knowledge and best practices to identify these attempted attacks.

Internal training is especially important in relation to turnover. When team members leave the company, current employees’ workloads may change and they may receive new responsibilities. These new responsibilities may lead to more technological involvement or access. If the employee has not completed cybersecurity training since they joined the company, they may not be aware of the latest threats and protocols.

Some panelists throughout the conference discussed the idea of gamifying or incentivizing employees when they identify an attempted attack. Cindy Murphy discussed this on her panel. “At Gillware,” she said, “we all view it as kind of a game to identify email phishing and attempted attacks. Everyone gathers around to see what they found and how the attackers tried to weasel their way in.”

Time is of the essence

Too often we hear of a breach being recognized days before the client's attorney or cyber insurance provider was notified. That delay widens the scope of the breach: it gives the attackers more time to cover their tracks and disappear, and it lets short-lived evidence such as cloud audit logs and volatile system state age out before anyone preserves it. Reasons for the delay include disbelief, fear of repercussions, and guilt if the person who first spotted the breach somehow enabled it. Regardless, it is crucial to notify your legal counsel and/or your cyber insurance provider immediately. For those without cyber insurance, immediate notification of legal counsel or an incident response team is still crucial and will likely reduce the overall cost of the breach when all is said and done.

If you cost a company money, it’s annoying. If you cost a company their reputation, it’s over.

This theme surfaced several times throughout the conference. Much of the conversation revolved around the cost of business interruption and of the breach itself; however, more than one panelist and speaker drove home the importance of brand reputation. If a business is breached, it is crucial to manage the situation efficiently, thoroughly, and responsibly. A business that misreports the extent of the breach, blanket-notifies every customer whether or not they are affected, or hunkers down and discloses nothing risks severely damaging its brand.

While financial costs are substantial and serious, revenue can still be generated once the incident response has run its course. However, if the business missteps, the potential harm to the brand's reputation may be irreversible.

It’s not the waking, it’s the rising.

In any profession, it’s easy to fall into a routine, take the path of least resistance, make sure the bosses are happy, and not rock the boat. This year’s Santa Monica session of the NetDiligence Cyber Risk Summit kicked off with a simple message from a new Hozier lyric—it’s not the waking, it’s the rising. In the world of cybercrime, cryptocurrency, and coverage against it, we all expected to hear about the latest trends, statistics and defenses. Instead, Jeremy Barnett of NAS Insurance delivered an inspiring message challenging everyone in the room to take things one step further to elevate the work we do every day.

He emphasized that we all have one primary goal–to help our clients respond to and recover from cyberattacks. But to elevate our efforts, he charged us with the objective to fight back—to develop better safeguards, better coverage, and better outcomes—because as he put it, “someone’s got to do it.”

To a room filled with attorneys, insurance brokers and underwriters, and digital forensics experts, his message hit home. While we do our absolute best to respond to ransomware and hacking attacks, we can always do more to prevent and lessen the impact of these attacks. Because, after all, it’s not the waking, it’s the rising.

1 Comment

  1. H. Carvey says:

    This is fascinating, thanks for sharing!

    > The survey found the average cost of a data breach …

    I find the numbers fascinating, but I also keep in mind that they’re based on a survey. That is to say that the results will be based on responses from those who chose to respond, as well as what they chose to share. I’m not discounting it, as it is valuable, and I do find it interesting. Thank you for sharing the information.

    > ..the median duration of the event is 78 days..

    I get that’s the median. Was there any information discussed at the conference (i.e., perhaps not specifically called out in the survey results) regarding dwell time?

    > …more than one panelist and speaker drove home the importance of brand reputation

    Great point, but I have to wonder…how many businesses/executives feel this way? More to the point, how many executives feel strongly enough to do something about it? I’ve been in the DFIR business for two decades, and I’ve conducted PCI investigations, as well as been involved in cases that would be considered a “cratering event” for a brand. In most cases, no one around me really had much of a concern regarding brand. My experience on the ground has been that business continuity was the most immediate concern.

    Ancillary to that, even today, I still see businesses following the “remove from the network, wipe, reinstall” process for affected systems, without determining the initial infection vector (IIV) or root cause of the compromise. Sometimes that’s not needed, and I completely understand when that’s the case…spam email received, user accesses attachment, clicks on the “Enable Content” button, etc. However, in cases where the IIV is not understood, not doing a root cause analysis leaves that door open, meaning that the bad guy can come back. Wouldn’t public notification of a second or third compromise via the same means damage the brand?

    Finally, one thought I’ve had for some time….for those attendees who may have contracted for outside DFIR services, either directly or through counsel, I wonder how they then go about determining the quality of the work, based on what they receive. How is one firm or consultant chosen over another, and what does the customer then look to in the final report to determine the quality of the work they received?

    This is easy enough to do with respect to other services rendered in the real world, such as auto body repair, or getting your oil changed. I have a friend who got the oil changed in her Land Rover, and drove away from the dealership. A short time later, she stopped at a light and her vehicle stopped functioning. It seems that she didn’t get an oil _change_, only an oil removal service. As such, it was relatively easy for her to judge the quality of the work. However, how does a customer do the same with respect to DFIR services?
