Brian Pichman provides guidance on steps to take after a hack or data breach for both individuals and organizations. For organizations, key steps include communicating with impacted parties, investigating the scope of the incident, resolving vulnerabilities, and preventing future attacks. For individuals, important actions are changing passwords, monitoring accounts for suspicious activity, and being aware of best security practices. Moving forward, organizations and individuals should focus on training, policy enforcement, and purchasing cyber insurance to mitigate risks.
2. Description: It happens. A place you shop at frequently gets its data stolen.
Someone was able to get access to one of your accounts. Or a system you
manage gets compromised. Either way, it is important to be prepared ahead of
time before the worst happens. Join Brian Pichman as he helps you put a proactive
plan in place and what to do after you or your organization has been hacked.
3.
4. Myths
I’m not worth being attacked.
Hackers won’t guess my password.
I have anti-virus software.
I’ll know if I been compromised.
5. Understanding Breaches and Hacks
A hack involves a person or group to gain authorized access to a protected
computer or network
A breach typically indicates a release of confidential data (including those done by
accident)
Both of these require different responses if breaches/hacks occur.
6. Agenda
General Terms and understanding impact.
What you (as a organization) should do if you’re hacked or compromised*
What you (as a person) should do if you’re hacked or compromised.
Protecting yourself from future attacks
*Always seek legal advice before moving forward on any action – from how you communicate
to what parties you involve during a breach.
7. Terms to Know
BYOD – Bring Your Own Device
The idea that an IT environment allows people to connect their own personal devices to the
network and utilize resources such as internet, file shares, servers, etc.
This is a RISK because those personal devices can be infected with viruses, might not be secure, or contain
software that do damage to your organization.
CIA –Confidentiality, Integrity and Availability
Frequently called to as the CIA triad - including three fundamental principles of information
security.
‘confidentiality’ describes the need for information to be accessible only to those that are allowed to view or
access it
‘integrity’ is the promise that the information is trustworthy and accurate
‘availability’ is a guarantee of information being available to those users that require it, when they require it.
8. More Terms to Know…
Encryption
Using an algorithm and a secret code, you can “scramble” data to make it unreadable…unless you have the “secret code” or
“key”.
Web browsers will encrypt text automatically when connected to a secure server, as indicated by a web address beginning
with https.
Worm
A malicious program that replicates itself over a computer network…and waits to show its malicious intent.
Bots / Zombies
When an infected machine is used to run processes, access websites, or remotely controlled to do something the owner is
unaware of or cannot control.
Sniffing
A tool that can be used by a hacker to steal information off a network, and is increasingly used for the purpose of stealing a
user’s password or credit card number
Security Audit
Identifying access control, encryption, intrusion detection systems, and monitoring account creation or server activity.
9. Assets + Threat + Vulnerability = Risk
Asset – People, property, and information
An asset is is something to protect
Threat – Anything that can intentionally or accidentally, and obtain, damage, or destroy an asset.
A threat is what you protect against.
Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an
asset.
A vulnerability is a weakness or gap in our protection efforts.
Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
You can never remove all risk – only mitigate.
Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.
Thus, threats (actual, conceptual, or inherent) may exist, but if there are no vulnerabilities then there is little/no risk.
You have threat for the building catching on fire – however you’re asset is located in a fire safe.
You can have a vulnerability- but if you have no threat - then you have little/no risk.
You have a security system that doesn’t operate at low temperatures but you live in California.
10. Why do People Attack?
Financial Gain
Stocks
Getting Paid
Selling of information
Data Theft
For a single person
For a bundle of people
Just Because
Malicious
11. Examples of Hacks/Breaches
An employee/family member allows a hacker to access their machine through:
Email Attachments
Social Engineering
Walking away from their computer unattended
An employee/family member sends information to someone thinking they are someone else
“Hi, I’m the CFO assistant, he needs me to collect all the W2s”
Or more intrusive –
There is an attack on a database or server that then allowed a hacker in (SQL Injection)
There is a brute force attack or someone guessed the password on a key admin account, on
servers/networks, etc.
12.
13.
14. The Costs Of Breaches
This year’s study found the average consolidated total cost of a data breach is 9.4 million dollars
[IBM 2022 ibm.com/reports/data-breach
Data Breached Companies Experience…
People lose faith in your brand
Loss in business
Financial Costs
Government Requirements,
Penalties, Fees, etc.
Sending of Notifications
Payment of Identity Protection or
repercussions.
https://betanews.com/2016/02/10/the-economic-cost-of-being-hacked/
20. You as a Organization - Obligations
You are obligated to protect the data and privacy of:
Employees
Customers
Business Partners/Vendors/Etc.
Sometimes, we forget we house a lot of personal and identifying information about our
employees and customers.
Employees Social/Payroll/HR
Customer Records/Accounts/History
What employees/customers are accessing on the web
A sniffing tool, key logger, or fake DNS redirects can monitor not only the sites people are accessing but what
they use for their username / password
21. Steps – Communication and Speed!
Communicate
People will ask “How long did you know XYZ happened” - know this information before
communicating to them an attack occurred.
If you discover a breach, hack, or any other compromise that may have the impact of data being
stolen or viewed, you MUST communicate quickly and effectively.
While every scenario is different and has different factors – groups that move faster with the
information they know (as soon as they know it) they are generally better off long term (ie don’t’ wait
months as you “investigate” the issue. Give people time to protect themselves)
Don’t over communicate and have one spokesperson
Be clear and concise. Too many details can be harmful.
22. Other Points on Communication
Once you know a breach has occurred, by law you are required to
inform customers if their data has been compromised.
Some states have deadlines of when the announcement has to be made
Every impacted person must be told that a data breach has
occurred, when it occurred, and what kind of information was
compromised.
Answer: what are you doing to provide a remedy and should they do
(next slide)
23. what are you doing to provide a remedy and should they do
You as the Organization
Build a website with information about the
breach
Offer a Toll Free number people to call in
for questions
If the possibility of social information
provide contact information for Equifax,
Experian and Transunion, and the quick
links for fraud protection.
Them as Impacted Parties
Fraud Protection (if necessary)
Request them to change their passwords if
their password was compromised
Highlight if they use this password on
OTHER sites to change those passwords
too
24.
25.
26. Step 2 - Investigate
You will most likely need to hire an outside cyber security firm –
they have the tools and resources to track what might have been
stolen and who stole it.
Solve which computers and accounts were compromised, which
data was accessed (viewed) or stolen (copied) and whether any
other parties – such as clients, customers, business partners,
users, employees. Was the stolen data encrypted or unencrypted?
Also involve folks from the people you pay for services
(depending on where the breach occurred) such as ISPs, Web
Hosting Providers, Security Software, Firewall Vendors, etc.
Contact your local, county or state police computer crimes unit
and the FBI, which can do forensic analyses and provide valuable
guidance
27. Step 3 – More Communication and Follow Up
If you notify more than 500 impacted people from a breach, many states will also
require you to file a notice with your state attorney general’s office.
HIPPA, FERPA, CIPA, and all those other scary acronyms have requirements and
regulations – make sure none of those rules are violated.
28. Legal Stuff
There are a lot of laws that help a certain
level of security standards. The landscape of
these laws is evolving as the level of threats
increase.
There is compliance standards that
organizations should reach for security as
well – as a precaution and preventive
measure to mitigate risk.
The ISO/IEC 27000 family of standards helps
organizations keep information assets secure.
https://www.iso.org/isoiec-27001-
information-security.html
29. CIPA - Children's Internet Protection Act
The Children's Internet Protection Act (CIPA) requires that K–12 schools and libraries in the United States use
Internet filters and implement other measures to protect children from harmful online content as a condition for
federal funding
SOX - Sarbanes–Oxley Act
CEO and CFO of publicly traded companies to certify the effectiveness of their organization's internal controls as
they relate to the accuracy of financial information and maintaining records of financial data.
FERPA – Family Education Rights and Privacy Act
Federal law that protects students’ educational records from public and third party exposure. Failure to meet
these demands will result in loosing federal funding.
HIPPA – Health Insurance Portability and Accountability Act
Act that requires employers, insurance plans, and healthcare providers to setting up physical and technical
security
PCI-DSS - Payment Card Industry Data Security Standard
PCI compliance regulations require anyone who store, process, or transmit credit card information to protect
cardholder data regardless of its location.
FISMA – Federal Information Security Management Act
This act recognized the information security as matters of national security. Thus, it mandates that all federal
agencies develop a method of protecting the information systems.
30. Step 4 Solve It
Through the investigation and hiring of consultants and engagement of local/state/federal
groups – find out what happened and how to prevent it from happening again
Removing infected computers or servers (if it was from a virus/malware)
Consider reformatting hacked computers and restoring data with clean backups or replacements
Removing access from the outside world to your network (or specific applications)
If the breach occurred because of non patch system or software – patch it, then put a policy in place
to check patches.
If the breach was done through a stolen or weak passwords, secure those accounts and set new,
complex passwords that will be hard to crack.
Communicate the resolution to the users impacted
31. Repercussions
Depending on the severity of the hack and type of hack you
may:
Need to pay a fine/penalty from a governing body if it was because of
lack of security or no reasonable efforts to defend users data
Pay for identity protection for those impacted users (usually at least a
year)
Pay a settlement
32. Moving Forward / Prevention
Make sure your security defenses are running properly and that data is being
backed up securely.
You should run activity logs and tracking on all network devices and public facing
servers. These logs should be checked and monitored for unwanted access or sudden
activity.
Follow up with vendors to see what they are doing to protect your/their data –
and share with customers best practices for their own security (like strong
passwords).
Create a disaster recovery plan and train employees so everyone can respond
quickly and calmly if they know of an attack or see something that could be
indicative of being attacked.
33. cyber-insurance
Policies can be purchased from most major insurance carriers for between $5,000
and $10,000 per $1 million in protection.
Policies will generally cover:
Legal Fees
Forensic Fees
Costs for providing customer credit monitoring for those impacted
Any court costs related to civil litigation and class actions.
Some policies include access to portals/support so if and when an attack occurs, you
can get guidance and support on what to do.
34. Training for Staff
Not installing software on the machine
You could put secure rules in place to prevent installations
Not opening attachments or clicking on links from senders you don’t recognize.
Teach staff that IT support will only email communications in a specific template from a specific
address. Any other emailing claiming to be “IT” isn’t them.
Have staff either take an assessment after training and/or sign a document agreeing to
practice best practices for security.
Simulate attacks with tools like KnowBe4
Checking Non-Work Related Functions (like emails) – caution users from accessing personal
email or personal information while at work – as the IT team will not be monitoring that
email for malicious messages.
35.
36. You – As A Person (If Infected Machine)
If you think you infected your machine (through an email, virus, etc)
Disconnect it from the internet.
Immediately shut down the computer
If you notice an odd message take a photo first so an IT person (or you) could do more research
You can remove your drive from your computer and using another computer (that’s not network
connected) run scans on the drive.
Depending on the severity – you may need to wipe your computer.
If this is a work computer – always inform IT Security or IT. They rather have a false alarm than an
actual issue leak to the entire organization.
37. If Your Personal Accounts Got Hijacked
If its your personal email or social media accounts
Send an email to all your contacts letting them know (if a fake message was sent out) that
it wasn’t you who sent the message and to delete it.
Change your email password.
Google will tell you what sites you have connected your Google Account too:
https://myaccount.google.com/intro/secureaccount
If it’s your work email
Inform IT / Security – and ask them the best course of action.
38.
39. You Heard Of A Breach
Change Your Passwords!!
And I’m hoping you don’t use the same password for all your
accounts
Do some investigatory work of your own
Do you use this username on other systems?
Check to see if other sites you use have you logging in when
you haven’t
Many websites allow you to get an audit of when and where you’ve
logged in. Contact those sites support pages for details.
41. Your Organization
Administrative Accounts are easy to figure out if they are something like
“administrator” ”root” or “power users”. At the same time, no employee should
have their account as a full admin.
Instead, give them their own username for admin access (like brian.admin)
Change the default “login” pages for sites to something that’s not
www.mysitename.com/login. Bots look for this and attack.
My Drupal Site login page is www.evolveproject.org/catpower
User Awareness is key to any secure organization. Teach users how to identify
potential threats and how to respond quickly.
Avoid shared accounts. One account should only be used by one person.
42.
43. You
Sites to protect yourself all the time (not free)
IdentiyGuard.com
LifeLock.com
Sites to monitor when breached data gets related (this is free)
Haveibeenpwned.com
Password Management Sites (like lastpass.com)
Don’t have the same password for all your sites.
Don’t write your passwords down on a post-it-note and leave it at your desk
46. Credit Card Tools for Online Shopping
Check out Privacy.Com
https://privacy.com/join/473XB
shameless plug
47. Other tricks for anonymity
10 Minute Email
https://10minutemail.com/10MinuteMail/index.html
Temporarily get an email box that’s anonymous and disappears after 10 minutes
Dr Cleaner (Mac) or Eraser (Win) can overwrite files on your computer with “blank”
data to make file recovery near impossible.
Tools like Recuva is free software to allow you to restore deleted files.
50. Basic Tips
Accept only people you know to personal and professional accounts
Never click on links from people you don’t know.
Especially if they are using a url shortner: bit.ly, tinyurl.com, etc
https://www.urlvoid.com/ - test the website to see if its safe
https://www.site-shot.com/ get a screenshot of what will load on site
https://pagescreen.io/ another paid tool that works pretty well
If there are people claiming to be you on social media, it’s best to get your
account “verified” on those social media platforms
This lets users distinguish that you’re the actual official account
51. Checking Your Accounts / Name Online
Use this site to check your usernames: https://namechk.com/
The next is a tool searches through your email with things you may have signed
up for (I've paid for their premium service as well, not really worth it, the free does
just fine) https://brandyourself.com/privacy-overview.
This tool: https://email-lookup.online/index.php searches public searches to see
what links. Its similar to https://www.spokeo.com/email-search.
57. Increases Efficiency
Having a security policy allows you to be consistent in your approach to issues
and how processes should work.
It should outline how and what to do, and repeatable across your organization.
Everyone is doing XYZ the same way and on the same page.
58. Accountability, Discipline, and Penalties
Think of it as a contract – for legal purposes – that you have taken the steps needed to secure your
organization.
Need to define penalties when violations occur. People need to know the consequences are for failure to
comply – both from a legal and HR standpoint or even access permissions.
Policies and procedures provide what the expectation is and how to achieve that expectation. It should define
what the consequence are for failure to adhere.
59. Education For Employees
By reading these policies (and signing them), it helps educate your employees
(and users) the sense of ownership for assets and data.
Everything from advice on choosing the proper passwords, to providing
guidelines for file transfers and data storage, internet access and rules, will help to
increase employees’ overall awareness of security and how it can be strengthened
60. Addresses Threats and Risks
A good policy should address all threats, strategies to decrease the vulnerabilities
of those threats, and how to recover if those threats became actionable.
This makes the “what do we do if someone hacks our network” a defined process
already and who to call and what to do to mitigate further damage.
61. Access Definitions and Permissions
A good policy would outline who accesses what and why. This makes reporting a
security violation easier and streamlined.
Policies are like bouncers at a night club
It states who has access to the VIP section of the club, why, and any reasons to allow
entry.
Without these rules, VIP wouldn’t be really VIP.