The Changing Faces of Cybersecurity GovernanceWHAT TO DO BEFORE ANDAFTER A CYBERSECURITYBREACH?Written By:Gurpreet Dhillon, Ph.D,Virginia Commonwealth University,Richmond, Virginia,[email protected]

Previous publications in The Changing Faces of Cybersecurity Governance SeriesMarch 2015CYBERSECURITY GOVERNANCE: FIVE REASONSYOUR CYBERSECURITY GOVERNANCE STRATEGYMAY BE FLAWED AND HOW TO FIX ITBy Peter Iannone & Ayman OmarMarch 2015CYBERSECURITY ACT OF 2015 REVIEW: WHAT ITMEANS FOR CYBERSECURITY GOVERNANCE ANDENTERPRISE RISK MANAGEMENTBy Joseph J. Panetta & R. Andrew SchrothSeptember 2015CYBERSECURITY REGULATION AND PRIVATELITIGATION INVOLVING CORPORATIONS AND THEIRDIRECTORS AND OFFICERS: A LEGAL PERSPECTIVEBy Perry E. Wallace, Richard J. Schroth and William H. DeLoneSeptember 2015HOW CAN BOARDS AVOID CYBERSECURITY PAIN?A LEGAL PERSPECTIVEBy Perry E. Wallace, Richard J. Schroth and William H. DeLoneThe views and opinions expressed in this paper are those of the author and do not necessarily reflect the position or policy of theKogod Cybersecurity Governance Center (KCGC).

“We have been hacked!” These are the dreadedwords no executive wants to hear. Yet this isexactly how the co-chairman of Sony PicturesEntertainment, Amy Pascal’s, Monday morningstarted when the company discovered its entirecomputer system had been hacked by anorganization called Guardians of Peace. This wasone of the biggest attacks in 2014. Several othershave followed in 2015 and 2016.Over the past few years the size and magnitude ofcybersecurity breaches have increased. The 2014South Korean breach, where nearly 20 million (40%of the country’s population) people were affected,epitomized the seriousness of the problem. Morerecently a cybersecurity breach was discovered inUkrainian banks. Carbanak, a malware program,infected the bank’s administrative computers.The breach resulted in banks of several countries,including the USA, Russia and Japan gettinginfected. The seriousness of the problem can bejudged from the 2016 Internet Security ThreatReport published by Symantec. Nearly half a billionpersonal records were stolen or lost in 2015 andon an average one new zero-day vulnerabilitywas discovered each week. When a zero-dayvulnerability is discovered, it gets added to thetoolkit of cyber criminals.An IBM study concluded that an average databreach costs about 3.52 to 3.79 million USdollars and it keeps rising every year1. It is notjust the dollar expense that matters in breachsituations. It is very likely that the breach damagesthe company’s reputation, and some smallerunprepared organizations might never recoverfrom a major disaster.Cybersecurity breaches affect organizations indifferent ways. Reputational loss and decreasedmarket value have often been cited as significantconcerns. Loss of confidential data andcompromising competitiveness of a firm can alsocause havoc. There is no doubt that preventivemechanisms need to be put in place. However,when an IT security breach does occur, whatshould be the response strategy? How can theimpact of a breach be minimized? What regulatoryand compliance aspects should a company becognizant of? What steps should be taken to avoida potential attack?Companies can defend themselves by conductingrisk assessments, mitigating against risks thatthey cannot remove, preparing and implementinga breach response plan, and implementing bestpractices. Past events have shown that betterprepared companies are able to survive an attackand continue their business operations. Expertsrecommend board of director’s involvement indata protection; active participation from seniordecision makers can reduce the cost of databreach. There are several other ways managerscan prevent, reduce, and mitigate against databreaches.Reasons for investing in cybersecurityIncreased frequencyGreater impact on business continuityData breach costs have skyrocketedAnthemAnother one bites the dustOn January 29, 2015, it was discovered thatAnthem, Inc, one of the nation’s leading healthinsurers, was the victim of a cyberattack wherebycyberattackers attempted to gain access topersonally identifiable information about currentand former Anthem members. The hackers beganaccessing the information in early December 2014and, during a nearly 7 week window, perpetratorswere able to gain access to nearly 80 millionrecords2. Anthem has indicated that not onlycurrent members of Anthem were impacted. Onits website3, Anthem noted, “In addition, somemembers of other independent Blue Crossand Blue Shield plans who received healthcareservices in any of the areas that Anthem servesmay be impacted. In some instances, nonAnthem members and non-Blue Plan membersmay have been impacted if their employeroffered Anthem and non-Anthem health planoptions. Anthem is providing identity protectionservices to all individuals that are impacted.”Although Anthem maintains that no credit card orfinancial information was accessed, the threat toindividuals’ finances remains. The hackers wereable to gain access to names of individuals, health1

care ID numbers, dates of birth, Social Securitynumbers, home addresses, email addresses, andemployment information. With this data it is easyto create identities and impersonate someone in avariety of settings.Home DepotSheer embarrassmentIn the case of Home Depot, in September 2014the company announced its payment systemswere breached which affected nearly 2,200 USand Canadian store locations in a cyberattackthat may have started as far back as April 2014.Embarrassingly, Home Depot wasn’t aware itspayment systems were compromised until banks,and members of the law enforcement communitynotified the company months after the initial databreach. The Home Depot security breach actuallylasted longer than the Target breach, spanning anestimated 4 months resulting in thieves stealingtens of millions of the customer’s credit and debitcard information. In the six months leading up to2015, Home Depot processed approximately 750million customer transactions that presented atreasure trove of information for hackers to focuson.SonySimple blame attributionSony faced a cyberattack prior to the expectedrelease of the movie The Interview where hackersreleased username and passwords for staging andproduction servers located globally, in addition tothe usernames/passwords and RSA SecurID tokensof Sony employees. Sony was forced to “turn-off” itsentire computer network infrastructure after it wasalso discovered the hackers posted information forall of Sony’s routers, switches, and administrativeusernames and passwords to log on to every serverthroughout the world. As a result of the Sonyattack, an estimated 40% of large corporations nowhave plans to deal with and address aggressivecybersecurity business disruption attacks. The Sonyattack, in which hackers also posted embarrassingwork emails of the Sony Pictures executives, hasled to more buy-in from C-suite and executiveboards across all corporations.2Technicalities of a BreachNow that the attack has happened and victimsare reeling from the unsettling feeling that theirpersonally identifiable information is out theresomewhere, the real question is how did all thishappen in the first place? To answer that question,we must first analyze the security policy thatAnthem had in place at the time of their attack inearly December 2014. At the time of the attackthere were several media reports4,5, accusingAnthem of inadequate policies for accessingconfidential information. The insurer was alsofaulted for technical evaluation of softwareupgrades that verified authority of people orentities seeking access to confidential information.In addition to these accusations, the buzzwordthat surfaced after the attack seemed to be“encryption.” Anthem was accused of storingnearly 80 million Social Security numbers withoutencrypting them. Some would argue that whileencryption would make the data more secure, itmay also render it less useful.The root of the issue is not a solitary smokinggun. There are a variety of technical factors thatcontributed to the inevitability of this securitybreach, but first and foremost in creating a soundsecurity policy is limiting access. As was mentionedabove, Anthem did a very poor job of formulatingsound policies for granting access to the variousdatabases and failed to implement adequatemeasures to ensure unauthorized users who didnot have a specific need to access the data weredenied access to client data. The secondary issueis the part about encryption; without question,if the data was encrypted, the task of decryptingand making useful information out of the datawould have been a significantly more difficult taskfor the hackers. But let’s pretend for a momentthat the benefit of using the data in its naturalform outweighs the risk of leaving in unencryptedand readily available to hackers in the event of abreach, aren’t there other ways of protecting thedata? Certainly many companies employ a varietyof additional safeguards to protect their data, ofwhich Anthem employed very few. Among theseadditional safeguards are random passcodesgenerated on a keyfob that change over a briefperiod of time, the use of IP based access toremote servers, and the use of random IDs stored

in a separate, unlinked database to name a few.Anthem needs to take advantage of the veritablecornucopia of cutting edge security options tocover themselves from a technical vantage point orrisk having disaster occur again.Home Depot had similar issues and problems withtheir security policy. Once the attackers gainedaccess to one of their vendor environments, theycould use the login credentials of a third partyvendor to then open the front door. Once on thenetwork, it was easy for the hackers to exploit aknown zero-day vulnerability in Windows. Thevulnerability allowed the hackers to pivot fromthe vendor environment to the main Home Depotnetwork. It was then possible to install memoryscraping malware on the point of sales terminals.Eventually 56 million credit and debit card data wasstolen. The Home Depot vulnerability could havebeen prevented. While the network environmentdid have the Symantec Endpoint Protection, theNetwork Threat Protection feature had not beenturned on. While this may not guarantee security,it would have certainly made life more difficultfor the hackers. Moreover, the policy seemed tobe deficient in terms of a proper vulnerabilitymanagement program.Policy ConsiderationsThere are a variety of technical and human factorsthat contribute to the inevitability of a breach. In amajority of the cases, fingers have been pointed tothe technical inadequacy of the enterprise. In thecase of Anthem, it was the lack of encryption. ForHome Depot, it was the lack of technical controls toprevent malware from collecting customer data. AtTarget, there was a basic networking segmentationerror.Occasionally we hear issues related to policyviolations. In the case of Anthem, the USDepartment of Health and Human Services mayimpose a fine of some 1.5 million because ofHIPAA violations. In many instances efforts aremade to ensure security policy compliance throughrewards, punishment or some behavioral changeamongst employees. Rarely do we question theefficacy of the policy. Was the policy createdproperly? Was it implemented adequately?Were various stakeholders involved? Were thereany change management aspects that wereconsidered? These are some fundamental issuesthat need consideration.Unfortunately, these questions never getaddressed. Security policies keep gettingformulated and implemented in a top-downcookie-cutter manner. Organizational emphasisremains on punitive controls. And little attentionis given to the content of the policy and how it isrelated. So, how can organizations ensure thata coherent and a secure strategic posture bedeveloped? Security education, training, and awarenessprograms need to be established andmonitored on an ongoing basis All constituents are given access tocybersecurity strategic goals, which helps ininculcating ownership and hence compliance Various stakeholders should be involved andencouraged to participate in cybersecuritydecision-making, which helps with increasedcompliance.Reputation andResponsivenessReputational damage is significant following adata breach, particularly if a company fails torespond promptly. Following the Anthem, Sonyand Home Depot breaches various social mediaoutlets criticized the companies their delayed orinadequate response regarding the breach. Interms of crisis management, a three-day delay isconsidered significant. Post-crisis communicationand a response strategy are essential to ensurethat the right message gets through. Transparencyin how the breach is being handled has its addedimportance.Another well publicized breach was that ofJP Morgan, were hackers were able to stealconfidential data for nearly 76 million UShouseholds. The author and a colleague statedcollecting twitter data following the JP MorganChase breach in order to undertake a sentiment3

analysis. Our objective was to assess how howindividuals reacted to the breach. 39,416 tweetswere collected during the month of October 20146.Analysis of the results suggests that more thanhalf of the tweets expressed negativity. Othersignificant findings included: When a data breach responsibility is attributedto a company, it results in negative emotions,which in turn translates to negative word ofmouth and even severing relationships withthe enterprise. If the negativity related to the breach is high,it results in a quicker spread of the negativeword of mouth sentiment (in our case, Twitterposting exhibited a shorter re-tweet timelatency). The initial security breach responsibilityshapes the reputation of the firm. Hence, it isimportant to frame the message and securitybreach responsibility since it has a directreputational impact.Risk and ResilienceWhen a data breach occurs, post-crisiscommunication is perhaps the only opportunitythat a company has to repair its reputation. Crisissituations can potentially have many negativeconsequences, ranging from losing customers,profitability, and market share to declining stockprices and job losses. A much less explored, butvery important factor, is the impact of a crisis onorganizational reputation. Corporate risk andresiliency planning are important for organizationsto be able to bounce back from disruptionsand thus retaining stakeholder confidence.Understanding and identifying potential adverseevents in computerized networks is important forplanning and implementing resilient mechanismsto defend, detect, and remediate from suchthreats. The risk reduces when organizationsimplement both resilient technical and socioorganizational mechanisms. There is a need tointegrate risk and resilience mechanisms into theorganizational culture to prevent security breaches.There are four key characteristics of any risk andresilience approach:4 The approach should provide a holisticframework, which assesses the systems andtheir interactions – from a system to thenetwork; from the network to the organizationand subsequently the societal impact The approach should emphasize capacity tomanage the range of hazards. There need to be options for dealing withuncertainties, surprises, and any potentialchanges The focus should be on proactive managementHence a system that effectively reduces risks isgoing to be more resilient to the security breaches.Risk reduction means a deflection of risk andrisk sharing. Also an ability of an organizationto prepare for the surprises and effectivelyresponding to the breach incidents characterizesorganizational resilience.GovernanceWell-considered governance is at the core ofany successful cybersecurity program. Manyimportant aspects require consideration - policy,best practices, ethics, legality, personnel, technical,compliance, auditing, and awareness. Weakgovernance is often considered to be the causeof organizational crisis. Over the past severaldecades, we have observed that in institutionswhere governance was poor or the structures ofaccountability and responsibility were not clear,they have been susceptible to cybersecuritybreaches. For instance, the multi-billion dollarloss experienced by Société Générale because ofviolation of internal controls by Jérôme Kerviel.Similarly, the case of Barings Bank where NickLeeson circumvented established controls. SociétéGénérale and Barings Bank showcase a lack ofgovernance as the prime reason for the securitybreaches. Key principles for a sound and robustsecurity governance include: Senior leadership commitment to cybersecurity is essential for good securitygovernance Cyber security is considered strategically withdue consideration of risk management, policy,compliance and incident handling

Clear lines of communication are establishedbetween strategic thinkers and operationalstaff.Steps to avoid a potentialattackManagers can take steps today to avoid potentialbreaches and mitigate damage when breachesoccur. There is a vast amount of data from manysources that purports to answer exactly how toprepare for the inevitability of a cyber attack.Because the nature and purpose of every attackis different and the composition of every businessis different, there is no single prescription forprevention. However, by boiling down the datafrom multiple sources, we can derive a list of highlevel practices that all organizations should adopt. Executive buy-in In order to create an optimalcybersecurity policy, support hasto come from the top levels of theorganization. Security must become acore part of the organizational culture. Fully understand your risk profile By knowing your industry and itsattack vectors, what is valuable to yourorganization and how to protect thoseassets, security personnel can effectivelycreate, support and promote cybersecurity initiatives. Identify and classify different cyberattackscenarios. Take threats seriously Many organizations understand thefull extent of the damage that can bedone during an attack as well as theaftermath. However, many companieschoose to ignore the possibility of suchan attack happening to them, or they arewilling to accept the risk of not takingadequate precautions due to cost orcomplexity. Policy Enforcement Policies can be as simple as a strongpassword, but should ideally go wellbeyond passwords. Security policiesshould be documented and automatedwherever possible to avoid human erroror omission. Circling back to ExecutiveSupport, policies should be a part of theculture that everyone chooses to follow. Keep things in simple terms that non-ITexecutives and users can understand. Training Security awareness and policyenforcement is crucial in order to createa security culture within an organization.Awareness of policies, security andother, should be of paramount concernto all organizations. There should be specialized training forthose that deal with the most sensitivedata in the company. Employee Screening Not all possible employees possess thesame moralities as the business ownersand stakeholders. Employees shouldnot only be screened to ensure thattheir skills meet the requirements of thepositions but, more importantly, thattheir beliefs closely match those of theorganization. Remember that people are often theweakest link in a security chain Offline backup of critical data Data is the lifeblood of an organization.Data loss is often as damaging,monetary and brand, to an organizationas a data breach. Many organizationsnever fully recover from data lossevents, some go out of business entirely.A copy of critical data in a secure offsitelocation is one small step that shouldnot be overlooked. Invest intelligently in security Information overload prevents manyorganizations from making intelligent5

security decisions. There are a thousandvendors pitching a thousand variantsof “best practice” security models.Create a plan based on the needs of theorganization and implement policiesand tools that augment the plan. Avoidtying your security policy to any vendor’ssoftware or hardware. There is no “onesize-fits-all” solution. One of the more direct methodsfor avoiding a security breach is toimplement application whitelisting.Application whitelisting can preventmany forms of a breach where thespoofing of an application allows a virusor malware to traverse firewalls andscanners without detection. Keep systems updated Another direct method for avoidinga breach is simply to apply securitypatches to software and hardwaresystems on a prompt and routineschedule. This may appear to most as a“no-brainer” but is often overlooked.The detailed list above describes concepts thatevery organization should consider to improvetheir cyber security preparedness. These conceptscan be tailored to fit the individual organizationculture and data protection requirements.Regardless of the specifics, every organizationshould understand the company’s security chain.The CEO must enable the Chief Compliance Officer(CCO), the Chief Privacy Officer (CPO), the ChiefInformation Officer (CIO) and so on, to ensureeach understands their role before, during andafter an attack. Working together, these individuals1Install sensors ormechanisms to collectpotential hazards2must create and own an enterprise-wide Incident(or Risk) Management Plan, a Data Managementprogram, an Incident Response Plan andcommunication/reporting plans.Once the above initiatives are in place, moredetailed workflows, such as the ContinuousDiagnostics and Mitigation (CDM) program fromthe Department of Homeland Security (DHS), canbe adopted. This program utilizes commercialoff-the-shelf (COTS) software and hardware tocontinually monitor for security related eventsas well as continuously improve upon processesand risk prioritization. A CDM-style framework,see figure 1, also provides a practical model thatany organization can adopt and tailor to meet itsspecific cyber security requirements.In this day and age managers have to be proactivein preventing an attack. No longer is the questionasked if companies will be hacked but rather whenthey are hacked what will be the protocol. Beingvigilant about even the smallest and seeminglyinsignificant changes can be extremely useful. Toprotect customers and employees from havingtheir financial or private information stolen, bothindustry and governments have implementedregulations with the intent of securing againstcommon cyber-attacks. To combat credit cardfraud, the Payment Card Industry created the DataSecurity Standard that requires merchants whoprocess credit cards to take specific measuresthat help protect against hacking attacks. TheEuropean Union, United Kingdom, United States,and Canada are among the governments that havealso instituted privacy acts meant to regulate howbusinesses protect their customer and employeedata from malicious hackers.In addition to the fees and legal ramifications thatcan come as a result of failing to comply with the3Automatic search atregular intervals forpotential flawsCollect results fromdifferent divisions and/orstakeholder groupsSystem Scans on a continuous basis66Report progress andcontinuously improve5Fix the most criticalissues first and developa priority list4Triage and analyzeresults on an ongoingbasisFigure 1, Continuous Diagnosis and Mitigation Framework

different regulations, hacking attacks can alsodamage a company’s reputation or brand to thepoint that they lose customers and revenue. Acompany who is in the news because they havebeen hacked is sure to lose the trust of even theirmost loyal customers. The same happens withweb sites that are identified as containing spamor malicious scripts. Once this is known, mostvisitors will stay away. A company’s brand, oncedamaged, may never be restored to its formerstatus. Despite the restoration of services at SonyPictures after the breach earlier this year, theSony brand continues to fall under scrutiny. Whilemonetary losses from the breach were significant,losses because of a damaged brand will continueto plague Sony for years.How to respond when abreach occursAs discussed above, managers and organizationsshould take preventative steps to avoid the risk ofa breach occurring. After spending time planning,spending money, and training employees,someone still manages to break through theorganization’s security measures? What do youdo now?! Once a breach has been discovered, theorganization should take the following immediatesteps to limit the breach.Step 2: Attempt to limit additionaldamageThe organization should take steps to keepan attack from spreading. Some preventativestrategies include: Re-routing network traffic Filtering or blocking traffic Isolating all or parts of the compromisednetworkStep 3: Record the detailsThe information security team should keep awritten log of what actions were taken to respondto the breach. The information that should becollected include: Affected systems Compromised accounts Disrupted services Data and network affected by the incident Amount and type of damage done to thesystemsStep 1: Survey the damageStep 4: Engage law enforcementFollowing the discovery of the breach thedesignated information security team membersneed to perform an internal investigation todetermine the impact on critical business functions.This deep investigation will allow the company toidentify the attacker, discover unknown securityvulnerabilities, and determine what improvementsneed to be made to the company’s computersystems.A major breach should always be reported to lawenforcement. The law enforcement agencies thatshould be contacted are: The Federal Bureau of Investigation (FBI) The U.S. Secret Service (USSS) The U.S. Immigration and CustomsEnforcement (ICE) The District Attorney State and Local law enforcementMany companies wait until after a security breachbefore contacting law enforcement, but ideally theresponse team should meet with law enforcementbefore an incident occurs. The preliminary7

discussions would help an organization know whento report an incident, how to report an incident,what evidence to collect and how to collect it. Oncethe incident is reported, the law enforcementagency may contact the media and ensure thatsensitive information is not disclosed.Step 5: Notify those affectedIf a breach puts an individual’s information at risk,they need to be notified. This quick response canhelp them to take immediate steps to protectthemselves. However, if law enforcement isinvolved, they should direct the company asto whether or not the notification should bedelayed to make sure that the investigation is notcompromised. The individuals are usually notifiedvia letter, phone, email, or in person. To avoidfurther unauthorized disclosure, the notificationshould not include unnecessary personalinformation.Step 6: Learn from the breachSince cybersecurity breaches are becoming a wayof life, it is important to develop organizationalprocesses to learn from breaches. This enablesbetter incident handling, should a company beeffected by a breach in the future. Some learningissues include: Document all mistakes Assess how the mistakes could have beenavoided Ensure training programs incorporate lessonslearntThe above responses to an event in progressshould not be a surprise. These reactions shouldbe rehearsed components of an organization’sCyber Incident Response Plan. Keep the plan up todate. Without a plan, confusion ensues and costlymistakes will likely be made. Working a plan willshow to law enforcement and the public that yourintentions are good and will likely reduce fallout.Ensure the plan calls out Key Assets. Have thoseresources at the ready. Identify tools and processesthat will be used and followed. Knowing yourindustry and what is valuable to your organization(or what is valuable to someone looking to exploityour resources) will allow you to understand theattacker’s intent and allow for proper assessmentof the threat and proper plan execution. Have apost-attack plan to ensure effective triage afterthe event. Use this plan to prioritize the effortsrequired to recover from a cyberattack, understandthe extent of the damage, and minimize furtherdamage. Close gaps in the environment and workthe plan in such a way that it prevents causingmore harm. Once again, document everything.Thorough documentation fosters credibility foryour organization, prevents repeats of mistakes,and produces confidence throughout theorganization. Figure 2 summarizes the responseprocess for a cyber security breach.How to respond to a breachA six step processSTEP 1STEP 2STEP 3STEP 4STEP 5STEP 6SurveyLimitRecordEngageNotifyLearnSurvey thedamageLimit additionaldamageRecord extentEngage withlawIdentifyaffectedpartiesDocumentlearning pointsIdentify theattackerFilter trafficFind effectsIsolate ectwith DistrictAttorneyNotify affectedpersonsEngage withFBI InfragardSeek legalcounselProactivelyensurelearningFigure 2, How to respond to a breach8

Best practices: How to beprepared for an intrusionCompanies should use good judgment in avoiding,preparing for and managing security events (evenpresumed events). History shows us a mixed bagof responses by major organizations. In Target’scase, during the 2013 attack where payment cardreaders were infected, much evidence points tonegligence by the retail giant. The retailer’s FireEyemalware detection product was found to beperfectly functional. In fact, the software found thesame malware infection on consecutive attacks.There is an assumption based on these facts thatTarget either did not know how to read the datathat the monitoring tools were reporting or thatthey intentionally neglected to report the breach.The net effect of either ignorance or negligencewas huge brand damage to the retailer and salesnumbers dropped for some time. Having anadequate response plan along with notifying lawenforcement an

An IBM study concluded that an average data breach costs about 3.52 to 3.79 million US . dollars and it keeps rising every year. 1. It is not just the dollar expense that matters in breach . encryption would make the data more secure, it may also render it less useful. The root of the iss