Threat Landscape Advisories
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
February 2015

We live in a time where hackers are active and high profile data breaches are making headlines. Employees want to know what they can do to protect their company. This article provides techniques to create advisories that help prevent business impact.

Relevance

Advisories should be tailored to the audience. Be mindful of the type of data at risk and the span of control of your employees and contractors. The topic of each advisory should be a real-world event that had business impact. Draw on published news coverage for content, to save effort. Provide a reference link at the bottom of the message.

The Subject line must be tailored to attract the reader's attention. Use a format similar to this example:

Subject: Threat Landscape: Massive breach at a health care company

Use a 'Commentary' section to provide a synopsis of the event. Tie back to why it should matter from a business perspective.

Data Breach
Commentary: The hackers stole the crown jewels of customer information. Names, birthdays and social security numbers can harm customers through fraud and the pain of recovering from identity theft. E-mail addresses can be used to conduct phishing campaigns under the company's brand, resulting in further compromises and damage to customers. Income data can be used to focus attacks on affluent customers.

The company is incurring costs of an incident response firm, legal fees, unfunded remediation efforts, credit monitoring and identity theft protection. The breach may result in a class-action lawsuit. There will be expense associated with lost customers and increased regulatory oversight. The FTC will likely cite the company for unfair or deceptive trade practices, along with a fine. The FTC also typically requires independent privacy assessments for 20 years. In aggregate, the damage to the company will be significant.

Change Management
Commentary: An e-mail glitch at a health insurer put the names of medical tests in the subject line of messages to customers. This was an obvious failure of change management. One of the customers forwarded the e-mail to Reuters. It became national news as a result. Customers are bound to be embarrassed by having colonoscopy or mammogram mentioned in the subject line. They are also likely to wonder if their personal information is safe.

Recommendations

There is exposure wherever enterprise processes rely upon employees or contractors. Use a 'Preventive Controls' section to provide practical recommendations, where the company relies on the audience for support. The content should speak to how the event could have been prevented.

Data Breach
Preventive Controls:

* Adherence to security standards and support of controls is key
* Document where customer data is stored, processed and transmitted within system records
* Restrict access to data on a need-to-know basis (users and applications)
* Identify and remove sensitive data from applications
  - Remove sensitive information that is not needed
  - Replace SSNs or payment card numbers with another unique identifier (e.g. customer number)
  - Truncate SSNs or payment card numbers, storing only a portion of the digits
* Ensure assessments and scans are conducted annually and within projects
* Harden applications against attack, leveraging OWASP secure coding guidance
* Remediate known security issues with a sense of urgency
* If you discover a security issue, notify Information Security

Change Management
Preventive Controls:

* Open a record for each technology change
* Communicate changes to affected parties (e.g. owners of upstream and downstream applications)
* Proactively evaluate and address the risk of changes (e.g. using Failure Mode and Effects Analysis)
* Establish thorough Quality Assurance and User Acceptance tests for new applications
* Update tests as new features and functionality are developed
* Confirm testing has completed successfully when timelines are condensed and the release is near
* Leverage project checklists to account for regression and security testing
* Confirm there is no impact once changes are implemented in production

Variation

The threat landscape is dark, given the trend of high profile data breaches. Therefore, there is a natural tendency to focus on cyber security. Ensure advisories contain additional risk scenarios that can impact business such as business continuity and disaster recovery failures, fraud and privacy events. Consider data management topics such as the need for metadata, data validation and data retention.

It is important to vary the subject of each advisory. Otherwise, the audience will lose interest and there will be a high abandonment rate.

Keep an index of archived messages that records the topic of each advisory, for example:

TA #   | Title                                    | Topic
TA-001 | Dominos Pizza Breach                     | Theft of customer records (full names, addresses, phone numbers, e-mail addresses and passwords)
TA-002 | AT&T Insider Data Breach                 | An insider data breach exposes customer birth dates and social security numbers
TA-003 | Code Spaces Out of Business              | A company goes out of business following a cyber attack that erased data and backups
TA-004 | Israeli Defense Firms Hacked             | A phishing e-mail begins an attack that results in disclosure of intellectual property
TA-005 | Rescind Access of Terminated Employees   | Login credentials of an inactive employee were used to access Personally Identifiable Information (PII)
TA-006 | Hospital Network Hacked                  | Hackers stole data of 4.5 million patients

Time to Market

Time to market must be quick. People are curious about breaking news. That is part of 'the hook' (what gets them to read the e-mail). Make an effort to send each advisory the same day the event is announced.

Rate of Occurrence

Send advisories whenever a significant event occurs. That could be one in a month or two in a week.

Distribution

Send to a targeted audience. Update the distribution with anyone else in the organization that wants to be added (opt-in). Host archived messages on SharePoint.

Sources

Learn of new incidents or data breaches by monitoring several information security sources. Subscribe to RSS feeds and view them with a news reader application such as Feedly.com.

* Ars Technica >> Risk Assessment
* CSO Online News
* Dark Reading: Attacks/Breaches
* Forbes - Security
* Threatpost | The first stop for security news

Configure Google Alerts to search the Internet for 'Compromised OR breached OR hacked' with results sent daily by e-mail. Subscribe to CNN Breaking News Alerts.

Reinforcement

Expand beyond e-mail to provide threat advisories within briefings. Leverage advisory content in a monthly executive update and within awareness presentations to your organization.

There is an old expression, 'Never let a crisis go to waste'. Advisories are an important tool to defend against modern cyber-attacks. Leverage the power of your people.

About the author: Gideon T. Rasmussen is a Charlotte-based Information Security Risk Manager with over 15 years' experience in corporate and military organizations. His website is www.gideonrasmussen.com. The opinions expressed here are those of Gideon Rasmussen and do not necessarily represent those of his current or past employers.

[i] "Hospital network hacked, 4.5 million records stolen", CNN Money, Jose Pagliery
[ii] "WellPoint email glitch puts colonoscopy test in the subject line", Reuters, Caroline Humer and Christina Farr
[iii] "Health Insurer Anthem Struck By Massive Data Breach", Forbes, Gregory S. McNeal

Originally published by RiskCenter (February, 2015)