Cyber ID Sleuth Data Security Forensics
Post on 10-May-2015
Data Security Compliance AdvisorsCertified Identity Theft Risk Management Specialists
873 East Baltimore Pike #501Kennett Square, PA 19348
610-444-5295
www.BTR-Security.com
CyberID-Sleuth™ Data Security Forensics
Prepared by: Robert A. Listerman, CPA, CITRMS
Robert Listerman (Bob) is a licensed Certified Public Accountant (State of Michigan) and has over 30 years of experience as a process improvement business consultant. He graduated from Michigan State University and became a CPA while employed at Touche Ross & Co., Detroit, now known as a member firm of Deloitte & Touche USA LLP.
Bob added the Certified Identity Theft Risk Management Specialist (CITRMS) designation, issued by The Institute of Fraud Risk Management, in 2007. The designation recognizes his knowledge and experience in identity theft risk management. Today Bob focuses his practice on data security compliance. Over 50% of identity theft can be traced back to unlawful handling or mishandling of non-public data within the workplace.
Currently Bob serves his professional community as an active Board Member for the Institute of Management Accountants (IMA), Mid Atlantic Council “IMA-MAC.” He is currently serving as President of IMA-MAC (2011-2013). He is a regular seminar presenter for the IMA, the Pennsylvania Institute of CPAs (PICPA), and the Michigan Association of CPAs (MACPA). Bob serves on, and is a past chair of, the MACPA’s Management Information & Business Show committee, which serves over 1000 CPAs in attendance each year. He is Continuing Education Chair of the PICPA’s IT Assurance Committee.
Bob serves his local community as a member of the Kennett Township, PA Planning Commission and its Communications, Business Advisory, and Safety Committees. He is an active board member of the Longwood Rotary Club. He has served Rotary District 7450 as its Interact Club Chair (Rotary in High School) since 2010.
Past professional and civic duties include serving on the Board of Directors for the Michigan Association of Certified Public Accountants (1997-2000), past board member of the Delaware Chapter of the IMA and past Chapter president for the IMA Oakland County, Michigan (1994-1995).
www.linkedin.com/in/boblistermanidriskmanager/
A DATA BREACH OF “PII” IS DEFINED AS A FIRST NAME OR FIRST INITIAL AND LAST NAME, IN COMBINATION WITH ANY OF:
1 A Social Security Number
2 A Driver’s License Number or State-Issued ID Number
3 An Account Number, Credit Card Number or Debit Card Number, combined with any Security Code, Access Code, PIN or Password
A REAL “BREACH” IS ANY INTRUDER IN YOUR ENTERPRISE, WHATEVER THEY ARE AFTER:
4 Your Trade Secrets
5 Access to Your Servers by a “Hacktivist” Criminal
6 Whatever Is Important to Your Enterprise
When a hacker gets anyone’s credentials, it is easy to build a profile of that individual and gather still more information from social media sites.
From there they can spear-phish more information from the victim OR THEIR CONTACTS!
Examples of profile building follow:
LOST CREDENTIALS PUT YOU UNDER ATTACK
Name: Lucas Newman
Email: lnewman@firstrepublic.com
Hometown: Portland, Oregon
Occupation: Managing Director and Portfolio Manager
Hashed Password: 16b90b178faff0e3e2f92ec647b50b11
Extraction Date: 12/30/20XX
Extraction Type:
Hack Source:
Name: Robyn Mondin
Email: robyn.mondin@firstcitizens.com
Hometown: Asheville, North Carolina
Occupation: Mortgage Banker
Clear Password (as listed; the value is a 32-character hex digest, so it is a hash, not cleartext): 36f76603a2212c7fc6ff4fb8ec77a64c
Extraction Date: 12/30/20XX
Extraction Type:
Hack Source:
EVERY EMPLOYEE, PARTNER, AND SYSTEM IS A WEAK LINK
Name: Pat Grundish
Email: pat.grundish@53.com
Hometown: Englewood, Ohio
Occupation: Mortgage Loan Officer
Clear Password: p_grundish
Extraction Date: 8/13/20XX
Extraction Type:
Hack Source:

Name: Mandy Knerr
Email: mandy.knerr@53.com
Hometown: Huber Heights, Ohio
Occupation: Sr. Marketplace Loan Officer
Clear Password: m_knerr
Extraction Date: 8/13/20XX
Extraction Type:
Hack Source:
Note that both clear passwords are nothing more than the owner’s first initial and surname.
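The credential cards above, and their “password” fields in particular, are what a credential-monitoring feed hands you. The following is an added example (not the page’s or the vendor’s code) of how a practitioner would triage such a feed for one watched domain: keep only that domain, tell a hash from a cleartext password by its shape (a 32-character hex string is a digest even when the feed calls it a clear password), and flag cleartext passwords built from the owner’s own name, the p_grundish / m_knerr pattern. The record layout, the domain examplebank.test and every entry in SAMPLE_DUMP are constructed assumptions.

```python
"""Triage a leaked-credential feed for one watched corporate domain.

Added example, not the page's or the vendor's code.  The record layout
(email, password field, extraction date) mirrors the profile cards above;
every entry in SAMPLE_DUMP and the domain examplebank.test are constructed.
"""
import re
from dataclasses import dataclass

# Digest lengths (hex) that betray an unsalted hash rather than a typed password.
HEX_HASH_LENGTHS = {32: "md5-length", 40: "sha1-length", 64: "sha256-length"}


@dataclass
class Record:
    email: str
    password_field: str   # whatever the feed labelled "password", hash or clear
    extracted: str


# Constructed sample feed (assumption: same fields as the cards above).
SAMPLE_DUMP = [
    Record("j.doe@examplebank.test", "0123456789abcdef0123456789abcdef", "12/30/20XX"),
    Record("pat.sample@examplebank.test", "p_sample", "8/13/20XX"),
    Record("lee.park@examplebank.test", "$2b$12$abcdefghijklmnopqrstuv", "8/13/20XX"),
    Record("someone@other.test", "hunter2", "8/13/20XX"),
    Record("r.lowe@examplebank.test", "Tr0ub4dor&3", "8/13/20XX"),
]


def classify_password_field(value):
    """Say whether a feed's 'password' column is really cleartext.

    A 32/40/64-character hex string is a digest, not something a user typed,
    even when the feed labels it "Clear Password"; modular-crypt prefixes
    ($2b$, $6$, $argon2...) are hashes too.  Anything else is treated as clear.
    """
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HEX_HASH_LENGTHS:
        return "hashed:" + HEX_HASH_LENGTHS[len(v)]
    if v.startswith(("$2a$", "$2b$", "$2y$")):
        return "hashed:bcrypt"
    if v.startswith(("$argon2", "$5$", "$6$", "$pbkdf2")):
        return "hashed:modular-crypt"
    return "cleartext"


def derived_from_identity(email, password):
    """True when a cleartext password is built from the owner's own name
    (the p_grundish / m_knerr pattern).  Name parts shorter than three
    characters are ignored so a lone initial does not trigger a match."""
    local = email.split("@", 1)[0].lower()
    parts = [p for p in re.split(r"[._-]+", local) if len(p) >= 3]
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    return any(p in normalized for p in parts)


def triage(dump, watched_domain):
    """Keep only records for watched_domain and rate each one.

    Cleartext is rated critical (usable immediately, and reusable wherever
    the owner repeated it); a hash is rated high (crackable offline).
    """
    findings = []
    for rec in dump:
        if rec.email.lower().rsplit("@", 1)[-1] != watched_domain.lower():
            continue
        kind = classify_password_field(rec.password_field)
        clear = kind == "cleartext"
        findings.append({
            "email": rec.email,
            "password_kind": kind,
            "name_derived": clear and derived_from_identity(rec.email, rec.password_field),
            "severity": "critical" if clear else "high",
            "extracted": rec.extracted,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DUMP, "examplebank.test"):
        print(finding)
```

Run against the two 53.com cards above, derived_from_identity flags both passwords; run against the two hex “passwords”, classify_password_field reports md5-length hashes, which is why those two entries belong in the “force a reset and check for reuse” queue rather than the “log in and confirm” queue.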
STOLEN CREDENTIALS REPEATEDLY USED TO BREACH FINSERV
16 financial services institutions publicly reported a data breach in 2012, totaling 1.1M breached records.
We harvested 6 credentials belonging to Independent Capital Management in December 2011.
As recently as 4/1/2013, we had found a total of 1,688 Citi credentials.
February 22, 2012: An unauthorized party misused Accucom credentials to make fraudulent $1.00 charges
March 2, 2012: A user ID assigned to Independent Capital Management was used to access consumer credit reports
March 13, 2012: A hacker logged onto Citi’s credit card online account access system using user IDs and passwords
October 29, 2012: Hackers used stolen employee credentials to hack Abilene Telco, resulting in the theft of 847 credit reports
THE LONG-TERM EFFECTS OF LOST CREDENTIALS
2005: An employee of a Kansas City investment bank registers for the free Stratfor newsletter
December 2011: Stratfor becomes aware of its breach
January 2012: Stratfor initiates a massive breach response, including removing all related data from the Web
February 2013: A hacktivist group identifies the credential/password combination that still accesses the investment bank’s webmail
February 2013: The hacktivist group publishes the investment bank’s client information on its own home page
It took nearly eight years to feel the full effect of one reused password.
Over 300,000 individuals had their personal information leaked: credit card numbers, addresses, phone numbers, and more.
The employee used the same password for the Stratfor newsletter as for the investment bank’s webmail account.
MULTIPLE VECTORS OF ATTACK RESULT IN BREACHES
(Diagram: “Data Breaches” at the center, fed by Point of Sale Systems, Web, Mobile, Lost/Stolen Device, FTP, Cloud Services, Employees, Hacking, and Social Media)
THREE PRIMARY CAUSES DRIVE DATA BREACHES
(Diagram: “Data Breaches” driven by Monetization, Negligence, and Ego)
USA Breaches*
867,525,654* records known to have been breached in the USA!
* From 2005 to June 11, 2014. Source: http://www.PrivacyRights.Org
PROVIDING VISIBILITY BEYOND THE IT WALLS
IT Administrators harden their networks by building walls with anti-virus software to keep out the bad guys.
The Problem is that 76,000 new malware strains are released into the wild every day.
The Problem is that 73% of online banking users reuse their passwords for non-financial websites.
The Result is that anti-virus software can’t keep up and the bad guys are already inside your walls.
STOLEN CREDENTIALS EXPOSE YOU TO UNKNOWN RISK
30,000: the number of new malicious websites created every day (1)
80%: of breaches that involved hackers used stolen credentials
14%: of data breaches were due to employees using personal email accounts (2)
76%: of network intrusions exploited weak or stolen credentials (2)
SOURCES: 1. Sophos, 2012; 2. Verizon Data Breach Investigations Report, 2013
MALWARE EVADES TRADITIONAL ANTI-VIRUS SOFTWARE
200,000 – 300,000: the estimated number of new viruses discovered each day (1)
52%: of malware in a recent study focused on evading security (2)
24.5%: antivirus software’s average detection rate for e-mail based malware attacks (3)
40%: of malware samples in a recent study went undetected by leading antivirus software (2)
SOURCES: 1. Comodo Group, 2012; 2. Palo Alto Networks, 2013; 3. Krebs on Security, 2012
DO YOU KNOW WHAT THESE ARE? "automatedtest", "automatedtester", "bagle-cb", "c_conficker", "c_confickerab", "c_confickerc", "c_pushdo", "c_trafficconverter", "c_zeroaccess", "childpredator", "citadel", "condo", "cutwail", "d_tdss", "darkmailer", "darkmailer2", "darkmailer3", "darkmailer4", "darkmailer5", "deai", "esxvaql", "fakesendsafe", "festi", "fraud", "gamut", "gheg", "grum", "hc", "kelihos", "lethic", "maazben", "malware", "manual", "mip", "misc", "netsky", "ogee", "pony", "relayspammer", "s_kelihos", "s_worm_dorkbot", "sendsafe", "sendsafespewage", "slenfbot", "snowshoe", "spamaslot", "spamlink", "spamsalot", "special", "spyeye", "ss", "synch", "w_commentspammer", "xxxx", "zapchast", "zeus"
They are the labels of botnet and malware families (Conficker, Citadel, Cutwail, Kelihos, Pony, SpyEye, Zeus and the rest) as they appear in botnet sinkhole and spam blocklist feeds. Prewritten malware code for such families is available to hackers, who modify it just enough to get through your security.
CASE STUDY: Sony PlayStation® Network
April 19, 2011: Sony discovers its network had been compromised but did not announce anything
April 20, 2011: Sony closed down the network but did not disclose what it already knew
April 22, 2011: Sony reveals that an “external intrusion” caused the network outages
April 26, 2011: Sony released a detailed account of the incident and revealed for the first time that PII was leaked
April 29, 2011: Sony shares drop 4.5% and the company reveals 2.2 million credit card numbers were stolen
March 2014: Sony is still attempting to resolve issues from the 50+ different class action lawsuits brought against it
Current estimates of the total financial impact to Sony: $171 million
Sony provided affected individuals with 12 months of identity theft protection and insurance coverage
100M user accounts compromised, exposing Full Name, Address, Phone Number, Date of Birth, Credit Card Number, User Name, and Password
CASE STUDY: Target Corporation
Nov. 27 – Dec. 15, 2013: Hackers execute an extended attack against Target’s point-of-sale system
Dec. 18, 2013: News of the breach is reported by the data and security blog KrebsOnSecurity
Dec. 20, 2013: Target acknowledges the breach, saying it is under investigation
Dec. 21, 2013: JP Morgan announces it is placing daily spending caps on affected customer debit cards
Dec. 22, 2013: Customer traffic drops over the holiday season, resulting in a 3-4% drop in customer transactions
Jan. 10, 2014: Target lowers its fourth-quarter financial projections, saying sales were “meaningfully weaker-than-expected”
Current estimates of the total financial impact to Target: $200 million
Target provided affected individuals with 12 months of identity theft protection and insurance coverage
110M user accounts compromised, exposing credit and debit card numbers, card verification numbers (CVN/CVV), names, home addresses, e-mail addresses and/or phone numbers
“Ongoing forensic investigation has indicated that the intruder
stole a vendor's credentials which were used to access our system.”
Molly Snyder, Target Corporation
January 2014
Email Attack on Vendor Set Up Breach at Target*
* Source: http://krebsonsecurity.com/
The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.
KrebsOnSecurity reported that investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa.
ANATOMY OF A SPEARPHISHING ATTACK
1 Target Victim
2 Install Malware
3 Access Network
4 Collect & Transmit Data
5 Breach Event
THE PROFILE OF AN ATTACKER
The malware used to hack Target’s POS system was reportedly written by a Ukrainian teen
• Andrey Hodirevski from southwest Ukraine is suspected of carrying out the attack from his home
• The card details that were stolen were sold through his own forum as well as other communities
• CyberID-Sleuth™ investigated the breach when it occurred and was able to verify various discussions and identifiers pointing to this suspect
Definition
An Internet service provider (ISP, also called Internet access provider) is a business or organization that offers users access to the Internet and related services.
Source: http://en.wikipedia.org/wiki/Internet_service_provider#Access_providers
a.k.a: the “CLOUD”
The Internet (“Web”) Topology
Can you identify what these numbers are?
IP Tracer Source: http://www.ip-adress.com/ip_tracer/
A device whose IP address shows up talking to a command-and-control server is already running botnet malware under the hacker’s control: that device has been breached!
CyberID-Sleuth™ PROVIDES MORE THAN AUTOMATED ALERTS
Credential Monitoring: identifying email addresses from a corporate domain that have been hacked, phished, or breached
IP Address Scanning: identifying devices in a corporate network connected to a known malware command-and-control server
Doxing awareness and hacktivist activity monitoring
Locating the individuals and exchanges involved in intellectual property theft
Monitoring of hacks, exploits against networks, glitches, leaks, and phishing/keylogging
Identification of communities targeting brands, networks or IP addresses
Identification of intellectual property distribution
Identification of individuals posing a risk to any IP address
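IP address scanning as described above comes down to matching your own connection and DNS logs against command-and-control indicators. The following is an added example (not the page’s or the vendor’s code) of that detection over constructed log lines: a first pass learns any address that a C2 domain resolved to, a second pass attributes connections and lookups to internal source hosts only. The only indicator taken from the page is the C2 domain matphlamzy.com from the Zeus case study that follows; the log format, the internal ranges, the address 203.0.113.10 and every line of SAMPLE_LOG are assumptions.

```python
"""Match connection/DNS log lines against command-and-control indicators.

Added example, not the page's or the vendor's code.  The only indicator taken
from the page is the C2 domain matphlamzy.com; the IP 203.0.113.10, the log
format, the internal ranges and every line of SAMPLE_LOG are assumptions.
"""
import ipaddress
import re

C2_DOMAINS = {"matphlamzy.com"}          # from the page's Zeus case study
C2_IPS = set()                           # none given on the page; learned from DNS below
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log: "<timestamp> <kind> key=value ...", one event per line.
SAMPLE_LOG = """\
2014-03-12T02:40:11Z conn src=10.20.30.41 dst=203.0.113.10 dport=80 proto=tcp
2014-03-12T02:40:12Z dns  src=10.20.30.41 query=matphlamzy.com answer=203.0.113.10
2014-03-12T02:41:05Z conn src=10.20.30.77 dst=93.184.216.34 dport=443 proto=tcp
2014-03-12T02:42:00Z dns  src=10.20.30.58 query=updates.matphlamzy.com answer=203.0.113.10
2014-03-12T02:43:30Z conn src=192.0.2.9 dst=203.0.113.10 dport=80 proto=tcp
"""


def parse_line(line):
    """Split one event into a dict of its key=value fields plus ts and kind."""
    ts, kind, rest = line.split(None, 2)
    fields = dict(KV_RE.findall(rest))
    fields.update(ts=ts, kind=kind)
    return fields


def is_internal(ip):
    """True for addresses inside the organization's own ranges.  An explicit
    list is used rather than ip_address().is_private, which also covers
    documentation and test ranges such as 192.0.2.0/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def domain_matches(name, domains):
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def find_c2_talkers(log_text, c2_domains=C2_DOMAINS, c2_ips=C2_IPS):
    """Return {internal_host: [reasons]} for hosts that touched C2 infrastructure."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    known_ips = set(c2_ips)
    # Pass 1: any address a C2 domain resolved to is itself an indicator, so a
    # connection logged before the DNS answer is still caught in pass 2.
    for e in events:
        if e["kind"] == "dns" and domain_matches(e["query"], c2_domains):
            known_ips.add(e["answer"])
    # Pass 2: attribute hits to internal source hosts only.
    hits = {}
    for e in events:
        if not is_internal(e["src"]):
            continue
        reason = None
        if e["kind"] == "conn" and e["dst"] in known_ips:
            reason = "conn:{}:{}".format(e["dst"], e["dport"])
        elif e["kind"] == "dns" and domain_matches(e["query"], c2_domains):
            reason = "dns:{}".format(e["query"])
        if reason:
            hits.setdefault(e["src"], []).append(reason)
    return hits


if __name__ == "__main__":
    for host, reasons in find_c2_talkers(SAMPLE_LOG).items():
        print(host, reasons)
```

The two-pass structure is the point: a single streaming pass would miss the 02:40:11 connection because the DNS answer that ties 203.0.113.10 to the C2 domain is only logged a second later. Subdomain matching catches updates.matphlamzy.com without also matching an unrelated notmatphlamzy.com.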
CyberID-Sleuth™ IDENTIFIES AND PROVIDES EARLY WARNING AT TWO POINTS
CyberID-Sleuth™ scours botnets, criminal chat rooms, blogs, websites and bulletin boards, peer-to-peer networks, forums, private networks, and other black market sites 24/7, 365 days a year
CyberID-Sleuth™ harvests 1.4 million compromised credentials per month
Dark web: CyberID-Sleuth™ identifies your data as it reaches criminal command-and-control servers, collecting from multiple geographies that a single national IP address cannot access
CyberID-Sleuth™ harvests 7 million compromised IP addresses every two weeks
REMEMBER WHAT THESE ARE? (the same list of botnet and malware family names shown earlier, "automatedtest" through "zeus"; Zeus is the family in the case study that follows)
CyberID-Sleuth™ CASE STUDY: ACTUAL CREDENTIAL DATA
Zeus infection targeted at multiple entities within the hotel industry in India
CyberID-Sleuth™ identified a targeted Zeus campaign which appears to have been focused on and distributed to hotel chains, mainly within the India region. The attack in question caused active compromises of a number of systems.
CyberID-Sleuth™’s main focus is the type of data often held within reservation and other hotel systems. Personal information such as credit card data, as well as passport scans or copies, is often held on hospitality systems, and the data identified next highlights that these same systems were compromised and under the direct control of malicious actors.
CyberID-Sleuth™ IDENTIFIES ACTUAL MALWARE VARIANT
Infection Type: Zeus Infection - V2.1
Payload: Theft of all credentials, key logging of all data, remote access to devices
Total Infection Count: 487
Total Credential Count: 12894 (including duplicates)
Command and Control (C2) Domain: matphlamzy.com
CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA
bwstarhotel.com - 111.68.31.202
,('92', 'RSV1_E532648A3D69E5DE', '-- default --', '33619969', '', '', '1394590108', '7557047', '0', '±\0\0', '1033', 'C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE', 'RSV1\\owner', '101', 'pop3://reservation@bwstarhotel.com:starrsv1*@116.251.209.92:110/', '111.68.31.202', 'ID', '1394590104')
The data extracted and listed here relates to valid and legitimate accounts which were still active. These are not passwords taken from breach events or other untrusted sources. They were taken directly from devices that were still infected/compromised!
CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA
bwmegakuningan.com - 139.0.16.90
('447', 'USER-PC_E532648A9824115F', '-- default --', '33619969', '', '', '1394593039', '162643491', '0', '±\0\0', '1033', 'C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE', 'user-PC\\user', '101', 'pop3://reservation@bwmegakuningan.com:79r2mz5xrx@116.251.209.92:110/', '139.0.16.90', 'DE', '1394593037')
CyberID-Sleuth™ IDENTIFIES ACTUAL CREDENTIAL DATA
townsquare.co.id - 180.250.172.36
('453', 'RESERVATION_1F3D59E96522DF69', '-- default --', '33619969', '', '', '1394592970', '14267024', '0', '± \0', '1033', 'C:\\Program Files (x86)\\Microsoft Office\\Office12\\OUTLOOK.EXE', 'TSPDC\\vitha', '101', 'pop3://reservation.seminyak@townsquare.co.id:tsbali1234@103.31.232.210:110/', '180.250.172.36', 'ID', '1394593095')
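The three records above are rows from the bot’s stolen-credential database, with the mailbox password embedded in a pop3:// URL. The following is an added example (not the page’s or the vendor’s code) of parsing such rows into a summary that can be handed to the affected hotel without re-distributing the password: which machine, which local user and process, which mailbox, which mail server, and when. The field positions (process path at index 11, local user at 12, credential URL at 14, victim IP at 15, country at 16, timestamp at 17) are inferred from the records shown and are an assumption; SAMPLE_ROW is constructed with placeholder values, including a password containing ‘@’ to show why the host must be split off at the last ‘@’.

```python
"""Parse stealer-log rows like the ones above into a redacted summary.

Added example, not the page's or the vendor's code.  Field positions are an
assumption inferred from the records on this page: 11 = process path,
12 = local Windows user, 14 = credential URL, 15 = victim IP, 16 = country,
17 = unix timestamp.  SAMPLE_ROW is constructed with placeholder values.
"""
import re
from datetime import datetime, timezone

# One single-quoted field; a backslash escapes the next character, so the
# doubled backslashes in C:\\Program Files and the \0 bytes survive intact.
FIELD_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")

# Constructed row in the page's layout; the password deliberately contains '@'.
SAMPLE_ROW = (
    "('501', 'FRONTDESK_0123456789ABCDEF', '-- default --', '33619969', '', '', "
    "'1394592000', '7557047', '0', '±\\0\\0', '1033', "
    "'C:\\\\Program Files\\\\Microsoft Office\\\\Office14\\\\OUTLOOK.EXE', "
    "'FRONTDESK\\\\clerk', '101', "
    "'pop3://reservation@example-hotel.test:S3cret!pa@ss@203.0.113.10:110/', "
    "'198.51.100.7', 'ID', '1394592000')"
)


def split_fields(row):
    """Return the quoted fields of one row.  Anything outside the quotes (the
    leading comma some rows carry) is ignored; a doubled backslash collapses
    to one so Windows paths come out as they were on the victim."""
    return [m.replace("\\\\", "\\") for m in FIELD_RE.findall(row)]


def parse_credential_url(url):
    """Split scheme://user:password@host:port/ into its parts.

    The host is split off at the LAST '@' because the user part is itself an
    e-mail address and the password may contain '@'; user and password are
    split at the FIRST ':' because the password may contain ':'.
    """
    scheme, _, rest = url.partition("://")
    rest = rest.rstrip("/")
    userinfo, _, hostport = rest.rpartition("@")
    user, _, password = userinfo.partition(":")
    host, _, port = hostport.partition(":")
    return {"protocol": scheme, "account": user, "password": password,
            "server": host, "port": int(port) if port else None}


def summarize(row):
    """Reduce one row to what the affected organization needs in order to act.
    Only the password's length is kept, never the secret itself."""
    f = split_fields(row)
    if len(f) < 18:
        raise ValueError("unexpected row layout: %d fields" % len(f))
    cred = parse_credential_url(f[14])
    seen = datetime.fromtimestamp(int(f[17]), tz=timezone.utc)
    return {
        "victim_ip": f[15],
        "country": f[16],
        "local_user": f[12],
        "process": f[11].rsplit("\\", 1)[-1],
        "protocol": cred["protocol"],
        "account": cred["account"],
        "server": "{}:{}".format(cred["server"], cred["port"]),
        "password_len": len(cred["password"]),
        "seen_utc": seen.strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ROW))
```

Fed the page’s own first record, split_fields returns the same 18 fields (the leading comma is ignored) and its timestamp 1394590104 decodes to 2014-03-12 02:08:24 UTC, consistent with the March 2014 campaign. The process name matters operationally: OUTLOOK.EXE on a host named RESERVATION or RSV1 means the bot was reading a mail client’s stored POP3 login, so resetting the mailbox password without cleaning the host just feeds the bot the new one.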
CyberID-Sleuth™ CASE STUDY: ANATOMY OF THE FINDINGS
Q. How many credit cards were captured?
Over 257 unique credit cards were stolen during the attack. CyberID-Sleuth™ identified the botnet, which was made up of infected devices.
Q. Specifically, what data did it steal and report back that you could see?
CyberID-Sleuth™ could see EVERYTHING that was entered on a user’s device or saved as a password or credential.
Q. How much did this breach cost the client?
No “price” can be put on the damage caused to a victim after a fraudster has stolen their credentials. The data stolen would allow the fraudster access to internal systems, either via the stolen credentials or via backdoor access to affected systems.
CyberID-Sleuth™ CASE STUDY: ANATOMY OF THE FINDINGS (continued)
Q. What data about the attacker were we able to find?
Limited details. Information about the attackers is not shared with clients unless the attack was directed at them, and is otherwise shared only with US and UK law enforcement.
Q. How did the authorities use the data to capture the intruders?
The individual responsible for running the botnet in question is so far still at large.
CyberID-Sleuth™ Credential Monitoring Demo * (Tier I)
* Let us see if your credentials are for sale, at no obligation
A STANDARD RESPONSE TIMELINE SHOULD BE FOLLOWED
Plan ahead by forming a Breach Response Plan
Incident Detection / Discovery (Assessment Efforts):
Initial internal reporting, notifications, and security triage of the “event”
Activate technical / security-focused breach response team processes and procedures based on the Data Breach Plan
Determine total scope of event, size of affected population, type of data lost or compromised, and the necessary legal and industry-specific guidelines
Implement Breach Response Plan
Incident Notification & Resolution (Remediation Efforts):
Determine the organization’s public response plan (including notification type, verbiage, and remediation offering, if any)
Prepare internal and external communication plan & copy
Contact and/or activate contract with Data Breach Remediation Vendor
Establish internal or third-party communication channel to affected population
Coordinate breach notification copy and distribution with Breach Remediation Vendor
Notification capabilities go live
Internal and external communication of event, reaction, and remediation
CyberID-Sleuth Tiers II & III
THE COSTS OF A DATA BREACH ARE VARIED
• Detection or Discovery—”Activities that enable a company to reasonably detect the breach of personal data either at risk (in storage) or in motion”
• Escalation—”Activities necessary to report the breach of protected information to appropriate personnel within a specified time period.”
• Notification—physical mail, e-mail, general notice, telephone
• Victim Assistance—card replacement, credit monitoring offer, identity theft protection offer, access to customer service representatives
• Churn of existing customers / personnel
• Future diminished acquisition of customers or employees
RECOMMENDATIONS TO REDUCE DATA BREACH EXPOSURE & COSTS
• Promote employee data management training & education
• Require the GC / CISO and their teams to understand industry, state, federal, and event-specific data breach response guidelines and recommendations
• Establish an internal data breach response plan and process flow
• Prior to a data breach event, contract with a data breach remediation, notification, and/or forensics provider
• Utilize and maintain available data loss prevention technologies such as CyberID-Sleuth™
• Require advanced encryption and authentication solutions to be in place across the organization
• Contractually require vendors who manage data from your organization to notify you if they incur a breach of any data
• Support enactment of legislation that clearly dictates rules and guidelines for organizations to follow in advance of, and following, a data breach event
Take this 20 Question Assessment to Score Your Risk Level
Give us a call and we can even do this over the phone!
1. Remember to ask us for a no-obligation credential search for your enterprise
2. Allow us to give you your 20 Question Assessment Score on your risk level
Email your questions to CyberIDSleuth@BTR-Security.com, or write to request the two no-obligation services mentioned above