How to Regain Trust After a Data Breach

Data breaches come with a hefty price tag – from IT costs to notification expenses, insurance premiums and operational down time, organizations are very often faced with a financial crisis that can take years to overcome. Shaken consumer confidence only amplifies the hurt.

When Equifax announced that they had suffered a data breach in 2017 (along with the fact that the personal information of more than 147 million customers had been compromised) the public was rightfully enraged. They had trusted the consumer credit agency to protect their data and it was shocking to see a well-known enterprise fail – and on such a massive scale.

Immediately following the incident, a YouGov survey showed that Equifax’s public perception took a serious hit, not to mention an 18% loss in stock price. At the time, the company’s Buzz Metric fell to negative 34 – meaning most people had only heard adverse things about the company.

According to some reports, the fallout was so bad, it even negatively affected the perceptions of other credit rating agencies such as Experian and TransUnion despite the fact they were never breached. As a result of a growing trend around mega breaches like Equifax, Moody’s announced a new rating to evaluate the cyber risk of a company.

Timely Communication

Over the last year, Equifax has worked to regain the trust of the American people and their efforts are starting to pay off. Last month, Equifax’s public opinion metric was around negative 2 – about where it was pre-breach. How did they orchestrate such a turnaround despite some very public pitfalls along the way? Good, timely communication.

Immediately following the breach news, Equifax CEO Richard Smith issued an official apology and then stepped down. The new, interim CEO then made a series of additional apologies and introduced a free, self-service portal that gives customers more control over their own data, though that too has had its own set of issues that the company has also had to remediate. With last week’s House Oversight Committee report that called the Equifax breach ‘preventable,’ the company’s leadership team again has more damage control to do.

From Home Depot to Nordstrom and countless other data breaches, post mortems often show quick, transparent communication is a key ingredient in maintaining credibility and rebuilding trust in the eyes of stakeholders.

Data Breach Prevention

For Equifax and other companies who must deal with the fallout of a data breach, the NIST Cybersecurity Framework can be a guide to response best practices. It was designed to safeguard organizations and the data they hold with 5 pillars: identify, protect, detect, respond and recover. The fourth, Respond, outlines the implementation of three required elements for an effective data breach response:

  1. Response planning
  2. Communication
  3. Analysis

While recovering from a data breach can mean months – sometimes years – worth of work, responding with clear communication, an incident response plan and post event analysis can help an organization get back to business.

For more on how to use the fourth pillar, Respond, watch this video below. And you while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:

Hi! Josh here from Absolute. Today’s video is all about the Respond pillar of the NIST Cybersecurity Framework.

Think of the term ‘efficient’ as doing things right, while ‘effective’ should be thought of as doing the right things. We need both. And nestled inside this section are focus areas for improving effectiveness and efficiency.

It starts with Response Planning.

I know, I know. The famous quote from Mike Tyson: “Everyone has a plan until they get punched in the face”. But when you think about it, even world champion boxers will train, simulate, and spar to plan for what happens after the punch.

A good place to start your response planning is to return to the five questions: What could happen? What should happen? What would happen? What is happening? What did happen? Each of these questions demands answers; and those answers become the foundation of the response plan.

Next is Communication.

Marketing and advertising teams will often lean on ‘style guides’ to have consistent tone, voice, and terminology for any outbound communications.

It was only when I saw this same style implemented by IT and security teams that I realized good ideas are not imprisoned in the place of birth.

Then comes, Analysis. A detailed examination of something; leading to interpretation and sharing. That’s the definition of analysis. We’ll talk more about root-causes and forensics in the next episode. For now, to win at the NIST framework, and response effectively, we need to direct analysis toward recover. Which is the effect we’re going for in the first place, so… effectiveness.

This helps to prevent the incident expansion, and mitigate its effects. Because if we analyze where something is, and where it is going, we can stop it dead it its tracks.

Finally… NIST call for us to eradicate the incident. Returning resources back to a state of cyber hygiene.

These are just some of NIST’s timely advisories to level-up incident response. When you plan, communicate, analyze, and mitigate you naturally improve, in both, effectiveness and efficiency.

Happy holidays everyone. We’ll see you again after the calendar rolls over into 2019 where we will wrap up with the final pillar of NIST.

‘Tis the Season for Predictions – Part Two

Just before the Thanksgiving holiday, I posted a few predictions on what 2019 will bring for the security industry. Now that year-end is quickly approaching and with it, more chances to eat, drink and be hacked, I’d like to share what I think we will see more of next year across our ever-expanding threat landscape.

1. More social engineering will make social media increasingly anti-social

The hodgepodge of social media accounts has diminished individual persons into particles of data we call ‘personal information.’ State-based cyber warfare will likely continue their focus on direct heist and disabling services, while your run-of-the-mill organized crime will increase their activities, all while using social media.

After page scraping, account hacking, brute force attacks and exfiltrations, cybercriminals will develop composite profiles that will fool the account authentication mechanisms of social media platforms into thinking they’re real people. This will level-up the tactic of social engineering and, initially, there will not be an answer to prevent it.

2. Cybercriminals’ focus will start to shift from stealing data to manipulating data

For most of its history, the discipline of cybersecurity has had an outsized focus on the ‘C’ of the data CIA triad—confidentiality, integrity, availability. But as insights-driven organizations continue to depend on data for decisions and progress, that data’s integrity will take center stage in 2019.

Approximately 85% of cyberattacks are detected when the invader attempts to lift valuable information from the victim’s coffers.

The economic incentives for thievery are significant, paired with a simple business model: steal data, sell it on the Dark Web. But goals are extraneous to tactics. If the goal is financial reward, selling stolen data has become a commoditized market. Cybercriminals will start to shift to manipulating data, to change decisions, to get a desired outcome, to leverage and call options on a company’s stock.

Corrupt the data, corrupt corporate performance, deceive shareholders and institutional investors, rake in the cash.

3. Expect more insider threats as individuals’ technical capabilities rise

During the past 10-15 years, technical progress outpaced the average person’s ability to master it all. But our generational turnover has changed how the general population thinks about technology.

University Liberal Arts programs are collapsing, funding for humanities research is constricted, and the next cohort of would-be scholars are steering their futures toward the technical (with STEM-related degrees or training).

This shift has created a meteoric rise in people’s ability to work with technical material. But a threat? You bet. If in 2010, 5% of your insiders were capable of a successful attack, what happens when that proportion goes to 10-15%?

By simply adding more capable people to the attack surface, you’ve increased the likelihood that one insider threat will be successful. Reverend Bayes and his pesky compounding probabilities. Once enough successful attacks are widely circulated, organizations will being to look inward to this near limitless threat.

4. Like a rock: an ounce of prevention will be worth a pound of cure

We will continue to see the pendulum swing back to prevention as the most impactful thing a security and IT team can do to protect their organization from a breach. While strolling through a security operations center (SOC) may feel like you’re an extra in a sci-fi movie, this will be increasingly less poignant than the ‘carry water, chop wood’ discipline of doing the small things right every time to have a robust security posture.

Hardening, purity and cyber hygiene will continue to increase and budget dollars will flow in that direction. Along with this mindset will be the increased adoption of frameworks such as the NIST Cybersecurity Framework, compliance with controls, and the self-imposed privacy protections notwithstanding an Act of Congress to impose it for you.

Of course each of these predictions aren’t fact, rather they are my thoughts on what 2019 will bring based on my evaluation of our threat landscape today. Unfortunately, the only real constant in cybersecurity is change.

If you’d like to make some early progress on improving your security posture in 2019, try this Dark Endpoint Assessment. You can identify and eliminate your endpoint vulnerabilities and increase your visibility and control.

How to Evade the Real Holiday Grinch

If the holidays have you busy running from one commitment to another, you’re not alone. Dashing out of a year-end budget meeting to your kid’s school production and then back for a departmental holiday party is a painfully common schedule for many right now. While it can be exhausting, the holiday season only comes once a year, so why would you miss any of these get-togethers or unique opportunities?

The same can be said for cyber criminals.

This time of year is busy for them too because, for cyber thieves, it’s also all about opportunities. But rather than looking for chances to fill your holiday with joy, they come to swindle and steal your data while you aren’t looking.

If you’re thinking this sounds like a familiar storyline, you’re right. It’s like the Grinch who silently sneaks into Whoville to swipe everything he can before escaping back onto his mountaintop.

The biggest celebration of the year for the Whos of Whoville presents the perfect opportunity for the holiday-hating Grinch to strike. While everyone is asleep, he has the chance to quietly take everything because, as the story goes, his heart is two sizes too small. Without passing judgement on the capacity for compassion of cyber criminals, we do know their pilfering is for profit. Stealing your data is their money-making venture and they always have their eyes open for an easy score.

So, what can you do to evade these Grinch-like advances?

Most threats can be prevented by closing the opportunity gap. An important component of effective risk mitigation includes reducing the probability of their success. In other words: make it harder for them so they move on to the next Whoville. To do this, I’m not suggesting you cancel your holiday but rather make it incrementally harder for them to get in.

This is where the NIST Cybersecurity Framework (NIST CSF) can help you. Using five primary pillars, NIST CSF has outlined a series of best practices to guide you in making it harder for cyber crooks to break in. Following the first two pillars, identify and protect, the third pillar, Detect lays out three ways to detect a possible breach so that you can shut it down quickly:

  1. Anomalies and events: what are you hunting for
  2. Security continuous monitoring: when you hunt for it
  3. Detection processes: how you hunt

If you are looking for more information on how NIST CSF can help your organization avoid Grinch-like opportunity seekers, we created a series of short videos on the framework and other essential cybersecurity tips. For more on how to detect a breach, watch this video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

 

NIST Cybersecurity Framework

 

Video transcript

Hey! Josh here from Absolute.

We’re going to continue looking at the NIST cybersecurity framework, with a special attention

put on the third pillar “Detect”.

The real-world doesn’t seem all that interested in your cyber resilience. New threats, exposures, vulnerabilities, and blunders that can wreck the show. But, here, we can lean on the techniques of the NIST CSF.

Let’s start with strange things happening. By definition an anomaly is simply anything that deviates from the standard, the norm, or the expected.

Imagine you have an endpoint running a PHP process with a connection to an IP address in another country:

– Is it anomalous?

– Well… Do we have a baseline?

– What’s the endpoint’s hygiene status?

– Who is using it?

– Where is the device physically located?

– What were the activities this time last week, last month, last year, or any time period?

Well… we have built the foundation with the first two pillars (Identify and Protect) so we can see when things start to fall outside of our expectations.

Within the “Detect” pillar, we can see how anomalies are the ‘what’ we need to detect, and continuous monitoring is ‘when’ we need to detect.

Spoiler alert: always be watching.

Start with a digital tether to your endpoints, where a firmware-based module that has a persistent connection that never loses its grip on any device. Which allows you to have a recursive index, updating your asset intelligence with new inputs from the real world.

Then, use Attack Simulation to play ‘what-if’ scenarios based on hygiene profiles and shifting circumstances, to adapt before disaster strikes the ‘Detect’ pillar of NIST is a crucial discipline that forces us to be honest about our base-rate (to determine if something even is an anomaly) and extends visibility in time and in space across the TAC surface to rapidly discover trouble and capture every last shard of the environment.

In our next episode we’ll go deeper into the NIST CSF for a more effective incident response.

Be sure to subscribe, you won’t want to miss it.

See you then!

The Criticality of Strong Cyber Hygiene

The more connected we become, the more at risk we are to cyber criminals who are busy looking for a chance to capitalize on our technology dependency. Unfortunately, we’ve seen this breakdown many times – in our hospitals when WannaCry ransomware forced medical personnel to turn away patients and in our local governments when ransomware used by the SamSam group rendered the city of Atlanta incapable of validating arrest warrants or accepting bill payments from residents. These are but two recent examples.

With countless attack possibilities and an ever expanding threat surface area driven by the explosion of apps, IoT and mobile users, savvy organizations today consider a breach a matter of when, not if. But there are practical steps you can take that will make a successful attack harder which might just be enough to cause your would-be attacker to move on to lower hanging fruit for a faster, easier score.

As your organization works to become more effective and efficient through innovative technology, a security mindset must be baked in from the very beginning. This mindset is best shaped by the goal of strong cyber hygiene which includes covering off on these basic areas:

  1. Fortifying data
  2. Probing for sensitive info
  3. Blocking unauthorized software
  4. Monitoring hygiene
  5. Educating users

Allowing the protection of your service offerings to become an afterthought could be a costly mistake. Thankfully, the NIST Cybersecurity Framework (NIST CSF) was created to help us advance along the continuum of good cyber hygiene. It was designed to help IT security pros everywhere, regardless of industry, categorically safeguard their devices, data, apps and users with a set of 5 broad practices: identify, protect, detect, respond and recover.

If you are looking for more information on how NIST CSF can help your organization, we created a series of short videos on the framework and other essential cybersecurity tips. For more on cyber hygiene, watch this video below, which is a look at NIST CSF’s second pillar, Protect. And you while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

 

NIST Cybersecurity Framework

 

Video Transcript

Hey! It’s me again, Josh from Absolute.

This week’s episode is fully dedicated to the “Protect” pillar of the NIST Cybersecurity Framework.

Although everyone wants to describe their data devices apps and users as safe, the label is only true when we take deliberate steps to make it that way. Which is why the NIST Cybersecurity Framework focuses on those actions we can take to have safe devices, safe data, safe apps, and safe users.

The second law of thermodynamics tells us that everything in our universe, everything, goes from order to disorder, unless something (or someone) acts to reverse the drag of entropy. Without action, devices and data will naturally lead to disorder. They’ll degrade and fall to shipwreck.

But the NIST “Protect” pillar gives us guidance for VPN access, blocking cloud storage apps, persisting endpoint visibility, and regenerating security apps like encryption or anti-malware: all hallmarks of good cyber hygiene.

With a keen eye on endpoint hygiene, you can bolster the entire device population. All put into service to protect data. These attributes can be measured with a unique score: The Endpoint Hygiene Coefficient.

When no single device aligns with my picture of hygiene, my Endpoint Hygiene Coefficient is “0”.

This is rare. So rare, that we can rule it out. But just as rare is an Endpoint Hygiene Coefficient of “1”. If only our devices remained that pristine. So imagine an Endpoint Hygiene Coefficient of “0.81”. This means that some, if not all, devices are pulling us away, to some degree, from where they need to be.

Some devices are unencrypted, others are encrypted but have sensitive data in cloud storage apps. Still others have outdated AV tools. The reasons can vary, but by examining the device population AND quantifying the drift, you can get ahead of mishaps that put data at-risk.

We all have data to protect. But when you fortify data and avoid unwitting user hazards by probing for sensitive information, blocking unauthorized software, monitoring hygiene and recruiting your users to join your epic quest you can safeguard our most valuable raw material: information.

The world is far from perfect. But in the next episode, we’ll accept that reality that we don’t live in a Utopia, and explore the techniques for finding trouble.

So make sure you subscribe, and we’ll see you next time!

How to Keep Your Endpoint Security Applications Healthy

From healthcare to professional services, and every industry in between, organizations are pressed to secure their ever-growing number of endpoints, including laptops, tablets, mobile phones, IoT devices and more. According to a new study by Ponemon Institute, nearly two-thirds of enterprise organizations have been compromised in the last 12 months by attacks that originated on endpoints. This is a 20 percent increase over last year, researchers say.

Attacks from outside intruders are a daily challenge, but internal threats are too. Of particular concern, are employees disabling or tampering with the critical security applications that IT teams rely on to secure devices and data. Whether out of negligence or malice, employee behavior can put organizational information at risk and cause malware intrusion, corrupted registry files and drivers, disabled services, and the need for reimaging when they interfere with system management, patch management, anti-virus, anti-malware, encryption, and other important security tools. Not only does it put the organization at risk for a breach, but it also creates additional work for IT who are already spread far too thin.

With device fleets growing in size and scattering in geography, there isn’t a manual solution for preventing users from disabling or tampering with critical security tools. Automation is the name of the game today. More and more organizations are relying on tools to monitor their security applications and remediate problems when necessary. Absolute’s Application Persistence® is one such solution. Its patented, unique technology maintains a direct, two-way connection with the endpoint and enables report only, report and repair, and report, repair and reinstall policies.

Just Announced: Dell Persisted Applications

This week, Absolute Application Persistence was released for Dell Data Guardian and Dell Endpoint Security Suite Enterprise (ESSE) which includes both Advanced Threat Prevention and Dell Encryption applications. Application Persistence leverages Absolute’s Persistence technology which is embedded in the firmware of Dell products and therefore cannot be disabled or tampered with.

Application Persistence runs periodic health checks across the device fleet and seamlessly remediates applications that are either not installed, not running, or missing critical operational files or directories. It also sends regular updates on device status so the administrator can monitor the entire device fleet without having to worry about individual instances of application issues.

New Reach Scripts

To help IT and security teams ensure the integrity of their endpoints and data, Absolute has released new scripts for Reach, a powerful custom query and remediation feature that is part of the Absolute platform. Because Reach lets you ‘reach’ any device — even if these devices are off your network and outside the bounds of traditional tools — you can still take action on these devices. The full list of new Reach scripts is below:

New Script Name Description
Enable/Disable Removable Media This script enables or disables USB removable media on a system.
Change Share Permissions This script is designed to add or revoke share permissions for a Windows File Share.
Enable/Disable User Account This script will enable disable a user account on a computer.
Share Windows folder This script shares a Windows folder on a device.
Start Windows Application This script is designed to start a windows application.
Start Process This script starts a process on a device that will execute and then close.
Start/Stop Windows Service This script is designed to start, restart, or stop a Windows Service on a system.
Change volume license activation from MAK to KMS This script changes volume license activation on a device from MAK (Multiple Activation Key) to KMS (Key Management Service).
Report failed Windows updates This script is designed to report the failed installation of Windows Updates on a system.
Mute sound on a computer This script mutes the sound on a computer.
Clear SCCM Cache This script is designed to clear the SCCM Cache using the UIResourceMGr.
Force SCEP/Windows Defender check-in This script forces System Center Endpoint Protection (SCEP) or Windows Defender to check in and get the latest definitions.
Force SCCM Machine Policy Evaluation This script is designed to force an SCCM Machine Policy Evaluation (Machine SCCM Check-in).