Webinar Series: Purple Teaming - Validating Detection & Response Capabilities
If you haven’t heard already, Equifax, one of the “big-three” U.S. credit bureaus, has announced a data breach that may have affected 143 million Americans, exposing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers. For a good rundown of what has transpired so far, Krebs on Security has a solid in-depth article on it here.

Every time there is a breach in the news, most other outlets swarm to a few different types of articles. Some popular directions are attribution, defense advice, or sensationalist journalism. Attribution is almost always difficult in larger-scale and more advanced attacks. Coming from the defensive consulting side, there is nothing I can tell you in this article to help defend your corporation that hasn’t been covered in hundreds of other articles before it, and don’t worry, this won’t be a sensationalist article. But bear with me, don’t stop reading yet!

Sure, you can read articles all day of general advice on what to do for your organization, and many of you probably are already handling it in some aspect or another. One question though: when is the last time you’ve demonstrated that anything you’re doing for security is actually successful? All of that advice you’ve taken on auditing your firewall rules, patching devices, and protecting your data: is it really working?

All organization-wide controls and processes should routinely be tested with drills, tabletops, and full-scope offensive security attacks. Why? Because the attackers never stop. They don’t have a scope; it’s a no-holds-barred attack with no survivors. For example, say you’re learning a martial art or other physically defensive sport, such as karate, boxing, or jiu jitsu. You can practice all you want on your own, read books, watch instructional videos, etc. What happens when you encounter a legitimate threat? You’re shocked, you might forget what you’ve taught yourself, and you fumble from the lack of real-life training.

That is how the majority of organizations treat their defensive infrastructure. If your organization is not participating in the three aforementioned activities (drills, tabletops, and full-scope offensive testing), you aren’t ready for a breach no matter how great your security might be.

Scenario Based Testing Thought Process

So now what? Time to create some drills and tabletop exercises! A tabletop exercise is a meeting of key stakeholders and staff who walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low-stress situation. A drill is when staff carry out, as far as possible, the processes, procedures, and mitigations that would be performed during one of those emergencies.

While drills are limited in scope, they can be very useful to test specific controls for gaps and possible improvements. A disaster recovery plan can be carried out to some length, backups can be tested with the restoration of files, and services can be failed over to secondary cluster members.

There are a few different avenues you can take to walk through a tabletop exercise. You can start with a technical-only team exercise, or you can include a multitude of other groups or teams, up to a full-blown organizational scenario. Something to consider when establishing a scenario is legitimate risk: anything that could devastate and bankrupt your company should be a serious candidate for a tabletop topic.

Planning Tabletops

Use the Equifax breach or any other newsworthy hack as part of your strategy. Imagine those are your customer records. Walk through the steps of what needs to be done, in what order, by whom, and when. This makes a great playbook to save in the event that something of that magnitude actually does happen, because it takes a lot of the guesswork and panic out of the live situation.

Running through the exercise, and variations of the exercise, not only provides the teams with practice just in case, but also brings up concerns or limitations that may be remediated prior to a real incident. Scatter smaller drills and team-specific workshops throughout the year, and perform at least one large exercise involving the entire company and an offensive team once a year.

Summary

There will be more to come in an additional blog post on this topic, with a deeper dive into the specifics of creating drills and tabletops. In the meantime, use the mistakes of others as a low-cost learning opportunity to get ahead of the constant threats that we’re all facing daily. Test your defenses to help avoid having your organization’s name be the next one to show up on the nightly news.