The breach of VTech by an unknown cyber-criminal continues to escalate. After initial reports of a breach exposing personally identifiable data of it’s customers (despite VTech’s statement otherwise), the hacker released a limited set of personal messages and photos from VTech customers to prove a near-complete compromise.
It’s been a bad week for VTech. Make no mistake, VTech is the victim of a crime. However the more immediate issue is the potential fallout for their customers and their children. And it’s here that VTech’s initial response has made things worse not better. Thankfully, they’ve adjusted course in the last 24 hrs and are being more open with information.
Let’s learn from this. Here’s what you can do as a defender to make sure your organization is better prepared to handle a breach.
The time to figure out your post-breach communications plan is now. When you’re dealing with the fallout from a breach, you want to be able to implement a step-by-step plan that is appropriate for the situation.
Here’s a basic outline of what you’re going to need;
These items should be written ahead of time in a customizable template. Remember this is in addition to the internal response that you’ll require.
When you realize that you’ve been hacked, here are the steps you need to take to effectively communicate;
All of these should be written in a tone that is clear and apologetic. Don’t needlessly muddy the waters (e.g., VTech’s re-definition of personally identifiable information), try to deflect blame, or raise the point that your a victim too. You can provide an explanation and get into the specifics of how this happened afterwards.
The immediate goal is to reduce the impact of the breach.
This means ensuring that your customers have the necessary information as quickly as possible. If they need to take action of some sort (cancel credit cards, change account credentials, etc.), you want them to be made aware so they can reduce the chances of something bad happening.
Once you start to respond to an incident, the process has 5 key steps;
These steps are bookended by “prepare” and “improve/learn” and together these steps form the foundation of a solid incident response (IR) process.
Most often, the biggest challenges are faced in the “contain” step. This is often when the IR team is faced with tough decisions that directly impact the business.
VTech issued the following update on their FAQ 01-Dec-2015;
“As a precautionary measure, we have suspended Learning Lodge, the Kid Connect network and the following websites temporarily whilst we conduct a thorough security assessment.”
This is not something that any organization ever wants to have to write. But it’s 100% the right call despite the potential impact to the bottom line.
When is the right time to make this type of call? There’s no firm rule. It’s a judgement call based on the information you have at the time.
What you can do to make this easier is to work out possible scenarios ahead of time. This is an extremely difficult exercise to work through as it assumes your other work in defending the organization has failed. But it’s critical to work through these scenarios in theory and in practice (called a game day) in order to write a playbook for IR.
Part of this exercise is to determine who in the organization has the required authority to make the decision to shut down services. Hopefully you never have to make that call. But if you reach that point, you need to know who to call.
All of the processes you have in place with your security practice work towards never having to make a call to shutdown services. If you’re hacked and you have to make that call, you’re far better off working from the playbook you wrote ahead of time instead of calling an audible.
Know Your Exposure
The most important thing you can do now to reduce the impact of being hacked is to review the data your are collecting and storing. By creating an inventory of the type of data you have, it is much easier to evaluate the risk you’re facing.
With the list in hand, you want to run through a very simple exercise. Put each data point on it’s own sticky note. Use the stickies to combine various data points to create different points of view.
The goal of this play on usability card sorting is to find which data points pose more risk to your business when they are linked to other data points.
If we take the VTech example, their app store requires a billing address, the social app links parents and children, and the messaging server temporarily stores photos and private messages. Individually each of these data points poses a risk. Combined, that risk escalates dramatically.
Mapping out all possible connection between all of the data points you collect & store let’s you better identify risks and set the appropriate mitigations.
Those mitigation could entail;
Until you map out the entire landscape of data you store & collect, you won’t know what level of risk you’re facing. Without that knowledge, how can you formulate an effective defence?
Prepare For The Worst
No one wants to be hacked. It’s a security team’s worst nightmare. You can reduce the impact of a breach by taking steps now.
When you’re focusing on keeping the lights on or, worse, getting them back on. The last thing you want to do is to shoot from the hip. Writing out a clear playbook for all aspects of incident response is the key to a successful response.
What are your tips for successful incident response? Let me know on Twitter where I’m @marknca.