Two Truths and a Lie? To Hide a Hack or Tell?
IT Security
Post based on the following article found at Gizmodo.com:
Clever Tool to Detect Hacks Companies Haven’t Told Users About by Melanie Ehrenkranz
People are at the mercy of the companies that they choose to give their personal or sensitive/confidential information to and companies are at the mercy of the vendors they choose to do business with. These companies will have access to sensitive / confidential information and it’s not uncommon for these companies to try and hide data breaches (e.g., Yahoo, Uber, etc.). Let’s be honest, the mindset of security professionals nowadays is not one of “if we are going to get hacked” but one of “when we get hacked, what will we do” and if that’s not the mindset of security professionals, given the task of protecting millions of people’s sensitive information, then there is something wrong.
There are people out there – I don’t think it would be a stretch to say the majority of people – who would rather do business with a company that they “think” has never had a breach or been hacked. They think they are safer doing that, than doing business with a company that has been hacked but has done everything correctly after the breach (e.g., disclose the breach, contact customers and vendors, forensics, implement incident response procedures, etc.). Personally, if there is a company that I can trust to take the right steps after a breach and most importantly, NOTIFY me about the breach, then I would feel comfortable with that company because nowadays it seems like companies would rather put their heads in the sand and duck and hide. Let me ask you this, if your information was compromised, wouldn’t you want to know ASAP, so you can take actions to help protect yourself, your family, and your organization? There is a misguided notion that companies will always disclose breaches and notify their customers because “that is what they are required to do” … isn’t it?
That is not always the case. “Determining notification obligations requires a bit of legwork. That’s because 47 states and the District of Columbia have each passed their own laws that require notifications in certain circumstances (Alabama, New Mexico, and South Dakota are the only states without breach notification laws).” – Jeffrey Kosseff, CIPP/US
Also, even if a company has suffered a data breach, that company might not be required to notify customers, vendors, or even regulators. The state laws only apply to breaches of specific types of “personal information.” Personal information meaning your name along with a government-identification number, social security number, payment card information, etc. However, “personal information” varies by state. But even then, a company still might not be required to notify customers, vendors, regulators, etc., because under a data breach-notification statute, state law only applies to breaches of unencrypted personal information. So, we might want to start being a little more cautious and start doing a little more research. A group of researchers from California San Diego (UCSD) did just this and created a tool called Tripwire to assist them with their research.
Tripwire is a tool that was developed in an attempt to bring greater transparency to breaches. Tripwire aims to detect websites that were hacked and this tool does this by using a “bot” that automatically registered accounts on thousands of websites. Each account shared a password with a unique associated email address. Working with a “major email provider”, the researchers would be notified if there was a successful login on any of the email accounts. Any login would be the result of a security breach on that particular website with that account due to the fact that those accounts were specifically created for this purpose (nobody is going to be personally logging into those accounts).
“While Tripwire can’t catch every data breach, it essentially has no false positives – everything it detects definitely corresponds to a data breach,” Joe DeBlasio, a Ph.D student of Jacobs School of Engineering at UCSDA. “Tripwire triggering means that an attacker had access to data that wasn’t shared publicly.” A study utilizing Tripwire monitored 2,300 sites from January 2015 to February of 2017 and found that 19 of those sites had been compromised. Guess how many of those sites failed to notify their users of this? The answer: 18. Only one site told the researchers of the study that they would force a password reset. Do you want to know which site I trust the most? I think that goes without saying.
So, what does this mean for us? How can we better protect ourselves, families, and organizations?
Let’s talk about passwords (briefly).
Most organizations will have password policies/practices in place but that does not mean that these are always correct. There are plenty of organizations, banks and hospitals, law firms and law enforcement offices that are not practicing proper and safe password practices. Here are some password parameters that will help to better protect your organization:
- Passwords should be complex and at a minimum 8 characters long. Longer the better. A minimum length of 8 characters will soon not be sufficient as the industry standard will soon become passwords with a minimum length of 10 or even 12, 14, or 16 characters. Start using longer passwords and start immediately. A helpful hint when creating longer passwords that are easier to remember: use a pass-phrase. A simple way that you can create a memorable and safe pass phrase is to think of something that you will be doing in the upcoming months. Think of something that you are excited about. Do you have a wedding that you will be attending or a vacation you are excited about? The following is an example of a pass phrase that an individual could use who will be going on a vacation to Door County, Wisconsin in the near future.
Trip to Door County WI can be changed to Tr!p2d0oRC0untyW!
By writing out the phrase and then replacing certain letters with numbers and some special characters, makes this a very strong password and one that is easier to be remembered.
- Passwords should be required to change (e.g., 45 or 90 days).
- Implement password lockout procedures (e.g., 3 unsuccessful attempts and the user is locked out until an administrator unlocks the account).
- Implement a total number of passwords remembered (e.g., 24 passwords remembered. This means that an individual’s new password cannot be the same as any one of their previous 24 passwords.
- Do not use the same password for multiple accounts. Malicious attackers will look to gain credentials from less security conscious sites (e.g., fantasy football, forums, retail stores, etc.) and then knowing that people reuse passwords across multiple accounts, will be able to compromise those accounts that mean more to the customer (e.g., email, online banking, etc.).
- Utilize a password management solution (e.g., KeyPass, LastPass, ZoHo Vault, etc.)
Vendor Management
Due diligence on a companies’ critical vendors should be performed on an annual basis and as part of this due diligence, we need to be asking the correct questions. When asking our clients what kind of due diligence is performed for their critical vendors we will receive the answer of: audits / reviews, financials, insurance, references, etc. and that is good – those need to be included in a companies’ due diligence of their critical vendors. But, we need to be asking the following questions to our critical vendors or vendors with access to customer or confidential information:
- Has the vendor had any known intrusions (e.g., over the past 2 years)?
- When, who, how – so in other words, the criteria – for which you as the company would be notified in the event of an intrusion?
These two incident response type questions are of great significance and needs to be implemented into your vendor management program as part of your due diligence performed. These questions should be asked of your critical vendors or any vendor that has access to you or your customers confidential information. You might tell yourself that those are two questions that don’t need to be asked because your vendors won’t be breached and if they were, you “know” that your “trusted” vendors would notify you immediately. But as you have just read, that is not always the case, and these questions can go a long ways in not only protecting your company from a security aspect but also from a legal aspect as well.
Article Written By: Chad Gutschenritter