Are you suffering from breach exhaustion? In other words, so many organizations have experienced a data breach that this is “old news” and you just don’t pay attention any more? One example of an incident in the accounting profession that should refocus your attention on mitigating risks in the cloud is the Cloudnine Realtime data center outage that took place around Labor Day.
There are so many incidents in the news that it is hard to estimate how many occur that are never reported. Just in the recent past we have seen the Equifax breach of 145.5 million records, Uber attempting to cover up a 57 million record breach by paying $100,000 to a bad actor to delete the stolen data, and various healthcare breaches in 2017 following the Anthem breach of 78.8 million records in 2015, which cost the company $115 million in lawsuits alone. If you want to keep an eye on healthcare breaches, browse the breach portal of the Office for Civil Rights of the U.S. Department of Health and Human Services, where HIPAA breaches affecting 500 or more individuals must be listed.
Events & Incidents Versus Breaches
Let’s be clear about some terminology. If you have a breach of data in a regulated industry, you have reporting obligations. However, events and incidents are usually not reportable. Consider the following:
Events happen every day. Security Incidents are occasional, Privacy Incidents are less common, and Breaches are rare. When something happens in your IT environment, refer to it as an event or an incident until it has been determined to be more, since "breach" refers to a particular, reportable circumstance. According to NIST Special Publication 800-61, rev 2 (Computer Security Incident Handling Guide):
- An event is any observable occurrence in a system or a network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending e-mail, and a firewall blocking a connection attempt.
- An adverse event is an event with a negative consequence. Adverse events include system crashes, packet floods, unauthorized use of system privileges, unauthorized access to system data, or execution of malware that destroys data.
- A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples include:
  - An attacker uses a botnet to crash a web server;
  - Users are tricked into opening a “quarterly report” sent via e-mail that is actually malware;
  - An attacker obtains sensitive data and extorts money from the target in exchange for not releasing sensitive or embarrassing data;
  - A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
- If a privacy incident meets specific legal definitions, per state and/or federal breach laws, then it is considered a data breach.
- Data breaches require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies or the media.
- Additionally, contractual obligations require notice to business clients if the incident affected clients’ employees or customers.
- A breach may lead to the application of computer forensics, which NIST Special Publication 800-86 defines as the “application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.”
- When are forensics needed?
  - Whenever your attorney advises you to use these techniques:
    - When it is reasonably foreseeable that a technology incident will result in litigation, a criminal investigation, or administrative proceedings;
    - When there is a legal requirement to notify law enforcement of certain kinds of events;
    - When it is possible that there has been data loss or corruption and you want to establish what happened.
  - Forensic techniques take time and are expensive, but they preserve data to support possible future litigation or criminal prosecution.
  - The forensic process (Collection, Examination, Analysis, and Reporting) preserves the integrity of the data and uses legally justifiable techniques to create a fact-based report on an event or occurrence.
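The two properties the forensic definition above insists on, integrity of the data and a strict chain of custody, are in practice enforced by hashing evidence at the moment it is collected and re-checking that hash at every hand-off. The following Python is an added illustration written for this page, not code from NIST or from any vendor mentioned here; it assumes evidence is handled as in-memory bytes, and the log line, custodian names and timestamps it uses are constructed for the demo.

```python
"""Evidence integrity and chain-of-custody bookkeeping (added example, not from the original page).

Assumptions: evidence is handled as in-memory bytes, the caller supplies custodian
names and ISO-8601 timestamps, and the manifest is a plain list of dataclasses.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from typing import List


@dataclass
class CustodyEntry:
    timestamp: str   # ISO-8601, supplied by the caller
    custodian: str   # who holds the evidence after this action
    action: str      # "collected", "transferred from X", or an integrity failure note
    sha256: str      # hash observed at the time of this action


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    size: int
    sha256: str      # acquisition hash; every later check compares against this
    custody: List[CustodyEntry] = field(default_factory=list)


def digest(data: bytes) -> str:
    """SHA-256 hex digest of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


def collect(evidence_id: str, description: str, data: bytes,
            custodian: str, timestamp: str) -> EvidenceRecord:
    """Acquire evidence: hash it once and open the custody log with that hash."""
    h = digest(data)
    rec = EvidenceRecord(evidence_id, description, len(data), h)
    rec.custody.append(CustodyEntry(timestamp, custodian, "collected", h))
    return rec


def verify(rec: EvidenceRecord, data: bytes) -> bool:
    """True only if the bytes still match the acquisition hash."""
    return hmac.compare_digest(digest(data), rec.sha256)


def transfer(rec: EvidenceRecord, data: bytes, from_custodian: str,
             to_custodian: str, timestamp: str) -> bool:
    """Record a hand-off; refuse (and log the failure) if the data has changed."""
    observed = digest(data)
    if not verify(rec, data):
        rec.custody.append(CustodyEntry(
            timestamp, to_custodian,
            f"INTEGRITY FAILURE on transfer from {from_custodian}", observed))
        return False
    rec.custody.append(CustodyEntry(
        timestamp, to_custodian, f"transferred from {from_custodian}", observed))
    return True


def manifest_json(records: List[EvidenceRecord]) -> str:
    """Serialise the manifest; store this separately from the evidence itself."""
    return json.dumps([asdict(r) for r in records], indent=2, sort_keys=True)


# Constructed demo evidence (a made-up auth log line, not real case data).
EVIDENCE = (b"2017-09-04T02:13:55Z sshd[4412]: Accepted password for admin "
            b"from 203.0.113.7 port 51822\n")


def demo():
    """Collect, hand off cleanly, then catch a tampered copy on the next hand-off."""
    rec = collect("EV-001", "auth.log excerpt from hosted file server",
                  EVIDENCE, "J. Analyst", "2017-09-05T09:00:00Z")
    ok_transfer = transfer(rec, EVIDENCE, "J. Analyst", "Evidence Locker",
                           "2017-09-05T09:30:00Z")
    tampered = EVIDENCE.replace(b"203.0.113.7", b"203.0.113.8")
    bad_transfer = transfer(rec, tampered, "Evidence Locker", "Outside Counsel",
                            "2017-09-06T14:00:00Z")
    return rec, ok_transfer, bad_transfer


if __name__ == "__main__":
    record, first_ok, second_ok = demo()
    print(manifest_json([record]))
    print("first transfer ok:", first_ok, "| second transfer ok:", second_ok)
```

In a real acquisition the hash is taken of the original source and of the working copy, the manifest is kept apart from the evidence (and ideally signed), and the examination and analysis stages work only on copies so that a verify against the acquisition hash can be repeated in court.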
If we reflect on the breaches mentioned above, breaches should be rare. Errors were almost certainly made, and bad actors were targeting data on the respective parties’ systems that had economic value. Industries are attacked because their data is worth money if it can be obtained, particularly without the company’s knowledge. In the case of Equifax, the stored data has obvious economic value because it can be used for identity theft, credit card applications, and bank loans. The owner of the information may never learn that credit card or loan applications are being filed in their name and Social Security Number, with the correspondence redirected to an alternate address. The Equifax breach is a fiduciary trust issue as well, compounded by the sale of company stock by several senior executives after the breach was discovered internally but before it was disclosed to the public; Richard Smith, the CEO, stepped down in the aftermath.
Cloudnine Realtime Example
When bad actors try to break into hosting companies, their expectation is to gain access to information that has economic value. If we consider Cloudnine Realtime as an example, its clients are commonly accounting firms and legal firms, and the bad actors know that the data these professional firms store has value. If a bad actor can gain access to one or more companies in the hosted environment and copy the files from the hosting provider to their own storage, they can act on that information for years into the future. The bad actors today are well funded and very patient. Whenever you hear of a security breach, consider the implications of that information being used one, two, or three years after the immediate awareness of the breach has passed.
Steps for Mitigating Risks in the Cloud
So, what can we do to protect ourselves? First, it should be stated plainly that services like LifeLock offer little protection. They trade on FUD (Fear, Uncertainty and Doubt), they detect misuse of your identity after the fact rather than preventing it, and they depend on Equifax, yes, Equifax, to provide the underlying credit monitoring. A credit freeze placed with each bureau, which blocks new credit from being opened in your name, does more than any monitoring product. We suspect bad actors know that data stolen from Equifax has both short-term and long-term value, and will use it discreetly: quick “hit and run” loans of under $1,000, an amount that falls below the felony theft threshold in many states, to capitalize on the information now, alongside a plan for using the data later.
For the short term, think in-store charge accounts from merchants or chains that offer “on the spot” financing or credit. For the long term, think of the bad actors building their own loan-sharking operation or a knowledge-based authentication service, since they now know who needs loans and who is having trouble meeting payment terms.
There are no single solutions or one-time solutions to these types of attacks. We do recommend:
- User security training at least once a year, though 2-4 times per year is better,
- Strong, unique passwords kept in a password manager and changed immediately whenever compromise is suspected; if your policy still mandates periodic rotation (commonly every 30-45 days), be aware that NIST SP 800-63B no longer recommends forced rotation, because it pushes users toward predictable variations of the same password,
- Use of multi-factor authentication with products like Duo, and
- Acquiring Cyber Insurance.
Taking these steps is the best risk mitigation practice that you can choose today.
Have you noticed the breach reports? Have you taken any action? If your firm needs guidance on fraud prevention strategies, Accountex can connect you with resources to help you make the right decisions.