
Security Breach 102

Making your security breach public

Ryan McGeehan
Dec 14, 2015 · 11 min read

(See appendix for historic breach blog posts)

For advice on technical incident response, view Security Breach 101.

EMPLOYEE ANNOUNCEMENT

First, tell your employees what the hell is going on. Calm them down and organize communication with them well.

[Image: the employee hysteria of the Sony Pictures breach]

TIMING

Decide on a time to release a blog post or FAQ with the technical leadership involved with the response.

[Image: Brian Krebs announcing a Hilton data breach before Hilton’s own announcement]

[Image: breach notification from WP Engine]

BLOG POST

Let’s write out the blog post. We must answer the questions users want to ask, and provide enough transparency to prove we’re responding seriously to the breach.

  • Which users are impacted? Some? All? None?
  • What time window did bad actors have access to data?
  • What is the specific data they accessed?
  • What were the motives of the attackers?
  • Who are the attackers? (otherwise known as attribution)

[Image: Google blaming China for their security breach]

[Image: Patreon was very clear about what was NOT accessed]

  • Release a post-mortem, or technical details of the breach. Some call this a Root Cause Analysis. This will demonstrate a stronger engineering culture within your company. (Of course, don’t do this unless you can thoroughly explain what happened.)
  • Release features you may not have had that will improve the security of your users.
  • Be transparent! It is painful to do so, but it sets you apart and proves you have nothing to hide.

CUSTOMER SERVICE

After the blog post goes up, there’s no telling the amount of work that will land in your customer service organization’s inbox. Make sure they’re prepared to answer questions and have an FAQ, or you risk them making answers up based on internal word of mouth. If your business has any concept of VIP customers, you may want to reach out to them privately with special treatment before a blog post goes out.

LAWYERS

Your lawyers need to be involved. They’ll need to be prepared to explain your obligations around breach notification. Certain types of breached data will greatly influence your public response. For instance, SB-1386 is only triggered by:

[Image: the categories of breached data that trigger SB-1386 notification]

PARTNERS

You may have contracts holding you to obscure breach notifications even during vague incidents where the vendor/partner is not actually impacted. For instance, if you provide a service to a partner, they may be entitled to hear about any breach, and you may be liable for not disclosing if they discover it happened through other means.

PUBLIC RELATIONS

If you have PR resources or a firm on contract, they should be in touch with security and tech journalists and available to provide a comment once an announcement is out. A proactive PR team can get ahead of speculation and clickbait, ensuring that your message is out there alongside any public commentary. A breach notification may not get picked up by the press, but it’s better to assume it will.

LAW ENFORCEMENT

Contact your local FBI field office and loop them in. However, do not rely on any law enforcement agency to assist with your breach. Set your expectations that this will “check the box” and not change the situation very much.

SECURITY FIRMS

There are incidents you can handle in-house without a huge amount of external support from large security firms. (Read: not every breach requires you to call Mandiant.) Credential reuse comes to mind; the 2009 “happiness” breach at Twitter, for instance, likely didn’t need external help. Your corporate IT team doesn’t call in a firm like Mandiant for every piece of malware found on a laptop.

[Image: account takeover of a Twitter admin in 2009]

DOING MORE

If the breach involved personal data that would exacerbate a fraud risk, the current trend is to provide credit monitoring and alerting services to affected users.

[Image: Slack releases MFA after their breach]

Conclusion

A security breach is an emotional roller coaster. The moment you realize that you’ll have to tell the world you’ve been defeated is deeply humbling. When you’re supposedly a security professional, it will rattle your identity a bit.

@magoo

I’m a security guy, former Facebook, Coinbase, and currently an advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.


APPENDIX

EXAMPLE BREACH BLOG POSTS

Starting Up Security

Guides for the growing security team