How To Handle A Data Breach: 5 smb tips

How will your company respond if an incident does happen? Spiezle offered the following advice on developing a strong plan for acting in the wake of a data breach.
1. What Data Do You Have? The first step is to fully understand the kinds of customer information your company is handling and storing–and why. It might sound obvious, but according to Spiezle, breaches often expose how little an organization knows about its data. “I’ve gone through a lot of breach responses with companies where people are literally sitting around a table saying ‘I had no idea we were doing that,'” Spiezle said. That can exponentially complicate matters when a data-loss event occurs–you can’t very well determine the consequences and communicate them appropriately if you don’t know what was at stake in the first place. Assess the kinds of data you have, who has access to it, and why.
The general rule of thumb: Limit access to those who need it for legitimate business reasons. Put a particularly high burden of proof on the case for storing sensitive customer information on laptops, external drives, mobile devices, and other hardware that can be easily lost or stolen.
2. What Are Your Regulatory Requirements? Spiezle is quick to note that this is one of the toughest data-breach challenges for SMBs that lack a compliance officer–much less an entire compliance staff–or that rely on IT generalists rather than information security specialists. But your regulatory requirements will dictate what you must do in data-breach scenarios. These are defined by the likes of HIPAA or PCI, but Spiezle noted that 46 states also now have some form of reporting requirements.
Alas, while there are vendors that can help, there’s no central online destination for companies to assess all of their compliance requirements. Spiezle thinks federal legislation could help. “It is a very complex issue, and [it] again underscores the importance of pre-planning,” he said.
Bonus advice: Be proactive. If you do seek help from a vendor, Spiezle pointed out that it’s much better to do this when you don’t already have a problem–it’s tough to get the best terms if you’re negotiating at 3 a.m. on a Saturday after a breach has already occurred.
3. Who Will You Notify? Knowing who you’ll need to communicate with can help lead to faster, more effective responses to data-loss events. Identify those groups before something goes wrong. “This might be partners, customers, [or] government agencies,” Spiezle said. He noted that some companies develop relationships with appropriate law enforcement agencies in advance so that they know the proper people to contact in the event of a data breach. Consider it the business equivalent of keeping a list of emergency contact numbers near your home phone.
4. When Will You Notify Them? This is a tricky and much-debated area: How soon should you notify affected customers and other stakeholders? Spiezle said it’s a case-by-case decision. With law enforcement or other government agencies, it’s usually an ASAP scenario. Customers and partners are a tougher call. On the one hand, Spiezle said, you don’t want them to find out from the media or other external sources. On the other hand, you don’t want to make things worse by communicating inaccurate information, which can happen if you act too quickly. Some of this decision may be guided the regulatory requirements your company operates under, too. Rule of thumb: Communicate as quickly as possible without sacrificing the clarity and accuracy of the information you provide.
5. What Will You Say? One way to cut down your response time and outreach efforts: Prepare your customer and other external communications in advance. This gets back to the importance of Tip 1–it’s tough to accurately message a breach if you don’t know what data you had in the first place. If you’ve got a complete understanding of your information and how you handle it, you can develop solid communications templates in advance.

WhiteHat Security Statics Report 2012

WhiteHat’s 12th Website Security Statistics Report represents far and away the largest amount of data we’ve ever 

analyzed — hundreds of terabytes worth. Just in terms of the total number of websites, it’s over twice the number since 

our last report. It’s easily the most complete and longest running study focused on the state of website security. 

Within this report we are very excited by the introduction of two new industries, Energy and Non-Profit. Historically, 

WhiteHat has reported vulnerability metrics generalized across industries. This increased website diversity increases our 

ability to share lessons learned.


1. The average number of serious* vulnerabilities found per website per year was 79, a
significant reduction from 230 in 2010 and down from 1,111 in 2007.

2. Cross-Site Scripting reclaimed its title as the most prevalent website vulnerability, identified in 55% of websites.

3. Web Application Firewalls could have helped mitigate the risk of at least 71% of all custom Web application vulnerabilities identified.

4.There was notable improvement across all verticals, but Banking websites possessed the fewest amount of security issues of any industry with an average of 17 serious* vulnerabilities identified per website.

5. Serious* vulnerabilities were fixed in an average of 38 days or faster, a vast improvement over the 116 days it took during 2010.

6. The overall percentage of serious* vulnerabilities that were fixed was 63%, up from 53% in 2010, and a marked improvement from 2007 when it was just 35%. A rough 7% average improvement per year over each of the last four years.

7. The higher severity that a vulnerability has, the higher the likelihood that the vulnerability will reopen. Urgent: 23%, Critical: 22%, High: 15%.

8. The average number of days a website was exposed to at least one serious* vulnerability improved slightly to 231 days in 2011, from 233 days in 2010. Find full report here

How to Improve your network security

When it comes to investing in network security, there are three types of IT philosophies.

“There are the ones that value technology and see it as a strategic advantage in their environment, and they’ll invest heavily in it. There are the ones that know they need it and they’re willing to invest where they need to,” says Rick Norberg, president of Atrion Networking SMB, an IT service provider. “And then there are the ones that just see it as the cost of doing business. And those are the ones that tend to be unprotected, unmanaged and dedicate inadequate staff resources in order to plan through security.”

Don’t get pegged in that third group, Norberg warns. According to Norberg and several other IT experts, there are a number of ways to revamp your thinking and your network design for better IT functionality and improved security. Here’s where they say to start.

Build Backward from Mandates

According to Norberg, before designing your network it’s important to take a step back and think about a couple of critical variables, including:

What vertical you operate in;
What compliance mandates you answer to;
Where you want technology to take the company in the next three years.
Then design back from there, he suggests. When taken into consideration early in the design process, these elements should have significant bearing on the choices you make in infrastructure and deployment options.

“Sometimes, people will just buy cheap switches, network gear, firewalls and things like that because they’re inexpensive. And they throw them in,” says Norberg. “Then when they have a breach, they realize they just paid a zillion dollars to the government or to a credit card company or something like that in order to remediate it. And then they have to go buy the more expensive gear anyway. Taking an ‘it can’t happen to me’ approach is probably not the best way to design a system.”

Know Where Data Sits

One of the biggest weaknesses of many organizations is the lack of visibility into where exactly important data sits on the network.

Scott Laliberte, managing director at global business consulting and auditing firm Protiviti, says, “Among the things that clients we are working with are spending more time on is not only data leakage prevention–making sure it doesn’t go out on the front end–but also what I call ‘data discovery,’ which is being more confident and clear on where the data for sensitive information really does reside and then organizing it in such a way that you can manage it in a segmented way.”

According to a Protiviti survey earlier this year, organizations still struggle with data discovery and classification–just 50% of respondents said they have a specific plan in place to categorize data. And according to Laliberte, when he engages with clients to do data discovery on their network for the first time, surprises are common.

“In almost every instance there is a surprise found by the client as to where some of the sensitive data is,” he says.

Next: The Importance of Modularity, Firewalls and Patches

Modularity Is the Name of the Game

The more modular you can design a network, the easier it is to control and monitor traffic, according to Norberg.

“You want a network that you’re able to functionally monitor and secure, so you’re controlling the traffic on the network. You want one that can grow with the users,” he says. “A lot of times, you start with a flat network and then you start to modularize the phone traffic, the PC traffic and, if they’re in a retail environment, some of the POS terminals to make sure they’re secure and separated from each other. And then you want to get more granular from there.”

When done efficiently, network segmentation and modularity give a lot more flexibility in prioritizing risky segments of the network so you can focus your monitoring and security efforts on the most critical areas rather than having to worry about all of the infrastructure in aggregate. That’s a step up from what most organizations are used to, says Norberg.

“Traditionally, you might just slap a firewall into there and when it goes down, the customer calls you,” he says. “These days, we’re actually looking at the logs and doing proactive monitoring on the devices to make sure that they’re not only secured and updated with the latest firmware, but you’re also looking at what’s happening with the firewall and the connection itself.”

Manage Firewalls More Intelligently

Speaking of firewalls, organizations have to take an active management approach to their firewall rules if they’re going to get the most out of these assets. With most enterprises today depending on thousands of firewalls dispersed throughout their network fabric, firewall management has become an important element both for efficient IT operations and effective IT security.

“The core of network complexity begins with a firewall,” says Kevin Beaver, founder and principal information security consultant at Principle Logic.

Beaver says that, all too often, he sees organizations that believe that their security is OK. However, once he starts digging into their firewall rule sets and configurations, security holes are discovered.

“[We find] system configuration problems, weak passwords, network segments that shouldn’t be talking to one another, ports that are open,” he says. “I often see database servers that are sitting out on the public Internet wide open for attack.”


Patch management isn’t just for endpoints. Smart organizations need to have utilities in place that can automate system patching across all IT infrastructure.

“If I’m the IT director for the company, I want to make sure I’m using every tool capable of doing updating firmware and software on an immediate basis and alerting and reporting on it,” says Norberg. “Generally, you want to buy a third-party product that’s capable of doing more than just one particular manufacturer. Otherwise, you run into problems where you’ve got some of this gear, some of that gear, some of these servers, and then you end up spending a lot of your time not being very efficient in the way you’re patching things.”

Apple guide to iOS Security

Apple has introduced a guide to iOS security, which was posted to sometime in late May, but is just now being noticed outside the Apple developer community. The publication is notable because it’s the first time Apple has published a comprehensive guide intended for an I.T. audience. (Apple’s developer-friendly documentation on security matters iseasy to spot, however).
The new guide includes four sections dedicated to topics like system architecture, encryption and data protection, network security, and device access.
In reading the introduction, it’s clear that the guide’s intention is to better help corporate I.T. understand the security environment with iOS devices, including iPhones, iPod Touches, and iPads. It’s important that these details are documented in language I.T. understands as more and more businesses allow personal devices on their network and implement their own BYOD (bring your own device) programs.
To this point, the report begins:

“Apple designed the iOS platform with security at its core. Keeping information secure on mobile devices is critical for any user, whether they’re accessing corporate or customer information or storing personal photos, banking information, and addresses….
For organizations considering the security of iOS devices, it is helpful to understand how the built-in security features work together to provide a secure mobile computing platform.”

While some may imagine the guide to be an example of Apple’s increasing openness (on matters not related to new products, that is…), much of the information contained in the guide is not new at this point in time. It has simply been repackaged for a different audience.
However, detailed in the guide are things like how the code-signing process works and ASLR (address space layout randomization) works in iOS, which had previously been outed by security researchers prior to Apple’s reveal.
Another I.T.-friendly tidbit includes a list of items which administrators can restrict using configuration profiles within their Mobile Device Management solution. For example, Siri (as IBM recently did), plus FaceTime, the camera, screen capture, app installs, in-app purchases, Game Center, YouTube, pop-ups, cookies and more. Users may have more freedom of choice in terms of devices they use for work than in years past, but corporate I.T. is now adapting so it can deliver the same level of protection it once did it the BES/BlackBerry era…or, as an end user might tell you – the same level of lockdown. (What, no YouTube at work? No fair.)

Security for Small Business -in Points

1) No security plan is foolproof. Comforting, isn’t it? But it’s true–there is no such thing as 100% secure, and I’ve yet to an encounter a security pro that would argue otherwise. (Some governments in the Middle East would likely agree now, too.) That’s not an excuse to do nothing. When online crooks target SMBs, either via targeted attacks or indiscriminate malware, they usually do so for two reasons: SMBs have more money than the average individual, and they have less security in place than large enterprises. That can make them easy, profitable targets. The SMB’s job: don’t be an easy mark. Practice good basic security at bare minimum. If time and money are key challenges, consider a risk-management approach–more on that below in number five.
2) You might not know it if you’re infected. Flame’s just now coming to light, but it has existed since 2010–and possibly as far back as 2007. Even if you’ve got strong security controls in place, you might not necessarily know if you’ve been infected by malware or other means. “Most malware is written to be very stealth and not let you know that it’s on the machine, so what Flame does is very typical,” Haley said. Robust, current security technology is a good first step toward minimizing the chance of undetected breaches–the straightforward anti-virus programs of yore aren’t likely to cut it. Haley also advises SMBs take steps to eliminate spam in their corporate email accounts; the bane of inboxes continues to be a favorite delivery method for malware makers. Expect social media to continue to grow as a malware vector, too. Haley thinks SMBs need to be thinking about social risk and actively monitoring their accounts for unusual activity.
3) Attacks are increasingly sophisticated. The complexity of today’s security threats almost make you long for the good old days of the Wazzu virus. Flame appears to have reset the bar. For SMBs, it’s a reminder that a set-it-and-forget security plan is a recipe for failure. What worked in 2010 probably won’t pass muster in 2012. “You really need to review everything [periodically],” Haley said. That’s important even if you outsource security to a consultant or other vendor. If time is an issue, an annual review is better than none at all. Depending on how much a particular company invests in security–or doesn’t–it might want to consider more frequent checks on its technologies and processes to ensure it’s keeping up with the times.
4) Reputation harm can be expensive. The fallout from the Flame revelation is just getting started, but it’s safe to say this is a public embarrassment for the affected governments. For SMBs, it’s a reminder that security breaches don’t necessarily need to hit your bank account to be costly. A website that gets co-opted into a malware host, for example–they’re at an all-time high, according Symantec’s most recent annual security report–could have a difficult time earning back the trust of its customers and other visitors. Likewise, data theft can be both embarrassing and expensive.
“It’s bad enough if you get your money or your customer list or some sort of intellectual property stolen,” Haley said. “But also the damage of the publicity from it could be really crippling to a business. Some people may be reluctant to do business with you if they think that you can’t keep your information secure.”
5) Prioritize your most important assets. A sound strategy for some SMBs is simply to not try to protect everything. Rather, identify your most valuable assets–banking credentials and other financial information, customer databases, and intellectual property, to name a few examples–and focus your efforts there. That can help resource-strapped organizations minimize their vulnerabilities in a practical manner rather than waving a white flag of surrender.