As if the exposure of personal data belonging to more than 57 million customers and drivers were not bad enough, the timing of and response to the recently disclosed Uber breach are especially problematic.
Several studies on data breaches indicate that it can take up to nine months to identify and resolve a security incident. That is already too long, and in the case of Uber it took more than a year to disclose the massive breach.
The attackers had an easy path: they simply used login credentials found in a private GitHub repository used by Uber software engineers, gained access to Amazon Web Services with them, and from there discovered information on Uber drivers and guests.
There are several things we as security professionals need to keep in mind in the aftermath of this and other major breaches we have seen in the past.
First, be honest. A data breach becomes known sooner or later, and you have an obligation to disclose the breach to the relevant legal entities and authorities.
Take the Uber case: under GDPR (the EU General Data Protection Regulation), Uber can face penalties of up to 4% of its annual turnover as of 25 May 2018. Think about Uber’s turnover; I don’t need to mention any numbers here!
So let’s focus on some of the best practices we can implement using common sense and sound security practice. Here is my take:
- Report the breach immediately, or within the deadline set by the legal authority.
- Create an ability to organize your response to security incidents in one place. This should work with all of your security products to give you a single place to manage the security incident response process.
- Implement login credential rules that make accounts hard to compromise – follow best practices for login history, password length, password complexity and encryption of stored credentials.
- Patch known vulnerabilities promptly. According to a data breach report from Verizon, only 61% of vulnerabilities are patched within a month, and the remainder are likely never patched.
- Work with threat intelligence sources to better understand the depth and potential resolutions of security incidents with underlying IoCs (Indicators of Compromise) and vulnerabilities.
- Turn your runbooks into workflows to automate mundane tasks.
- Share threat intelligence among peers, industry domains and trusted circles for unclassified information and build “immunity by community.”
- And lastly, there must be tight integration with IT. This is required because many of the actions needed to fix security issues are performed by IT teams, not by the security team directly.
All of this together makes up Enterprise Security Response. It can help organizations improve on what we witnessed in the Uber episode: resolving security threats quickly and providing appropriate, timely responses to data breaches.
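The breach described above started with credentials sitting in a code repository, and the credential-hygiene item in the list above is the control that addresses it. The following is an added example, not code from the original post or from Uber: a small pre-commit style scanner that flags AWS access key IDs (the documented `AKIA`/`ASIA` prefix followed by 16 characters) and high-entropy values assigned to secret-looking variable names. The sample file content and the `SECRET_ASSIGNMENT` keyword list are constructed for the example; the key values are the placeholder credentials from AWS's own documentation, not real keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a documented prefix (AKIA long-term,
# ASIA temporary) followed by 16 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Assignment of a long token to a secret-looking name, e.g. secret_key = "...".
# The keyword list is a constructed assumption; extend it for your code base.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(secret|password|passwd|pwd|token|key)\s*[:=]\s*['"]?([A-Za-z0-9+/_\-]{20,})"""
)

# Constructed sample of a config file committed by mistake. The key values are
# the placeholder examples from AWS documentation, not real credentials.
SAMPLE_COMMIT = """\
# deployment settings
region = "us-east-1"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
TIMEOUT_KEY = "request_timeout_seconds"
"""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random secrets score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Never echo a suspected secret in full: keep a short prefix for triage."""
    return value[:4] + "****"


def scan_text(text: str, entropy_threshold: float = 4.0):
    """Return (line_number, finding_kind, redacted_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(match.group(0))))
        for match in SECRET_ASSIGNMENT.finditer(line):
            value = match.group(2)
            # Low-entropy values are usually ordinary identifiers, so only
            # random-looking strings are reported.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high_entropy_secret", redact(value)))
    return findings


def should_block_commit(text: str) -> bool:
    """Hook decision: refuse the commit when any suspected secret is present."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_COMMIT):
        print(f"line {lineno}: {kind} ({value})")
    print("block commit:", should_block_commit(SAMPLE_COMMIT))
```

Wired into a pre-commit hook (reading the staged diff instead of `SAMPLE_COMMIT`), this stops the credential from reaching the repository in the first place; the entropy threshold of 4.0 bits is an assumed starting point that keeps identifiers such as `request_timeout_seconds` out of the report while still catching the 40-character secret key.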
Editor’s note: Manoj Patel presented on security incident response best practices at the 2017 CSX Europe conference. Find out more about the 2018 CSX Europe conference, to take place 29-31 October in London.