What Can Be Learned From 2016 Security Incidents?


Cue the year-end articles saying that this was the worst year to date for data breaches. Follow that with more dire predictions for 2017. Layer in one-size-fits-all recommendations to mitigate these risks. And finish with technology solutions that you must have. If you read all of this you might come away thinking that if your company is not using AI and machine learning, buying threat intelligence, building a threat-hunting team, installing a next-generation antivirus solution, deploying an endpoint product and reducing your attack surface, all of those bears people talk about outrunning may already be in your network.

It is true that there were a lot of incidents disclosed in 2016, and for the first time an incident reportedly affected 1 billion accounts. There are core steps most companies can take to mitigate risk and be prepared to respond when an incident is detected. And depending on the company’s risk profile, you may be implementing all of those security measures. But the many years spent responding to security incidents reveal several constants:

  • Whether you have “next-gen” security or little security, unskilled, semiskilled and skilled attackers usually still find a way in.
  • Regardless of how sophisticated a network’s security is, one reason attackers still find a way in is that networks are built and maintained by people (your people and your vendors’ people), and people are fallible: they make mistakes, they get phished and they get socially engineered.
  • Most incidents are not the result of a sophisticated, never-before-seen, unpreventable attack.

After the incident is investigated and the incident response team is looking back for lessons learned, it is not uncommon for the lessons to include:

  • Paying better attention to basic security measures would have prevented the issue.
  • Realizing that the network environment is not uniform: there are data and devices the security team did not know about, third parties with access that were unknown or that were set up without the approved remote access solution, and exceptions and work-arounds that have accumulated over time.
  • Having more verbose logging for a longer period of time that can be accessed from a central source would have enabled the analysis of what occurred to be more precise.
  • Acknowledging that trust but verify is important (e.g., if someone says a network is segmented, check the ACLs and firewall rules to confirm this).
  • Knowing that you can have great security tools and generate terabytes of logs, but someone has to review the logs.
  • Determining that assumptions about a vendor’s role in maintaining and managing the security of the service it is offering may have been wrong.
  • Deciding that delegating responsibility for security to IT or the security team is insufficient – it takes an enterprise-wide approach to address this enterprise risk.
  • Identifying a forensic firm before the incident, negotiating the terms of a master services agreement in advance, and then meeting with that firm to discuss how it will investigate and what data is needed would have facilitated a faster response, investigation, containment and final analysis.

While most of the security incident disclosures in 2016 related to theft of data, the surge of ransomware and the emergence of denial-of-service tools fueled by compromised IoT devices demonstrate that maintaining operational resiliency is equally important as preventing data theft. The 10-K cyber risk disclosures of many public companies state that the company relies on technology to operate its business and that a failure of that technology could have a material impact. Despite those statements, many companies that have focused primarily on preventing data theft are only now addressing: (1) whether their critical operating systems are as well-guarded as systems that interact with sensitive data; (2) what backup capabilities and procedures are in place in the event of a widespread outbreak of ransomware; (3) in anticipation of facing a ransom or cyber-extortion scenario, whether the company should establish and fund a bitcoin wallet; and (4) what denial-of-service mitigation solutions are in place.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
