Recent incidents involving data breaches and stolen credentials have drawn significant media attention and board-level interest, leading in many cases to highly reactive responses.
The most recent such incident involved Hold Security's announcement that it had obtained around 1.2B stolen credentials. In another, similar incident last November, Trustwave discovered two million compromised accounts. However, unlike Trustwave, which appropriately chose not to monetize its discovery of stolen credentials, Hold Security has chosen to leverage its discovery in an attempt at monetization. While offering free notification to individuals, Hold is charging subscription fees for its "Breach Notification Service" to companies that wish to determine whether their data has been compromised. This difference has drawn a great deal of media attention, resulting in board and executive peer inquiries directed to CIOs.
While CIOs often find themselves in the driver's seat for IT-focused risk decisions, there is little precedent for handling an attempt by a researcher to profit from stolen data. To lead your organization effectively through this key decision, follow an outcome-focused approach. The following points provide a suitable high-level approach.
1. Define potential outcomes
The desired end state should drive the definition of the potential outcomes. This should include input from Legal, IT, PR, and other stakeholders to make the best overall decision for the business.
In this case, most would agree that an immediate response would be to increase the security monitoring of anomalous network activity, privileged accounts, and login locations.
An alternative response might be to reset passwords. However, this can create significant disruption to the business and would likely be considered an overreaction, given that it is not yet known whether your company is affected.
Determine whether your company was impacted. Unfortunately, in the current case, Hold Security does not appear to have the capacity to respond to the volume of inbound inquiries in a timely manner, nor is there a tool in place that lets you check whether your domain was affected. With this in mind, legal options should be evaluated with counsel to determine whether to file a civil action in federal court to establish whether your credentials were impacted and/or to seek an injunction against use or retention of the credentials. At the federal level, a starting point would be Title 18 U.S.C. sections 1831, 1832, 2314 and 2315. As Hold Security's headquarters is in Wisconsin, one could also begin by evaluating state code 943.20, 943.34 and 134.98.
2. Determine the impact of each option on the business
Each of the identified options will have a set of pros and cons. Work closely with the other stakeholders to determine the direct and potential impact on the business. For example, a full reset of domain credentials will disrupt production, web users, and even sales team members. Disruptions of that nature will often not be approved unless security is certain that credentials have been compromised. Be careful not to create additional business challenges through knee-jerk reactions.
3. Decide on the acceptable level of risk
Timing and external factors will drive your team's risk tolerance. For example, if you are in the middle of a merger or acquisition and data obtained through stolen credentials could significantly affect the deal, it may be worth disrupting the business with an enterprise-wide password reset. In most cases, however, a reset would not make sense until it has been verified that credentials have been compromised and that, given the sensitivity of the data those credentials protect, the compromise could lead to negative outcomes.
4. Choose a course of action
Evaluate the outcomes, impact, and risk, and then make a decision. The collective team needs to agree that the decision is right-sized to the risk and reward of the chosen course of action. The important part is managing and communicating the residual risk regardless of the chosen outcome, even if that outcome is to do nothing.
Overall, striking the proper balance between an expedient response and your company's acceptable risk tolerance will continue to be a challenge for CIOs and their peers. When possible, spend the time before an incident to establish policies and procedures for handling these situations, as they often fall outside the crisis response and incident response plans drafted by PR and IT respectively.