Post-mortem of a data breach
1 like1,228 views
The document outlines a post-mortem analysis of a data breach experienced by a company referred to as 'corpx', which was targeted unexpectedly despite being a regular business. It highlights the business impacts of the breach, including loss of revenue, reputational damage, regulatory fines, and internal disruptions. The analysis emphasizes the importance of preparedness for such cybersecurity incidents, suggesting that companies conduct cyber drills similar to fire drills.
Post-mortem of a data breach
- 1. POST-MORTEMOF ADATABREACH Janne Kauhanen @jkauhanen Jani Kallio @janikallionet F-Secure Cyber Security Services
- 3. SERVICEPROVIDER”CORPX” Listed on several international stock exchanges Provides application services, e.g. to financial sector Never thought they could be targeted – ”we’re just a regular company” 3
- 4. SITUATIONONEMORNINGINSEPT2015 ”7GB of data was sent from one financial department employees PC to IP-address xxx.xxx.xxx.xxx.” F-Secure Labs confirmed the address as a known data exfiltration server, used in a recently activated campaign 4
- 11. WHATWASTHEBUSINESSIMPACT ON”CORPX”? 11 Jani Kallio F-Secure Cyber Security Services Professional Services, Management Consulting
- 12. SIMPLIFIEDCYBERBREACH’SBUSINESSIMPACT TIMELINE Stakeholderfocus&attention Resourcedemand Discovery Long-term implications - Loss of revenue - Stock price effect - Brand & Reputation damage - Regulatory fines - Contractual fines - Costs incurred in remediation - 3rd party legal liability Incident Response - IT Forensics - Legal & Regulatory review External areas - Public Relations - Notification management - Stakeholder Communication - Remedial Service Provision Time Short-term implications - Loss of efficiency & delivery - Internal reporting mayhem - Management’s focus on incident, not on business - Costs incurred in response - Customer interface overload
- 14. Stakeholderfocus&attention Resourcedemand Time IT anomaly Discovery, IRT- team involved Escalation to MIM Stakeholder notification according the process SIMPLIFIEDCYBERBREACH’SBUSINESSIMPACT TIMELINE
- 15. Stakeholderfocus&attention Resourcedemand Time Client’s FSA’s information request Legal (external), and internal Sec resources tied to find answers A client demands explanation; Who, why, how, scope, remediation? -> KAMs try to manage National Data Privacy Ombundsman requests information SIMPLIFIEDCYBERBREACH’SBUSINESSIMPACT TIMELINE
- 16. Stakeholderfocus&attention Resourcedemand Time COMMS department demands info to prepare statements in advance External PR company involved 1st forensics report: The breach larger than expected SIMPLIFIEDCYBERBREACH’SBUSINESSIMPACT TIMELINE
- 17. Stakeholderfocus&attention Resourcedemand Time CEO: prepare a statement to BoD Escalation to the Management Team IRT+MIM+CMT organization in place SIMPLIFIEDCYBERBREACH’SBUSINESSIMPACT TIMELINE
- 18. Stakeholderfocus&attention Resourcedemand Time Closed accounts hinder internal operations Client’s tender process freezed CMT decision: To isolate a suspected system. Reporting to client’s FSA Several units require instructions from CMT SIMPLIFIEDCYBERBREACH’SBUSINESSIMPACT TIMELINE
- 20. Succesfull business makes you a potential target This case was a textbook example Although prepared, the level of business disruption came as a surprise You have firedrills – why not cyberdrills ? © F-Secure Confidential SUMMARY
- 21. SWITCH ON FREEDOM © F-Secure Confidential