
Data Breach Report and Recommendations | Page 1

Data Breach Report and Recommendations

Karan Kochhar
Northeastern University
College of Professional Studies
Masters of Project Management with Information Security Management


Abstract
The assignment is to compose a body of text of 8-10 pages based on the scenario provided. The
aim of the paper is to highlight all the deliverables mentioned in the provided scenario and offer
a recommendation. The report attempts to present the findings from the weekly discussions and
quizzes, the ideas and knowledge gleaned from the readings, and the results of the experiments
(using Cain & Abel for brute force and port monitoring, Havij for SQL injection, and Low Orbit
Ion Cannon for DoS and DDoS) in putting theory into practice, together with my thinking and
practice of Information Security. The report will also focus on my ideas about Information
Security and how they have transformed over the course of the term.

Keywords: Information Security, Transformation



Scenario
You are the IT Manager for a fictitious bank called First Union Bank. You have discovered that a
hacker has broken into one of your competitors' online banking systems and has accessed
sensitive customer data. Your boss, the Chief Information Officer of the bank, has called
an emergency meeting to create an approach to ensure that such an incident does not happen at
your bank. During this meeting, you are tasked with coming up with a plan to prevent such future
attacks. Your paper will describe this plan and include the 4 deliverables as part of it. The
paper should reference the different sources of material used in an appendix, such as books,
electronic databases, online or print articles, etc.
Deliverable #1
Penetrating the so-called secured networks and firewalls of banks, the hackers siphoned large
quantities of information that included customers' checking and savings account data. Notably,
no financial losses to the customers have been reported so far. Hence, the primary motive behind
the attack is debatable. Though most cyber-attacks are aimed at financial gain, at times they
have political motives too. The checking and savings account information of millions of users
was compromised, but the security team of the XYZ bank acted at the right time and stopped the
attack; otherwise critical data would have been stolen, which could have resulted in a
humongous amount of financial loss to the financial institution.
A zero-day software fault, which allows hackers to connect remotely to a computer, was
utilized to penetrate the security systems, and as per the specialists the attack was carried out
from Latin America. According to security specialists, such sophistication is beyond the ability
of common hackers. The financial sector has always been a key target for cyber-attacks, given
the fact that the entire nation's economy is dependent on it. The U.S. banking sector has
experienced frequent assaults of this kind (mainly for financial gain), despite some of the large
banks spending hundreds of millions of dollars to safeguard their customer data and other
information.
First, in order to tackle cyber-attacks, we at First Union Bank need to tighten Internet security,
develop strategies to upgrade computer systems and increase cooperation with other
countries. Further, companies offering Internet security will be encouraged to develop new and
innovative products to counteract such attacks. While the mere listing and coding of security
loopholes will not prevent future cyber-attacks, it should serve as a stepping stone toward
solving this extremely complex situation. And as per law enforcement, if a company suffers a
security breach, then the company has to share that data with its competitors to safeguard
them against the same type of attack.
Information from companies is being collected in multiple locations using at least two different
approaches. In one approach, the Financial Services Information and Analysis Center, known as
FS-ISAC, circulated XYZ Bank's data to help other companies assess whether they had been
attacked. The information included Internet protocol addresses linked to servers that the hackers
had used to communicate with the bank's computers and then to extract data.
Deliverable #2
The biggest types of threats for our bank and their mitigation steps are discussed as follows:
1. Malware (steady threat)
Malware, short for malicious software, includes viruses, worms, spyware, Trojan horse
programs, etc. Malware has been a steady contender as a top threat for the past several years.
While it is not a new threat concept, most banks still do not have adequate controls to
reduce the risk to a manageable level, and new types of malware are introduced daily.
Mitigating Controls:
• Install antivirus software - Ensure antivirus software is installed on all systems and set to
look for updates hourly.
• Install antispyware - In many cases, antispyware is included in the antivirus product.
• Manage patches - Incorporate a process to ensure all software stays up to date. Besides
installing Microsoft patches, also make sure to patch other software such as Adobe and
Java.
• Limit local administrator access - Without local administrator access, many types of
malware cannot install or run. Note that in some cases critical software requires users to run
as local administrators, but where possible it is best to remove this level of access.
• Restrict the use of removable media (e.g. USB drives) - When removable media, such as
USB drives, are not controlled, employees may plug personal drives with infected files
from other systems into your network.
• Filter email - Spam filters help to keep emails that contain malware or links to websites
with malware out of your employees' inboxes.
• Control Internet content - Since a vast majority of malware originates from the Internet,
restricting and/or monitoring Internet access can reduce the number of vulnerable sites
that are visited.
2. Social Engineering (rising threat)
We train our employees to provide excellent customer service. Most traditional social
engineering attacks capitalize on this vulnerability. Below are a few types of social engineering
attacks we see in banks today. Note that many of these attacks actually originate from foreign
terrorist groups, some of which are funded by foreign governments. So, many of the people
attacking us are in a sense just showing up for work each day.
• Phishing - The term "phishing" was originally used to refer to attacks via instant
messaging; however, phishing attacks today are usually done via email. For example, a
perpetrator could send an email to bank customers. The email appears to come from the
bank and asks them to visit a website and input confidential information (i.e. bank
account, credit card, etc.). If a customer responds, then the perpetrator succeeds.
• Spear Phishing - Spear phishing is a targeted phishing attack in which the perpetrator
makes the message appear to come from your employer.
• Whaling - Whaling is similar to phishing, but uses company biographies and online
profiles to specifically target executives or Board members. For example, if your bank has
a bio of each of your executives, and the bio of your President states that he graduated
from TTU and enjoys playing golf, then your President might get a fraudulent email
asking him to play in a charity golf tournament for TTU and sending him to a spoofed
website to gather information (e.g. credit card, etc.).
• Vishing (voice phishing) - Vishing is similar to phishing, but solicits confidential
information over the phone instead of email.
• SMiShing - SMiShing is similar to phishing, but uses SMS text messages.
• Pharming - Pharming is where the attacker redirects a website's traffic to another,
fraudulent website.
• Dumpster Diving - A perpetrator digs through trash in bank dumpsters to pull out
confidential or critical information.
Mitigating Controls:
• General technical controls such as a firewall, Internet content filtering, antivirus software,
anti-spam software, and patch management can help reduce or eliminate many phishing
attacks.
• Security awareness training - Train employees on how to spot and avoid social
engineering attacks.
  o Do not trust any site you are not familiar with.
  o Do not click on hyperlinks in emails. Instead, type in the address or copy it into
    your browser.
  o Verify that websites asking for confidential information are secure (the browser
    address for a secure website begins with "https://").
• Testing - Regularly conduct social engineering tests to see how your employees will
react.
3. Mobile devices (rising threat)
Bank IT departments are feeling increased pressure to support more mobile devices on the
bank network. At first, many banks tried to standardize on one type of phone, typically the
BlackBerry, due to the control they received from the BlackBerry Server. However, with the craze
for the iPhone and other such smartphones, we see a push (generally from upper management) to
expand the types of supported mobile devices. Sometimes a smartphone can seem indispensable,
and we wonder how it was ever possible to work without it! However, high-risk companies must
always maintain a balance between accessibility and security.
Mitigating Controls:
• Technical controls:
  o BlackBerry Server - BlackBerry devices can be managed through a central
    BlackBerry Server, and security controls can be pushed through IT policies. The
    BlackBerry server currently provides the most security options, including password
    controls, remote wipe, and encryption.
  o Microsoft Exchange Server via Microsoft Exchange ActiveSync (EAS) - iPhones
    and Windows Mobile devices can be centrally managed through Microsoft
    Exchange. Some security controls that can be configured through the Security Policy
    include: remote wipe, enforce password, minimum password length, maximum
    failed password attempts (before local wipe), password complexity, and lock after
    inactivity. Note: beginning with Windows Mobile 6, you can control storage card
    encryption.
• Patch management - Vulnerabilities in smartphones continue to be found, and new
patches are released; however, for most smartphones, there is currently not a good way to
force patches to the devices. In many cases, updating the software on smartphones turns
into a manual process.
• Training - Train employees to treat their smartphones (phones that receive email or store
data) like a laptop: keep it safe and secure, and report it immediately if it is lost or
stolen.
4. Internet attacks (rising threat)
Banks continue to rely more and more on the Internet as a mechanism for promoting and
delivering products and services. By moving to the Internet, we are expanding our threat
landscape from local or regional threats to global threats. We must be diligent in taking the care
needed to protect ourselves and our customers from unwanted attacks.
Mitigating Controls:
• Technical controls - Firewall, Intrusion Detection System (IDS), patch management,
antivirus software, etc.
• Multifactor authentication - Multifactor authentication is used to authenticate or verify
the identity of a person. The three types of authentication that can be used are:
something you know (e.g. a password), something you have (e.g. a debit card), and something
you are (e.g. a fingerprint).
• Two-way authentication (also called mutual authentication) - Two-way authentication
refers to an end user authenticating themselves to a server, and the server authenticating
itself to the user, in such a way that both parties are assured of the other's identity. This
authentication process is most commonly done by requesting a username from the
customer, then displaying a known and preapproved image or statement to the customer
(authenticating the server) prior to the customer entering his or her password.
• Secure forms - Use secure forms (rather than email links) for Internet communication
with your customers, thereby eliminating the possibility of your customers sending
confidential information in clear text over the Internet.
• Secure website - All customer sign-in pages and forms should be secure (encrypted via
SSL); however, it is best to secure the bank's entire information website.
• Training - Train your customers to look for the normal indications of a secure website (a
lock at the bottom of an Internet Explorer window or https:// at the beginning of the
website's address).
• Testing - Conduct regular external security tests to see how visible and vulnerable you
are from the outside.
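The two-way authentication flow described under "Internet attacks", worked through as an added example (not code from this report or from any bank's system): the customer sends only a username, the server answers with the statement that customer pre-approved at enrolment, and the password is released only after the customer recognises it. Account names, phrases and passwords are constructed; the decoy phrase for unknown usernames is a hardening the report does not mention.

```python
"""Mutual (two-way) authentication with a pre-approved site phrase.
Added illustration; enrolment data below is constructed for the example."""
import hashlib
import hmac
import secrets

# In-memory enrolment store (constructed):
# username -> {"phrase": pre-approved statement, "salt": bytes, "pw": password hash}
ACCOUNTS: dict[str, dict] = {}
# Server-side secret so unknown usernames still get a stable-looking phrase;
# this keeps step 1 from revealing which accounts exist (not in the report).
_DECOY_KEY = secrets.token_bytes(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol(username: str, password: str, site_phrase: str) -> None:
    """Customer chooses the statement the genuine bank site will show them later."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {"phrase": site_phrase, "salt": salt,
                          "pw": _hash_password(password, salt)}


def step1_server_shows_phrase(username: str) -> str:
    """Server authenticates itself: only the real server holds the enrolled phrase."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        return acct["phrase"]
    decoy = hmac.new(_DECOY_KEY, username.encode(), "sha256").hexdigest()[:8]
    return f"phrase-{decoy}"


def step2_server_checks_password(username: str, password: str) -> bool:
    """Customer authenticates: constant-time comparison of the password hash."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    return hmac.compare_digest(acct["pw"], _hash_password(password, acct["salt"]))


def customer_login(username: str, expected_phrase: str, password: str,
                   server_step1=step1_server_shows_phrase) -> str:
    """The customer's side of the flow. `server_step1` is whichever site the
    customer is talking to; the password is never sent unless the phrase matches."""
    shown = server_step1(username)
    if not hmac.compare_digest(shown.encode(), expected_phrase.encode()):
        return "stopped: site did not show my pre-approved phrase"
    if not step2_server_checks_password(username, password):
        return "denied: wrong password"
    return "ok: both parties authenticated"


def generic_site_step1(username: str) -> str:
    """A site without the enrolment data can only show a generic greeting;
    the customer's check in customer_login() stops the flow at step 1."""
    return "Welcome to online banking"


if __name__ == "__main__":
    enrol("alice", "correct horse battery", "My dog Rex at the lake")
    print(customer_login("alice", "My dog Rex at the lake", "correct horse battery"))
    print(customer_login("alice", "My dog Rex at the lake", "correct horse battery",
                         server_step1=generic_site_step1))
```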

Deliverable #3
In the 2014 Data Breach Investigations Report, the seventh it has carried out since 2004,
Verizon claims that no organization is immune from a data breach, and details that 92
percent of security incidents are down to nine basic patterns. Worse still, just three threat patterns
cover 72 percent of security incidents across any industry. Approximately 75 percent of financial
sector incidents come from web application attacks, DDoS attacks and card skimming, while
most attacks in the retail industry are tied to DDoS (33 percent) and POS intrusions (31 percent).
DDoS attacks were so prevalent in 2013 that Verizon has dedicated its own study section to the
attack method for the first time.
Other highlights from the report include the finding that there were 1,367 data breaches in 95
countries over the last year, and that cyber espionage activity grew four-fold. For all this,
however, the standout point touched on by several Verizon analysts was that data breach
discovery often takes 'weeks or months', allowing hackers to compromise the system and search
for valuable data to exfiltrate. The data breach report states:
    "Compounding this issue is the fact that it is taking longer to identify compromises within
    an organization, often weeks or months, while penetrating an organization can take
    minutes or hours."
Fig.1
The roles, responsibilities and action chart for the Data Breach Incident Response Team is as
follows:
Data Breach Response Team

1. Incident Lead
   Responsibility: Will take the lead for the data breach incident.
   Actions: This person will coordinate efforts among all groups, notify all the appropriate
   people within the company and externally, create the documentation and timeline of
   activities, identify key tasks, and estimate costs.

2. Chief Executive Officer
   Responsibility: Will take recommended actions.
   Actions: Will take the required actions.

3. Chief Financial Officer
   Responsibility: Will cover finances and will take the actions recommended by the Incident
   Lead and CISO.
   Actions: Will take the required actions.

4. Chief Information Security Officer
   Responsibility: Responsible for aligning security initiatives with enterprise programs and
   business objectives, ensuring that information assets and technologies are adequately
   protected.
   Actions: CISO teams will be critical in helping identify what information was actually
   compromised.

5. Chief Privacy Officer
   Responsibility: Responsible for developing and implementing policies designed to protect
   employee and customer data from unauthorized access.
   Actions: CPO personnel will also work with counsel to find out what is required in the
   response.

6. Chief Compliance Officer
   Responsibility: Responsible for overseeing and managing compliance issues within an
   organization, ensuring that the company is complying with regulatory requirements and
   that the company and its employees are complying with internal policies and procedures.
   Actions: CCO personnel will also work with counsel to find out what is required in the
   response.

7. Information Security Director
   Responsibility: Responsible for technology related to security within an organization.
   Actions: Will be critical in helping identify what information was actually compromised.
   A word of caution, though: many IT individuals may be under the impression that they
   possess the skill set and training to do forensics on the data compromise (identification
   of how the breach happened, impact to any other systems, analysis of what was taken,
   ensuring the damage has stopped, etc.).

9. Legal Team Director
   Responsibility: Responsible for addressing and managing the aftermath of a security
   breach or attack (also known as an incident) and also managing all the legal matters of
   the organization.
   Actions: LTD personnel will also work with counsel to find out what is required in the
   response.

10. Customer Care Director
   Responsibility: Responsible for managing their team to align customer service department
   policies and systems with the company's objectives.
   Actions: CCD personnel will play a critical role in the incident if employee or customer
   notification is determined to be a requirement.

11. Human Resources Director
   Responsibility: Responsible for the organization's human capital management.
   Actions: HR will be involved when the breach has impacted employee information, and
   Customer Service will be called into action if the data breach impacts that of customers.

12. External Legal Counsel
   Responsibility: Responsible for advising the organization on issues concerning legal
   rights, obligations and privileges that relate to its management and its field of operation.
   Actions: Will be responsible for deciding whether or not consumers should be notified
   and the legal requirements around what the notification must say.

13. Crisis Management Firm (External)
   Responsibility: Responsible for developing strategies designed to help an organization
   deal with a sudden and significant negative event.
   Actions: Will implement the strategies they have developed for the data breach.

14. Police Department
   Responsibility: Will take the required actions.
   Actions: Will take the required actions.

Deliverable #4
As mentioned, the LoanWrite application installed on the iPad has been compromised because
of a code bug which allows a remote user to take control of the iPad, and because of this bug
the data on all the loan officers' iPads has been compromised. As a first action, I would
recommend uninstalling the application from the loan officers' iPads so that the remote users
do not have any further connection to the bank's database. Secondly, I would recommend asking
the affected customers to change their sensitive information (wherever possible) so that there
is less possibility of further data leakage from any other source. Thirdly, we should compile a
list of which data has been compromised (SSN, name, DOB, etc.) so that we can take action or
ask customers to take action accordingly.
All the recommendations prescribed in the Data Breach Report by Verizon are discussed below
with explanations for agreeing or disagreeing with them.

Recommendation: Eliminate unnecessary data, keep tabs on what's left.
Agree/Disagree: Disagree
Explanation: We don't know which data we will need to use when we think from a bank's
database perspective. I feel we have to archive all the previous data properly so that we can
use it whenever required.

Recommendation: Perform regular checks to ensure that essential controls are met.
Agree/Disagree: Agree
Explanation: We can't wait for an attack to happen and then take controlling measures, as we
are dealing with some of the most sensitive customer data, so I feel we have to do checks
regularly to verify that we are meeting the controls.

Recommendation: Collect, analyze and share incident data to create a rich information source
that can drive security program effectiveness.
Agree/Disagree: Agree
Explanation: This is a to-and-fro process: if someone attacks our system and we make a report
out of it and share it with our partner banks, then they will do the same, and by this we can all
have protection against the attacks.

Recommendation: Collect, analyze and share tactical threat intelligence, especially indicators
of compromise (IOCs), that can greatly assist defense and detection.
Agree/Disagree: Agree
Explanation: This is a to-and-fro process: if someone attacks our system and we make a report
out of it and share it with our partner banks, then they will do the same, and by this we can all
have protection against the attacks.

Recommendation: Without de-emphasizing prevention, focus on better and faster detection
through a blend of people, processes and technology.
Agree/Disagree: Agree
Explanation: The faster we can detect the attack, the faster we can act and save our data.

Recommendation: Regularly measure things like "number of compromised systems" and "mean
time of detection", and use these numbers to drive better practices.
Agree/Disagree: Agree
Explanation: Once we have these stats we can average out how many of our systems got
infected and how much time it took to detect, and using this we can plan remedies.

Recommendation: Evaluate the threat landscape to prioritize a treatment strategy. Don't buy
into a one-size-fits-all approach to security.
Agree/Disagree: Agree
Explanation: I totally agree that no single remedy is good for all problems, as every problem
has a different protective/remedy measure.

Recommendation: Don't underestimate the tenacity of your adversaries, especially
espionage-driven attackers, or the power of the intelligence and tools at your disposal.
Agree/Disagree: Agree
Explanation: We don't know whom we are dealing with (activists, attackers and spies), what
organization they belong to, or what kind of resources they have.
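The "number of compromised systems" and "mean time of detection" metrics recommended above, computed over a constructed incident log, with each incident's discovery time also placed in the minutes/hours/days/weeks/months spans the Verizon report uses to make its "weeks or months" point. Added example, not from the report or from Verizon; every record, hostname and timestamp is made up.

```python
"""Detection metrics for a data breach programme over a constructed incident log.
Added example; INCIDENTS is invented data, not a real breach record."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed incident records: (incident id, affected system,
# time of compromise, time the bank detected it), ISO 8601 timestamps.
INCIDENTS = [
    ("INC-001", "web-app-01",   "2014-06-02T09:15:00", "2014-06-02T09:40:00"),
    ("INC-002", "db-02",        "2014-06-02T09:20:00", "2014-06-02T14:05:00"),
    ("INC-003", "loan-ipad-17", "2014-05-11T18:00:00", "2014-06-20T10:00:00"),
    ("INC-003", "loan-ipad-22", "2014-05-11T18:30:00", "2014-06-20T10:00:00"),
    ("INC-004", "mail-gw-01",   "2014-03-01T00:00:00", "2014-06-30T08:00:00"),
]


def _detection_delays(incidents) -> list:
    """Time from compromise to detection for every affected system."""
    return [datetime.fromisoformat(found) - datetime.fromisoformat(hit)
            for _, _, hit, found in incidents]


def timespan_bucket(delay: timedelta) -> str:
    """Verizon-style 'time to discovery' span for one incident."""
    secs = delay.total_seconds()
    if secs < 3600:
        return "minutes"
    if secs < 24 * 3600:
        return "hours"
    if secs < 7 * 24 * 3600:
        return "days"
    if secs < 30 * 24 * 3600:
        return "weeks"
    return "months"


def compromised_systems(incidents) -> int:
    """Distinct systems affected; one incident may hit several systems."""
    return len({system for _, system, _, _ in incidents})


def mean_time_to_detection_hours(incidents) -> float:
    delays = _detection_delays(incidents)
    return sum(delays, timedelta()).total_seconds() / 3600 / len(delays)


def median_time_to_detection_hours(incidents) -> float:
    """Worth reporting beside the mean: one long-undetected compromise drags
    the mean up and hides how quickly the typical incident was found."""
    return median(d.total_seconds() for d in _detection_delays(incidents)) / 3600


def discovery_distribution(incidents) -> Counter:
    """How many incidents fell into each discovery span."""
    return Counter(timespan_bucket(d) for d in _detection_delays(incidents))


if __name__ == "__main__":
    print("compromised systems:", compromised_systems(INCIDENTS))
    print("mean time to detection (h): %.1f" % mean_time_to_detection_hours(INCIDENTS))
    print("median time to detection (h): %.1f" % median_time_to_detection_hours(INCIDENTS))
    print("discovery spans:", dict(discovery_distribution(INCIDENTS)))
```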

References
Banks Face Cyber Attacks. http://www.zacks.com/stock/news/145453/Banks-Face-Cyber-Attack-Russian-Motives-at-Work (Accessed on 14 October 2014)
JPMorgan Hackers Linked to Attacks at 13 Other Financial Firms. http://www.claimsjournal.com/news/national/2014/10/09/256106.htm (Accessed on 14 October 2014)
Data Breach Discovery Takes 'Weeks or Months'. http://www.scmagazineuk.com/data-breach-discovery-takes-weeks-or-months/article/343638/ (Accessed on 14 October 2014)
Emerging Cyber Threats. https://www.conetrix.com/articles/top-5-emerging-cyber-threats.aspx (Accessed on 16 October 2014)
Top 9 Security Threats. http://www.bankinfosecurity.com/top-9-security-threats-2011-a-3228/op-1 (Accessed on 16 October 2014)