Avoid knee-jerk security theater after a cybersecurity breach
Take action: Security happens before you drop the egg basket. Everything you do after that should be about cleanup and learning how not to drop it the next time. Just don't try to create a theater performance of gluing the eggs or claiming that the eggs were in somebody else's basket.
In the last few weeks we have seen several major data breach events that triggered some comically wrong reactions. These reactions show that organizations fall back on the default mechanisms available to them, none of which has any material value for information and data security.
In this article we discuss the bad examples, why those actions make little sense, and what the right things to do instead are.
Before we start
The recommendations we provide will be seen by some as too expensive a cost to pass on to their customers, too prohibitive for business growth, or simply not reasonable for their risk appetite.
That is a perfectly acceptable position, AS LONG AS you are transparent with your customers about what your actual security posture is. There may well be customers willing to pay less for a service and accept a riskier one.
We just ask people and companies not to perform security theater, claiming they care about security and then massively disappointing their users.
The data breaches and the weird reactions
- The US State department is offering a $10 million bounty related to information on the Cl0p ransomware gang which stole a massive amount of data by exploiting the MOVEit Managed File Transfer vulnerability.
- The Australian law firm of HWL Ebsworth has obtained a court injunction to stop anyone dealing with client and employee data that was stolen when HWL Ebsworth was hacked and was subsequently dumped on the dark web.
- The government entities of India have flatly denied that their CoWIN COVID vaccine portal was hacked even though a bot exposed the data on Telegram, and then pivoted to explaining that the data was exposed in "a previous data breach" - which would be a data breach of the same data set, owned and controlled by the same government?
Why these reactions don't make sense
The knee-jerk reactions of all three entities are trying to show that they are "on top of the problem" under massive pressure - whether from the public, media, customers or political opponents.
But the reactions are comical - even ridiculous - when viewed from a distance. Let's consider what these reactions will actually achieve.
- A bounty issued by US law enforcement won't do squat to a group of criminals sitting snugly in a remote part of the world where US jurisdiction is not recognized (anybody remember Edward Snowden?). These criminals have already stolen the data and are actively blackmailing the owners of the data, including US government entities.
- The legal injunction against dealing with the leaked client data will only hamper the investigation of the event, since the only people within the jurisdiction of the Australian legal system are the people trying to understand what happened so we can all learn and prevent it from happening again. The people who would like to abuse the data don't care whether there's an injunction or not - they have already committed to being criminals.
- The Idiocracy-level denial at all costs by the government institutions of India, and the transfer of responsibility onto "some other data breach", means very little to the people whose data is exposed. To anyone able to put two and two together it became clear that the data breach is related to an unsecured API endpoint used between institutions and that some institution was compromised to extract the data. Even if we take the statement of "some other data breach" at face value, that "other" data breach still contains data that the government institutions should have secured and now need to be transparent about. The trust is lost, and these actions are simply burning any remaining hope of future trust.
A bit of a disclaimer
Let's be clear - criminals should be prosecuted by law enforcement to the full extent (and ability) of the law, but as a matter of criminal behaviour, not as a matter of information security risk reduction. Legal injunctions may be relevant, but they are in no way helpful against a signal converted into a stream of electrons that travels across computers worldwide.
What we should and can do
After a data breach incident occurs, it's time to be clear about one thing: the cat is out of the bag. There is no putting it back in. Digital data can be perfectly copied and disseminated for years to come.
After such incidents we need to learn more, and faster, and implement better controls to prevent a repeat and the misuse of the data.
- For companies, educate management; for governments, penalize management - Insist on (and regulate) defined levels of security testing by vendors, even mandating publication of all security tests if necessary, or making an incomplete security posture a blocking factor for doing business with some types of institutions.
- For governments - To avoid making such controls a barrier to entry, make the tests part of the university curriculum. This is a win-win: engineers are educated in security very early, and the tests can be offered to companies at marginal cost or for free.
- For companies and for governments - Insist on data being as ephemeral as possible: delete data as part of regular processes, especially if the data is not actively processed, is old, etc.
- For companies, educate management; for governments, penalize management - on the risks of hoarding data "just in case they may need it several aeons later".
- For companies and for governments - Adopt a no-trust (zero-trust) policy for all connections: your business partners are an attack vector just as dangerous as the internet.
- For everyone - Insist on transparency and learn from data breach events. It may turn out that we all accept a data breach is not that big a deal; if it is, we will all need to find better ways to handle it.