Tripadvisor's summer survey on beach and pool etiquette recently revealed which antisocial behaviors most annoy vacationers. Unsurprisingly, smoking, playing music too loudly and chair-hogging all came out as being deeply unpopular. Fascinating, but why am I writing about this on a security blog you may ask?
Perhaps you think I'm just jonesing for a little vacation, but those who stopped by our booth or attended our party at Black Hat will know that Rapid7's theme for the event was “Life's a Breach”. Yes, yes, we know you're groaning, but we have this whole metaphor around riptides and Security Protection Factors (SPF) and protecting yourself from Undiscovered Vulnerabilities (UV) and… Seriously, stop groaning!
So, being the very dedicated security professional I am, I volunteered to do some intensive “research” at the pool during Black Hat. Sadly, though, I was surrounded by the bad pool etiquette Tripadvisor's survey identified: loud music, chair hogging and smoking were all in full effect (or was that at the Rapid7 party?). Given our theme for the show, it was only a matter of time and cocktails before I started musing on bReach etiquette.
I want to be clear that I'm not pointing the finger here; we all know security is a complex matter and it is tragically all too easy to fall victim to an attack. Once that happens, it's no simple matter to respond: it's not like there's a standard process, or every situation is the same. Most of the time, it's not immediately clear what the situation even is, making good breach etiquette a tricky matter. That said, I think there are a few basic concepts organizations should keep in mind to avoid being a “breach bum”…
1) Communication is King
It's critical that organizations communicate clearly and in a timely fashion with their stakeholders, which includes their customer base. Even when you're not completely sure what the situation is, it's better to be upfront with customers so they're not reading third-party reports and wondering why you're not telling them anything at all. Where possible, give those affected some simple guidance on how they can respond to the risk (e.g., change passwords, back up data, etc.). Once you do know the situation, clearly explain what was taken, what it can be used for, how it can impact individual users, and what the company will be doing to prevent it in the future. Some companies have even offered free identity theft protection services or insurance to those affected.
2) Sharing is Caring
Sharing threat information is vital for building a more secure internet ecosystem. Even though it takes swallowing your pride to admit a breach, sharing information can help others learn from your experiences. In the long run, if everyone becomes more open about what worked and what didn't, we'll all be richer for it.
3) The Truth Will Set You Free
Yes, being breached can be embarrassing, but that's no excuse for misleading people. It's tempting to try to reassure people, particularly worried customers, but they won't thank you for it if you tell them everything is fine one moment, and then they discover it really isn't. We've seen several high profile companies have data leaked that contradicts public statements they've made about NOT being compromised. When it turns out that they have been breached after all, their credibility is that much worse for having given false hope.
4) It's OK to Ask for Help
If you don't have the right resources internally, don't be embarrassed to ask for assistance with incident response and root cause analysis. Asking for help could be the difference between a long-term infestation and a temporary inconvenience.
5) Fool Me Once
Organizations should learn from their own experiences. We have seen organizations be compromised through a certain attack vector and then later fall victim to an attack from the same vector. Although the attackers are clearly in the wrong regardless of holes that may exist on a network, organizations need to make sure they learn from their experiences and diligently try to reduce the potential for being breached.
Tell us about your suggestions for breach etiquette in the comments section below.