Breaches, Buys, and Backpedaling - The Week of 4/4/2011

04/05/2011 | Chris Silva

It's been a busy news week in information security. It opened out of the gate with news of the planned acquisition of NetWitness by RSA, The Security Division of EMC. It's a better headline than the last one that we witnessed from RSA, but could the two be related? Likely not; however, the timing is not without its merit - intentional or otherwise - as it comes fast on the heels of an RSA blog post detailing how the supposed "APT" attack compromised elements of the SecurID product line. Add to that excitement a major data breach at a US data handling company and we've got a news trifecta.

Regardless of any marketing spin that results from the event, we're in agreement with IANS Faculty member Rocky DeStefano (a former member of the NetWitness team), who notes that "no business buys NetWitness for a 'compliance check box'; they buy it because they care about security..." From a PR and IT standpoint, it's clear that having access to the assets of NetWitness couldn't come at a better time for the vendor. However, we share Rocky's interest in the questionable fate of the vibrant, non-revenue-generating user community cultivated by NetWitness.

As if all the news out of RSA didn't provide enough to ponder (and we're happy to discuss it in more detail with our clients, using the IANS Ask An Expert process), the story stealing the headlines this week is the Epsilon data breach - publicized for many as a result of alerts like this one from BestBuy (PDF link). The list of affected companies seems to keep growing (our friends at ThreatPost have created a solid list of these here). The common link: the RSA IP compromise began as a spear phishing attack, and the same type of attack will likely be used on any individuals or organizations whose personal identification can be correlated with their contact information (i.e., email address) from the compromised Epsilon data. So, what can you do as a potential target? It's largely a set of simple steps:

  • Ensure that, as a consumer, you’re aware of the affected companies with whom you’ve done business. Notifications are taking place primarily through email but are being parceled out day by day. Remember that having done business with companies directly or through a partnership means you may not easily recognize the name of the firm whose data was breached. For example, a customer with an LL Bean credit card may not think of Barclay’s Bank of Delaware as the company they dealt with. Keep an eye on current and formerly used email addresses.
  • The status of activity at the moment is notification, meaning that any email looking to solicit further information from customers is likely to be fraudulent. There are very strict guidelines for how companies notify consumers when a breach takes place. Step 1 is notification; anyone (person or business) reaching out to do anything more is dubious at best.
  • In general, any new contacts from companies or out-of-the-norm activities requesting action from users are probably spear phishing attempts (spear phishing, noun: a targeted attack aimed at compromising sensitive information, using personal details to establish trust). This is the way that any correlated information (email address plus identity information such as name) is most likely to be used, so be on the look-out.
  • Educate users: the more users are trained and educated to spot and react appropriately to spear phishing or other social engineering attempts, the less likely your company is to be next in the chain of companies affected - and to have your CNN moment.

The true extent of the breach remains to be seen: we may all simply see a flood of “Vi@gra” emails in our junk folders, but we stand to potentially see a massive uptick in complex spear phishing attacks and other social engineering tactics. The best advice: if it seems suspect or too good to be true, it probably is - even if the contact is couched as aiming to help breach victims. Companies are interested in damage control and containment in these instances. They are not proactively going to go above and beyond simply notifying customers of the breach, at least not at this point.