Data Breaches
What is a data breach?
Generally, a data breach is a security incident in which digital information is accessed or taken in an unauthorized manner. Enterprise risk management explains that there are five types of data breaches:
- Malware
- Phishing
- Password Attacks
- Ransomware
- Denial-of-Service
Malware is software whose purpose is to harm a device or computer. Phishing is a cyber attack in which an attacker masquerades as a trusted entity to trick a user into willingly giving up sensitive information. Password attacks are those where an attacker guesses a user's password through brute-force or combination attacks; they succeed more often when the user has a weak password. Ransomware is when an attacker gains access to data and holds it hostage until a ransom is paid. A denial-of-service attack is a breach in which an attacker manages to deny a user access to data they are authorized to view. Physical theft can also cause a data breach.
Response and Preparedness
Data breaches can be complicated and costly to manage. The first way to prepare for a data breach is to have a preparedness plan in place before one occurs. A preparedness plan includes knowing who your first responders are: a team of people familiar with your organization's systems and security controls, with a plan for how to identify and resolve the problem.
Here are 10 ways organizations can defend their networks and assets against a data breach:
- Strong IT Policies
- Strong Passwords
- Strong anti-virus/anti-malware software
- Strong firewall
- Strong encryption
- Security patching and vulnerability scanning
- User education
- Data Loss Prevention capabilities
- Log auditing
- Backups
Prepared Plan Metrics
In the event a breach does occur, the following metrics can be used to measure how effective an organization's response is:
Mean Time to Identify (MTTI)
MTTI, which can also be called Mean Time to Detection (MTTD), measures how quickly an organization can identify an event and generate an alert. It determines how fast the organization is alerted when something suspicious happens anywhere in its digital environment. This metric is calculated as the difference between the start of a security event and its detection, whether by a technician or via monitoring tools. A detection skill ratio could be calculated by comparing the Mean Time to Resolution (MTTR) with the MTTI.
Mean Time to Notify (MTTN)
MTTN is a metric that measures the average time taken to notify a pre-determined list of contacts that a security incident has occurred. It is calculated as the difference between the time the event was initially detected and the time the contacts are notified.
Mean Time to Analyze and Assess (MTTAA)
The time taken to contain and review the event. The mean time to analyze and assess an issue is the time it takes first- and second-level responders to come to an understanding of what has occurred and then determine a way forward. Sometimes the widespread nature of an incident and the inevitable panic response can lead to significant delays in properly assessing the issue and charting a course toward resolution. Once an incident is detected, the MTTAA should not exceed 2 hours in most situations.
Time Taken to Acquire an Image
This metric measures the amount of time the chosen imaging tool takes to acquire an image of an affected device. The time will vary depending on what kind of device is being imaged. The target times are as follows:
- 3 hours for a workstation with a 500 GB or smaller hard drive
- 1 hour for a tablet device
- 2 hours for a cell phone device
- 5 hours for a server
- 2 hours for a network device
Should the tools chosen to acquire these images not meet the target times, an evaluation will be done to understand why and whether another tool should be procured.
Escalation to a Higher or More Technical Individual or Team
Some security incidents require escalation to a more advanced individual, engineer or team to assess and handle. This metric measures, where escalation is necessary, how long it took the initial response team to escalate to a higher level of support. Processes should be established that clearly delineate when an escalation should occur, to avoid significant delays in resolving issues. The target time for this metric will vary depending on the incident but in general should not exceed 2-4 hours.
Mean Time to Fix (MTTF)
The MTTF metric measures the amount of time it takes to restore a service or system after a service outage, including infrastructure taken offline because of a security incident or event. The affected system could be a single user's workstation or a server that houses large amounts of data and provides a service to the network. Depending on the organization, the target time to fix should be 72 hours. This is an aggressive target, but in many cases it may be possible to replace a system rather than make the impacted system operational again.
Mean Time to Know (MTTK) – The Root Cause of an Incident
The MTTK metric measures the amount of time it takes to determine the root cause of a security incident and its full extent, including everyone who was affected and any data that may have been compromised. Depending on the organization, the target MTTK should be 30 days. As the team's tools and experience improve, this time may well decrease, but it should certainly not increase. The metric includes the production of a formal root cause analysis report.
Mean Time to Verify (MTTV)
The MTTV metric measures the amount of time it takes to confirm the satisfactory resolution of a security incident with the affected parties. Depending on the organization, the target for this metric should be 14 days after the root cause report has been produced and finalized. This metric helps ensure that every affected stakeholder has received the best resolution to their issue that can be afforded.
Mean Time Between Security Incidents
As the security posture of the network improves, it is reasonable to expect fewer security incidents. Therefore, one metric that should be monitored is the average time between security incidents. Depending on the organization, an ideal target for this metric is 6 months. This interval should continue to grow as security practices and safeguards improve. If it is shorter than the target, an investigation into what can be done to meet the target should be conducted.
Mean Time to Resolution (MTTR)
The MTTR metric combines several aspects of the metrics listed above into a single measurement. Those aspects include:
- Collection of evidence
- Validation of evidence
- Reaction to evidence
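As an added worked example (not part of the original post), the following Python computes the mean-time metrics above from a set of incident timestamps and reports which of the post's target times are missed. The `Incident` field names, the 182-day approximation of 6 months, and the two sample incidents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Target times as stated in the post; 6 months is approximated as 182 days.
TARGETS = {"mttaa": timedelta(hours=2), "escalation": timedelta(hours=4),
           "mttf": timedelta(hours=72), "mttk": timedelta(days=30),
           "mttv": timedelta(days=14), "mtbsi": timedelta(days=182)}
@dataclass
class Incident:
    started: datetime     # when the event began (often only known in hindsight)
    detected: datetime    # alert raised by a technician or a monitoring tool
    notified: datetime    # pre-determined contact list informed
    assessed: datetime    # responders understand the event and agree a way forward
    fixed: datetime       # service restored, possibly on a replacement system
    root_cause: datetime  # formal root cause analysis report finalized
    verified: datetime    # affected parties confirm a satisfactory resolution
    escalated: "datetime | None" = None  # hand-off to a higher-tier team, if any

def _mean(deltas):
    return timedelta(seconds=mean(d.total_seconds() for d in deltas))
def compute_metrics(incidents):
    """Mean-time metrics from the post as timedeltas. All are measured from detection,
    except MTTI (from event start), MTTV (from the root cause report) and MTBSI."""
    m = {"mtti": _mean([i.detected - i.started for i in incidents]),
         "mttn": _mean([i.notified - i.detected for i in incidents]),
         "mttaa": _mean([i.assessed - i.detected for i in incidents]),
         "mttf": _mean([i.fixed - i.detected for i in incidents]),
         "mttk": _mean([i.root_cause - i.detected for i in incidents]),
         "mttv": _mean([i.verified - i.root_cause for i in incidents])}
    if any(i.escalated for i in incidents):
        m["escalation"] = _mean([i.escalated - i.detected for i in incidents if i.escalated])
    starts = sorted(i.started for i in incidents)
    if len(starts) > 1:  # mean gap between consecutive incident start times
        m["mtbsi"] = _mean([b - a for a, b in zip(starts, starts[1:])])
    return m

def missed_targets(metrics):
    """Metrics outside target: too long, or too short for the gap between incidents."""
    return [n for n, tgt in TARGETS.items() if n in metrics
            and (metrics[n] < tgt if n == "mtbsi" else metrics[n] > tgt)]
T = datetime.fromisoformat
# Constructed sample data: two incidents, the second escalated and slow to fix.
SAMPLE = [Incident(T("2023-01-10T08:00"), T("2023-01-10T09:00"), T("2023-01-10T09:20"),
                   T("2023-01-10T10:30"), T("2023-01-11T09:00"), T("2023-01-30T09:00"),
                   T("2023-02-05T09:00")),
          Incident(T("2023-03-01T00:00"), T("2023-03-01T06:00"), T("2023-03-01T06:30"),
                   T("2023-03-01T09:00"), T("2023-03-07T06:00"), T("2023-03-20T06:00"),
                   T("2023-04-01T06:00"), escalated=T("2023-03-01T11:00"))]
```

With the sample data, `missed_targets(compute_metrics(SAMPLE))` reports the MTTAA, escalation, MTTF and the time between incidents as outside their targets, while the single first incident alone meets every target it can be measured against.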
Written by: Marshall Frett & Pamela Katali
Good stuff!
Keep functioning, remarkable job!
I have been researching this issue for almost three weeks at this point and this is actually the very first write-up which actually seems sensible. Why is it so hard to locate good advice with regards to security these days? Definitely appreciate the energy you spent getting your concepts into words so novices such as myself can take a step. Could there be a part two on your blog post? Thank you again!