Presented at Cyber Security Summit Sept 26-27, 2018

1. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies

2. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies
MANAGING A HACK:
Orchestrating Incident Response to Preserve Brand
Reputation
Sandra Fathi
President, Affect
Email: sfathi@affect.com
tweet: @sandrafathi
web: affect.com
blog: techaffect.com
Cyber Security Summit
Chicago
Sept 26-27th, 2018

3. PROPRIETARY & CONFIDENTIAL 3@sandrafathi
SECURITY EXPERIENCE

4. PROPRIETARY & CONFIDENTIAL 4@sandrafathi
CRISIS EXPERIENCE
• Data Breaches, Identity Theft, Website Hacks, Malware (Multiple Companies)
• Product Recall for Potential Lead Poisoning (Baby Product)
• Hurricane Sandy, Hurricane Irene (ConEd)
• Worker Strike, Manhole Cover Explosion, Building Explosion (ConEd)
• Hit & Run (By Company Employee)
• Sexual Harassment and Executive Misconduct (By CEO)
• Executive Arrest for DUI
• Terrorist Activity Interrupts Operations (Tech Company)
• Foreign Mafia Threats on Executives (Tech Company)
• Employee Kidnapping/Release by Militia (Tech Company)

5. PROPRIETARY & CONFIDENTIAL 5@sandrafathi
ANATOMY OF A BREACH
How does it start?
• IT discovers a breach
• Customers alert company regarding an issue
• Anonymous post on a social network
• Employee finds data for sale on the dark web
• A journalist calls
• A hacker makes contact

6. PROPRIETARY & CONFIDENTIAL 6@sandrafathi
BASIC INSTINCTS
1. Triage – Stop the bleeding
2. Diagnose – Identify the nature of the breach
3. Investigate – Find the root cause
4. Repair – Implement technical fix
5. Communicate – Inform executive team
• Inform legal counsel
• Inform marcom
• Inform authorities
• Inform customers
• Inform media
Takes too long
Doesn’t always happen

7. PROPRIETARY & CONFIDENTIAL 7@sandrafathi
SELF-PRESERVATION
Justifications
• We don’t know if data was accessed
• No critical data was accessed
• It’s fixed. We’re out of danger
• Very few customers were impacted
• We don’t want to bring more attention to it
• We don’t know all the facts, so we’ll wait until we do
• We don’t want to appear incompetent
• We don’t want to lose our jobs, customers, revenue etc.

8. PROPRIETARY & CONFIDENTIAL 8@sandrafathi
ALL 50 STATES

9. PROPRIETARY & CONFIDENTIAL 9@sandrafathi
ALL 50 STATES

10. PROPRIETARY & CONFIDENTIAL 10@sandrafathi
WHO’S IN THE ROOM
Crisis Drills/Tabletops
• Tech Leadership
• Executive Leadership
• Legal Counsel
• Operations
• Communications***
Photo Credit: CyberBit

11. PROPRIETARY & CONFIDENTIAL 11@sandrafathi
FOUR PHASES OF CRISIS
COMMUNICATION

12. PROPRIETARY & CONFIDENTIAL 12@sandrafathi
I. READINESS
Anticipating a Crisis
1. Crisis Mapping (SWOT Analysis)
2. Policies & Procedures (Prevention)
3. Crisis Monitoring
4. Crisis Communications Plan
• Crisis Action Plan
• Crisis Standard Communications Templates
• Crisis Drills
Photo Credit: CyberTraining 365 Blog

13. PROPRIETARY & CONFIDENTIAL 13@sandrafathi
THREAT MAPPING
HR Sales Marketing Finance IT
People
Products
Facilities
Environment
Information
Other
Rank Order
High Risk
to
Low Risk

14. PROPRIETARY & CONFIDENTIAL
CHANNEL MAPPING

15. PROPRIETARY & CONFIDENTIAL
II. RESPONSE
1. Develop materials:
• Messages/FAQ
• Prepared statements
• Press release template
• Customer letters
2. Train employees
• Awareness
• Anticipation
• Organizational Preparation
3. Prepare channels:
• Hotline
• Dark site
• Social Media
4. Data Breach/Customer Assistance
Resources
• Microsite/Landing Page FAQ
• Identity Theft Remediation Services
• Force Password/Account
Information Change
• Special Customer Advocate/Team

16. PROPRIETARY & CONFIDENTIAL
PREPARING A RESPONSE
1. Don’t delay
2. Acknowledge situation
3. Acknowledge impact and victims or potential victims
4. Commit to investigate
5. Commit to sharing information and cooperation with relevant
parties
6. Share corrective action plan if available
7. Respond in the format in which the crisis was received**
@sandrafathi

17. PROPRIETARY & CONFIDENTIAL
PUBLIC BREACH NOTIFICATIONS
@sandrafathi
1. What happened?
2. What do we know?
3. Who/what was impacted?
4. How do we feel about it?
5. What are we going to do about it?
6. When are we going to do it?
7. Who is involved in this process?
8. When/how will we communicate next?

18. PROPRIETARY & CONFIDENTIAL
CUSTOMER
COMMUNICATION
1. Introduction: Why are we contacting you?
2. What happened?
3. What information was compromised?
4. What are we doing to remedy the situation?
5. What can you do to prevent/mitigate further risk?
6. Where can you find more information?
@sandrafathi

19. PROPRIETARY & CONFIDENTIAL
III. REASSURANCE
Who to Reassure? - All Stakeholders: Customers, Prospects, Public,
Shareholders, Employees, Partners, Media etc.
1. Develop full response plan
• Policies & procedures
• Technology
• People
2. Put plan into action: Immediate remedy
3. Communicate results of plan and impact
4. Reaffirm commitment to correction
5. Demonstrate results of program
@sandrafathi

20. PROPRIETARY & CONFIDENTIAL
IV. RECOVERY
Rebuilding reputation, trust and customer loyalty
Implementing preventative measures for long-term crisis mitigation
and/or prevention
1. Review need for operational, regulatory, environmental and
employee changes
2. Develop long-term plan including policies and prevention tactics
3. Reassess crisis plan
4. Regain customer/public trust
@sandrafathi

21. PROPRIETARY & CONFIDENTIAL 21@sandrafathi
CASE STUDY: EQUIFAX • March – Apache vulnerability discovered,
patch issued next day
• May-July – Hackers infiltrate Equifax servers
with more than 9,000 requests. ~145M
records are accessed, nearly 44% of US
Population
• July 29 – Equifax discovers breach
• Sept 7 - Equifax issues public statement
• Sept 8 – Equifax shares plunge 13.7%
• Sept 12 – CEO apologizes in USA Today Op-Ed
• Sept 15 - Equifax announces CIO & CSO are
retiring
• Sept 21 – Equifax admits sending victims to
bogus website ‘securityequifax2017.com’
• Sept 26 – CEO retires
• Oct 3 – Former CEO testifies for the first time
(of four) in Congress

22. PROPRIETARY & CONFIDENTIAL 22@sandrafathi
MEDIA REACTIONS

23. PROPRIETARY & CONFIDENTIAL 23@sandrafathi
CONSEQUENCES TO DATE
• CEO, CIO, CSO ‘Retire’
• 2 employees indicted for insider trading (CIO & Developer)
• CEO testifies at 4 Congressional hearings
• 8 State bank regulators impose orders for increasing security, auditing and
reporting
• CA passes law imposes sanctions/fines for each data breach (up to $750 per
record, effective Jan 2020)
• AL & ND penalties for delayed notifications (60 days/$10K and 45 day/$5K)
• Federal bill for FREE credit ‘freeze’ and ‘thaw’ from all three large bureaus
(previously $5-$10 each)
• 30+ Consumer class action suits

24. PROPRIETARY & CONFIDENTIAL 24@sandrafathi
BEST PRACTICES I
1. Implement Policies to Address Potential Vulnerabilities
2. Establish a Regular Review Cycle for Crisis Preparation
3. Establish Inter-Departmental Cooperation
4. Establish a Framework for Response
5. Build a Crisis Communications Toolkit

25. PROPRIETARY & CONFIDENTIAL 25@sandrafathi
BEST PRACTICES II
6. Know Where & How to Respond
7. Prepare Your Employees in Advance
8. Establish Assistance Services for those Impacted
9. Know the Relevant Legal & Regulatory Requirements
10. Be Honest, Be Transparent

26. PROPRIETARY & CONFIDENTIAL March 4, 2010Affect Strategies
Sandra Fathi
President, Affect
Email: sfathi@affect.com
tweet: @sandrafathi
web: affect.com
blog: techaffect.com
Slides Available: Slideshare.net/sfathi