It’s fairly likely that you or someone you know has been directly affected by at least one of the many major data breaches to have rolled through the headlines over the past 12 months…
It’s pretty confronting to hear about a trusted provider in the news or to realise that your records may be involved, but unfortunately by the time you’ve received that “Dear valued client” notification in your inbox, all the dirty work has been done, and there’s a fairly high chance that someone has accessed, exfiltrated and maybe even on-sold data containing your personal information.
Is it any wonder then that recipients are feeling frustrated by the quality, context and detail of the information provided in security alerts and notifications that feel generic or “intentionally vague”? This does not help in a crisis situation, which is exactly what the disclosure of personal or sensitive data or information represents for many people and organisations.
So, to help understand what security notifications are actually telling you, we’ve decoded the meaning behind common security-related messaging so you can better assess what’s happened, how it relates to you, and what to expect next.
Threats, vulnerabilities, incidents, detections, breaches – they’re all the same thing, right?
Believe it or not, in the world of IT security these terms do mean subtly different things! Understanding why and how they are used will help you understand the likelihood that you’ve actually been affected and how worried you need to be.
Firstly, vulnerability – If you have been notified of a “vulnerability”, generally this means that through routine scanning, some sort of “gap” has been found in your or your providers’ security. It might be an old or weak password, it might be an unpatched operating system, it might be that you haven’t enabled MFA on your account yet… It does NOT mean, however, that an attack is underway or even imminent.
It means that you’ve left the back gate open, and it’s a good idea for you to head out and close that gate sometime soon.
Security Threat Alerts or Notifications
A threat alert or threat notification, however, usually relates to a known or new attack type or pathway that has emerged somewhere in the wild specific to a particular technology, software or system, or has been detected in certain telemetry collected from your services or systems.
This means there’s a dodgy car now circling the block, and you don’t know if the back gate is open or closed. So, you need to find out and close it, lock it and put an alarm on it as soon as you can.
Examples of these kinds of threat alerts include:
- Alerts published by the Australian Cyber Security Centre or technology vendors, advising organisations to check whether they are using a particular device or system and to update or patch it.
- Those emails you get from Apple, Google or Amazon when they’ve registered a log-in from a new device (“Was this you?”)
- When your provider messages you about recent scams or fraud incidents that have been reported, and how you can take steps to prevent getting caught!
Threat Detected, Verified or Security Incident Notification
A sign that things have escalated and something very serious is afoot is when you start receiving threat detection, verification, or security incident notifications. This kind of wording should alert you to the fact that malicious activity is imminent or already underway, and that immediate action is going to be required.
On a personal level, this might be notification of a suspicious card transaction, or notice of a recent login to your account from some far-off locale. In this case, you will likely need to block access immediately, or have someone block it for you, to mitigate any potential harm.
An intruder has broken in, so you let the dogs out, chased the intruder back out the gate, changed the locks, and called your family and the police.
If you’re a business, however, security incident notifications are a lot more complex and depend on your provider, their security commitments to you, and your IT service arrangements. Businesses in the Asia-Pacific are reportedly subject to upwards of 5,000 potential threats (“attempts” to gain access) in any given day. It is physically impossible for your IT team, much less your lone IT Manager, to identify and investigate each of these and determine which might be legitimate and which might be malicious. When you hear those statistics about a malicious actor having access to a system and sitting and waiting for 200-plus days, this is why…they’ve essentially gotten in under the radar and then evaded detection.
The only effective way to combat this issue and be assured that malicious actors will be detected, verified and resolved within minutes is to add managed cyber threat detection and response (MDR) capabilities to your IT services stack.
In the case of active or verified threat detection however, there is no guarantee you will hear about it in real time. Given the criticality of neutralising an in-progress attack, it’s more than likely that security specialists will be working on getting your attacker out the back gate again and assessing what damage they’ve done, rather than engaging with the comms team.
However, it won’t be too long after this that you might start hearing about what’s happened in the media and that “Dear valued client…” email won’t be far off from hitting your inbox…
“Dear valued client…” How to read between the lines
If you’ve received a notification from a trusted provider that they’ve experienced a data breach or cyber-attack, they will likely have already confirmed that a security incident has taken place. By this stage, their communications to you should indicate that the attack has been stopped and the attacker’s access has been blocked. As required under Australian regulations, breached organisations now need to investigate further and notify affected parties.
So as far as you and your personal information are concerned, there is likely one of three things actually happening behind the scenes at that point in time.
- “We’ve alerted the relevant authorities and an investigation is currently underway. In the meantime, here’s what you need to know.”
Translation: We know a malicious actor has had access to our environment, the breach has been verified and contained, and now we’re looking into what they did and what they touched. We’ve started the reporting process because we know there’s sensitive or personal data involved.
Basically, the gate is closed and relocked, but we’re now checking what’s been moved, damaged or stolen.
- “Investigations have uncovered the following kinds of your personal data have been affected. Here’s what you need to do now.”
Translation: Preliminary investigations are complete, and we have identified that certain types of data and/or certain people’s data have been accessed or exfiltrated.
The back yard is secure again, but there are some things out of place or missing. Here’s our first-pass list at what we think is affected.
- “We apologise for the disruption. We’re working as quickly as possible to remedy the situation…”
Translation: Our systems or services are down – it may be something innocuous, or it may be something very sinister like a ransomware attack, in which case systems and data might not be accessible by anyone at the company or by clients.
This is possibly one of the worst-case scenarios, where someone’s got your attention at the back gate, you’ve gone down to talk to them, but they’ve then pushed you out the gate and locked you out of your own yard! You’ve let your family and the neighbours know, but can’t do anything else now except wait for the locksmith and the police, and hope you’ve got some good insurance that will cover you!
What you SHOULD do and What you CAN do
Publicly released security incident and data breach notifications are full of long, long lists of options for you to access assistance as well as general cyber safety advice. Yes, you need to watch out for suspicious transactions and yes, you need to be alert to possible phishing attempts, but isn’t there something that you can start doing now?
Amongst all this “helpful” information though, your provider will have provided you with at least that first-pass list of what the malicious actor may have accessed in their environment. This will often look like a list that includes items like Financial information compromised, Credit card account/numbers compromised, Personal loan details/account number compromised… This should be your prompt to start reviewing the kinds of accounts and access you have with this provider, what other information you have provided them with in the past, and how current that data still is. This might include identification documents, account numbers, card numbers, health record access, billing and payment details, or log-in details or integrations to other apps, online portals or services etc.
If you don’t have a record of what you have with whom and where, this step is going to bite! So, take our advice now and start identifying, reviewing and centralising what personal and sensitive data you have provided, to whom and how. And by the way, we DO NOT MEAN a little book or an Excel spreadsheet (shudder…); we mean
- Identifying the personal, sensitive or account data or information you provide, transmit or store with another party.
- Finding out how your providers of choice are protecting your data and what assurances or guarantees they can give you.
- Knowing how long your personal, sensitive or account data remains in other parties’ possession, even after you stop using their services.
- Using a reputable paid personal or family password manager/vault for private use and a well-supported enterprise-grade password manager/vault for business use.
- Staying on top of where your data is, how it’s used, by whom, and for what subscriptions and services.
Talk to Maxsum today about undertaking an IT Security Assessment to determine what data you have and where and your potential exposure to security incidents, or to introduce Managed Cyber Threat Detection and Response capabilities to your IT services stack.