Last week it happened again. News of the Quora Breach was officially announced late Monday afternoon in a company blog post and email directly notifying 100 million affected users. This kind of shocking news is no longer shocking, and everyone in the industry needs to prepare for the day it will happen to them. Instead of shaking fingers at Quora for falling victim, I’d like to point out a lot of things that Quora apparently did very well.
In my experience as a SOC manager in an elite military technology unit and a security consultant for leading financial and commercial enterprises, I have seen time and again that too much emphasis is placed on preventing breaches. Of course, prevention will always be a top priority in information security, but it can become a dangerous illusion to think that a perfectly secured perimeter will keep your organization safe. Every organization I have worked with was constantly under attack and fielding hundreds, even, thousands of security alerts per day. The harsh reality is, no matter how good your security is, eventually a hacker will manage to break through. The real question is, how will your organization react?
Response to Quora Breach was Fast
From a SOC manager point of view, the Quora breach seems to have been handled extremely well and the response times were much faster than other recent mega-breaches. According to Quora, the breach was discovered November 30 and users were notified and logged out just 4 days later, on the afternoon of December 3. In contrast, last year’s Equifax breach, that involved months of illegitimate access to sensitive credit data of 143 million people, took the company 6 weeks to disclose. The now infamous Yahoo! data breach of August of 2013, that affected all 3 billion user accounts, was disclosed 3 years later. The failures to secure accounts and notify users of breach led the company to pay out a $50 million settlement package to users and a $350 million drop in final price paid for the company by Verizon Communications.
Users show their appreciation of fast notification of Quora Breach on Twitter
So instead of the usual victim blaming, I think Quora needs to be applauded for their fast and comprehensive response. Though neither Cyberbit nor I have ever worked directly with Quora, I can make a few suppositions about what Quora did to prepare itself for the inevitable breach that allowed it to respond so well.
- Risk Assessment: A risk assessment involves mapping out all assets that are vulnerable to cyberattacks and then determine an appropriate monitoring approach for each.
- Incident Response Plan: Quora clearly had a well thought out Cybersecurity Incident Response plan; a detailed set of procedures entailing exactly who does what, when and how in the unfortunate event of a major cybersecurity event. The Incident Response Plan clearly delineates who needs to be notified and involved in every step of decision making, step-by-step protocols for operating the incident (security and IT teams, executive management, legal department, notifying law enforcement, users and third-party vendors, public relations, etc.)
- Penetration Testing – The organization should perform periodic penetration testing to identify vulnerabilities in and to the organization network. The goal is to know, fix or patch those security issues before a hacker does.
- Practice IR Plan and Crisis Management: I recommend every organization have an incident response plan in place and run a full simulation drill at least once a year. The more realistic drills are, the bigger the payoff in the event of a major cyber breach. A large financial institution I worked with ran an all-out cybersecurity crisis management drill that involved every member of the organization and was so realistic they even had swarms of hungry reports waiting outside the offices to bombard executives with tough questions.
- Awareness Training: Carry out periodic cybersecurity awareness training for all members of the organization. This can include brief updates about the latest phishing techniques and hands-on practice identifying and reporting suspicious behavior.
- External Security Experts: The Quora breach brings to light the fact that most organizations, even one of the world’s largest social media platforms, don’t have the ability to handle cybersecurity entirely internally. In their blog post and email, Quora states they have ‘retained a leading digital forensics and security firm to assist’. Companies should take steps to both build and train their internal teams and select an excellent external team of security experts. External firms must be identified and engaged before a breach happens, to make sure all procedures are understood and clear, and give teams a chance to simulate how they will work together in the event of a major breach. Have a clear, comprehensive and well-rehearsed plan in place can make all the difference in responding quickly and avoiding costly delays and mistakes.
Practice Makes Perfect
There is nothing ‘perfect’ about getting hit with a cyber breach, but with planning and practice you can be prepared to respond ‘perfectly’. The recent Quora breach sets the bar for a new standard of fast, effective response to data breaches. Every organization needs a thorough incident response plan. Make risk assessment, penetration testing, and realistic training a regular part of ongoing operations. Running full-scale simulations of a variety of attack scenarios will allow your team to practice and perfect operating each specific type of attack. In addition, attack simulations give you a chance to test out playbooks and identify vulnerabilities in your architecture or inefficiencies in your response plan so they can be addressed promptly before a hacker exploits them. We all dream of building an impenetrable network, but until that dream comes true, be ready to be breached.
Yarden Altmann is a Cyber System Analyst at Cyberbit