When Is A Malware Event A “Security Breach”?

Recent data breaches at 2 banks underscore what has always been a thorny issue for companies that collect and manage sensitive information:  When does a compromised PC constitute a data breach?

According to ComputerWorld’s Robert McMillan, one bank recently detected traffic destined to an unusual IP address, and discovered a keylogger installed on a company laptop.  It notified 50 customers that their data may have been exposed.  Another bank found that a compromised laptop had been used as a jump-off point for an attacker to access a customer database containing credit card, SSN and other sensitive information.  514 credit cards are being re-issued in that case.

The actions taken by these banks are admirable, and err on the side of caution.  It is not uncommon for companies large and small to detect a malware infection and simply wipe the system, eliminating the symptoms while not addressing the potential exposure of their customers’ information or uncovering how and why the attack succeeded.  Forensic examinations are hard work, and time consuming.  But so is rebuilding your reputation.  There is also the spectre of liability to deal with.  The few incidents that are reported are generally a small percentage of what is actually taking place.

These 2 examples are BANKS.  Banks have large IT and security budgets, and their employees are generally more security aware than those of most businesses.  So, how are these systems getting compromised?  Pure speculation from this point on, but:

  • Both systems noted appear to be transient laptops.  They often leave the comfortable security controls present within the company perimeter.
  • Were they patched against all known Operating System and application vulnerabilities?  Laptops are the hardest systems to keep patched due to their mobility.
  • Anti-virus is pretty common, but so is the practice of providing laptop users with admin privileges.  Those privileges let users interfere with updates and scans, and can also be used to the attackers’ advantage when installing malware.
  • Web content filtering is one of the controls that is usually in place at a large financial institution, but is probably not present on the home-user LAN or while on the commuter train.  Drive-by web attacks are very very common these days.
  • While in transit, it is also possible that the laptop owner could have used a “free wireless” connection to maintain connectivity.  This is a common and extremely dangerous practice, as you are trusting a middle-man, who is providing something for no obvious gain, to handle and potentially capture all of your communications.
  • The possibility of unapproved software downloads, installations, and even allowing family members to use the equipment could have resulted in a Trojan.
  • There is also the potential that the users themselves were involved or complicit in the installation of the malware.  Unsavory, but not unheard of.

The possibilities are virtually endless.  Be aware of the risks and take reasonable precautions to counter the likely threats in your organization.  In this day and age, any time there is malware that makes any kind of outbound communication attempt, an investigation should be made as to where, why and what was communicated, as well as how the malware got onto the system.  In my humble opinion, if data was moved outside of the company, it should be considered a breach.  These guys made the right call.
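As an added illustration (not from the ComputerWorld article or either bank), the following Python script shows the “unusual destination” triage step on a constructed flow log: it flags outbound connections from each host to destinations outside that host’s known-destination baseline and totals what was sent, which is the starting point for the where, what and how-much questions above.  The log format, host names, addresses and baseline are all assumptions.

```python
"""Flag outbound connections to destinations a host has never talked to before
and summarise what was sent, as a first triage step when malware phones home.

Assumed (constructed) flow-log format, one connection per line:
    timestamp src_host dst_ip dst_port bytes_out
"""

# Constructed baseline: destinations each host is known to talk to. A host
# with no baseline entry gets every destination flagged (the safe default).
BASELINE = {
    "laptop-17": {"10.0.0.5", "10.0.0.9", "203.0.113.20"},
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2009-03-02T08:01:10 laptop-17 10.0.0.5 445 12000
2009-03-02T08:05:41 laptop-17 203.0.113.20 443 3400
2009-03-02T08:07:02 laptop-17 198.51.100.77 80 92100
2009-03-02T08:09:15 laptop-17 198.51.100.77 80 41000
2009-03-02T08:10:33 laptop-17 10.0.0.9 389 500
2009-03-02T08:12:00 laptop-22 10.0.0.5 445 800
"""


def parse_flows(text):
    """Parse the assumed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "host": host, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def triage_unusual_outbound(flows, baseline):
    """For each (host, destination) pair outside the host's baseline, return
    first-seen time, ports used, connection count and total bytes sent out."""
    findings = {}
    for f in flows:
        if f["dst"] in baseline.get(f["host"], set()):
            continue  # known destination for this host; not suspicious here
        rec = findings.setdefault((f["host"], f["dst"]), {
            "first_seen": f["ts"], "ports": set(), "connections": 0, "bytes_out": 0})
        rec["ports"].add(f["port"])
        rec["connections"] += 1
        rec["bytes_out"] += f["bytes"]
    return findings


if __name__ == "__main__":
    for (host, dst), r in triage_unusual_outbound(parse_flows(SAMPLE_LOG), BASELINE).items():
        print(f"{host} -> {dst}: first seen {r['first_seen']}, ports {sorted(r['ports'])}, "
              f"{r['connections']} connections, {r['bytes_out']} bytes out")
```

The bytes-out total answers “how much left the building” for each unusual destination; the first-seen timestamp and ports point the forensic examination at the right window and protocol.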

There is much more information contained in this interesting article.  Read it, and start making Incident Response plans that go beyond the standard “Got malware?  Nuke it!!”: discover what data might have been compromised, and act accordingly.