Companies slow in reacting to breach notifications

When it comes to breach response, slow and steady will not likely win the race

According to TaaSERA CEO Scott Hartz, it’s a very mixed bag when it comes to how companies react when faced with evidence of criminal activity on their networks – to the point, he said, of some of them “being in denial.”

Hartz said that TaaSERA has notified companies of hundreds of machines trying to infect others, and some have cleaned up those machines within a matter of days or weeks. Some investigated the issue and asked for additional information, and others have deployed software or requested TaaSERA's full data set to track external connections themselves. However, “some have not been as prone to act quickly,” he noted. “In some cases, we have received a more skeptical response along the lines of ‘we deploy all commercially reasonable security tools and practices and adhere to PCI DSS,’ or ‘TaaSERA who?’”

In many cases there’s simply a process issue. Unfortunately, while most companies have set up an email alias for reporting external threats, they may not have processes in place to expeditiously deal with these external notifications. “If a company is notified by an agency with a three-letter acronym, they marshal all their resources to deal with the situation,” said Hartz. “In those cases, the breach or theft has already occurred. Most of those notifications are of PII [personally identifiable information] or IP breaches, and a majority of companies have a plan in place to deal with breaches, or at a minimum they know who to call. But if the notification is of a threat at an earlier stage of infection, ‘pre-breach,’ it may not be given the same level of importance or urgency.”

But then there are concerning cases of denial. One company (unnamed) that provides ATM, check cashing and personal check guarantee terminals has more than 25 IP addresses that are acting as malware control sites, Hartz said, of which a number are communicating with the Russian Business Network, a known cybercrime organization.

“They have been handling it internally for almost two months now, with no change to the number of malicious IPs we’re monitoring,” Hartz said.

TaaSERA’s aim is to ensure that the computers under a company’s control are not infecting an external party’s computers, whether via links on its website that are infected with malware or that redirect a user to a malware site, or, worse, via hosted systems that have been taken over by cybercriminals and are being used to launch attacks on others from within a reputable company. It therefore typically gathers evidence when it notices computers attacking and attempting to infect the computers of its customers.

“These are not just a company’s internal machines that are infected with advanced malware for which there are no signatures yet, but machines where we have observed communication outside their company’s infrastructure in an attempt to infect another company’s systems,” Hartz continued. “If a company has internal computers infected with malware or viruses, this falls under corporate risk, but if you are attacking other computers outside your infrastructure, there is a shared responsibility to eliminate the threat.”

He added, “We don’t call out these companies in order to embarrass them, but we believe companies need to act with the same urgency to eliminate pre-breach threats as they do post-breach, and create a safer cyber security environment for all.”
