IRISS CERT

Ireland's first CERT (Computer Emergency Response Team)

Consumers

  • Online Identity Theft - My identity is stolen!

  • Malware - I have a virus on my machine!

  • Mobile Phone Theft - My mobile phone is lost or stolen!

Corporate

  • Malware - Malware found in our company infrastructure!

  • Website Defacement - Company's website page defaced!

  • Cardholder Data Compromise - Customers' cardholder data stolen!

  • Insider Breach - An employee stole/exposed confidential company information!

  • IP Breach - Company's Intellectual Property (IP) information is breached!

  • PII Breach - Customer's Personally Identifiable Information (PII) is breached (not cardholder data)!

Breach Guidance: Description & Tips


My identity is stolen!

Incident Name

Online Identity Theft

Description

Online identity theft is a form of crime in which your personal information is stolen by one or more cybercriminals and then used to impersonate you, usually for financial gain.
In some cases, cybercriminals use private messages taken from your email or social network accounts to embarrass you publicly and damage your reputation.
Cybercriminals steal personal information in several ways, such as by installing malicious code on your personal computer that redirects you to fake websites, or by otherwise taking control of your computer without your knowledge to harvest usernames, passwords and/or credit card details.
They may also send emails (phishing) that falsely claim to come from an established, legitimate enterprise or individual in an attempt to trick you into surrendering private information.

Many online businesses also store personal information about their customers on websites and in databases, so a breach at one of those businesses is another way for your personal information to be accessed without your permission or knowledge.

 

Top Recovery Tips

Tip 1:

Don't panic. Identify any unauthorised transactions.

Think about what personal information may be at risk and report the fraud to the relevant authorities as soon as you find out.

Check with your bank, online payment providers (PayPal, for example) and credit card issuer that no unauthorised withdrawals or payments have been made. Look beyond withdrawals: new payees, changed contact details on the account, and new cards or credit applications made in your name are also signs of misuse. If you find any, contact the bank or institution concerned immediately to freeze the affected accounts or cards and dispute the transactions. In any case, change your PINs and security codes.


Tip 2:

Change your passwords on all websites and applications.

Change the password of every online account, starting with your email account (it is used to reset all the others) and your financial accounts. Use a password that is long, strong and unique to each site, with a mixture of upper- and lower-case letters, digits and symbols; a password manager makes this practical. Where an account offers two-factor authentication, turn it on.

Don't use information that could easily be linked to you (your name, date of birth, family members' names, phone numbers, pet names, hobbies, etc.). Change the passwords from a device you trust: if the computer that leaked them is still infected (see Tip 3), the new passwords will be stolen as well.


Tip 3:

Clean up your machine! Scan your devices with up-to-date antivirus software to detect any malicious content. Update your security software, web browser, third-party software (such as Java and Adobe products) and operating system to protect against viruses, malware and other online threats, and turn on automatic updates where the option is available. If the infection cannot be removed with confidence, and always where a rootkit is suspected, back up your data, wipe the disk and reinstall the operating system from trusted media.


I have a virus on my machine!

Incident Name

Malware

Description

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information or gain access to private computer systems.
Malware ranges from simple annoyances (pop-up advertising) to serious intrusion and damage (for example stealing passwords and data, encrypting your files, or infecting other machines on the network).

Types of malware include viruses, worms, trojan horses, spyware and ransomware. A virus attaches itself to a host file and replicates when that file is opened or run; its payload may delete files or corrupt directory information on the disk. Worms, in contrast, are standalone programs that spread across a network without a host program or human help. A trojan horse is a program that invites the user to run it while concealing harmful code. Spyware gathers data from a user's system, such as the web pages visited or personal information like credit card numbers, without the user's knowledge. Ransomware denies access to your files or system until you pay a ransom, usually by encrypting your personal files and folders or by locking the screen.


Top Recovery Tips

Tip 1:

First things first: clean up your machine! Disconnect it from the network so the malware cannot spread or send out your data, then scan the device with up-to-date antivirus software to detect any malicious content.

Update your security software, web browser, third-party software (such as Java and Adobe products) and operating system to protect against viruses, malware and other online threats, and turn on automatic updates where the option is available. If the infection cannot be removed with confidence, and always where a rootkit is suspected, back up your personal data (documents and photos, not programs), wipe the disk and reinstall the operating system from trusted media.


Tip 2:

Change your passwords on all websites and applications. Do this from a clean device, not from the infected machine, or the new passwords will be stolen too. Change the password of every online account, starting with your email account (it is used to reset the others) and your financial accounts. Use a password that is long, strong and unique to each site, with a mixture of upper- and lower-case letters, digits and symbols; a password manager makes this practical, and two-factor authentication should be turned on wherever it is offered.

Don't use information that could easily be linked to you (your name, date of birth, family members' names, phone numbers, pet names, hobbies, etc.).
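The two password rules above (long, several character classes, nothing that can be linked to you) as a small checker. This is an added example, not part of the IRISS guidance, and it serves Tip 2 of both this section and the Online Identity Theft section. It assumes a 12-character minimum (the guidance only says "long"), takes the person's name, date of birth and any extra words such as pet names as the things to reject, and undoes common substitutions (1 for i, 3 for e, and so on) so that "Sm1th" is still caught.

```python
import re
from datetime import date

# Common letter-for-symbol substitutions, undone before matching so that
# "Sm1th" is still recognised as "smith".
LEET = str.maketrans({'0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's',
                      '7': 't', '@': 'a', '$': 's', '!': 'i'})
MIN_LENGTH = 12   # assumed threshold; the guidance only says "long"


def personal_tokens(full_name, dob=None, extras=()):
    """Lower-case fragments that must not appear in the password: name parts,
    the date of birth ('YYYY-MM-DD') in common layouts, plus extras such as
    pet names or hobbies."""
    toks = {w.lower() for w in full_name.split() if len(w) >= 3}
    toks.update(t.lower() for t in extras if len(t) >= 3)
    if dob:
        d = date.fromisoformat(dob)
        toks.update(d.strftime(f) for f in ('%d%m%Y', '%Y%m%d', '%d%m%y', '%Y'))
    return toks


def check_password(password, full_name, dob=None, extras=()):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f'shorter than {MIN_LENGTH} characters')
    classes = sum(bool(re.search(p, password))
                  for p in (r'[a-z]', r'[A-Z]', r'\d', r'[^A-Za-z0-9]'))
    if classes < 3:
        problems.append('uses fewer than three character classes')
    lowered = password.lower()
    unleeted = lowered.translate(LEET)   # digits become letters here
    # Check both forms: the date of birth only survives in the un-translated
    # string, the leet-disguised name only shows up in the translated one.
    for tok in sorted(personal_tokens(full_name, dob, extras)):
        if tok in lowered or tok in unleeted:
            problems.append(f'contains personal information: {tok}')
    return problems
```

`check_password("R3x!Sm1th2024", "Jane Smith", "1990-04-03", extras=("Rex",))` is long enough and mixes four character classes, yet it is rejected twice: the pet's name and the surname are both visible once the substitutions are undone.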

 

Tip 3:

Identify any unauthorised transactions. Check with your bank, online payment providers (PayPal, for example) and credit card issuer that no unauthorised withdrawals or payments have been made, and review any account whose credentials were saved or typed on the infected machine.

If you find any such transactions, contact your bank and other financial institutions immediately to freeze the affected accounts or cards and dispute the transactions. In any case, change your PINs and security codes.


My mobile phone is lost or stolen!

Incident Name

Mobile Phone Theft

Description

Mobile devices and smartphones are easily lost or stolen, and whoever ends up with the device may gain access to your personal information.

Mobile devices are indispensable for most people nowadays, and they may store some of your most private conversations and confidential information. Your smartphone may now be your wallet, phone book, family photo album, email account and social media life, all rolled into one device, and it is often the second factor for logging in to your other accounts. This information, in addition to the device itself, is of high value to thieves, which is why mobile device theft is so common.


Top Recovery Tips

Tip 1:

Don't panic. Lock the device, report the loss and disable your phone number and/or the handset. If your phone supports remote lock and wipe (Find My iPhone, Find My Device or your vendor's equivalent) and it was enabled beforehand, use it first from another device to lock the phone and, if recovery is unlikely, erase it. Then report the loss to your network provider and keep a record of the date and time you called, the name of the person you spoke to and what you were told.

In addition, you can do one of the following:

  • Disable your phone number (not your account). This prevents any further charges being applied to your account.
  • Disable the handset. This prevents anyone from using the phone on any network, even if the SIM card is changed (keep in mind that once the handset is blocked, it may not be usable again, even if you get it back). Not every network provider offers this service; those that do block the handset by its IMEI number. Ask for written confirmation that your phone has been blocked, so that the thief cannot make fraudulent charges on your account.
  • Disable both your phone number and the handset. To be safe you can choose to do both (again, once the handset is blocked it may not be usable again, even if you get it back).


Tip 2:

File a police report immediately. Report the theft to the police and include the IMEI (International Mobile Equipment Identity) number of the handset with the report. The IMEI is usually printed on the original box and can be displayed on any handset by dialling *#06#, so record it now for the devices you still have. If your phone is stolen and the thief makes many calls, especially international calls, you might otherwise be asked to pay a hefty bill.

Some phone companies require proof that the phone was actually stolen rather than lost, and a police report serves as that evidence, which will make your network provider more cooperative. You may also open an investigation with your network provider if necessary.


Tip 3:

Identify any unauthorised transactions. Check with your bank, online payment providers (PayPal, for example) and credit card issuer that no unauthorised withdrawals or payments have been made, and sign out of, or change the passwords for, the accounts (email, social media, banking apps) that were logged in on the phone.

If you find any such transactions, contact your bank and other financial institutions immediately to freeze the affected accounts or cards. In any case, change your PINs and security codes.


Malware found in my infrastructure!

Incident Name

Malware

Description

Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information or gain access to private computer systems.
Malware ranges from simple annoyances (pop-up advertising) to serious intrusion and damage (for example stealing passwords and data, encrypting files, or infecting other machines on the network).

Types of malware include viruses, worms, trojan horses, spyware and ransomware. A virus attaches itself to a host file and replicates when that file is opened or run; its payload may delete files or corrupt directory information. Worms, in contrast, are standalone programs that spread across a network without a host program or human help, which is why a single infected workstation can become an outbreak. A trojan horse is a program that invites the user to run it while concealing harmful code. Spyware gathers data from a user's system, such as the web pages visited or personal information like credit card numbers, without the user's knowledge. Ransomware denies access to files or systems until a ransom is paid, usually by encrypting files and folders (including those on reachable network shares) or by locking the screen.


Top Recovery Tips

Tip 1:

First things first: isolate the threat and notify the relevant people! If anyone in your organisation suspects a malware incident, the first step is to isolate the threat by performing one of the following actions:

  • Disconnecting the individual system, or the affected portion of the network, from the rest of the network (recommended). Disabling the switch port, moving the host to a quarantine VLAN or using your endpoint security product's network containment feature achieves this while keeping the machine running, so volatile evidence (running processes, network connections, memory) is preserved.
  • Switching off the system to prevent further spread of the malware. Note that this destroys the contents of memory and may make it harder to gather evidence.
  • Leaving the system switched on and connected to the network to allow help desk personnel to troubleshoot it remotely. This is the riskiest option: while connected, the system may infect shares or other machines, upload data or download further malware.
Based on the initial assessment, notify the relevant people (IT management, the security team and, where appropriate, legal and data protection staff) of a possible malware incident, and record the time and what was observed.


Tip 2:

Confirm the infection. Gather all available information (antivirus and endpoint alerts, the hash and path of the suspect file, proxy, DNS and firewall logs, and which users and hosts are involved) to confirm whether an infection actually exists and how far it reaches. The infection could be an isolated incident affecting a single system, an outbreak affecting multiple systems, or a false alarm such as a legitimate administration tool flagged by antivirus. Confirm this before taking any further steps: the scope decides whether you clean one machine or invoke your full incident response plan.


Tip 3:

Clean, restore or rebuild the system. Depending on the level of infection, decide whether to clean the system, restore its state from a known-good backup or snapshot, or rebuild it, and perform the appropriate action. Rebuilding from trusted media is the only option that gives certainty, since cleaning can miss persistence mechanisms; prefer it for any system on which the malware ran with administrative privileges. If performing a rebuild, determine the risk to the data stored on it and take an image or backup of the system first to preserve a snapshot of its state prior to reinstallation. This is useful in case you forget to copy something you later need, and for evidential purposes (note that if backups are made with the infected operating system running, the malware may continue to infect or destroy the data; image the disk offline where possible). If performing a clean-up, follow the steps below:

  • Identify and kill the malicious processes.
  • Identify and delete the malicious autorun (persistence) entries: Run keys, scheduled tasks, services, startup folders, cron jobs and the like.
  • Reboot and repeat the previous steps, since the malware may re-create itself.
  • Delete the associated files and folders.
  • Run a full scan with your installed antivirus product.
  • If disinfection succeeds, connect the system to the network again. If possible, connect it to a separate, monitored network first to verify that everything is indeed back to normal. Perform an online scan with a different vendor's antivirus product than the one you have installed.
  • Reset the passwords of every account that was used on the system while it was infected, and check those accounts for unauthorised use.
Malware may be the result of an insider breach. If you are concerned that the malware was introduced by an insider, refer to the Insider Breach section.
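Tips 1 and 2 together: deciding from the alerts you have whether you are looking at a false alarm, a single infected machine or an outbreak, and which hosts therefore need isolating. The code below is an added example, not an IRISS tool. The alert format (one key=value line per detection, hashes shortened for readability) and the allowlist of vetted hashes are assumptions for the example; real products export different fields, but the grouping logic is the same.

```python
import re
from collections import defaultdict

# Constructed alert lines in a generic key=value layout (hashes shortened
# for readability). They are not from any real product or from the IRISS page.
SAMPLE_ALERTS = """\
2024-05-06T08:01:12Z host=WS-014 user=jdoe path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe hash=9f2c41aa verdict=malicious
2024-05-06T08:03:40Z host=WS-014 user=jdoe path=C:\\Windows\\Temp\\svchost32.exe hash=9f2c41aa verdict=malicious
2024-05-06T08:09:05Z host=WS-022 user=msmith path=\\\\FILESRV\\shared\\invoice.exe hash=9f2c41aa verdict=malicious
2024-05-06T08:15:30Z host=SRV-03 user=admin path=C:\\Tools\\PsExec.exe hash=c0ffee12 verdict=malicious
2024-05-06T08:20:00Z host=WS-031 user=agreen path=C:\\Users\\agreen\\Downloads\\report.pdf hash=77aa11bb verdict=clean
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) path=(?P<path>\S+) '
    r'hash=(?P<hash>[0-9a-f]+) verdict=(?P<verdict>\w+)$')

# Hashes the organisation has already vetted as benign, e.g. an admin tool
# that antivirus flags as a "hacktool". Assumed allowlist for this example.
KNOWN_GOOD = {'c0ffee12'}


def parse_alerts(text):
    """Turn the raw lines into dicts; lines that do not match are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def scope_incident(alerts, known_good=KNOWN_GOOD):
    """Classify the alerts as a false alarm, an isolated infection or an
    outbreak, and list the hosts that should be isolated from the network."""
    hosts_by_hash = defaultdict(set)
    paths_by_hash = defaultdict(set)
    for a in alerts:
        if a['verdict'] != 'malicious' or a['hash'] in known_good:
            continue
        hosts_by_hash[a['hash']].add(a['host'])
        paths_by_hash[a['hash']].add(a['path'])

    to_isolate = sorted(set().union(*hosts_by_hash.values())) if hosts_by_hash else []
    if not hosts_by_hash:
        scope = 'false alarm'
    elif len(to_isolate) > 1:
        scope = 'outbreak'
    else:
        scope = 'isolated'

    # A sample sitting on a UNC share path is a spreading vector worth flagging.
    spread_via_share = sorted(h for h, paths in paths_by_hash.items()
                              if any(p.startswith('\\\\') for p in paths))
    # Hosts whose only "malicious" alerts were on allowlisted hashes.
    false_positive_hosts = sorted(
        {a['host'] for a in alerts
         if a['verdict'] == 'malicious' and a['hash'] in known_good} - set(to_isolate))
    return {'scope': scope, 'isolate': to_isolate,
            'spread_via_share': spread_via_share,
            'false_positives': false_positive_hosts}
```

On the constructed data the same hash appears on two workstations, one copy sitting on a file share, so the verdict is an outbreak with two hosts to isolate, while the PsExec alert on SRV-03 is reported separately as a false positive rather than triggering containment of a server.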

 


Company's website page defaced!

Incident Name

Website Defacement


Description

Website defacement is an attack on a website that changes the visual appearance of the site or of one of its pages.
It is typically carried out by attackers who break into the web server, or into the content management system behind it, and replace the hosted content with their own. Common entry points are unpatched vulnerabilities in the CMS or its plugins, weak or stolen FTP, SSH or administrator credentials, SQL injection against the site's database, and insecure file upload features that let the attacker place a web shell on the server.

Defacements often include the defacer's pseudonym or codename along with content intended to mock the system administrator for failing to maintain server security. Sometimes a defacement is done just to show off the attacker's skills; at other times it is a distraction to cover up more serious actions such as deleting essential files from the server, planting malware for visitors to download, or stealing the site's database.

Defacements frequently target government and religious websites and are typically perpetrated by activists (hacktivists) opposed to the principles and ideals of the organisation behind the site, but any site with a known vulnerability can be hit by automated mass defacement.


Top Recovery Tips

Tip 1:

First things first: preserve evidence and clean up your website!
As soon as you discover the defacement, back up all your website files, the database and the web server logs to preserve evidence for the investigation; take the copy before you change anything, and keep it separate from your normal backups. Take the site offline, especially if you suspect the presence of malicious content. If required, deploy a temporary, fully patched web server that serves the same content as the compromised server, or show the site as "Temporarily unavailable". Serving static content only will prevent further infection of visitors while you work.

In the case of shared hosting, notify your hosting provider or ISP. Immediately change all passwords (FTP, database, email, control panel, CMS administrator, etc.) and rotate any API keys or tokens stored on the server. Scan for malicious content and do a thorough clean-up of your website. Update the operating system and all other software to the latest patches.

In the case of a serious attack, restore the most recent clean backup of the website and of any database supporting it, then re-apply any code or data changes made since that backup. Make sure you regularly update content management systems such as Joomla or WordPress, as many defacements exploit CMS vulnerabilities. Also, if any of the plugins, widgets, themes or modules you use are vulnerable, update or replace them now; the same applies to plugins that are no longer maintained.


Tip 2:

Investigate how your website was breached. Find out what attack vector was used (XSS, SQL injection, a weak FTP or administrator password, a vulnerable plugin, an insecure file upload, etc.) and fix it; restoring a backup without fixing the cause only invites the next defacement. Examine all logs, including the web server access and error logs and the FTP and SSH logs: POST requests to scripts that should not exist, requests to newly created .php files and logins from unexpected addresses are the usual tell-tales. Check for changes in the modification dates and permissions of files with static content, but treat dates as a hint only, since an attacker can reset them; comparing file hashes against a clean copy or your source repository is more reliable. Scan both the code and the database for malicious content (injected iframes, scripts and web shells). Also look at the site analytics to get an indication of who is targeting the site.


Tip 3:

Inform your customers about the breach and force a password change.
Inform all customers about the breach and explain how it happened. If your website requires user authentication and you suspect, or have evidence, that passwords were compromised, invalidate existing sessions and require all customers to set a new password. If your site handled personal data or payment card data, the PII Breach and Cardholder Data Compromise sections also apply.

 


Customers' cardholder data stolen!

Incident Name

Cardholder Data Compromise


Description

Cardholder data compromise occurs when cardholder account information is stolen because of a breach in a merchant's payment system.
According to the Payment Card Industry Data Security Standard (PCI DSS), a cardholder is a customer to whom a payment card is issued, or any individual authorised to use the payment card, and a merchant is any entity that accepts payment cards bearing the logos of the card brands that founded the PCI Security Standards Council (American Express, Discover, JCB, Mastercard and Visa) as payment for goods and/or services. Cardholder data can be compromised from sources such as the payment system database, a card reader or point-of-sale terminal, web server logs or e-commerce checkout pages that capture card details, or the loss or theft of equipment or paper records that contain cardholder data.
Cardholder Data includes:

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data includes:

  • Full magnetic stripe data or the equivalent on a chip
  • CAV2/CVC2/CVV2/CID
  • PINs/PIN blocks
By stealing this sensitive authentication data, a thief can impersonate the cardholder and use the card for illicit activity. PCI DSS requires that sensitive authentication data is never stored after authorisation, even encrypted, and that a stored PAN is rendered unreadable (by truncation, tokenisation, hashing or strong encryption); finding either in clear text during the investigation is itself a compliance failure and tells you what the attacker was able to take.
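Part of scoping a cardholder data compromise is finding where PANs were sitting in the clear (logs, database exports, mail spools, crash dumps) and producing redacted copies that can be shared with the investigators. The code below is an added example and not part of the IRISS guidance or of any PCI tool: it finds candidate 13 to 19 digit numbers, keeps only those that pass the Luhn check every PAN must satisfy (which discards most timestamps and order numbers), and masks all but the last four digits, the usual truncation allowed by PCI DSS. The log excerpt is constructed and uses the card brands' published test numbers.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits):
    """Mod-10 (Luhn) check that every payment-card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _normalise(candidate):
    """Strip separators and return the digits if they look like a real PAN."""
    digits = re.sub(r'[ -]', '', candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text):
    """Return the Luhn-valid PANs found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if digits:
            pans.append(digits)
    return pans


def mask_pan(pan):
    """Keep only the last four digits (PCI DSS permits at most first six / last four)."""
    return '*' * (len(pan) - 4) + pan[-4:]


def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form; return (text, count).
    Candidates that fail Luhn (order numbers, timestamps) are left untouched."""
    count = 0

    def repl(m):
        nonlocal count
        digits = _normalise(m.group(0))
        if digits is None:
            return m.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed log excerpt using the card brands' public test numbers; no real cards.
SAMPLE_LOG = """\
2024-03-02T10:14:07Z order=10021 pan=4111 1111 1111 1111 exp=12/26 amount=49.90
2024-03-02T10:14:09Z order=10022 pan=378282246310005 amount=120.00
2024-03-02T10:15:00Z ref=1234567890123456 status=ok
"""
```

Run over a log directory, `find_pans` gives you the list of affected PANs to hand to the acquirer and card brands, and `redact` produces a copy safe to attach to tickets. The Luhn filter is not proof that a number is a card (roughly one random 16-digit number in ten passes), so confirm hits against the issuer identification ranges your business actually processes before reporting a count.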

 

Top Recovery Tips

Tip 1:

Don't panic. Immediately isolate the compromised system(s) and preserve evidence. When a data compromise occurs or is suspected, it is imperative that you contain the damage quickly to protect customer data and preserve evidence for a forensic investigation: disconnect the affected systems from the network rather than powering them off or wiping them, do not log in to or run tools on them beyond what containment requires, and keep all logs. Subsequently, work towards identifying the root cause of the incident. If you are a merchant, produce an accurate record of events for the authorities.
Remember to comply with the requirements of the payment card brands (American Express, Discover, JCB, Mastercard, Visa, etc.) and of your acquiring bank. These include notification timelines and the use of certified companies specialising in incident response, known as PCI Forensic Investigators (PFIs).


Tip 2:

Notify the relevant authorities. Report the incident to the relevant authorities and also consider the following audiences for notification:

  • Cardholders
  • Employees
  • Customer service
  • Shareholders
  • Analysts
  • Media
  • Partners
  • Regulators
  • Legislators

Once the compromise is confirmed, acknowledge responsibility for it promptly and express regret for its impact. Inform customers of the solution or plan for recovery, and tell them to watch their statements and report unrecognised transactions to their card issuer.
The card brand, in consultation with your acquiring (merchant) bank, will determine whether an independent forensic investigation of the compromised entity is required.


Tip 3:

If illegal use of the card data is suspected or possible, contact your local law enforcement.

A cardholder data breach may be the result of an insider breach. If you are concerned that the cardholder data was compromised by an insider, refer to the Insider Breach section.

An employee stole/exposed confidential company information!

Incident Name

Insider Breach


Description

Insider breach incidents are caused by employees, contractors or other persons who have, or at some point had, physical or remote access to an organisation's assets (data, network, systems, etc.) and who intentionally or unintentionally abused that access, negatively affecting the security of the organisation's information or information systems.
Intentional Insider Breach
Intentional insider breaches may be triggered by several factors, including but not limited to:

  • Financial benefit
  • Recruitment by an outsider (a competitor, criminal group or foreign state)
  • Desire for revenge
  • Desire to take intellectual property to a new employer or venture

Unintentional Insider Breach
An insider data breach can also be caused unintentionally, through accidental disclosure of data via websites, email or fax, improper disposal of records, loss of equipment, or an employee falling victim to a social engineering scheme.

A malicious insider could cause damage by introducing viruses, worms or trojan horses into your organisation's systems or network, stealing money, stealing or leaking sensitive information, or stealing the identities of specific individuals in the organisation. Departing employees deserve particular attention, as data is frequently taken in the period around resignation.


Top Recovery Tips

Tip 1:

Don't panic. Immediately isolate the compromised system(s) and preserve evidence. When an insider breach occurs or is suspected, it is imperative that you contain the damage quickly to protect customer data and preserve evidence for a forensic investigation. Because the case may end in disciplinary or legal proceedings, evidence (logs, the insider's workstation and mailbox, access records) must be collected in a way that keeps its chain of custody intact, so involve HR and legal early. Subsequently, work towards identifying the root cause of the incident and execute your incident response plan if you have one. If required, call on third-party forensic and technical experts to help determine the source of the breach and the extent of the damage.


Tip 2:

Deactivate the malicious insider's accounts and reset credentials. Deactivate every account associated with the insider (domain and email accounts, VPN and remote access, cloud services, physical access badges) and reset every credential the insider knew or could have known, including shared and service account passwords, administrator passwords, API keys and encryption keys. Check for accounts or scheduled tasks the insider may have created as a back door, and verify that the offboarding was actually completed rather than trusting the ticket. Afterwards, ensure that separation of duties and least-privilege access are enforced effectively, so that no single person again holds more access than their role requires.


Tip 3:

Inform the relevant people and follow legal requirements. Inform employees, stakeholders, etc. about the breach where necessary, once the identity of the malicious insider is confirmed; employment law and the insider's own rights limit what can be said and to whom, so take legal advice first. Also, if any sensitive information such as cardholder data is confirmed or suspected to have been stolen, contact your local law enforcement.

An insider breach may result in many other incidents, such as a PII breach, an IP breach, the introduction of malware or a cardholder data compromise. If you are concerned about such incidents being caused by an insider, refer to the relevant section.

Company's Intellectual Property (IP) information is breached!

Incident Name

IP Breach


Description

An intellectual property breach involves the theft of ideas, the results of creative and innovative work, or trade secrets, usually by individuals acting for their own future economic benefit.

The sources of IP breaches include business competitors, company insiders, organised criminal gangs and nation-states. For some organisations, a breach of such information can mean the loss of the large sums spent on research and development, and it may give the attacker deep insight into the organisation's future plans, damaging its long-term competitiveness.


Top Recovery Tips

Tip 1:

First things first! Determine the source of the breach. When an IP breach occurs or is suspected, it is imperative that you identify the root cause of the incident and execute your incident response plan if you have one. Establish exactly which documents, designs or source code were taken and when, using file server, source control, email and removable media logs, since this determines both the business impact and what you can prove later. If required, call on third-party forensic and technical experts to help determine the source of the breach and the extent of the damage.

Tip 2:

Notify the relevant authorities. Once the breach is confirmed, notify the relevant authorities.

Tip 3:

If the stolen IP is protected as a patent, trademark, copyright or trade secret, identify and follow your country's legal requirements for an IP breach, and involve your legal counsel early: evidence of the theft, and of the steps you took to keep the information confidential, is what supports any later claim.

An IP breach may occur as a result of an insider breach. If you are concerned that the IP breach may have been caused by an insider, refer to the Insider Breach section.



Customer's Personally Identifiable Information (PII) is breached (not cardholder data)!

Incident Name

PII Breach


Description

Personally identifiable information (PII) is any information that could potentially identify a particular individual. A PII breach involves the compromise, access and/or disclosure of personally identifiable information by unauthorised persons, by either physical or electronic means.
According to NIST Special Publication 800-122, PII is "any information about an individual maintained by an agency, including

  • any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and
  • any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

PII may also include other information such as personal characteristics, religion, education information, financial information, criminal record, etc.

PII comes in different sensitivity levels. Sensitive PII is information which, if lost, compromised or disclosed to unauthorised persons, could cause substantial harm, embarrassment, inconvenience or unfairness to the individual concerned.


Top Recovery Tips

Tip 1:

Don't panic. Immediately isolate the compromised system(s) and preserve evidence. When a PII compromise occurs or is suspected, it is imperative that you contain the damage quickly to protect the remaining data and preserve evidence for a forensic investigation. Subsequently, work towards identifying the root cause of the incident. If required, call on third-party forensic and technical experts to help determine the source of the breach and the extent of the damage.

Tip 2:

Report the incident to the relevant authorities. Once the damage is confirmed, notify the relevant authorities. Assess the likely risk of harm to the affected individuals, taking into account:

  • the sensitivity of the information breached
  • the number of affected individuals
  • the probability that the information is accessible and usable by whoever obtained it (for example, whether it was encrypted with a key the attacker did not get); and
  • the likelihood that the breach leads to harm such as identity theft, fraud or discrimination

This assessment determines how urgently and how widely you must notify; it is not a reason to delay the report itself.


Tip 3:

Find out which laws in your country set out what an organisation must do in the event of a PII breach, including specific requirements for notifying those affected. In Ireland and the rest of the EU the General Data Protection Regulation applies: a personal data breach must be notified to the supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and the individuals themselves must be told without undue delay when the risk to them is high.

A PII breach may occur as a result of an insider breach. If you are concerned that the PII breach may have been caused by an insider, refer to the Insider Breach section.

In association with:

ISI TI-Accredited WARP