Only report absolute and total facts to customers because what might make you look less-bad in the short term might make you look like a real idiot later. Be completely up front about what happened and only release what you know to be fact, not what you believe to be true.<\/strong><\/p>\n

In fact, as we would find out two weeks after the initial report, the breach included significantly more information than just the post, thread, and user tables. It, in fact, contained unencrypted credit card information, which was explicitly rejected earlier.<\/p>\n

In several instances, there was some sarcasm and blatant rudeness on the part of the iNet staff toward paying customers. In my opinion, this is not acceptable behavior by any company.<\/p>\n

Lesson #4<\/h3>\n

Sarcasm in Public Relations is a Bad Idea<\/strong><\/p>\n

Here is one example of the public interaction between customers and iNet. The question asked by WHT Client:
\n“Is this really a 24 hour job?”<\/em><\/p>\n

Response from iNet:
\n“No. We decided to take our sweet time about it. After all, why would we want the forum on line?<\/em><\/p>\n

Listen; if it could have been turned back on in 30 seconds, it would have been. There’s no reason for us to needlessly wait.”<\/em><\/p>\n

This is clearly unacceptable – and this is only one example of places where the discussion crossed a respectful boundary between business and consumer and turned needlessly personal.<\/p>\n

The handling of the public relations during the entire course of this incident was inconsistent and, at some points, down right unprofessional. This is never a good way to handle a public disaster such as this.<\/p>\n

One thing that bothered me about the whole series of incidents was that WHT never sent an all-user email notifying all customers of the breach. Had Matt never shown me the thread, I would have never known anything about it – and my username and encrypted password is sitting on someone’s desktop somewhere ready to be attacked. I do not appreciate that – let alone being one of the paying customers whose credit card details were exposed. Several customers were reporting being on the list of credit cards stolen, but had not been contacted by iNet several hours after the incident.<\/p>\n

Perhaps future incidents should use email instead of public forums to communicate information to the clients? Posting a public FAQ (which iNET did do) that is updated frequently is much more efficient than having users blasting questions away in a forum and then getting treated disrespectfully as a result of their questions.<\/p>\n

The notification of the attack should have been immediate – whether or not there were user names, passwords, credit cards, or anything else. Customers have a right to know immediately if there is any<\/strong> possibility that their personally identifiable information was compromised.<\/p>\n

Technical Response<\/h3>\n

The technical side of things I have to be less critical of because I am not privy to the information the techs had at what time during the events. I am not making the case that because WHT was hacked that their technicians are incompetent – no system is fully secure. I have been hacked. If you haven’t been hacked, you will one day be in their position.<\/p>\n

But as an Information Assurance student, it is taught that we must always be prepared to respond immediately and precisely with a strategy that is effective. The response to the attack is where the lessons are learned from this perspective, so you can respond better in the future.<\/p>\n

However, there are standard security practices that were not followed or ignored before, during, and after the attack that made the situation even more difficult on iNET.<\/p>\n

Lesson #5<\/h3>\n

You must know where your information is at and know what your databases contain. Perform regular audits to ensure data remains where it should be, at the proper level of business classification and in compliance with regulations.<\/strong><\/p>\n

Let’s say you take your 3 year old child to a water park and instead of watching them, you lay down and read a book and your child later drowns without you knowing it (you laugh, but I’ve seen it happen all too often.) \u00a0This is the equivalent of what happened with information in the databases – there seems to have been no care as to where sensitive information was stored or how it was stored, allowing for the unencrypted credit card numbers to even be stored in the first place. Just like letting a 3 year old swim without you watching, this was unthinkable.<\/p>\n

Lesson #6<\/h3>\n

If a system is compromised, assume all data was compromised, not just what you’ve found pieces of around the internet.<\/strong><\/p>\n

It was stated repeatedly in the initial phase that “Only certain tables were affected.” This statement was completely ignorant of all security practices. Just like if a virus penetrates a classified network, you treat that classified information as potentially released and you respond accordingly.<\/p>\n

The fact that WHT did not know the CC numbers existed in the database is no excuse for the claim that only certain tables were affected. Private messages were a prime target for anyone who would have been looking for sensitive information – and of course, why wouldn’t a targeted attack look for something like this? Better yet, if the attacker took bits of several tables, wouldn’t it be safe to assume that the attacker took a dump of the entire database?<\/p>\n

Lesson #7<\/h3>\n

Lock down your systems after they have been compromised.<\/strong><\/p>\n

The backup systems were initially compromised on March 22 and detected a short time thereafter. From the information that was gathered, the credit card information was taken from the database on March 25. Not only that, but the hacker could identify how many users had changed their passwords (just over 1,500) since the first notification.<\/p>\n

This is also unacceptable. If you know you have been compromised, pull the network cable out until you get a handle on what is going on and who you are dealing with. If you don’t – continued access can lead to even more significant damage. It is more acceptable to be down for a few days than be repeatedly and consistently compromised over and over.<\/p>\n

Conclusion<\/h3>\n

It is clear that WHT has made many embarrassing missteps over the past few weeks and their actions have hurt their customers and their image. The difference between a customer leaving a business and a customer forgiving a business is not whether or not the business got hacked, but it is the quality of response after they did get hacked.<\/p>\n

This situation provides a learning experience for all of us in the web industry. We must take the lessons learned over the past few weeks and apply them when it is our turn to face this type of crisis.<\/p>\n","protected":false},"excerpt":{"rendered":"

A very wise man, George Washington, once said “If we don’t learn our history, we’re doomed to repeat it.”  This quote is certainly true in the security industry, as you must always be watching and learning – adapting as situational changes occur all around us.  It is essential to look at the mistakes of others and learn from them. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yoast_head":"\n