What is eXpress badging's cyber incident and breach response process?

Here is the process of what to do if a cyber breach happens within the local server or the Veonics Portal.

Insurance and Physical Security

Express Badging Services, Inc. is protected by General Liability, Cyber Security, and Errors and Omissions (E&O) insurance.  Our facility has external CCTV cameras covering our parking lot and building access.  Internal CCTV cameras cover all elevator ingress and egress on all floors. The building is further controlled by a door access control system that restricts public access to the building during defined schedules (business hours) and requires key access afterward. 

  • General Liability $2m/$1M | E&O/ Cyber $2M | Workman Comp
  • Express Badging Services, Inc. will never work on a customer’s premises as the rule
  • Our building is secured by time-zone controlled door access with CCTV on all floor

Insurance Process Coverage 

Breach Response Costs, covered by Beazley Insurance Company, Inc., means the following fees and costs incurred by the Insured Organization with the Underwriters' prior written consent in response to an actual or reasonably suspected Data Breach or Security Breach:

  1. for an attorney to provide necessary legal advice to the Insured Organization (eXpress badging) to evaluate its obligations pursuant to Breach Notice Laws or a Merchant Services Agreement;
  2. for a computer security expert to determine the existence, cause, and scope of an actual or reasonably suspected Data Breach, and if such Data Breach is actively in progress on the Insured Organization’s Computer Systems, to assist in containing it;
  3. for a PCI Forensic Investigator to investigate the existence and extent of an actual or reasonably suspected Data Breach involving payment card data and for a Qualified Security Assessor to certify and assist in attesting to the Insured Organization's PCI compliance, as required by a Merchant Services Agreement;
  4. to notify those individuals whose Personally Identifiable Information was potentially impacted by a Data Breach;
  5. to provide a call center to respond to inquiries about a Data Breach;
  6. to provide a credit monitoring, identity monitoring, or other personal fraud or loss prevention solution, to be approved by the Underwriters, to individuals whose Personally Identifiable Information was potentially impacted by a Data Breach; and
  7. public relations and crisis management costs directly related to mitigating harm to the Insured Organization are approved in advance by the Underwriters at their discretion.

Notify and Meet with Task Force

  • Executive Team
  • Internal IT Team
  • Contracted IT Team
  • Contracted Cyber Protection Team
  • Contracted Legal Counsel

Identify and document the incident

  1. When was the breach noticed?
  2. What date/time was the first occurrence?
  3. Which services, systems, etc., have been affected?
    1. PII Data
    2. Financial/Payment information
    3. Aggregated badge photos and data
    4. Employee information
    5. Corporate Intellectual and Confidential Content

What was the cause of the attack?

  1. Accidental (or Employee Error)
    1. Sending a Document to the wrong recipient
    2. Not Understanding Security protocols and procedures
  2. Intentional (or Employee Misuse)
    1. Getting around permissions or protocols that are in place
    2. An ex-employee or contractor who is disgruntled causes problems

What type of attack is it?

  1. Hacking/Computer Intrusion (includes Phishing, Ransomware/Malware, and Skimming):
    1. The fact is that nearly all the hacking activity is accounted for by a few methods. Along with using stolen credentials and brute-force methods, which deal with weak credentials, other everyday hacking actions include using backdoors (44%) and SQL injection (8%). Exploiting buffer overflow vulnerabilities made the top 10 everyday hacking actions, but only 1% of the incidents were observed.
  2. Weak and Stolen Credentials, a.k.a. Passwords
  3. Password attacks – Password attacks are a combination of brute force attacks that are used to gain access to insecure passwords. A hacker uses a program that tries multiple passwords to access a user’s data until a password work.
  4. Overly complex access permissions
  5. Not forcing security policy on mobile devices
  6. Backdoors
    1. A backdoor is a means to access a computer system or encrypted data that by-passes the system’s customary security mechanisms.
    2. A developer may create a backdoor to access an application or operating system for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit. Sometimes, a worm or virus is designed to take advantage of a backdoor created by an earlier attack.
  7. SQL injection
    1. SQL injection is a hacker’s method to penetrate a network. The idea is to execute SQL code for fraud inside an application or web page. An example may be if a website requires a login and a perp would like to bypass this, they may try using SQL injection. Most sites that require a login will have three things... A username, password, and a submit button of some nature. When the submit button is executed, it usually talks to a database of some flavor. Consequently, the application will decide based on whatever was typed in the Username and Password fields. Therefore, a hacker might type SQL code in these fields to create a new user or by-pass the Login altogether.
  8. Buffer overflow
    1. A buffer overflow is when a running program attempts to write data outside the memory buffer not intended to store this data. When this happens, we reference a buffer overflow or buffer overrun situation. A memory buffer is an area in the computer’s memory (RAM) that temporarily stores data. This kind of buffer can be found in all programs and stores input, output, and processing data.
    2. An example of data stored in buffers is login credentials or the hostname for an FTP server. Also, other data temporarily stored before processing can be stored in buffers. This could be anything from user input fields, such as username and password, to input files that import specific configuration files. When the amount of data written to the buffer exceeds the expected amount of data, the memory buffer is overrun. For example, this happens when a username with a maximum of 8 bytes is expected, and a username of 10 bytes is given and written to the buffer. In this case, the buffer is exceeded by 2 bytes, and an overflow will occur when it’s not prevented from happening. This often happens due to bad programming and the lack of input sanitization.
  9. Phishing – Email or phone calls that seem official to gain access or personal information is called phishing. They frequently take the guise of known, credible entities—such as a person’s bank. Various misrepresentation and outright deception levels are employed to defraud or gain information. Who committed the attack, and do they have a plan? (external or internal?)
  10. Ransomware – Ransomware is often, but not exclusively, used on businesses that need access to time-sensitive data, such as hospitals. A hacker gains control of the company system and locks it from use. A ransom note is left within the virus. The company or user is extorted to pay money for data to be restored, or their data is destroyed.
  11. Malware – Any virus, including worms and Trojans, is malware.
  12. Skimming – Using devices to capture transmitted data for fraudulent purposes electronically.
  13. Insider Threat: Employees know the most about where most sensitive data exist and, in some cases, how it is protected, so they can inflict significant damage if not adequately monitored or security protocols put in place.
  14. Data on the Move: We live in an increasingly mobile world, so another concern has to be when laptops or flash drives are stolen or backup tapes are lost in the mail.
  15. Physical Theft: physical data theft can be as simple as plugging a USB drive into a sensitive port or uploading data to a personal cloud storage location.
  16. Employee Error/Negligence/Improper Disposal/Lost: People make mistakes all of the time, so once assume an employee or a vendor’s employee could cause a PII data security breach at some point in time.
  17. Accidental Web/Internet Exposure: The likelihood of unintentional exposure increases as an organization migrates more data to cloud-based applications and infrastructure. All parties must practice security best practices at all times.
  18. Unauthorized Access: This data breach is attributed to a lack of access controls. Precisely, poorly monitored admin privileges or the lack of controls regarding privilege levels within specific applications or even across network resources.

Isolate and Remediate any damage.

  1. Close any access points to deny further access to the Network (s)
  2. Isolate any identified personnel involved
  3. Begin the remediation process
  4. Execute developed communication protocols

End of Incident & Exit Plan 

  1. Manage the incident using standard project management procedures
  2. Develop a Gantt chart for tracking
  3. Document completed actions and milestones
  4. Reflect, assess, and better plan Cyber Incident Management if/when needed again.
  5. Review quarterly as a topic in our lunch and learns.