With all the buzz in the news about data breaches lately, one of the big concerns a lot of organizations have is that they don't know whether they've had a breach or not. One of the challenges is that most organizations aren't really sure what to look for. If you know what you're looking for, you at least have a place to start. If you have a solution that automates the process of finding what you're looking for, that's even better.
For example, if you're concerned about whether your email address has been compromised, the site ShouldIChangeMyPassword.com can help. You simply enter your email address and it searches for it in the publicly released data files from compromised businesses (including the Epsilon breach, Gawker Media, and a ton of others). If your email address is in one of the breached data sources, you are notified of the extent of the compromise, like this:
This is a great use of automation, coupled with available data, to find evidence that you’ve been compromised.
The challenge with enterprise security is a lot more complex. You often don't know what you're looking for (subtle changes across your infrastructure), or you don't know where to look (which log would it be in? Are you even logging the right things in the first place?).
Also, don't underestimate the value of preparation. I'm still a huge advocate of starting with secure configurations based on best-known methods, then continuously monitoring for changes, comparing those changes to your policies and standards, and aggressively pursuing any unexplained variance. After all, pretty much any breach is going to leave some detectable change, and a known-good baseline is what makes that change stand out. This is another place automation can help, obviously.
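Here is what that baseline-and-variance loop looks like in code. This is an added example, not code from the original post or from any product: it records a fingerprint of each configuration item in a known-good baseline, compares the current state against it, and flags every difference that is not covered by an approved change record. The file paths, their contents, and the approved-change list are all constructed sample data, and the "approved change" idea stands in for whatever change-ticket system you actually use.

```python
"""
Baseline-and-drift check: record a known-good configuration baseline,
compare the current state against it, and flag any change that is not
explained by an approved change record.

Added example, not code from the original post. The baseline, the
current state, and the approved-change list below are all constructed
sample data for illustration.
"""
import hashlib
from dataclasses import dataclass


def fingerprint(content: str) -> str:
    """SHA-256 of an item's content: cheap to store, cheap to compare,
    and it does not require keeping the original content around."""
    return hashlib.sha256(content.encode()).hexdigest()


@dataclass
class Variance:
    item: str
    kind: str          # "modified", "added", or "removed"
    explained: bool    # True if an approved change record covers this item


def compare_to_baseline(baseline, current, approved_changes):
    """
    baseline / current: dict of item -> content (file text, setting value, ...)
    approved_changes: set of items whose change is covered by a change record.
    Returns one Variance per item that differs between baseline and current.
    """
    findings = []
    for item in sorted(set(baseline) | set(current)):
        if item not in current:
            kind = "removed"
        elif item not in baseline:
            kind = "added"
        elif fingerprint(baseline[item]) != fingerprint(current[item]):
            kind = "modified"
        else:
            continue  # unchanged: nothing to report
        findings.append(Variance(item, kind, item in approved_changes))
    return findings


def unexplained(findings):
    """The variance worth chasing: changes nobody has accounted for."""
    return [f for f in findings if not f.explained]


# Constructed sample data (not real systems).
BASELINE = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
}
CURRENT = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": "root ALL=(ALL) ALL\nbackup ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
    "/etc/cron.d/update": "*/5 * * * * root /usr/local/bin/update-check\n",
}
# Only the sudoers edit has a change record behind it (constructed).
APPROVED = {"/etc/sudoers"}

if __name__ == "__main__":
    for f in compare_to_baseline(BASELINE, CURRENT, APPROVED):
        flag = "ok         " if f.explained else "INVESTIGATE"
        print(f"{flag} {f.kind:8} {f.item}")
```

Run as-is it reports three differences: the sudoers change is explained by its change record, while the sshd_config edit and the new cron job are not and go straight to the investigate list. In practice the baseline comes from a hardened build, the current state is collected on a schedule, and the approved-change set is fed from whatever change-management process you already have.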
Unless you’re Sony, it’s not as easy as just typing something into your browser to find out if you’ve been compromised. So what about you and your organization? What methods are you using to determine whether you’ve been breached?