As major vulnerabilities gain public attention, being able to craft a public response is no longer a distant thought — it’s an essential part of any incident response program. Business is now and forever entwined with the servers, systems and devices we use on a daily basis. Our ability to patch new vulnerabilities affects not only our own security, but that of every partner and customer we interact with. Like the latest strain of the flu, each new vulnerability requires a new set of responses and controls to limit its impact, and the people who interact with your business want to know you’re taking appropriate steps.

In my role as Akamai’s senior global security advocate, I’ve been involved with writing and publishing many of these incident response notifications. With so many high-profile data breaches making headlines, it’s becoming an increasingly important part of the regular incident response process. Gone are the days when only IT professionals and technicians were interested in the latest security vulnerabilities. Today, these incidents show up on the nightly news, and regular consumers who trust their data to various organizations and service providers are taking notice.

Addressing Known Vulnerabilities in the Public Eye

Why would your customers or partners want to know that you’re reacting to a vulnerability? Because you hold their data and their systems are connected to yours, a hole in your defenses may enable an attacker to access their data. In recent years, many businesses have been compromised due to vulnerabilities in systems attached to the organization’s network, such as air conditioning or printing systems, which is why third-party security is top of mind for auditors. If you haven’t received an audit questionnaire from a customer or partner business yet, you likely soon will.

Stories of large companies losing credit card data and other sensitive customer information have made headlines so frequently that the general public has largely ceased to pay attention. These breaches have, unfortunately, become part of the fabric of daily life. Widespread attacks such as WannaCry and NotPetya, however, are still fresh enough in the public consciousness that people still pay attention to this type of threat. When a company is breached due to a known vulnerability, customers and partners naturally want to know why it hadn’t been patched already.

Composing Your Incident Response Notification

It’s not very difficult to form a public incident notification for a new vulnerability, especially compared to the effort required to mitigate potential threats. More than anything, customers and partners want to know that you’re aware of the problem and taking appropriate steps. No one likes to hear that the company he or she relies on to protect data was caught flat-footed when an attack struck.

The good news is that the majority of the work required to create a public incident response message is covered by steps your organization should already be taking. The major difference is that your public message will need to be focused on the information your partners and customers absolutely need to know and nothing more. You want your customers to know that you understand the vulnerability and how it affects the systems you’re responsible for, but giving too much information invites questions you have neither the time nor the resources to answer during a crisis. If it’s really important to the customer, you can have that conversation once the immediate emergency has passed.

Any public incident response message should have three basic sections: a high-level description of the vulnerability, a summary of how it affects your systems, and your response strategy. It’s good to open with a single paragraph that encapsulates all three of these points simultaneously at the highest level possible.

Providing a brief explanation of a new vulnerability is important because it shows that your team understands the problem well enough to summarize the important details quickly. It takes mastery of a subject to boil it down to the bare essentials, which your notification should reflect.

Keep It Simple

The next step — defining how the vulnerability affects your systems and how you’re responding — is the most important part of the process. It’s also the step at which organizations are most likely to provide too much information. It’s crucial to be as honest and truthful as possible without divulging more details than necessary. Explain to your audience how the vulnerability affects your organization at the highest level possible without sounding like you’re throwing up your hands.

By necessity, what you expose to the public is only a small fraction of the total information your team will collect internally. There’s no need to list every server and system that might be exposed. In fact, your customers don’t even necessarily want to know those details. They just want to know the big picture of how your organization is affected and how you’re keeping their data safe.

This message should come from a senior member of either the security or IT department, but that will vary by organization. It’s important to involve senior management and other teams, such as legal and PR, in the messaging since it will be public. Your customers can tell the difference between a blog post crafted by a security professional and one written by a lawyer.

Stay Out of the Headlines

If everything comes together, a good public incident response message will be short, with just enough detail to let customers know that the organization takes the threat seriously and has taken appropriate steps.

Being open and upfront about your response makes your customers and partners feel more comfortable, proves that you’re competent and improves your company’s security reputation immeasurably. On the flip side, an erroneous or dishonest response notification can harm your reputation even more. Tell your customers what they need to know and let your incident response team do the work of investigating the vulnerability behind the scenes. That way, your organization can bolster its defenses and close security gaps before the next headline-grabbing security breach hits.
