CLIENT ALERT: Actions to Protect Your Cybersecurity After the FireEye Hack
On December 8, FireEye Inc., one of the world’s largest cybersecurity companies, announced that an unknown hacker had successfully stolen tools that are used by FireEye’s red team to test the security of its clients. These tools are among the most sophisticated in the world for hacking into a company’s computer network. Knowing that these powerful tools are in the hands of bad actors, companies should assess what impact this has on their risk of attack and what steps they should take to mitigate this risk.
Two Approaches to Cybersecurity
Generally, companies pursue two approaches to protecting the security of their computer networks and systems. The first is to work from the inside: applying security patches to internal systems on a regular cadence and building firewalls, malware detection, data loss prevention systems, intrusion detection and similar elements to protect their systems from the outside. The second approach is to hire a team of cybersecurity experts, known as a “red team,” to try to penetrate the business’s computer system from the outside, just as a malicious hacker would do. When the red team locates vulnerabilities in the cybersecurity perimeter, it reports those vulnerabilities so they can be remediated.
Legal Risks Created by FireEye Hack
While the motives of the attackers are unknown, it is possible that they might use, sell or leak the red team tools stolen from FireEye to perpetrate future attacks on other targets. The good news is that FireEye has released a set of countermeasures that are designed to detect and block the use of the stolen tools. Any business that wants to protect itself from misuse of the red team tools can do so by downloading the countermeasures from FireEye’s publicly accessible GitHub site and implementing them in its own cybersecurity systems.
Aside from the cybersecurity risks posed by the theft of FireEye’s hacking tools, the knowledge of this hack and the availability of countermeasures raise an important legal question for businesses: What is the legal risk if an entity does not deploy FireEye’s countermeasures and is subsequently victimized by a cyberattack that deployment of the countermeasures would have averted? If systems are damaged or customers or suppliers are harmed by a breach, the failure to deploy safeguards could very well be viewed as negligence or even gross negligence, as well as a failure to maintain adequate cybersecurity as mandated by state data security laws, the Federal Trade Commission and other regulators. Considering these risks, companies should consult with their IT personnel to determine the necessity and feasibility of deploying countermeasures to the stolen FireEye tools.
Actions to Take Now
No business, no matter how well prepared, is completely immune from the risk of cyber hacking. Therefore, prudence would dictate the following practices:
- Assess your cybersecurity risk, take reasonable steps to address known risks, and implement the security practices noted above.
- Conduct periodic (at least annual) penetration testing of your cybersecurity systems to identify any existing vulnerabilities, preferably at the direction of outside counsel to preserve privilege.
- Have a good understanding of who possesses sensitive information belonging to the business and ensure that data is being stored on an encrypted platform.
- Have an incident response plan in place for how to react when an attack occurs, conduct annual tabletop exercises, and update the plan as required.