Evernote reported a Security Incident. When there’s an event like this there are many ways a company can mishandle notification.
Scott Fendley, the ISC Handler who posted the note, did a nice job of speaking to the Incident Handling procedure Evernote employed:
From an incident response point of view, I will have to commend Evernote for how they are handling the situation.
It appears that their security operations were able to detect the incident in a reasonable period of time (within a day). In addition, their communications/PR arm responded with good initial recommendations in the news article. And while there is not much technical information yet, they were able to limit some of the questions about how they stored passwords (one-way hash with salting). It is my guess that Evernote has been preparing for the eventuality that a security breach would occur, and prepared all of the appropriate parties to respond.
Protect, Detect, Respond, Recover. Remember to not just focus on one or two of these within the continuum.
The part I want to highlight is how the whole Evernote team, and not just their Security Operations group, dealt with this. Too often companies expect their InfoSec specialists to do it all: the normal Incident Handling cycle (identify, contain, eradicate, recover, and lessons learned) plus the notification and communications. When dealing with a Security Incident it is critically important that the InfoSec and other technical teams stay focused on handling the event. Management, the help desk, and in this case the PR team can best help by leveraging their own skills: communicating with customers and the press, and running interference so the technical teams are not pulled away from the response.
I look forward to Evernote providing us with a detailed report of what happened and how they handled things.
Of course, don’t forget:
And if you use Evernote, change your credentials soon to limit your personal exposure.
I’m a huge Evernote fan and user. This just reinforces for me why it’s a service I’ll continue to patronize.