Not Guilty or Innocent? There’s a Difference.
Tuesday, July 5th, 2011 will be remembered by many as a day when the United States justice system failed.
The Casey Anthony verdict, handed down in front of an estimated audience of 130 million television, radio and web viewers shocked a nation. After 33 days of testimony, 400 pieces of evidence and more than 90 witnesses, the State of Florida could not prove beyond a reasonable doubt that Casey Anthony was indeed the perpetrator in the case. The verdict has hit a nerve with many, frustrated with the notion that someone as “guilty” as Casey Anthony could now walk despite a mountain of circumstantial evidence.
In this great land we call America, we are innocent until proven guilty. Those on the wrong side of the law have learned to abuse this right, twisting it until its original intent is no longer recognizable. Like the highly-publicized Casey Anthony case, claimants from businesses of all types find themselves in court attempting to recover losses from malware attacks, reputation assassination and the $250,000 missing from their bank account. Those that find themselves prosecuting – CEOs of banks and credit unions, general managers of fast food chains, provosts of local colleges and other business leaders – beware. If you plan on recovering financial or legal losses from a security breach or incident, the burden of proof is yours.
Information security can be a dirty job. There have been many occasions where I’ve been called in to help new clients respond to and recover from data breaches and security incidents that they weren’t prepared for. As a security professional, these requests elicit a series of pre-programmed responses:
- Is the incident contained?
- What is the extent of the damage?
- Is the attacker or payload still resident?
- What recovery mechanisms are in place and will they work?
- What legal and regulatory reporting is necessary?
Whether you subscribe to NIST, ISO, ITIL or other standards, there are a number of steps to ensure successful incident handling. As was learned in the Casey Anthony case, none is more important than the proper collection and handling of evidence. The following are a number of recommendations that will keep you from making serious errors when performing any type of forensic activity:
- Have a plan – First, assume that you will experience a security incident. It will happen, I promise you that. That being the case, having a plan is the number one thing you can do to help your business respond to one. Identify the types of incidents that are possible, who will lead the response team and the basic steps you will take to recover. The previously named standards are an excellent resource for process frameworks, there’s no need to reinvent the wheel.
- Use certified professionals – Asking your team to completely, accurately and legally respond to a security incident is like asking the Pakistani Army to capture Osama bin Laden. It will be messy and you won’t get the desired outcome. Enlist professionals to assist with forensics, evidence collection, chain of custody and legal advice. The money spent here will be recovered in the courtroom.
- Minimize change – Until the professionals arrive, minimize change to the affected environment. Leave the PC, server, room, facility or any other asset exactly as it was following the event, if possible. In certain cases, this may not be possible if said assets are incurring further damage. Evidence preservation and incident containment need to balance.
- Minimize contact – If possible, minimize or eliminate human contact with the environment.
- Document everything – Keep a log of everything that occurs, beginning from the moment the event is first noticed. Take pictures, write logs, do whatever it takes to capture everything.
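To make the last three points concrete, here is an added example (my own illustration, not part of the original post) of a tamper-evident chain-of-custody ledger: every handling step records who touched the evidence and a hash of its bytes, and each entry is chained to the previous one so that later edits to either the evidence or the log can be detected. The field names and the sample disk image are assumptions for illustration.

```python
# Added example (not from the original post): an append-only chain-of-custody ledger.
# Entries hash the evidence and link to the previous entry, so tampering is detectable.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    def __init__(self):
        self.entries = []  # list of dicts, oldest first

    def record(self, evidence_id, action, handler, content: bytes, note=""):
        """Append one custody event; `action` is e.g. collected/transferred/examined."""
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "evidence_id": evidence_id,
            "action": action,
            "handler": handler,
            "sha256": sha256_hex(content),  # hash of the evidence at this step
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry still hashes correctly and links to its predecessor;
        editing or dropping an earlier entry breaks every hash that follows it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True

    def evidence_unchanged(self, evidence_id, content: bytes) -> bool:
        """Compare the current bytes with the hash recorded at collection time."""
        first = next((e for e in self.entries if e["evidence_id"] == evidence_id), None)
        return first is not None and first["sha256"] == sha256_hex(content)

# Constructed sample standing in for a disk image captured from the affected PC.
DISK_IMAGE = b"constructed-disk-image-bytes"
```

In practice the ledger would be written to storage the response team cannot silently rewrite, and the hashes would be recomputed by whoever next takes custody.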
There are some in the security industry that will tell you that there’s little we can do to avoid being a victim of a security incident. While I believe that there are reasonable mechanisms for protecting your business, realistically speaking most of us will become a statistic. Those that are prepared will respond, recover and go on with business. Those that are not, will not.
By learning a few basic maneuvers, we can avoid becoming the next State of Florida. After all, there’s a difference between “Not Guilty” and “Innocent”.