The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.
Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.
Imagine what you could get done if you had your own Seal Team 6.
Think it sounds crazy?
On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.
Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.
Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams, multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.
And yes, you can have your own.
Here’s what you need:
- Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
- Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
- Train, train, train – Training is the most important of all, and it should incorporate the following:
- The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
- Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
- Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.
Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.
You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.
The Zappos hack this week made national headlines for a number of reasons.
First, Zappos, a subsidiary of Amazon.com, is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers were exposed for an estimated 24 million individuals, making it one of the largest databreaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.
But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic-size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leave the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
On Friday an Albany police officer shot and killed a 19-year old male when a routine traffic stop turned violent.
The suspect and deceased allegedly reached for the loaded .22 caliber handgun that he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.
A public press hearing was held, which quickly became explosive: a chaotic scene with emotions running high.
While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.
There are no absolutes in our business.
One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.
On the street it can get you killed. In the workplace the worst is usually termination of a different sort.
And sometimes it’s hard to know what side you’re on.
Stratfor, Comodo, RSA and HBGary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became targets because of who they were – yet they became victims because they didn’t practice what they preached.
On top of that, each made bad decisions while under duress, whether it was latent customer communications or weak security remediation.
Friday’s press release in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information and assumptions were made by both sides about what had happened. We saw this happen to RSA and the other victims in the court of public opinion, as well. It’s tough to know who’s to blame.
What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.
There are no absolutes in our business.
Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like good public defenders, good security providers will possess strong situational awareness, true aim and flawless decision-making ability.
Great security providers will be able to do all of that while taking enemy fire.
Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?
Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:
- How secure am I?
- Am I more secure than I was last year?
- How much should I be spending on security?
Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.
Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.
Enter security metrics.
Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.
Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.
To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.
The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.
The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.
Here are some metrics to consider:
- Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
- Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
- Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
- Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
- Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?
The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
(For some other ideas, check out the CIS Consensus Information Security Metrics)
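As an added example (not from the original post), here is how the five metrics above might be computed and assembled into a scorecard you can trend month over month. Every record is constructed sample data; the use of 30-day months, hours as the time unit and percentages as the output form are my assumptions.

```python
"""The post's metrics computed over constructed sample records.

Added example, not part of the original post. Every record below is
constructed for illustration; only the metric definitions follow the post.
"""
from datetime import datetime, timedelta

NOW = datetime(2012, 1, 31)  # constructed "as of" date used for every window

# ---- constructed sample data ---------------------------------------------
ASSETS = [  # (asset, date of last risk assessment; None = never assessed)
    ("payroll-app", datetime(2011, 11, 15)),
    ("hq-datacenter", datetime(2011, 4, 2)),
    ("customer-db", datetime(2012, 1, 10)),
    ("guest-wifi", None),
]
CHANGES = [  # (change id, reviewed by security?, later root cause of a violation?)
    ("CHG-101", True, False), ("CHG-102", False, True), ("CHG-103", False, False),
    ("CHG-104", True, False), ("CHG-105", False, True),
]
INCIDENTS = [  # (id, started, discovered, recovered, discovered by, critical?)
    ("INC-1", datetime(2011, 10, 1), datetime(2011, 10, 3), datetime(2011, 10, 4), "internal", True),
    ("INC-2", datetime(2011, 11, 5), datetime(2011, 11, 19), datetime(2011, 11, 21), "customer", True),
    ("INC-3", datetime(2011, 12, 20), datetime(2011, 12, 20), datetime(2011, 12, 20), "internal", False),
]
PATCHES = [  # (id, critical?, released, policy deadline in days, applied; None = not yet)
    ("KB-1", True, datetime(2011, 12, 1), 14, datetime(2011, 12, 10)),  # on time
    ("KB-2", True, datetime(2011, 12, 1), 14, datetime(2012, 1, 5)),    # late
    ("KB-3", True, datetime(2012, 1, 20), 14, None),                     # still inside its window
    ("KB-4", True, datetime(2011, 11, 1), 14, None),                     # overdue and unapplied
    ("KB-5", False, datetime(2011, 12, 1), 90, None),                    # not critical: ignored
]
EMPLOYEES = [  # (name, completed awareness training?, avoidable incidents involved in)
    ("alice", True, 0), ("bob", False, 1), ("carol", False, 0),
    ("dave", True, 0), ("erin", False, 0), ("frank", False, 2),
]

def risk_assessment_coverage(assets, months, now=NOW):
    """Percent of assets risk-assessed within the last `months` months (30-day months)."""
    cutoff = now - timedelta(days=30 * months)
    covered = sum(1 for _, last in assets if last is not None and last >= cutoff)
    return 100.0 * covered / len(assets)

def change_review(changes):
    """(percent of changes reviewed, percent of unreviewed changes that caused a violation)."""
    unreviewed = [c for c in changes if not c[1]]
    pct_reviewed = 100.0 * (len(changes) - len(unreviewed)) / len(changes)
    pct_violation = (100.0 * sum(1 for c in unreviewed if c[2]) / len(unreviewed)
                     if unreviewed else 0.0)
    return pct_reviewed, pct_violation

def incident_metrics(incidents):
    """(percent discovered by us rather than a third party, mean time to discovery
    in hours over all incidents, mean time to recovery in hours over critical ones)."""
    internal = sum(1 for i in incidents if i[4] == "internal")
    mttd = [(i[2] - i[1]).total_seconds() / 3600 for i in incidents]
    mttr = [(i[3] - i[2]).total_seconds() / 3600 for i in incidents if i[5] and i[3]]
    return (100.0 * internal / len(incidents),
            sum(mttd) / len(mttd),
            sum(mttr) / len(mttr) if mttr else 0.0)

def patch_policy_violation_rate(patches, now=NOW):
    """Percent of critical patches past their policy deadline that were applied
    late or are still unapplied; patches still inside their window do not count."""
    due = [p for p in patches if p[1] and now >= p[2] + timedelta(days=p[3])]
    late = sum(1 for p in due if p[4] is None or p[4] > p[2] + timedelta(days=p[3]))
    return 100.0 * late / len(due) if due else 0.0

def training_metrics(employees):
    """(percent trained, percent of untrained staff involved in an avoidable incident)."""
    untrained = [e for e in employees if not e[1]]
    pct_trained = 100.0 * (len(employees) - len(untrained)) / len(employees)
    pct_involved = (100.0 * sum(1 for e in untrained if e[2] > 0) / len(untrained)
                    if untrained else 0.0)
    return pct_trained, pct_involved

def scorecard(now=NOW):
    """One row of the scorecard; the CEO's questions are answered by trending rows over time."""
    pct_reviewed, pct_unreviewed_bad = change_review(CHANGES)
    pct_internal, mttd_hours, mttr_hours = incident_metrics(INCIDENTS)
    pct_trained, pct_untrained_bad = training_metrics(EMPLOYEES)
    return {
        "as_of": now.date().isoformat(),
        "risk_coverage_6m_pct": risk_assessment_coverage(ASSETS, 6, now),
        "risk_coverage_12m_pct": risk_assessment_coverage(ASSETS, 12, now),
        "changes_reviewed_pct": pct_reviewed,
        "unreviewed_changes_causing_violation_pct": pct_unreviewed_bad,
        "incidents_discovered_internally_pct": pct_internal,
        "mean_time_to_discovery_hours": mttd_hours,
        "mean_time_to_recovery_hours": mttr_hours,
        "critical_patch_policy_violation_pct": patch_policy_violation_rate(PATCHES, now),
        "employees_trained_pct": pct_trained,
        "untrained_in_avoidable_incident_pct": pct_untrained_bad,
    }

if __name__ == "__main__":
    for name, value in scorecard().items():
        print(f"{name:42} {value}")
```

Each run against real records produces one row; the trend of those rows over months, not any single number, is what answers “am I more secure than last year?”.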
Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.
Get your metrics right and the next time your CEO asks “how secure am I” you can say... “No worries mon.”
I’m not talking about trick-or-treating, I’m talking about Information Security. (Hooo-hoo-hoo-hoo-hoo-haa-haa-haa-haa-haa)
- Wear a well-fitting outfit – If your costume doesn’t fit, or if it makes you sweat or gives you a rash, you’re going to end up taking parts of it off. Then you’ll spend the rest of the night explaining what you are and possibly forfeiting bounty. There’s no point in getting into something that you’re not going to use, it wastes time, money and energy, and you pretty much get nothing out of it. Your security program should fit like a catsuit. Black.
- If you see something, say something – Too often we’re hesitant to make the call when we see something that’s out of place or just doesn’t feel right. As human beings we are programmed to not get involved, but done appropriately it can help prevent problems from occurring. It might be a ghost, it might be an intruder. Be safe, not sorry.
- Stay away from dark houses – In the best case you’re wasting your time, in the worst case you’ll end up wandering into a bad place. There’s plenty of low-hanging candy out there, don’t get distracted by the latest curiosity. We all know what curiosity did to the cat.
- Use sidewalks and driveways – If you’re cutting across lawns or jumping fences because you think you’re going to make better time, chances are decent that you’ll end up in an open septic tank. Or a drainage ditch. Or getting caught on a pole. Shortcuts rarely are, that’s why we have standards. Stick to lighted streets and pathways. And trust me on the septic tank thing.
- Know your route – Have a plan and stick to it, but remember that your plan should account for change. If the police have closed Lincoln Drive off because someone egged Mr. Goldman’s place, be prepared to take Washington. It may get messy out there and there are no guarantees. Review your plan regularly to maximize your progress.
- Don’t walk those streets alone – Strength comes in numbers. Find people to go with you on this harrowing journey, chances are they’ll know something about the streets you’re walking and they’ll help you avoid traps that you would have fallen into otherwise. It’ll be more fun, too. And don’t be afraid to call for help if you see trouble, there are experts out there that specialize in dealing with problems.
- Check your candy before eating it – This one seems obvious, but when something is given to us we’re usually so excited we just can’t wait to open it up. Once it’s opened it’s too late, and it usually ends up installing a rootkit and stealing our banking credentials. Or giving us a toothache. Don’t judge that candy by its wrapper, and don’t even take it if it’s not coming from a trusted source. The apple from Mrs. McGillicutty is probably fine, but I wouldn’t touch that popcorn-ball-thing you got from Old Man Haversham.
- Don’t talk to strangers – There are a lot of bad people out there, and they do bad things. They’ll take your candy. They’ll even take that popcorn-ball-thing you got from Old Man Haversham. Only get involved with people you trust. If you’re going to be spending time with them, you should know where they come from, what they do for a living and if they’ve had a vendor risk assessment from a trusted security provider.
- Pace yourself – Running from house to house will only wear you out, and chowing a bag full of Reese’s will make you sick. It’s going to be a long night, and the successful will recognize that this is a continuous process. Ring door bell, collect candy, run to next house, repeat. Master your pace, master your success. Stick to your security priorities. Do too much at once and you’ll just end up exhausted and nauseous.
- Enjoy – Too many of us are heads down in the mission and we forget to stop and smell the candy corn. It’s not just about collecting the biggest bag of candy, it’s about the experience. Yes, we all have a serious job to do, but we won’t be able to take it seriously if we don’t love what we do. So love it. Eat it like candy.
This past Saturday I woke up early and suddenly found myself running from bloody, muddy, brain-hungry zombies.
No, the world hadn’t suffered a raging viral infection. And no, I wasn’t a movie extra. It was the first annual Run for Your Lives Zombie 5K race near Baltimore, MD. There were thousands (OK maybe hundreds) of zombies to avoid, a dozen obstacles to overcome and endless fields of mud. There was blood. Whole pools of it. And there were several “teachable moments”.
Now in many ways, I feel like I’m better prepared than the next guy for the impending Zombie Apocalypse – my cardio level is above average, I prefer moving around at night and I love me some good baked beans. I also consider myself a bit of a survivalist, and I keep an ample supply of batteries, bleach and duct tape ready to go for when things get apocalyptic.
All that being said, this weekend’s events reminded me that there’s no way to prepare for everything. Despite the semi-lighthearted nature of the 3.1-mile obstacle course, I found myself surprised – even shocked – on several occasions. Midway through the race I found myself deciding between diving into a muddy lake filled with 55-degree water or being attacked by a crazed horde of killer undead. This particular teachable moment taught me that hypothermia may be for a while, but dead is forever.
So what does all of this have to do with information security?
Just like the doomsday scenarios that scientists, religious zealots and Al Gore all predict for the human race, there is no way to prepare for everything in information security. In fact, the best preparation may be in preparing to be unprepared.
The harsh reality is, most businesses have already been compromised, whether they know it or not. Yesterday my company met with yet another organization who has been the victim of cybercrime. Not only did this business suffer major losses, but two months later they are still unsure if the money-stealing malware has been eradicated.
Having an Incident Response plan is an important part of running a successful business. Detection of malware and anomalies, containment of incidents and processes for forensics investigations and business resumption should be regular discussions for all management teams. If you haven’t already done so, add a chapter to your plan that accounts for the “unexpected”. Failing to plan is planning to fail.
Hindsight, as they say is 20/20. I’ve already thought of a few things that I’ll do differently to be better prepared for next year’s race. Luckily, it’ll only cost me $57 to learn from my mistakes.
If you’re a business without an Incident Response plan, it may be a little more expensive.
There’s been a lot of chatter over the past week regarding the alleged breach of U.S. Military unmanned aerial vehicles, or at least the networks that they use to transport video streams back to Operation Command Centers in Nevada, or wherever their 19-year old operators and joysticks are positioned.
The media have speculated that a virus, introduced from external media penetrated critical networks and was doing bad things. The Government has done its best to misinform and parry, suggesting (and confirming in some way?) that whatever malware did make its way onto its networks is just a nuisance. It was even suggested that the malware was the military’s own, a weapon that somehow escaped the labs.
Of course, the Department of Defense doesn’t comment on classified networks, so there’s a good chance we’ll never know the real story.
The real question we should be asking is, who cares?
I don’t mean to sound glib, but if Uncle Sam says it’s not a problem, maybe it’s not? After all, even if video streams from Unmanned Aerial Vehicles (UAVs) were intercepted, intended targets likely wouldn’t have time to escape before they were made into Afghani pottery anyway, so what’s the big deal? Perhaps, you say, the enemy is collecting intelligence on UAV flight patterns, so that it can predetermine and thus avoid detection. Perhaps.
Or perhaps this story is more important to the media than it is to the masses? Not unlike the incessant droning (sorry) on about malware being delivered to Android-based phones these days. It’s a [nearly] proven fact that over 10% of Android applications do things we don’t want them to do, whether they’re harmlessly hijacking GPS coordinates and personal information to push personalized ads to your browser or they’re outright malware stealing online banking credentials. Here’s the thing – people don’t care. Androids – and their applications, stuffed with privacy-violating “features” – are flying off the shelves.
And when will it be time to start vulnerability scanning our cars? We’ve already seen Subaru Outbacks compromised using integrated Wi-Fi, and many vehicles’ braking systems are vulnerable to attack. And let’s face it – OnStar is a mass botnet just waiting to happen. Don’t look for the “Hardened Security Vehicle” checkbox at your local auto dealer – they don’t care either.
Perhaps the Department of Defense is giving us the cold shoulder because they’re a little embarrassed. Perhaps they’ve declassified this information because it’s helpful for the information security community. Or perhaps it’s because redirection and confusion is all part of their Computer Incident Response Team (CIRT) procedure.
Or perhaps they’re just teaching us a lesson. If we can care so much about a remote control airplane flying over a desert 7,000 miles away that we’ve never seen and will never have any effect whatsoever on us, why can’t we care about the stuff we use every day?
“The definition of insanity is doing the same thing over and over and expecting different results.” – Albert Einstein
Is it possible that there are companies that deserve to experience a security incident?
Some may call this unproductive thinking, but it seems that some businesses are exposing themselves to repeat attack due to how incidents are being handled. Here are some examples of recent and common behaviors that are putting businesses at undue risk:
- Victims of cybercrime are not reporting their incidents. This lack of reporting may on the surface appear to protect the victimized organization, but that notion is short-sighted. By keeping the details of the attack and attackers private, we cannot learn from the event. This lack of detailed information about events makes it much harder to prevent, detect and correct them when they occur again. Our inability or unwillingness to share information becomes a critical weakness when fighting cybercrime – this is especially common among small businesses. Knowledge is power.
- Victims of cybercrime are settling out of court. Believing that they’re saving their reputations and wallets, victimized organizations avoid prosecution of attackers or malicious employees. Without prosecution, bad people never become criminals, and they simply move on to their next victim. Background checks against bad people are useless unless they have a criminal record, and criminal records don’t exist without prosecution. The same bad employee could end up working for the victimized company again and again if they were determined and understood how easy identity theft was.
- Victims of cybercrime aren’t collecting or using event evidence to strengthen their security programs. Actionable intelligence is the equivalent of sights on a handgun; without these your chances of hitting your target become much, much lower. Security devices – firewalls, intrusion prevention, monitoring, anti-malware – record mountains of activity data during a security incident. Leveraging this information can help ensure that you’re less vulnerable to the same attack again.
As human beings we are programmed for self-preservation; these reflexes have helped us survive for millennia. However, it is these same survival reflexes that cause us to trade long-term pain for short-term gain. It takes considerably more thought and patience to factor the complex network of cause and effect relationships into our security decisions, but the juice can be worth the squeeze.
And as a bonus, Einstein wouldn’t have you committed.
It is said that any threat with enough resources or motivation will eventually find a vulnerability in a system. As I watched the overflowing Hudson River decimate the park, marina and restaurant behind my office, that theory became a staggering reality.
On Sunday, Troy, NY experienced its worst flooding since 1977. With record rainfall from Hurricane Irene, many area dams were at risk of failure and creeks and rivers were over their banks. Homes were flooded and vehicles were destroyed. Boats were lost from marinas, washed down the river along with tons of trees, barrels and other debris. The crowds of people who had gathered in front of the now-underwater Dinosaur BBQ added to the chaos.
Today however, just hours after the event, our city is already getting back to normal. Walking through the areas hardest hit by the flooding, it’s clear that recovery is well underway. The crowds have dissipated, the police tape is slowly disappearing, and businesses are getting back to normal operations. This recovery is occurring in large part because the first responders, law enforcement, FEMA and DHS personnel that responded to the disaster were prepared.
No one could have anticipated that Upstate New York was to be hit by both an earthquake and a hurricane in the same week. In fact, we were probably more likely to see a unicorn. But a good Incident Response plan assumes that we won’t necessarily have all of the intelligence, resources or time that we need to counteract a threat. A good Incident Response plan can also mean the difference between a business returning to normal operations, and a total disaster.
Security incidents come in all shapes and sizes. One day you may be responding to a malware outbreak, the next day you may be responding to the $250,000 that has been siphoned out of your company’s bank account. Irrespective of the type of organization, a good Incident Response plan should address the following:
- Containment – Whether isolating the latest worm or preserving evidence of a databreach for litigation, your containment strategy will vary depending on the incident. The most important considerations in this step are minimizing damage and neutralizing the threat without affecting your downstream mitigation options. It is important to understand your threat before enacting a containment strategy – an active shooter requires different counteractions than a perimeter attack.
- Mitigation – Once the threat is contained, it should be addressed. Again an understanding of the threat is important. In many instances, expertise in evidence preservation and chain of custody is critical, particularly in situations where legal proceedings are anticipated.
- Recovery – Rebuilding systems, restoring from backups or providing counseling for employees are all essential steps in the Incident Response process. Effective recovery requires advance planning and preparation, but it will provide significant returns if done properly.
Lastly your Incident Response plan should be governed by policy and handled by a team specially trained in response procedures. It’s not unusual to outsource some of your incident handling efforts. In fact, asking an internal team to perform technical forensics tasks or to understand the intricacies of evidence preservation could be like asking the Pakistani Army to capture bin Laden – it could get very messy and leave you without the desired outcome.
I had lunch in downtown Troy today, and if I hadn’t witnessed the flooding firsthand I would’ve never guessed that large parts of the city were underwater 24 hours prior. Thanks to preparation, a trained team and a good Incident Response plan, today’s pizza tasted just like any other day.
Tuesday, July 5th, 2011 will be remembered by many as a day when the United States Justice system failed.
The Casey Anthony verdict, handed down in front of an estimated audience of 130 million television, radio and web viewers shocked a nation. After 33 days of testimony, 400 pieces of evidence and more than 90 witnesses, the State of Florida could not prove beyond a reasonable doubt that Casey Anthony was indeed the perpetrator in the case. The verdict has hit a nerve with many, frustrated with the notion that someone as “guilty” as Casey Anthony could now walk despite a mountain of circumstantial evidence.
In this great land we call America, we are innocent until proven guilty. Those on the wrong side of the law have learned to abuse this right, twisting it until its original intent is no longer recognizable. Like the highly-publicized Casey Anthony case, claimants from businesses of all types find themselves in court attempting to recover losses from malware attacks, reputation assassination and the $250,000 missing from their bank account. Those that find themselves prosecuting – CEOs of banks and credit unions, general managers of fast food chains, Provosts of local colleges and other business leaders – beware. If you plan on recovering financial or legal losses from a security breach or incident, the burden of proof is yours.
Information security can be a dirty job. There have been many occasions where I’ve been called in to help new clients respond to and recover from databreaches and security incidents that they weren’t prepared for. As a security professional, these requests elicit a series of pre-programmed responses:
- Is the incident contained?
- What is the extent of the damage?
- Is the attacker or payload still resident?
- What recovery mechanisms are in place and will they work?
- What legal and regulatory reporting is necessary?
Whether you subscribe to NIST, ISO, ITIL or other standards, there are a number of steps to ensure successful incident handling. As was learned in the Casey Anthony case, none is more important than the proper collection and handling of evidence. The following are a number of recommendations that will keep you from making serious errors when performing any type of forensics activities:
- Have a plan – First, assume that you will experience a security incident. It will happen, I promise you that. That being the case, having a plan is the number one thing you can do to help your business respond to one. Identify the types of incidents that are possible, who will lead the response team and the basic steps you will take to recover. The previously named standards are an excellent resource for process frameworks, there’s no need to reinvent the wheel.
- Use certified professionals – Asking your team to completely, accurately and legally respond to a security incident is like asking the Pakistani Army to capture Osama bin Laden. It will be messy and you won’t get the desired outcome. Enlist professionals to assist with forensics, evidence collection, chain of custody and legal advice. The money spent here will be recovered in the court room.
- Minimize change – Until the professionals arrive, minimize change to the affected environment. Leave the PC, server, room, facility or any other asset exactly as it was following the event, if possible. In certain cases, this may not be possible if said assets are incurring further damage. Evidence preservation and incident containment need to balance.
- Minimize contact – If possible, minimize or eliminate human contact with the environment.
- Document everything – Keep a log of everything that occurs, beginning the moment the event is detected. Take pictures, write logs, do whatever it takes to capture everything.
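An added example, not part of the post, for the “document everything” and chain-of-custody points: a handling log in which each entry commits to the previous entry and to a SHA-256 fingerprint of the evidence item, so that a later edit, deletion or reordering of the record is detectable. Hash-chaining and fingerprinting are additions assumed here, and every handler, asset and byte string is constructed.

```python
"""A tamper-evident chain-of-custody log for the "document everything" step.

Added example, not from the original post. The post says to keep a log of
every action; hash-chaining the entries and fingerprinting evidence items
are additions assumed here so that later alteration of the record shows up.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def fingerprint(data: bytes) -> str:
    """SHA-256 of an evidence item (disk image, photo, exported log)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry: dict) -> str:
        """Hash of every field except the entry's own hash, in a canonical encoding."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, handler, action, item, evidence: bytes = None, when=None) -> dict:
        """Append one entry; each entry commits to the hash of the previous one."""
        entry = {
            "seq": len(self.entries) + 1,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "item": item,
            "evidence_sha256": fingerprint(evidence) if evidence is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first bad entry).
        Catches edited fields, deleted or reordered entries and a broken chain."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            if (e["seq"] != expected_seq or e["prev_hash"] != prev
                    or self._hash(e) != e["entry_hash"]):
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def evidence_matches(self, seq: int, data: bytes) -> bool:
        """Re-fingerprint an item later (e.g. before trial) and compare with the record."""
        return self.entries[seq - 1]["evidence_sha256"] == fingerprint(data)


def demo():
    """Constructed walk-through: three handling steps, then an after-the-fact edit."""
    image = b"constructed stand-in for an acquired disk image"
    t0 = datetime(2011, 7, 6, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    log = CustodyLog()
    log.record("j.doe (IT)", "isolated workstation WS-17 from the network", "WS-17", when=t0)
    log.record("examiner", "acquired disk image of WS-17", "WS-17.img", image, when=t0)
    log.record("examiner", "sealed image in evidence bag E-001", "WS-17.img", image, when=t0)
    intact = log.verify()                      # (True, None)
    still_same = log.evidence_matches(2, image)  # True
    log.entries[1]["handler"] = "someone else"   # simulate a later edit to the record
    return intact, still_same, log.verify()      # last value: (False, 2)


if __name__ == "__main__":
    print(demo())
```

Printing or signing the latest `entry_hash` at each handover anchors the chain outside the file, so a wholesale rewrite of the log is also detectable.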
There are some in the security industry that will tell you that there’s little we can do to avoid being a victim of a security incident. While I believe that there are reasonable mechanisms for protecting your business, realistically speaking most of us will become a statistic. Those that are prepared will respond, recover and go on with business. Those that are not, will not.
By learning a few basic maneuvers, we can avoid becoming the next State of Florida. After all, there’s a difference between “Not Guilty” and “Innocent”.