So You Think You’ve been "Pwned"… Now What?

I had the opportunity to speak on cyber-criminal methodology last month Ingram’s IT Security Boot Camp in New Orleans. After the presentation, a great conversation arose over cocktails regarding incident mitigation. And after swapping some channel war stories about it with a few of our solution providers, a great question was brought up to me:

“So Chris, what exactly DO we do when a security incident occurs?”

I only wish the answer was as straightforward as the question. But fear not, good readers, there are guidelines out there to help you and your customers plan out your response strategies.

In general, it’s a good idea to keep in mind the following when developing an incident response plan (in no particular order BTW):

– Liability/obligation under law (HIPA, SOX, HITECH etc)
– Adherence to security policies (or modification if they are insufficient)
– Minimal interruption to normal business processes whenever possible.

It seems that the biggest challenge is not having a tested game plan in place for when an incident occurs. Like most challenges, if everyone knows what their roles and responsibilities are and are confident they can execute on them, it’s more likely that the damage will be kept to a minimum.
There’s a wealth of good information out there on how to set up a Computer Security Incident Response Team, or CSIRT for short. has done a lot of research into this area and has published some very detailed guides.

Here’s another big question: When does one report an incident to law enforcement, and who exactly does it get reported to?

When (or if) an organization report an incident will depend on several factors, such as legal obligations, policies, severity, likely impact, and the like. However enforcement officials recommend sooner than later, as the byte trail can get cold very quickly.
As to the question of who to report it to, it will depend on what resources you have available in your area. It’s a good idea to get to know your local FBI and U.S. Secret Service offices, since they do most of the investigating (Note: the Secret Service specializes in financial fraud cases). The Internet Crime Compliant Center is a good site to have handy when reporting an incident. Please keep in mind that if you feel it’s a critical or even life-threatening situation (think someone tampering with a patient database of blood types), get law enforcement involved immediately.

In addition, many metropolitan areas have established CSIRTs within the law enforcement community. If your region has one it would make sense to get to know them as well. And if you’re worried about agents with sunglasses cordoning off your business with huge yellow tape, don’t be – that’s Hollywood stuff. The last thing responding authorities would want to do is interrupt business or raise suspicion.
In the end, the best and most affordable way to handle incidents is to prevent them! It’s not realistic to believe that everything can be stopped, but designing security into the solutions you offer goes a long way to help keep the damage mitigated.
If approached from a business standpoint, what’s more cost effective – a generically configured laptop lost or stolen in the wild with sensitive customer information on it, or one that perhaps costs a little bit more for up-front but came with solid disk encryption and authentication technologies? A few dollars spent now can sure save you from a lot of recovery fees, legal fees, and lost clients down the road.
And for solution providers, I can’t think of a better value prop – one that helps hold and even increase margins while building that Trusted Advisor status we all hope to achieve with our clients. When a breach hits they’ll thank you for your foresight..hopefully with their business.

Please note: the above article does not represent legal advice, and shouldn’t be construed as such. Please seek professional legal counsel when building an incident response plan to understand what obligations you and/or your business may be under.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s