This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."
Follow the Plan
An incident response plan dictates who should handle incidents, and how to isolate and investigate breaches, restore systems to operation and harden the infrastructure against similar attacks. What's often missed or underestimated is how to control the flow of information outside the organization once a breach becomes public.
"If you look at the major disasters involving customer information, the biggest thing that slips through has been the miscalculation of the future impact," says Rebecca Whitener, an EDS fellow and its director of security and privacy. "Not fully understanding the kind of uproar that can occur when individuals are at risk, or when they feel their privacy or other valued rights have been threatened, really turns the tables."
Enterprises shouldn't downplay or misrepresent the severity of a breach, but should instead be as straightforward as investigators will allow. In ChoicePoint's case, though the breach was discovered six months ago, investigators wouldn't allow public disclosure until after an arrest and conviction were made. ChoicePoint had a plan for dealing with the actual incident and followed it to the letter.
Its first move was to call the Los Angeles county sheriff's office and notify them of the breach. A sting eventually netted a 41-year-old Nigerian citizen, Olatunji Oluwatosin, living in Hollywood, who pleaded no contest to felony identity theft charges and was sentenced to 16 months in jail. Investigators say he's part of a ring that set up fraudulent accounts posing as check-cashing institutions and debt collectors to gain access to ChoicePoint's 19 billion records. The identities of approximately 750 individuals have been compromised.
ChoicePoint may have helped catch one of the bad guys involved, but its real challenge going forward is repairing its battered reputation.
SB 1386 forced ChoicePoint to publicly disclose the breach. The regulation, which several states and the federal government are considering emulating, requires companies doing business in California to disclose security breaches in which individuals' personal information may have been compromised (see "Disclosure Loopholes"). By following the law and admitting someone had compromised its data, ChoicePoint became the poster child for bad data gatekeepers.
"People are starving for this type of story because it's never disclosed," says Kevin Mandia of computer forensics firm Red Cliff Consulting. "Firms that have mature information security programs are ready for the media circus, no question. If you have a mature program, and if any threat becomes a reality, the plan kicks in. There's no question the CSO, general counsel--all are absolutely prepared for this."
Enterprises generally must be compelled by regulations or other outside pressure to publicly disclose a security breach. None want to become the next ChoicePoint. None want to see the value of their company's stock plummet almost $8 a share in three weeks as ChoicePoint's did.
Most would prefer to concentrate on how to respond properly to an incident rather than explain away news stories that confuse network hacks with fraud and scams.
"You should probably rely on individuals who have the information available and can translate what's going on in an organization to the media," says EDS's Whitener. "One of the biggest issues companies face is inaccuracy. If communication is channeled through the appropriate person in an organization, inaccuracies are lessened."
Dry Runs Make Perfect
Delayed communication also delays remediation of a problem. So does an incident response plan that isn't put through its paces at least quarterly by teams that are assembled in advance and kept current.
Security managers can also take this opportunity to evaluate the data their company must protect. While a CSO must assess the data risks associated with information systems, vulnerabilities are often traced to people and processes.
Relying solely on technology to mitigate risk is foolhardy (see "Security Isn't Just Technical").
All of this is part of a comprehensive risk assessment, a crucial precursor to an incident response plan.
"If you're saying you have no time to run a drill like this," says ISS's Gray, "ask yourself if you're too busy to go out of business."
This was first published in March 2005