The updated Federal Rules of Civil Procedure are making an internal forensics lab a valuable asset for controlling future litigation costs, Spernow says. The new e-discovery rules require that parties in a lawsuit be able to articulate where in their infrastructure they have data relating to the case, provide estimates for the cost of extracting that data and criteria for filtering out privileged information.
"The identity of the data is something that anybody in IT can do, to show where it lives," Spernow says. "But extracting and filtering it based on privilege becomes a forensics issue."
The Law Enforcement Dilemma
Deciding when to call law enforcement after a breach can be difficult. It usually involves weighing a lot of factors--whether there's criminal activity suspected, the extent of damages and risk of public disclosure.
While law enforcement can have great resources to track down culprits, an organization essentially gives up control of an investigation when it calls for official help, Spernow says. Plus, there's the risk that corporate "jewels" could end up revealed in a court case.
The FBI's Beeson says an organization should have a good idea of what happened and its losses--estimates of downtime, personnel and lost business--before calling law enforcement.
"We don't have the resources to open a case on every single computer intrusion reported to us," he says. "Sometimes we have to tell the victim, 'Your losses just aren't
Federal law requires a loss of $5,000 in computer intrusion cases, but federal prosecutors often raise the threshold much higher, he adds.
Besides having an incident response plan and preserving evidence properly, Jenkins says it's important for an organization to learn from a breach. Since the breach three years ago, which remains under FBI investigation, UW Medicine boosted its security dramatically. In addition to stepping up network monitoring with a Tipping Point network-based IPS, it also implemented host-based IPS/firewall systems and banned IRC and other peer-to-peer traffic.
This was first published in September 2007