How should CSIRTs respond to email extortion schemes?

The 2014 Sony Pictures hack highlights the importance of responding appropriately to email extortion. Learn what steps executives should take to best manage the situation.

After the 2014 Sony Pictures hack, information emerged that top Sony executives received extortion emails prior to the hack. This highlights the need for executives and executive admins to understand how to handle these situations. Can you provide some advice on how to train/prepare non-security staff that may receive ransomware/extortion emails? We're looking to offer consistent guidance for employees on what to do, what not to do, whom to contact, etc.

Should an enterprise pay a ransom for information or computers taken hostage? Ethically, the answer is no. Practically, given the criticality of the asset, you might have to. If not paying the ransom has an adverse effect on the viability, reputation or financial position of your business, then the choices are few. Bear in mind that paying buys no guarantee: an extortionist who holds a copy of your data still holds it after payment, and nothing stops a second demand. If the business can absorb the loss, it should not pay the ransom, and should focus its attention on containment and preventing recurrence. Either way, the decision belongs to executive management and legal counsel, informed by the CSIRT's assessment, not to the person who received the demand.

Whenever an executive or executive admin receives what appears to be an email extortion scheme with ransom demands, first and foremost, they should not respond to the email. This should go without saying, but recipients of extortion or threatening emails are people with human emotions, such as fear and panic, and are prone to reactive responses that could worsen the situation. To make it simple, here is a list of what not to do:

  • Do not reply to the email. A reply confirms that the address is live and that the demand reached a real target.
  • Do not panic.
  • Do not delete the email. It is evidence, and its headers are needed to trace where it came from.
  • Do not click on any images or links in the email, and do not open any attachment. Links and attachments may track who opened them or deliver malware.
  • Do not save the email to your hard drive or an external storage device, such as a USB drive. Leave the original on the mail server, where the CSIRT can collect it intact.
  • Do not forward the email to anyone in or outside the organization.
  • Do not keep it a secret from executive management.
  • Do not call, email or use social media to tell friends or colleagues of the incident.
  • Do not immediately call local law enforcement, the FBI or the Secret Service on your own; that decision is made with the CSIRT lead and executive management.

What needs to be done immediately is to alert the company's CSIRT (Computer Security Incident Response Team). If a company doesn't have a CSIRT, it should assemble and exercise one before it needs it. The CSIRT can then quickly determine the severity level of the incident and take the next steps for containment, remediation and control. The CSIRT usually escalates to executive-level managers, but if the incident involves those executives or their executive assistants, it should instead escalate to a designated senior manager or the CISO to begin the investigation, so that no one who is a target of the demand sits in the escalation path.
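What the CSIRT does once the message is handed over, as an added example that is not part of the original article: it pulls the original message from the mail server rather than from the recipient's machine, hashes the raw bytes for chain of custody, extracts the sender and Reply-To headers, pulls and defangs any links so they cannot be clicked from a ticket, and assigns a provisional severity. The sample message below is constructed for illustration (example.com and example.net addresses, not a real extortion email), and the keyword list and severity rule are assumptions a real team would replace with its own escalation matrix.

```python
"""CSIRT intake of a reported extortion email (added example, not the article's)."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for illustration only; not a real extortion email.
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.com with ESMTP id abc123\r\n"
    b"\tfor <ceo@example.com>; Mon, 20 Jul 2015 09:12:01 +0000\r\n"
    b"From: \"IT Helpdesk\" <helpdesk@example.com>\r\n"
    b"Reply-To: payment-desk@mail.example.net\r\n"
    b"To: ceo@example.com\r\n"
    b"Subject: Final notice - your files\r\n"
    b"Date: Mon, 20 Jul 2015 09:12:00 +0000\r\n"
    b"Message-ID: <20150720091200.1234@mail.example.net>\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\r\n"
    b"\r\n"
    b"We hold copies of your internal documents. Pay 5 BTC within 48 hours\r\n"
    b"or they go public. Proof: http://evidence.example.net/sample.zip\r\n"
)

# Assumed indicator vocabulary; a real team tunes this to what it actually sees.
RANSOM_TERMS = re.compile(
    r"\b(pay|payment|bitcoin|btc|ransom|deadline|within \d+ hours)\b", re.I
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()


def defang(url: str) -> str:
    """Rewrite a URL so it is not clickable when pasted into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(raw: bytes) -> dict:
    """Build an evidence record and a provisional severity from the raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]

    # Read the body as text without rendering HTML or following anything in it.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""

    urls = URL_RE.findall(body)
    terms = sorted({m.group(0).lower() for m in RANSOM_TERMS.finditer(body)})
    # A Reply-To on a different domain than From is a classic sign the sender
    # address is spoofed or borrowed and the real contact channel is elsewhere.
    mismatch = bool(reply_to) and domain(reply_to) != domain(from_addr)

    # Assumed severity rule: demand plus an external contact channel or a link
    # to "proof" is treated as high; a bare demand as medium; otherwise low.
    if terms and (mismatch or urls):
        severity = "high"
    elif terms:
        severity = "medium"
    else:
        severity = "low"

    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # hash of the untouched original
        "message_id": msg.get("Message-ID", ""),
        "received_hops": len(msg.get_all("Received", [])),
        "from": from_addr,
        "reply_to": reply_to,
        "reply_to_mismatch": mismatch,
        "urls_defanged": [defang(u) for u in urls],
        "ransom_terms": terms,
        "severity": severity,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The record this produces is what goes into the incident ticket: the hash ties every later finding back to the exact bytes collected, the defanged links keep anyone reading the ticket from visiting the extortionist's site, and the severity is only a starting point for the CSIRT lead's call on escalation.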

Depending on the incident severity level, the CSIRT lead and executive management will determine whether to call local and/or federal law enforcement. The CSIRT call list should carry current contact names and phone numbers for those agencies, checked at each incident response exercise so they are not stale when needed.

While executive cybersecurity training has become a recurring topic of late, and is discussed at C-level executive conferences such as the National Association of Corporate Directors (NACD), the World Economic Forum, the Clinton Global Initiative, Fortune's Most Powerful Women Summit and the Wall Street Journal's CEO Council, there is no formalized executive cybersecurity training available today.

It can be difficult to get executive management to sit through training, and even more so for cybersecurity. However, that dynamic is rapidly changing. Executives are realizing that, after a breach, attack or major security incident, a poor security program can leave them personally liable and subject to financial penalties or incarceration.

Executives will stay current on cybersecurity issues if it becomes a recurring topic in boardrooms. Cybersecurity needs to be integrated into boardroom discussions as a normal part of doing business. There are many ways to do this: public companies determining whether cybersecurity risks belong in the risk factor disclosures of their Form 10-K filing with the SEC, or senior management regularly reporting the organization's state of cybersecurity, enterprise security governance and compliance to the board of directors.

In my opinion, cybersecurity awareness training is the responsibility of the CISO. Executives are pulled in many different directions that all demand their attention, and when an incident occurs, such as an email extortion scheme or a breach, they should already be well versed in the incident response protocols. Otherwise, they will paint themselves into a corner, and the response to the crisis will be reactive, impulsive and almost invariably unfavorable in its results.

Do not exclude executive-level management and administrative staff. It is critical that they know firsthand what to do in the event of an extortion communication. Integrate cybersecurity into the boardroom as a recurring state-of-cybersecurity report to raise awareness and keep it current. Encourage topics that include cybersecurity insurance, cybersecurity policies, and current security event scenarios and how they would affect the company. Ensure that all executives and their administrative assistants are present during cybersecurity discussions.

This was last published in July 2015