Most Companies Lack Post-Attack Plans

While the industry focuses on keeping corporate networks from being attacked, very few companies actually have a planned response for when they are attacked.

And most security analysts agree that it's not a matter of if a company will be attacked. They will be hit. It's just a question of when and how hard.

"Bad things are going to happen," says Kenneth Citarella, deputy chief of the Investigations Division of the Westchester County District Attorney's Office. "What are you going to do when it happens? It's a critical time. The worst thing is to find out that you screwed up and ruined evidence or otherwise ruined your chance of making things right. You've got to know what to do before it happens."

Firewalls, VPNs and intrusion detection software are heavy hitters in the security market. IT administrators, naturally, are constantly searching for new ways to keep intruders -- whether it be hackers or worms or viruses -- out of their systems. Where the plan falls apart is what to do once security is breached.

https://o1.qnsr.com/log/p.gif?;n=203;c=204657336;s=9478;x=7936;f=201808231619130;u=j;z=TIMESTAMP;a=20403940;e=i And it doesn't help the situation that there are very few clear answers.

Law enforcement agents, forensic experts and corporate security administrators have different goals -- so they also have different ideas about how to handle an attack. Should you bring the network down? Should you leave it running? Should you call the police in immediately?

Law enforcement agents generally recommend that you shut the machine in question down immediately. If it's a desktop or laptop computer, unplug it and lock it up.

Experts in the commercial world say IT should poke around a bit to figure out if the attack came from the inside or the outside; what part of the system was affected; was information changed or deleted; what's the extent of the damage? They say you need the answer to these questions to decide if law enforcement needs to be called.

There's no one agreed-upon answer.

"This disagreement... it's been a problem for a long time," says Chet Hosmer, president and CEO of WetStone Technologies, Inc., a digital security company based in Cortland, N.Y. "The key is to have some level of understanding before the attack happens. Have an action plan of what you're going to do. Portions of your system need to be working so you have tough decisions to make... You don't want to be making big decisions like that under fire. You have to figure out before hand what your plan will be."

Part of that plan should be deciding when law enforcement should be called in. Most security breaches go unreported. That means most attackers go uncaught and unpunished, fully capable of attacking again. Calling in law enforcement, however, can lead the company down a long, expensive and embarrassing path.

"Companies need to realize that an investigation and prosecution is going to be hard work -- for the company," says Citarella of the DA's office. "When you call law enforcement, know what you're in for... We will cost you money. Personnel and resources will be diverted from making your company money. You will underestimate the amount of evidence needed... When it comes time for a grand jury or a trial, all the plans you've made for your employees to work on projects or go to conferences go out the window.

"You are not going to control events," he adds.

And Citarella points out that once law enforcement is called in, the company can't simply send them away.

"Once you bring it to law enforcement, you cannot back out," he says. "You cannot call off the prosecutorial dogs."

But Citarella is quick to point out that security breaches need to be reported far more than they are today. And they largely are going unreported. A recent study by the Aberdeen Group, an industry analyst firm based in Boston, noted that reported security incidents are expected to top 200,000 this year. Aberdeen analysts say they expect the number of unreported incidents to hit 15.9 million this year.

"Getting even is wonderful," says Citarella. "And it generates more deterrence. Customers also feel better knowing you're trying to protect them rather than trying to cover something up."

Another key step -- both in handling an attack and in generating deterrence -- is to have a policy governing employee use of the corporate network, email, the telephone system and hardware. Every analyst interviewed says it needs to be made clear employees cannot expect any privacy in the workplace. Taking that step alone, eases evidence gathering and a digital investigation.

"You have to have a policy," says Frantz Sainte, president of STMC LLLC, an IT forensic service out of Stamford, Conn. "It has to say that employees have no right to access or data in the workplace. They shouldn't have any expectation of privacy."

Sainte, and other security experts, also advise IT administrators to have a pop-up window appear when the computer is being booted up. The window should offer a policy reminder that the employee needs to click on, and thus acknowledge, every day.

Here are some tips from law enforcement, industry analysts and digital forensic experts on how to plan for handling an attack:

Have a relationship already established with your local police, FBI office or Secret Service office. Making contact before a crisis, gives you a familiar face to work with and familiarizes them with your business and the extent of your network.

Figure out which law enforcement agency is best suited to handling a situation for you. According to Ed Appel, COO of the Joint Council on Information Age Crime, 80% of U.S. police departments have 25 or fewer sworn-in officers. Who has the resources and the training to handle a digital crime?

Law enforcement agents advise that once you know something is wrong, call the police or other agency immediately. ``If IT does something themselves, they could ruin evidence,'' says Appel. ``It's like walking through the blood on the rug.''

Law enforcement also advises IT managers to unplug the machine in question and lock it up if possible. That will ensure that the evidence is unaltered and establish a chain of custody.

Forensic experts and some industry analysts recommend that a company first call a forensic firm to figure out exactly what has happened and how extensive the damage is. That will help you figure out if you need to call in the police.

All analysts recommend that a strict record be kept of events, as well as of who had access to the system from the time a problem was noticed; who touched it, and exactly what was done to it.

If you have a mirrored system, consider pulling the secondary drives to preserve and hold for investigation.

If the attack is ongoing, it may be best to shut the system down to stop the damage.

Make sure the attack is truly over before you bring the system back online. WetStone's Hosmer notes that the biggest damage usually is done when IT thinks the attack is over and brings the system back online, just to have it damaged even further.

Everyone in IT will want to see the system and see what's going on. Limit that. Defense lawyers will look for anyone who had access to the system and could have altered or planted evidence. The fewer people touching the system, the better.

Interview your employees. Had they noticed the system acting strangely? Were there any recent anomalies? When did it start?