Most Companies Lack Post-Attack Plans

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More .

While the industry focuses on keeping corporate networks from being
attacked, very few companies actually have a planned response for when they
are attacked.

And most security analysts agree that it’s not a matter of if a company will
be attacked. They will be hit. It’s just a question of when and how hard.

“Bad things are going to happen,” says Kenneth Citarella, deputy chief of
the Investigations Division of the Westchester County District Attorney’s
Office. “What are you going to do when it happens? It’s a critical time.
The worst thing is to find out that you screwed up and ruined evidence or
otherwise ruined your chance of making things right. You’ve got to know what
to do before it happens.”

Firewalls, VPNs and intrusion detection software are heavy hitters in the
security market. IT administrators, naturally, are constantly searching for
new ways to keep intruders — whether it be hackers or worms or viruses — out
of their systems. Where the plan falls apart is what to do once security is
breached.

And it doesn’t help the situation that there are very few clear answers.

Law enforcement agents, forensic experts and corporate security
administrators have different goals — so they also have different ideas
about how to handle an attack. Should you bring the network down? Should you
leave it running? Should you call the police in immediately?

Law enforcement agents generally recommend that you shut the machine in
question down immediately. If it’s a desktop or laptop computer, unplug it
and lock it up.

Experts in the commercial world say IT should poke around a bit to figure
out if the attack came from the inside or the outside; what part of the
system was affected; was information changed or deleted; what’s the extent
of the damage? They say you need the answer to these questions to decide if
law enforcement needs to be called.

There’s no one agreed-upon answer.

“This disagreement… it’s been a problem for a long time,” says Chet
Hosmer, president and CEO of WetStone Technologies, Inc., a digital security
company based in Cortland, N.Y. “The key is to have some level of
understanding before the attack happens. Have an action plan of what you’re
going to do. Portions of your system need to be working so you have tough
decisions to make… You don’t want to be making big decisions like that
under fire. You have to figure out before hand what your plan will be.”

Part of that plan should be deciding when law enforcement should be called
in. Most security breaches go unreported. That means most attackers go
uncaught and unpunished, fully capable of attacking again. Calling in law
enforcement, however, can lead the company down a long, expensive and
embarrassing path.

“Companies need to realize that an investigation and prosecution is going
to be hard work — for the company,” says Citarella of the DA’s office.
“When you call law enforcement, know what you’re in for… We will cost you
money. Personnel and resources will be diverted from making your company
money. You will underestimate the amount of evidence needed… When it comes
time for a grand jury or a trial, all the plans you’ve made for your
employees to work on projects or go to conferences go out the window.

“You are not going to control events,” he adds.

And Citarella points out that once law enforcement is called in, the company
can’t simply send them away.

“Once you bring it to law enforcement, you cannot back out,” he says.
“You cannot call off the prosecutorial dogs.”

But Citarella is quick to point out that security breaches need to be
reported far more than they are today. And they largely are going
unreported. A recent study by the Aberdeen Group, an industry analyst firm
based in Boston, noted that reported security incidents are expected to top
200,000 this year. Aberdeen analysts say they expect the number of
unreported incidents to hit 15.9 million this year.

“Getting even is wonderful,” says Citarella. “And it generates more
deterrence. Customers also feel better knowing you’re trying to protect them
rather than trying to cover something up.”

Another key step — both in handling an attack and in generating deterrence —
is to have a policy governing employee use of the corporate network, email,
the telephone system and hardware. Every analyst interviewed says it needs
to be made clear employees cannot expect any privacy in the workplace.
Taking that step alone, eases evidence gathering and a digital
investigation.

“You have to have a policy,” says Frantz Sainte, president of STMC LLLC,
an IT forensic service out of Stamford, Conn. “It has to say that employees
have no right to access or data in the workplace. They shouldn’t have any
expectation of privacy.”

Sainte, and other security experts, also advise IT administrators to have a
pop-up window appear when the computer is being booted up. The window should
offer a policy reminder that the employee needs to click on, and thus
acknowledge, every day.

Here are some tips from law enforcement, industry analysts and digital
forensic experts on how to plan for handling an attack:

Have a relationship already established with your local police, FBI
office or Secret Service office. Making contact before a crisis, gives you a
familiar face to work with and familiarizes them with your business and the
extent of your network.

Figure out which law enforcement agency is best suited to handling a
situation for you. According to Ed Appel, COO of the Joint Council on
Information Age Crime, 80% of U.S. police departments have 25 or fewer
sworn-in officers. Who has the resources and the training to handle a
digital crime?

Law enforcement agents advise that once you know something is wrong,
call the police or other agency immediately. “If IT does something
themselves, they could ruin evidence,” says Appel. “It’s like walking
through the blood on the rug.”

Law enforcement also advises IT managers to unplug the machine in
question and lock it up if possible. That will ensure that the evidence is
unaltered and establish a chain of custody.

Forensic experts and some industry analysts recommend that a company
first call a forensic firm to figure out exactly what has happened and how
extensive the damage is. That will help you figure out if you need to call
in the police.

All analysts recommend that a strict record be kept of events, as
well as of who had access to the system from the time a problem was noticed;
who touched it, and exactly what was done to it.

If you have a mirrored system, consider pulling the secondary drives
to preserve and hold for investigation.

If the attack is ongoing, it may be best to shut the system down to
stop the damage.

Make sure the attack is truly over before you bring the system back
online. WetStone’s Hosmer notes that the biggest damage usually is done when
IT thinks the attack is over and brings the system back online, just to have
it damaged even further.

Everyone in IT will want to see the system and see what’s going on.
Limit that. Defense lawyers will look for anyone who had access to the
system and could have altered or planted evidence. The fewer people touching
the system, the better.

Interview your employees. Had they noticed the system acting
strangely? Were there any recent anomalies? When did it start?