If your system has been hacked, what would your first reaction be?
Speaking for myself, I think I would want to know who did it and figure out how it was done. That’s my personality, to learn the who, what, and why of a situation first, and then focus on the damage control. I suspect that this is human nature for a lot of people, too.
On the other hand, when I asked that question to a security professional during an informal conversation, his response was this: Find out what information was hacked and determine whether the FBI needs to be involved immediately. You have to figure the data had already been compromised, he said, so you’ve got to work on minimizing the damage.
According to Edward J. McAndrew, assistant United States attorney and cybercrime coordinator with the U.S. Attorney’s Office in the District of Delaware, and Anthony DiBello, director of strategic partnerships for Guidance Software, the security professional I spoke with is on the right track. When a hack happens, it is important to resist human nature regarding the hacker (at least immediately). Instead, you want to focus on mitigating damage and data loss and providing information to law enforcement so the cops can identify and take action against the bad guys.
Contacting law enforcement doesn’t seem to be a priority during the immediate post-breach phase. For instance, Digital Guardian asked dozens of security professionals what steps to take after a data breach. Granted, a breach doesn’t necessarily mean the network was hacked – it could have happened via a lost cellphone or laptop – but I found it interesting that contacting law enforcement was not included in the comments, not even in the most detailed responses of action steps to take. If your company suffered another type of break-in or property loss, that would be the first step. So why isn’t it a priority when data is compromised or stolen?https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
It could be that we still haven’t reached the point where we consider electronically stored information in the same way we consider physical property, although I do think that is changing. It could also be a cultural or territorial thing – IT staff not wanting to admit or be held responsible for the hack happening under their watch. Or it could simply be that there is no protocol in place on how or when to report a hack to law enforcement. So McAndrew and DiBello have come up with the information that is helpful for the authorities to use to find cyber criminals, adding that these tips will also be dependent on the type of incident and other factors. But overall, it is a starting point for IT and security staff to create an incident reporting protocol if none is in place. The tips include:
- Identify and contact information for individuals responsible for various components of incident response (legal, IT, senior management, outside consultants, etc.).
- List information about discovery of the incident and steps taken since the discovery of the incident.
- Compile information relating to past incidents that may be related to the current incident.
- Share information about past contact with law enforcement agencies about other incidents. [This can allow us to quickly cross-reference historical information].
- Provide identification of information systems and components involved and their locations.
- To the extent they can be shared, give results (even partial) of internal investigative reports or forensic examinations conducted by non-law enforcement personnel regarding the incident.
- Identify signatures for detected malware, spyware and the like.
- Prepare system logs (DNS, servers, etc.) relating to the incident.
- List IP addresses and other external identifiers believed to be involved in the incident.
- Provide network maps, locations and data flows relating to the incident, including vendors and cloud service providers.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba