Asking These Big Questions Will Help You Predict Future Compromise
Over the past few weeks, I've had arguments with friends in the information security echo chamber about whether it was prudent of me to make public comments about the security the beleaguered Healthcare.gov website when I had not actually performed a formal assessment of it. My answer -- that I'd assessed all I needed to reach my conclusions -- failed to satisfy some.
Tue, January 07, 2014
CSO — Over the past few weeks, I've had arguments with friends in the information security echo chamber about whether it was prudent of me to make public comments about the security the beleaguered Healthcare.gov website when I had not actually performed a formal assessment of it. My answer -- that I'd assessed all I needed to reach my conclusions -- failed to satisfy some.
Some of this disagreement stemmed from the fact that I was speaking of strong indicators, not evidence, of trouble. Did I go too far in my conclusions? Time will tell.
Could I have been less abrasive about how I stated my conclusions? Always.
But the experience raised a much larger question: I was assuming that incident assessment was more universally understood than it is. My statements therefore seemed black-box and arbitrary, and that's never my intent.
Lest I re-kindle the debate, let me move completely away from Healthcare.gov and into general incident response and how I walk into a place where I've never been and help figure out (a) if there is a problem; (b) if there is, how big it is, and (c) where do we start to fix the most broken stuff the fastest.
In the past, when an organization asked me to help them understand a compromise, I started by asking questions designed to disqualify avenues of investigation. I often start with two big ones. Of course, these are not the only questions I ask, but they are among the first ones, because the wrong response is so strongly correlated with other horrible practices and habits of security guttersnipes:
Can we take a look at your network logs, flow records or analysis and/or traffic capture for the last few days?
Can I see your latest network scan results?
The answers to these questions are often telling. In many cases, I'm far less interested in what the logs and captures say than the fact that they exist in a form that is accessible by someone in a reasonable amount of time, and that they can in fact be accessed and presented in a form that allows them to be analyzed.
You would be shocked at just how many organizations fail completely at this request.
The "latest scan results" is asking the all-telling question, "Do you know, within a 25% margin of guesstimation, how many endpoints are connected to your network?"
If the company fails these two basic questions, I am certain to find a major mess. Those things didn't cause the mess, but their presence indicates an inattention to security detail, lack of procedural integrity, failure to backstop and a directionality of spending that historically have shown to be conditions present in an organization that has been compromised.