While CIOs often find themselves in the driver’s seat for IT-focused risk decisions, there is little precedent for handling an attempt by a researcher to profit from stolen data. To lead your organization through this decision effectively, follow an outcome-focused approach. The following points outline one at a high level.
1. Define potential outcomes
The desired end state should drive the definition of the potential outcomes. This should include input from Legal, IT, PR, and other stakeholders to make the best overall decision for the business.
In this case, most would agree that an appropriate immediate response is to increase security monitoring of anomalous network activity, privileged account use, and login locations.
An alternative response might be to reset passwords. However, this creates significant disruption to the business and would likely be considered an overreaction given that, at this point, it is unknown whether your company is affected at all.
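One concrete form of the login-location monitoring recommended above is to alert on any successful sign-in from a country an account has never used before, rating privileged accounts higher. The script below is an added example and is not code from the original article or from Rook Security; the log format, the privileged-account list, the baseline cut-off date and the sample events are all constructed for illustration, and a real deployment would read from your identity provider or SIEM instead.

```python
"""Flag successful sign-ins from a location an account has never used before.

Added example, not part of the original article. Sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample authentication events (not real data).
# Format per line: <ISO-8601 UTC timestamp> <account> <SUCCESS|FAILURE> <source country>
SAMPLE_LOG = """\
2014-08-01T08:02:11Z alice SUCCESS US
2014-08-01T08:15:40Z bob SUCCESS US
2014-08-02T09:01:03Z alice SUCCESS US
2014-08-03T21:14:55Z svc_backup SUCCESS US
2014-08-06T02:47:19Z alice SUCCESS RO
2014-08-06T02:48:02Z svc_backup SUCCESS RO
2014-08-06T03:10:44Z bob FAILURE BR
"""

# Assumption: the organization maintains its own list of privileged/service accounts.
PRIVILEGED_ACCOUNTS = {"svc_backup"}

# Assumption: history before this instant is trusted and defines each account's normal locations.
BASELINE_END = datetime(2014, 8, 5, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    account: str
    success: bool
    country: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the whitespace-separated sample format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, result, country = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, account, result == "SUCCESS", country))
    return events


def baseline_locations(events, baseline_end):
    """Countries each account successfully signed in from before baseline_end."""
    seen = defaultdict(set)
    for ev in events:
        if ev.success and ev.when < baseline_end:
            seen[ev.account].add(ev.country)
    return seen


def flag_new_locations(events, baseline_end, privileged):
    """Alerts for successful sign-ins after baseline_end from a never-before-seen country.

    Failed attempts are not alerted: a failure from a new place is noise on its own,
    while a *success* from a new place is the signal that a leaked credential may be in use.
    An account with no baseline at all is treated as "no known locations" and is flagged.
    """
    known = baseline_locations(events, baseline_end)
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.success or ev.when < baseline_end:
            continue
        if ev.country in known[ev.account]:
            continue
        alerts.append({
            "time": ev.when.isoformat(),
            "account": ev.account,
            "country": ev.country,
            "known": sorted(known[ev.account]),
            "severity": "high" if ev.account in privileged else "medium",
        })
        # Deliberately do not add the new country to the baseline here:
        # a single unexplained success must not quietly become "normal".
    return alerts


if __name__ == "__main__":
    for alert in flag_new_locations(parse_log(SAMPLE_LOG), BASELINE_END, PRIVILEGED_ACCOUNTS):
        print(alert)
```

With the constructed sample, alice's sign-in from RO is rated medium and the privileged svc_backup account's sign-in from RO is rated high; bob's failed attempt from BR is not alerted. Freezing the baseline rather than learning from post-cutoff successes is the point of the check: if leaked credentials are already being used, letting the attacker's location train the model would hide exactly the activity you are trying to see.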
Determine whether your company was impacted. Unfortunately, in the current case, Hold Security does not appear able to respond to the volume of inbound inquiries in a timely manner, and there is no tool with which you can check whether your domain was affected. With this in mind, evaluate legal options with counsel: whether to file a civil action in federal court to determine if your credentials were impacted, and/or to seek an injunction against use or retention of the credentials. At the federal level, a starting point would be Title 18 U.S.C., Sections 1831, 1832, 2314 and 2315. As the aforementioned headquarters is in Wisconsin, one could begin by evaluating Wisconsin state code 943.20, 943.34 and 134.98.
2. Determine the impact of each option on the business
Each of the identified options will have a set of pros and cons. Work closely with the other stakeholders to determine the direct and potential impact on the business. For example, a full reset of domain credentials will disrupt production systems, Web users, and even sales team members in the field. Disruptions of that nature will often not be approved unless security is sure that credentials have been compromised. Be careful not to create additional business challenges through knee-jerk reactions.
3. Decide on the acceptable level of risk
Timing and external factors will drive your team's risk tolerance. For example, if you are in the middle of a merger or acquisition and data obtained through stolen credentials could significantly affect the deal, it may be worth disrupting the business with an enterprise-wide password reset. In most cases, however, a reset does not make sense until you have verified that credentials were compromised and that the data those credentials protect is sensitive enough for the compromise to cause real harm.
4. Choose a course of action
Evaluate the outcomes, impact, and risk, and then make a decision. The team needs to agree that the decision is right-sized to the risk and reward of the chosen course of action. The important part is managing and communicating the residual risk regardless of the outcome chosen, even if the decision is to do nothing.
Overall, striking the proper balance between an expedient response and your company's acceptable risk tolerance will continue to be a challenge for CIOs and their peers. When possible, spend the time before an incident to establish policies and procedures for handling these situations, as they often fall outside the crisis response and incident response plans drafted by PR and IT respectively.
J.J. Thompson is the Founder and CEO of Rook Security, an IT Security firm providing security strategy, crisis management, and next generation security operations services.
Prior to Rook, J.J. served Global 100 accounts through strategic incident & crisis response while at Ernst & Young. J.J. has been published in major industry journals and covered in Bloomberg, USA Today, Forbes, CSO and other major media outlets. Currently J.J. serves as the President of ISC2 Indianapolis, and previously as the President of the Silicon Valley chapter of the ISSA.
J.J. holds a degree in Management Sciences from The University of Iowa.
The opinions expressed in this blog are those of J.J. Thompson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.