It’s a fox television special waiting to be made: When hackers attack. There’s blame and blunder, sensationalism and surprise, and a theme song whose sinister refrain reminds you that no one?not you, not your competitor?really knows the best way to respond to an information security breach.
With pervasive fears about terrorism, security threats have proven all too real. Our antidote to the doom and gloom? A guide for what not to do when you get hacked. So take a moment to learn from the mistakes that others have made. Because your chance to avoid these worst practices might be just around the corner.
Deny, Deny, Deny
Not admitting that you have a problem is the first step to not recovering. In a recent CIO survey of CIOs and other top IT managers, only 41.1 percent of the 600 respondents said they would know when their systems were under attack. Time and again, studies show that companies are simply not aware of security breaches.
“You’ll hear companies say, ’I’ve never been hacked,’ when what they really mean is, ’I’ve never detected that I’ve been hacked,’” says Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, and CTO and founder of Counterpane Internet Security in Cupertino, Calif. Once a company starts monitoring its systems for intruders, he says, “they’re amazed at the amount of activity going on that they never had any window to see.”
Then there are those pesky employees who retaliate after messy layoffs. In August, for instance, The New York Times reported on an IT executive who caused up to $20 million in damage when he sabotaged the computer systems of the New Jersey chemical company that had laid him off. Cases like that underscore the fact that the majority of security breaches are by insiders.
Your employees, on the other hand, are hardworking, loyal and honest. That must be why, in that same CIO survey, 34 percent of the respondents indicated that they don’t store critical data on a restricted or confined system, away from other company information that requires less security. In other words, once intruders are in, they can get access to anything and everything.
On the flip side, there’s the tale of MIT. A couple of years ago, officials at the tech-savvy university reported that a hacker had altered grades in its computer system. The next day, they sheepishly retracted the statement, explaining that a teaching assistant had made a data entry error.
When business and IT employees think they’re under attack, they panic. They call all the wrong people, they start rebooting or unplugging computers, and in the process they often do more damage?either to data, business continuity or the organization’s reputation?than the intruder would have done. This is especially true when companies have installed intrusion detection systems, which generate false positives that security experts need to sort through for the real problems. “While it’s true that most companies may not know that they’ve been hacked, those who have taken a lot of precautions can find that they have hundreds of alerts,” says Jay Ehrenreich, senior manager in the cybercrime prevention and response group at PricewaterhouseCoopers in New York City. “The question is, which are the ones that you really want to focus on, and how do you know for sure? That’s the next level of the problem.”
The only way to prevent chaos is by establishing a clear incident-response plan, which explains whom employees should call when they suspect a problem, how and when this information should be shared with other employees or the media, and how the company will fix the problem. Most companies, though, are well-poised for a panic attack. Again, according to the CIO survey?a veritable guide to worst practices?only one-third of the respondents said they had a procedure for responding to a security problem.
Destroy The Evidence
Ed Skoudis, author of Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses and vice president of security strategy at New York City-based Predictive Systems, recalls several cases where evidence was stricken from a court case because it had not been adequately protected. In one especially memorable incident, a company that used a surveillance video to explain how a room was laid out inadvertently provided evidence against itself. The surveillance video showed that a safe containing evidence had been left wide open. “They weren’t locking the safe because they didn’t think what they had was important,” Skoudis says. “You need to protect the information you gather.” Even if you don’t need it for court, it can help you figure out what happened and how to fix the problem.
When investigating a security breach, a company should make a digital image of the relevant hard drive before doing anything else, like opening a file and changing its last access date. This image will include not only the files on the hard drive but also parts of the drive that contain evidence of deleted files. The original evidence must be locked up and have a clear chain of custody. Meanwhile, the image can be used for the forensics investigation.
“Change one bit, you must acquit,” as Ehrenreich of PricewaterhouseCoopers likes to say when discussing the effervescent quality of digital evidence.
But who wants to mess with justice, anyway?
Whatever you do, don’t call the authorities
Skoudis remembers another instance in which a large brokerage company got a call from hackers who claimed to have planted a logic bomb that would crash the company’s computers at a certain time?unless the company paid them big bucks. The technical staff found no evidence of tampering, so the company ignored the call. Sure enough, the company’s systems, which processed millions of dollars of transactions an hour, crashed at the appointed time. The next time the extortionists rang, the company knew that the threat was real and got law enforcement involved.
Law enforcement officials can look for patterns, collect evidence and sometimes put hackers behind bars, and this doesn’t necessarily mean having your company’s name dragged through the mud. Yet most companies haven’t figured out that reporting a security breach can help not just them but also business as a whole. “When you give criminals impunity, it emboldens them,” explains FBI Agent Mark Bowling in Milwaukee. “It’s simple criminal psychology.”
A whopping 36 percent of companies report hacks, according to the latest study done by the Computer Security Institute and the FBI. So you’re off the hook. Someone else will fix the problem, and if you ignore hackers they will go away. Better yet, pay them off and then offer them jobs. You can trust them, right? (See number 1.)
Ignore rumors, they’ll go away
In late October 2000, a security breach at Microsoft made headlines around the world. Early reports indicated that the intrusions may have lasted up to three months. But unnamed sources soon turned into company spokespersons, and the time frame dwindled to about 12 days. In the end, careful observers were sure only that the software giant’s source code may or may not have been involved.
A year later, many experts still point to this as a classic example of what a company should not do when news of a hack becomes public information?specifically, speak with separate and conflicting voices. “When you’re hacked, you can’t let the public think you’re part of the cover-up,” Schneier says.
When customers need to know about a problem, or when information about the problem is already in the press, the logical thing to do is issue a formal, factual statement about the fact that you’ve been a victim of a crime. But why not just rely on word of mouth? News will get out?and some of it might even be true.