Deflecting and Responding to Data Security Breaches
February 2006
The growth of Internet communications and
Web applications has increased exponentially in the past 5 years and, as a result,
all businesses must watch out for the new breed of risk created by the networked
economy.
by Saundra Kae Rubel,
edited by Gary E. Clayton, Esq.
www.privacycg.com
Companies of all sizes are being affected by data security breaches now more
than ever. Not a week goes by where there isn't a newsworthy data loss event.
With businesses being dependent on their computer networks and the data in them
for success, a lack of proper planning for data security incidents will leave
a company in a precarious position. Companies such as ChoicePoint and BJ's Wholesale
know just how precarious: ChoicePoint's data security breach led to a $15
million fine by the Federal Trade Commission,1 and BJ's has set aside $16 million to recover from its data security
incident.2
Is your company prepared to defend against and respond to a security breach?
If not, does it know how to get prepared? Effective risk management is an integral
part of any network and data security program. Protection of a business' assets—including
information systems and confidential and proprietary data—must be embedded in
every organization's mission. The standard risk management processes—risk mitigation,
evaluation, and assessment—can be applied to the area of computer and data security.
Threats to the network must be mitigated, potential vulnerabilities analyzed,
and the proper controls put into place to limit exposure.
Understand Your Risk
Preparedness for a security event of any kind calls for a better understanding
of what types of events might occur. A security incident refers to an adverse
event in an information system and/or network, or the threat of the occurrence
of such an event. A security incident can include any of the following events.
- Unauthorized access by employee, contractor, or third party
- Root or system level attacks to any host or system
- Compromise of restricted confidential service accounts or software areas
- Denial of service attacks to infrastructure, confidential service accounts,
or software areas
- Large scale attacks of any kind (worms, sniffing attacks, etc.)
- Threats, harassment, or criminal offenses involving individual user
accounts
- Compromise of individual user accounts
- Compromise of desktop systems
- Forgery, misrepresentation, or misuse of resources
- Loss or theft of a workstation, computer, laptop, PDA, BlackBerry, backup
media, or CD-ROM
- Any act of violation of an established policy
Implement Policies and Procedures
Preparedness for a security event also calls for well-defined policies and
procedures. For example, when a security incident occurs, the ensuing investigation
may warrant taking intrusive steps, such as monitoring activities of employees.
Without any policies to the contrary, your employees might have an expectation
of privacy during an investigation. With the proper policies and established
procedures, however, you can more effectively pursue your determined objectives
when responding to an incident.
Policies should share common elements, which allows for consistency across
departments. Each policy should contain at a minimum: purpose, scope (who the
policy applies to), actual policy statement, acknowledgement statement with
voluntary or mandatory participation, the stated process the policy supports,
general requirements, user requirements, definitions, objectives, how and when
the policy is updated, sponsor of the policy, custodian of the policy, and revision
history.
Assign Responsibility
Whether an organization has a dedicated security department or only part-time security
staff, specific responsibilities must be assigned in case of an incident. Depending
on the size of the company, there may be a need for a complete security department;
some companies will have a chief information officer (CIO) who will also handle
security incidents.
A computer security incident response team (CSIRT) is a group of professionals
within an organization who are trained to respond to an information system or
data security incident. This select group of individuals follows a specific
plan when activated during a breach (or potential breach).
This team's role is investigation and problem solving. Team members should
include among others:
- Management personnel and mission owners with the authority to act
- IT security program manager (or other individual responsible for the
security program)
- IT system owners
- Business or functional managers
- IT auditors
- Technical personnel with the knowledge and expertise to rapidly diagnose
and resolve problems
- Communications representatives who can keep the appropriate individuals
and organizations informed and can develop public image control strategies
as necessary
The CSIRT must create a mission statement that aligns with the corporation's
goals. Typically, a team operates in one of two modes: proactive or reactive.
Proactive work includes security awareness, education, and analysis of user
behavior and event logs. Reactive work is the response triggered by an
incident.
Develop a Formal Plan
What's a team without a plan? A documented plan for responding to security
incidents (or potential incidents), commonly called an incident response plan
(IRP), is a necessity for effectively handling the internal and external issues
surrounding a crisis. An IRP:
- Prevents a disjointed, noncohesive response
- Confirms or dispels whether an incident occurred
- Enables legal and law enforcement to prosecute malicious entities
- Promotes accumulation of accurate information
- Establishes controls for proper retrieval and handling of evidence
- Protects privacy rights established by law and policy
- Minimizes disruption to business and network operations
- Provides accurate reports and useful recommendations
- Provides rapid detection and containment
- Establishes priorities
- Minimizes exposure and compromise of proprietary data
- Protects the organization's assets and reputation
- Educates senior management
- Promotes rapid detection and/or prevention of such incidents in the
future
For an IRP to be successful, its maintenance must be an ongoing
process: the plan must be kept current to reflect organizational and infrastructure
changes and newly discovered vulnerabilities as they occur. In addition, an
IRP should be a key component of a well-rounded information security program
that includes policies and procedures, a compliance monitoring program, and an
intrusion detection system.
However, the scale of a response is dictated by the nature of each individual
organization. An organization that does little e-commerce can more easily disconnect
its network at a moment's notice without much harm to its revenue, while
an organization whose mainstay is e-commerce may want to invest more resources
into developing an in-depth IRP.
Each plan will be different, and a one-size plan does not fit all. The plan's
success depends on willing participants, streamlined processes, management
support, and knowledge of where data lies in the organization. If you have not
already audited where data exists in both manual and electronic form,
now is a good time to do so as part of the overall preplanning.
If you do not know where your data is, it is hard to know when it has been lost
or compromised, or what to remediate when an incident occurs. Data maps
and data flows are extremely helpful in incident response scenarios.
Determining If There Has Been an Incident
In most cases, staff will already have a good idea if there has been an incident.
However, the extent of the incident might not be known. Here are a few suspicious
events to be aware of when preparing a plan to follow.
- Hardware problems
- Software problems
- Accidental deletion of system or user files
- Malicious user
- A strange process running and accumulating a lot of CPU time
- Intruder logged into system
- Virus has infected system
- Someone from a remote site is trying to penetrate the system
- The corporate Web site has been defaced
- Hacked user account
- Hacked root account
- Denial of service (DoS) attack
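Several of the suspicious events above can be screened for automatically once the plan says what "normal" looks like. The script below is an added example, not code from the article or its author: it runs three simple triage checks over constructed sample data, namely a process snapshot (for a strange process accumulating a lot of CPU time), a few syslog-style sshd lines (for someone at a remote site trying to penetrate the system and for a hacked root account), and a hash comparison of the corporate home page against a known-good baseline (for defacement). The thresholds, the internal address ranges, the host names, the log lines and the baseline page content are all assumptions made for the example.

```python
"""Triage checks for a few of the suspicious events an IRP should watch for.

Added example, not part of the original article. Every input below is
constructed for illustration; thresholds, address ranges, host names and the
baseline page are assumptions, not values taken from the article.
"""
import hashlib
import re
from collections import Counter

# --- Constructed inputs ---------------------------------------------------

# Process snapshot as (pid, user, cumulative CPU seconds, command).
PROCESS_SNAPSHOT = [
    (412, "root", 18.0, "/usr/sbin/sshd"),
    (1337, "www", 8.0, "/usr/sbin/httpd"),
    (2048, "www", 52300.0, "./.x/kworkerd"),   # unfamiliar binary, huge CPU time
    (2101, "alice", 3.0, "bash"),
]

# Authentication log in a syslog-like sshd format (constructed).
AUTH_LOG = """\
Feb 14 02:11:03 web01 sshd[512]: Accepted password for alice from 10.0.5.21 port 51022 ssh2
Feb 14 02:11:09 web01 sshd[513]: Failed password for root from 203.0.113.9 port 40111 ssh2
Feb 14 02:11:12 web01 sshd[514]: Failed password for root from 203.0.113.9 port 40112 ssh2
Feb 14 02:11:15 web01 sshd[515]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Feb 14 02:11:18 web01 sshd[516]: Failed password for root from 203.0.113.9 port 40114 ssh2
Feb 14 02:11:21 web01 sshd[517]: Failed password for root from 203.0.113.9 port 40115 ssh2
Feb 14 02:11:29 web01 sshd[518]: Accepted password for root from 203.0.113.9 port 40118 ssh2
Feb 14 02:15:40 web01 sshd[530]: Failed password for bob from 192.168.1.7 port 50001 ssh2
"""

# Assumed organizational address space; anything else is "remote".
INTERNAL_NETS = ("10.", "192.168.")
FAILED_LOGIN_THRESHOLD = 5          # failures from one source before we flag it
CPU_SECONDS_THRESHOLD = 3600.0      # one hour of CPU time for a server process

# Known-good hash of the public home page, recorded at deploy time (constructed).
BASELINE_PAGE = b"<html>Welcome to Example Corp</html>"
KNOWN_GOOD_HASH = hashlib.sha256(BASELINE_PAGE).hexdigest()

# --- Checks ---------------------------------------------------------------

def find_runaway_processes(snapshot, threshold=CPU_SECONDS_THRESHOLD):
    """Processes whose cumulative CPU time exceeds the threshold."""
    return [p for p in snapshot if p[2] > threshold]

LOG_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)"
)

def parse_auth_log(text):
    """Return (outcome, user, source) tuples for each sshd login line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events

def find_remote_penetration_attempts(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Sources with repeated failures, plus any root login accepted from outside."""
    failures = Counter(src for outcome, _, src in events if outcome == "Failed")
    brute_force = {src: n for src, n in failures.items() if n >= threshold}
    external_root = [src for outcome, user, src in events
                     if outcome == "Accepted" and user == "root"
                     and not src.startswith(INTERNAL_NETS)]
    return brute_force, external_root

def web_page_defaced(current_html, baseline_hash=KNOWN_GOOD_HASH):
    """True when the served page no longer matches the deploy-time baseline."""
    return hashlib.sha256(current_html).hexdigest() != baseline_hash

def triage(current_html):
    """Run all checks and return one human-readable finding per hit."""
    findings = []
    for pid, user, cpu, cmd in find_runaway_processes(PROCESS_SNAPSHOT):
        findings.append(f"runaway process pid={pid} user={user} cpu={cpu:.0f}s cmd={cmd}")
    brute_force, external_root = find_remote_penetration_attempts(parse_auth_log(AUTH_LOG))
    for src, n in brute_force.items():
        findings.append(f"{n} failed logins from {src}: possible remote penetration attempt")
    for src in external_root:
        findings.append(f"root login accepted from external address {src}: possible hacked root account")
    if web_page_defaced(current_html):
        findings.append("home page hash differs from baseline: possible defacement")
    return findings

if __name__ == "__main__":
    for finding in triage(b"<html>defaced</html>"):
        print(finding)
```

Each check returns structured data rather than just printing, so the same functions can feed a ticketing system or a CSIRT call-out; the baseline hash approach in `web_page_defaced` only works if the hash is recorded from a trusted copy at deploy time and stored away from the web server it protects.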
Data security involves the education and systematic training of employees.
Policies must be enforced and security should be a part of an organization's
overall mission. Risk managers will need to cost-justify information security,
understand security best practices, gain senior management support, and integrate
security into all data handling practices.
Saundra Kae Rubel,
CIPP, is a consultant with Privacy Compliance Group. She has over
7 years' experience in implementing privacy management practices into business
processes. She specializes in security and data protection issues and has served
as a member of the California Office of Privacy Protection Task Force on California Information-Sharing Disclosures and Privacy
Policy Statements. A member of the InfraGard and High Tech Crime Investigation
Association (www.HTCIA.org),
Ms. Rubel works with organizations to ensure their business practices meet international
data protection regulations. She was awarded the Certified Information Privacy
Professional (CIPP) designation in October 2004.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.