Deflecting and Responding to Data Security Breaches

February 2006

The growth of Internet communications and Web applications has increased exponentially in the past 5 years and, as a result, all businesses must watch out for the new breed of risk created by the networked economy.

by Saundra Kae Rubel, edited by Gary E. Clayton, Esq.
www.privacycg.com

Companies of all sizes are being affected by data security breaches now more than ever. Not a week goes by without a newsworthy data loss event. With businesses dependent on their computer networks and the data in them for success, a lack of proper planning for data security incidents will leave a company in a precarious position. Companies such as ChoicePoint and BJ's Wholesale know just how precarious: ChoicePoint's data security breach led to a $15 million fine by the Federal Trade Commission,[1] and BJ's has set aside $16 million to recover from its data security incident.[2]

Is your company prepared to defend against and respond to a security breach? If not, does it know how to get prepared? Effective risk management is an integral part of any network and data security program. Protection of a business' assets—including information systems and confidential and proprietary data—must be embedded in every organization's mission. The standard risk management processes—risk mitigation, evaluation, and assessment—can be applied to the area of computer and data security. Threats to the network must be mitigated, potential vulnerabilities analyzed and the proper controls put into place to limit exposure.

Understand Your Risk

Preparedness for a security event of any kind calls for a better understanding of what types of events might occur. A security incident refers to an adverse event in an information system and/or network, or the threat of the occurrence of such an event. A security incident can include any of the following events.

  • Unauthorized access by employee, contractor, or third party
  • Root or system level attacks to any host or system
  • Compromise of restricted confidential service accounts or software areas
  • Denial of service attacks to infrastructure, confidential service accounts, or software areas
  • Large scale attacks of any kind (worms, sniffing attacks, etc.)
  • Threats, harassment, or criminal offenses involving individual user accounts
  • Compromise of individual user accounts
  • Compromise of desktop systems
  • Forgery, misrepresentation, or misuse of resources
  • Loss or theft of a workstation, computer, laptop, PDA, BlackBerry, backup media, or CD-ROM
  • Any act of violation of an established policy

Implement Policies and Procedures

Preparedness for a security event also calls for well-defined policies and procedures. For example, when a security incident occurs, the ensuing investigation may warrant taking intrusive steps, such as monitoring activities of employees. Without any policies to the contrary, your employees might have an expectation of privacy during an investigation. With the proper policies and established procedures, however, you can more effectively pursue your determined objectives when responding to an incident.

Policies can have some common elements which will allow for consistency across departments. Each policy should contain at a minimum: purpose, scope (who the policy applies to), actual policy statement, acknowledgement statement with voluntary or mandatory participation, the stated process the policy supports, general requirements, user requirements, definitions, objectives, how and when the policy is updated, sponsor of the policy, custodian of the policy, and revision history.

Assign Responsibility

Whether an organization has a dedicated security department or only part-time security staff, specific functions must be assigned to staff in case of an incident. Depending on the size of the company, there may be a need for a complete security department; in some companies the chief information officer (CIO) will also handle security incidents.

A computer security incident response team (CSIRT) is a group of professionals within an organization who are trained to respond to an information system or data security incident. This select group of individuals follows a specific plan when activated during a breach (or potential breach).

This team's role is investigation and problem solving. Team members should include among others:

  • Management personnel and mission owners with the authority to act
  • IT security program manager (or other individual responsible for the security program)
  • IT system owners
  • Business or functional managers
  • IT auditors
  • Technical personnel with the knowledge and expertise to rapidly diagnose and resolve problems
  • Communications representatives who can keep the appropriate individuals and organizations informed and can develop public image control strategies as necessary

The CSIRT must create a mission statement that aligns with the corporation's goals. Typically, each team behaves in one of two ways: proactive or reactive. Proactive behavior includes security awareness, education, and analysis of user behavior and event logs. Reactive behavior is triggered by an incident and is the mode most often exercised.

Develop a Formal Plan

What's a team without a plan? A documented plan for responding to security incidents (or potential incidents), commonly called an incident response plan (IRP), is a necessity for effectively handling the internal and external issues surrounding a crisis. An IRP:

  • Prevents a disjointed, noncohesive response
  • Confirms or dispels whether an incident occurred
  • Enables legal and law enforcement to prosecute malicious entities
  • Promotes accumulation of accurate information
  • Establishes controls for proper retrieval and handling of evidence
  • Protects privacy rights established by law and policy
  • Minimizes disruption to business and network operations
  • Provides accurate reports and useful recommendations
  • Provides rapid detection and containment
  • Establishes priorities
  • Minimizes exposure and compromise of proprietary data
  • Protects the organization's assets and reputation
  • Educates senior management
  • Promotes rapid detection and/or prevention of such incidents in the future

For an IRP to be successful, its maintenance must be an ongoing process: the plan must be kept current and must reflect organizational and infrastructure changes and newly discovered vulnerabilities as they occur. In addition, an IRP should be a key component of a well-rounded information security program that includes policies and procedures, a compliance monitoring program, and an intrusion detection system.

However, the scale of a response is dictated by the nature of each individual organization. An organization that does little e-commerce can more easily disconnect its network at a moment's notice without much harm to its revenue, while an organization whose mainstay is e-commerce may want to invest more resources into developing an in-depth IRP.

Each plan will be different, and a one-size plan does not fit all. The plan's success is based on willing participants, streamlined processes, management support, and knowledge of where data lies in the organization. If you have not already done an audit of where data exists in both manual and electronic format, now is a good time to consider this as part of the overall preplanning. If you do not know where your data is, it is hard to know that it has been lost or compromised, or what to remediate when an incident occurs. Data maps and data flows are extremely helpful in incident response scenarios.

Determining If There Has Been an Incident

In most cases, staff will already have a good idea whether there has been an incident. However, the extent of the incident might not be known. Here are a few suspicious events to be aware of when preparing a plan to follow:

  • Hardware problems
  • Software problems
  • Accidental deletion of system or user files
  • Malicious user
  • A strange process running and accumulating a lot of CPU time
  • Intruder logged into system
  • Virus has infected system
  • Someone from a remote site is trying to penetrate the system
  • The corporate Web site has been defaced
  • Hacked user account
  • Hacked root account
  • Denial of service (DoS) attack

Data security involves the education and systematic training of employees. Policies must be enforced and security should be a part of an organization's overall mission. Risk managers will need to cost-justify information security, understand security best practices, gain senior management support, and integrate security into all data handling practices.


Saundra Kae Rubel, CIPP, is a consultant with Privacy Compliance Group. She has over 7 years' experience in implementing privacy management practices into business processes. She specializes in security and data protection issues and has served as a member of the California Office of Privacy Protection Task Force on California Information-Sharing Disclosures and Privacy Policy Statements. A member of the InfraGard and High Tech Crime Investigation Association (www.HTCIA.org), Ms. Rubel works with organizations to ensure their business practices meet international data protection regulations. She was awarded the Certified Information Privacy Professional (CIPP) designation in October 2004.


[1] United States of America (for the Federal Trade Commission) v. ChoicePoint Inc. (N.D. Ga.) (FTC File No. 052-3069). (Last visited February 1, 2006.)

[2] BJ's Wholesale Club, Inc., In the Matter of (FTC File No. 042 3160). (Last visited February 1, 2006.)


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author’s employer or IRMI. This article does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.