Infosecurity Professional - Issue 9 - ISC

First Things First
Rich Baich, CISSP, CISM, and principal
at Deloitte & Touche LLP, was CISO with
data broker ChoicePoint in 2005 when a
significant case of fraud at the company
unleashed a firestorm.
Baich says the fraud stemmed from a
Nigerian national who entered the U.S.
illegally and obtained a business license
using doctored phone and utility bills, and
then became a valid user of ChoicePoint’s
credit service. Once he was an authorized
customer, he was able to access enough
personal information—such as names,
addresses and Social Security numbers—
to carry out malicious, fraudulent acts
including identity theft.
“That was a direct relationship with
someone who became a valid user of
credit services,” says Baich. “And it was
one of the shots heard around the world.”
Published reports indicate the breach
compromised the information of an
estimated 163,000 people and resulted in
800 cases of identity fraud. ChoicePoint
was ordered to pay $10 million in civil
penalties, and $5 million to consumers.
One of the biggest lessons Baich
learned: to institute an appropriate incident
response and assemble the best
team, you must clearly spell out what an
incident is. “How an organization defines
an incident is at the core of how they
develop a response program,” he says.
Brandon Dunlap, managing director
of research at Brightfly, an information
security advisory and research firm,
agrees. He suggests defining each type of
incident—from an employee participating
in online gambling at work to a major
denial-of-service attack—and then using
those definitions to create a “triage map.”
The map should describe each type of
incident, the individuals or teams who
should be involved in the response, and
the processes included in the response.
“The point of the triage map is to
ensure that your countermeasures are
commensurate with what is at risk,” says
Dunlap. An employee downloading pornography,
for example, would not likely
carry the same risk as a hack attack on
the company servers.
Early Detection is Critical
Once your plan is defined, you should
focus on early detection.
In the past year, MANDIANT has
responded to approximately 40 incidents
involving everything from financerelated
attacks to advanced persistent
threats that are extremely complex in
nature and that attack both commercial
and government systems. If you want
to catch these “cancers” early, Lee says,
“50 percent of your time and discussions
should be focused on determining
whether you are detecting properly.”
Typically, law enforcement is first to
detect a data breach and report it to a
business—and often the first to leak it to
the press due to data breach notification
laws. Lee suggests building relationships
with law enforcement now, rather than in
the midst of an incident. A side benefit is
that they may be working on cybercrime
investigations, and this knowledge could
better help you prepare.
But so much the better if your company
is able to detect an incident first.
Early internal detection gives you control
in terms of mitigating damage to
your business, partners and customers.
(For instance, negative press surrounding
the ChoicePoint incident harmed
the company’s reputation and led to an
immediate 10 percent drop in its stock
value.) “You must have individuals manning
your systems who are truly dedicated
to monitoring your network for
potential evil that is out there and running
rampant,” says Lee.
Lee suggests housing all applications
and resources in one building. This centralized
approach requires a cultural shift
and “a ton of work,” he adds. For instance,
the infrastructure group often manages
company firewalls, while the security
group manages intrusion detection centers.
“These two groups don’t typically
talk to one another,” Lee says. “So how
can you correlate data between them?”
Letting go of certain gear and services
is a necessary part of the process.
“When [someone else] takes over it can
be like swallowing a bitter pill, but it’s the
only way to effectively monitor your network,”
says Lee.
The Response Team
Hansen advises putting together a security
team that works together seamlessly
and executes quickly because “time is,
The Ingredients to Incident Response
Rich Baich, principal at Deloitte & Touche LLP, says organizations are more proficient at
declaring and responding to incidents because they do a better job of fusing disparate
data. According to Baich, the next level of maturity requires an organization to have
appropriate intelligence collection techniques in place to collect data and perform
analysis to be proactive in their approach rather than reactive. He defines appropriate
incident response as the practice of detecting a problem, determining its cause,
minimizing the damage it causes, resolving the problem, and documenting each step
of the response for future reference.
“Keep it simple, and check off each box as you respond to these incidents. That allows
you to gather a proper chain of evidence if there’s a need to prosecute someone,” he says.
“Good, diligent practices not only demonstrate a focused response, but also allow you to
go back and review for lessons learned, or identify critical steps that were missed.”
Following are what Baich considers essential steps for an immediate data breach
response action plan:
1. Assemble the response team
2. Review and evaluate the report prepared by the investigation team
3. Isolate and contain the incident
4. Determine the level of severity
5. Assess the legal and financial consequences
6. Implement escalation and notification procedures
ISSUE NUMBER 9 InfoSecurity Professional 15