Some time ago there was a big discussion on Spiceworks about FedEx data leakage. Roughly 5 GB of data was leaving one system daily for an IP address in Bulgaria. Since a third party actually owned the system, the poster was somewhat limited in what they could do and was wondering what to do next.
Most of the advice posted in the Spiceworks thread dealt with how to determine what was going out. In this blog we’ll try to think in terms of having things in place ahead of time, to guard against the day when we suspect something is going on.
1. Look at your risks
Determine what data you need to monitor and watch. What information has personal data in it, and what do you absolutely need to keep things running (user and email accounts and such)? Identifying this will help drive that 20-cent word “Mitigation”, which we define as taking the worst thing that can happen and either eliminating the possibility of it occurring or minimizing the impact.
Part of the mitigation process might include configuring NTFS permissions to deny anonymous access to certain files and to ensure only authorized individuals are touching them. You may also want to know when certain events happen, such as deletion or copying of files. Set up your auditing program, or set scheduled tasks on the file server to notify you when those events occur.
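Here is one way to put the file-server piece of that in place: turn on file-system auditing, add an audit entry to a sensitive folder so that deletes and writes land in the Security log, and schedule a daily report of those events. This is an added example, not code from the original post; the folder path, script path, mail addresses and SMTP server are placeholders you would replace, and the mail transport is only one of several ways to get the notification out.

```powershell
# Added example (not from the original post). Audit deletes/writes on a folder
# and report the matching Security events. Paths, names and SMTP settings are
# assumptions/placeholders. Run elevated: setting a SACL and reading the
# Security log both require administrative rights.

param(
    [string]$WatchPath = 'D:\Shares\HR',   # placeholder folder to watch
    [int]$LookBackHours = 24
)

# 1. Enable the "File System" audit subcategory. Without it, no 4663/4660
#    events are written no matter what SACL the folder carries.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: audit Everyone for Delete and Write on the folder and
#    everything under it. Existing audit rules are left in place.
$acl  = Get-Acl -Path $WatchPath -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Pull 4663 (object accessed) and 4660 (object deleted) events for the
#    window and flatten the EventData block into something readable.
#    4660 carries only a HandleId; correlate it with the 4663 that shares the
#    same handle to learn the file name.
function Get-FileAuditEvents {
    param([string]$Path, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object     = $d['ObjectName']
            HandleId   = $d['HandleId']
            AccessMask = $d['AccessMask']   # 0x10000 = DELETE, 0x2 = WriteData/AddFile
            Process    = $d['ProcessName']
        }
    } | Where-Object { $_.EventId -eq 4660 -or $_.Object -like "$Path*" }
}

$events = Get-FileAuditEvents -Path $WatchPath -Hours $LookBackHours
if ($events) {
    $body = $events | Sort-Object Time | Format-Table -AutoSize | Out-String
    # Mail is an assumed transport; swap in whatever your ticketing or alerting
    # system accepts. Addresses and server are placeholders.
    Send-MailMessage -To 'secops@example.com' -From 'fileaudit@example.com' `
        -SmtpServer 'smtp.example.com' `
        -Subject "File audit: $(@($events).Count) events on $WatchPath" `
        -Body $body
}

# 4. Schedule this script daily so the report arrives without anyone having to
#    remember to look. The script path is a placeholder.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\FileAudit.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 6am
Register-ScheduledTask -TaskName 'FileAuditReport' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -Force | Out-Null
```

Two things worth knowing before relying on this: a busy share will generate a large volume of 4663 events, so size the Security log (or forward it to a collector) before turning auditing on, and step 2 only needs to run once, so in practice you would split the one-time setup from the daily report script.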
2. Consider at least two scenarios
Your plan should cover a couple of scenarios, everything from just one machine doing weird stuff to Denial of Service attacks. Part of what you need to consider is the law in relation to data breaches. Part of the headache here is finding out which government laws apply, and understanding how they apply to your particular case. Most will at a minimum require written notification and credit counseling.
3. Have a decision matrix
Several crucial decisions you need to have mapped out concern what to do when a breach is discovered. Some of the events you need to have mapped out are:
- What to do when the breach is discovered. Is it still happening? And then what do you do?
- Do you drop the Internet connection (creating a Denial of Service event on yourself and possibly tipping off the cyber-crook that you’re on to them), or do you just let it keep going?
- When do you call for additional help, and when do you call in Law Enforcement?
4. Who you going to call?
Obviously you’re going to want a computer forensic expert to help sift through all the files and so on to determine what happened. There are several things you want to look for when it comes to an expert, however:
- Experience: Has this individual or company ever done this before?
- Court: Is the investigator an expert witness? In short, are their credentials such that a court has recognized, or could recognize, them as an expert in the field?
- Training: The investigator should hold several certifications in the field, and should be current as far as training is concerned. Things change fast in IT, and they need to keep up.
- Professional Association: What are they a member of?
5. Handle information
Part of your planning needs to include who the key individuals are that need notification. One person that is often not thought of is whoever handles Public Relations. While it’s doubtful that we in IT will be the party handling that, whoever does needs to know what information to put out, through what conduits, and most of all, not to give information they don’t know or speculate. For example, a reporter asks, “How many people are impacted by the breach?” If the Public Relations Officer doesn’t know, their response should be something like, “We don’t have an exact number yet. Our forensic investigators are determining that, and as soon as we have numbers we’ll let you know.” The best advice here is to stick to the facts you have rather than look stupid later.