Article

CSI 2007: Disclosing a data breach? Not so fast!

Bill Brenner, Senior News Writer

ARLINGTON, Va. -- One of the first considerations for a company that may have had a data breach is when and if to disclose the incident. Of course, doing so is the law in many states. But security experts at the CSI 2007 conference urged companies not to move too quickly, because a poorly-executed notification can make matters worse.

Before those notification letters go out, the company needs to get a clear picture as to what data was taken, how it happened and if an attempted brea ch was even successful, the experts said during the Computer Security Institute's (CSI) Tuesday proceedings.

"Don't be too quick to disclose until you have all your facts straight," said Gib Sorebo, senior information security analyst for San Diego-based Science Applications International Corp. (SAIC).

Sorebo said it's important for the company's legal counsel and communications team to work together on the proper wording of a notification letter, because one that's short on details and steeped in legalese can cause further frustration among customers and business partners -- opening the door to nasty rumors on what may have happened. A good disclosure emphasizes clearly what information has been affected, what steps are being taken to detect criminal activity and keep further breaches from happening, and what affected customers can do to ensure they don't become victims of fraud.

It also helps to offer compensation for credit monitoring and other costs, he said.

Requires Free Membership to View

Assume a breach will happen
The question of how to deal with a disclosure was part of a larger discussion Tuesday about how companies can prepare for a data breach. While it's ideal to prevent one from happening in the first place, experts said everyone should assume their company could someday be hacked and have an ironclad plan in place to react smoothly and effectively if it happens.

Sorebo stressed the importance of having policies and procedures dictating the appropriate response and outlining who would do what in the event of an incident.

"Develop and train an incident response team to be able to act quickly and do things like setting up a call tree in the event of an incident," he said. "Make sure the technology is in place beforehand to detect activity on the network, such as IDS and log correlation."

If a company is deploying a lot of laptops and other mobile devices, he said it helps to keep back-up tapes because it can help the incident response team determine what exactly is on a lost laptop, which, incidentally, should always carry encryption.

Incident responses splintered, chaotic
Lawrence Dietz, managing director of information security and legal support at Tal Global Corp. in San Jose, Calif., said that too often, incident responses are splintered and chaotic, with each department chasing its own individual agenda. The goal of his presentation was to teach attendees how to launch a collective incident response that combines traditional investigation techniques with data forensics to meet the needs of IT, HR, legal and law enforcement.

He suggested incident response teams use case studies to paint pictures of how the company may be compromised and what the outcome will be based on various types of responses. He presented a series of mock incidents and invited the audience to discuss how they would handle certain aspects of a response.

Among other things, Dietz recommended responders create a checklist in advance so they can quickly get their priorities in order, and draw up theoretical scenarios top executives can easily understand.

"The way to impress an executive is to make it really, really simple," he said. "They want to easily be able to categorize things that might happen and see a breakdown based on likelihood and potential impact. Having a very simple mechanism to define these things allows you to quickly measure the seriousness of the incident."

People first, assets second
He added that a company must consider the people it does business with first and its assets second. Furthermore, he said, while a cross section of the company should be represented in an incident response, too many people can muck up the works.

"The more people involved, the more likely the investigation will be fouled up," he said.

As for IT issues to consider, Dietz agreed with Sorebo that the more log keeping and monitoring technology a company has, the better the evidence will be if an investigation is ever needed.

"The right technology installed ahead of time is a good insurance policy, so companies should look at whether they have adequate content filtering, data leak prevention (DLP) and endpoint forensics tools deployed or selected," he said.