Wednesday, August 27, 2008

The Need for Speed

The recent Best Western issue illustrates an important point, which was mentioned in many of the posted articles on this issue...

Compliance != Security

In the face of compromises or any other potential/verified breach, a quick response is essential. You don't know if you have sensitive data (PCI, PHI, PII, etc.) leaving your network, and your first, most immediate and natural reaction (i.e., disconnecting systems) will likely expose you to more risk than the incident itself. Wait...what? Well, here's the deal, kids...if a system has sensitive data on it, and was subject to a compromise (intrusion, malware infection, etc.), and you cannot explicitly prove that the sensitive data was not compromised, you may (depending upon the legal or regulatory requirements for the data) be required to notify, regardless.

So...better to know than to not know...right?

What you need to do is quickly collect the following items:
  1. Pertinent network (i.e., firewall, etc.) logs
  2. Network packet capture(s)
  3. Full or partial contents of physical memory
  4. An image acquired from the affected system
Of course, this assumes a great deal...that you have a CSIRP in place, that you've already identified systems that store/process sensitive data, and that you've got the tools and training to collect any of this data. Some of it is fairly trivial...collecting firewall logs may simply be as easy as a call to your NOC. Collecting packet captures is as simple as having a Windows laptop with Wireshark installed, or Linux laptop. Tools for dumping the contents of RAM have recently taken a surge forward, and acquiring an image from a live system (can't shut that server down??) is as straightforward as getting a copy of FTK Imager.

Remember to DOCUMENT everything you do! The rule of thumb is, if you didn't document it, you didn't do it.

What other tools are available? In the case of Best Western, as well as any other organization with remote systems (located in distant data centers or storefronts), something like F-Response may prove to be extremely valuable! If you're not sure about F-Response and don't believe the testimonials, give the Beta Program a try. With the Enterprise Edition of F-Response already deployed (or simply pushed out remotely as needed), getting the data you need is amazingly straightforward!

So why do all this? Why go through all this trouble? Because you will likely have to answer the question, was sensitive data leaving my network? The fact of the matter is that you're not going to be able to answer that question with nothing more than a hard drive image, and the single biggest impediment to doing the right thing (as opposed to something) in a case like this is time...when you don't have the tools, training or support from executive management, the only reaction left is to unplug systems and hope for the best.

Unfortunately, where will that leave you? It'll leave you having to answer the question, why weren't you prepared? Would rather have to face that question, or actually be prepared?

If you want to learn what it takes to be prepared, come on by the SANS Forensic Summit and learn about this subject from the guys and gals who do it for a living!

CSO Online - Data Breach Notification Laws, State by State
SC Magazine - Data Breach Blog


Benjamin Wright said...

Keydet89: Best Western now says only a handful of records were compromised, not millions. Data security investigations are complex, and they require patience. As we learned from the TJX experience, it is easy for the press and for authorities to over-react. --Ben

H. Carvey said...


Thanks for the comment.

Data security investigations are complex...and as someone who does them, and is a on a team certified by Visa PCI to do them, I have seen how they can go very wrong when performed by an organization with little to no training.

Also, your comment about the media rings true, as well, for folks who derive their information from the media. The really interesting thing is that what really happened from the "guy at the keyboard" perspective is never disclosed.

Unknown said...

does a free copy of your book ship with each copy of F-Response sold? ;)


H. Carvey said...

That's a question for Matt...but I had a copy w/ me at DFRWS. Had I known you were there, I wouldn't have wanted to carry it all the way back home...

Unknown said...

aw maaannnnnnnnn... i already own ur book actually :-)

maybe i'll write a super cool RegRipper plugin to get my copy SIGNED! :)


Anonymous said...

it's really goood

H. Carvey said...

I'd sign your copy regardless, Sippy...wish I'd known you were at DFRWS. When we were at the WharfRat, I was sitting w/ The Cory and Jason, and a couple of others...we made it up to 5 beers each before we were cut off due to Brian's credit card being overdrawn...or some other lame excuse...