Compliance != Security
In the face of compromises or any other potential/verified breach, a quick response is essential. You don't know if you have sensitive data (PCI, PHI, PII, etc.) leaving your network, and your first, most immediate and natural reaction (i.e., disconnecting systems) will likely expose you to more risk than the incident itself. Wait...what? Well, here's the deal, kids...if a system has sensitive data on it, and was subject to a compromise (intrusion, malware infection, etc.), and you cannot explicitly prove that the sensitive data was not compromised, you may (depending upon the legal or regulatory requirements for the data) be required to notify, regardless.
So...better to know than to not know...right?
What you need to do is quickly collect the following items:
- Pertinent network logs (firewall, proxy, etc.)
- Network packet capture(s)
- Full or partial contents of physical memory
- An image acquired from the affected system
Remember to DOCUMENT everything you do! The rule of thumb is, if you didn't document it, you didn't do it.
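As an added illustration of the "document everything" rule (this is example code, not from the original post or from any tool it mentions): every artifact in the list above gets hashed the moment it is acquired, and each acquisition is written to a timestamped record that can later be re-verified. The case id, examiner name and the four sample artifacts are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images and memory dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLog:
    """Append-only record of what was collected, from where, by whom, and when."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, artifact: Path, kind: str, source: str, note: str = "") -> dict:
        entry = {
            "case": self.case_id,
            "examiner": self.examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "kind": kind,        # e.g. "firewall-log", "pcap", "memory", "disk-image"
            "source": source,    # the system or device the artifact came from
            "path": str(artifact),
            "size": artifact.stat().st_size,
            "sha256": sha256_file(artifact),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Re-hash every recorded artifact; return the paths whose hash no longer matches."""
        return [e["path"] for e in self.entries
                if sha256_file(Path(e["path"])) != e["sha256"]]

    def dump(self, path: Path) -> None:
        path.write_text(json.dumps(self.entries, indent=2))


def demo() -> dict:
    """Collect four constructed artifacts in the order listed above, then verify them."""
    work = Path(tempfile.mkdtemp())
    # Constructed stand-ins for the real artifacts (not data from any real incident).
    samples = {
        "firewall-log": b"2008-08-27 03:14:22 DENY TCP 10.1.5.23:49211 -> 203.0.113.7:443\n",
        "pcap": b"\xd4\xc3\xb2\xa1" + b"\x00" * 20,   # pcap magic plus a dummy header
        "memory": b"\x00" * 4096,
        "disk-image": b"\x00" * 8192,
    }
    log = EvidenceLog(case_id="CASE-PLACEHOLDER", examiner="examiner-placeholder")
    for kind, data in samples.items():
        p = work / f"{kind}.bin"
        p.write_bytes(data)
        log.record(p, kind, source="pos-terminal-01 (constructed)")
    before = log.verify()                       # everything should still match
    # Simulate an accidental modification of the image and confirm it is detected.
    (work / "disk-image.bin").write_bytes(b"\x01" + b"\x00" * 8191)
    after = [Path(c).name for c in log.verify()]
    log.dump(work / "evidence-log.json")
    return {"entries": len(log.entries), "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing at acquisition time rather than later is that the hash in the log is what lets you show, months afterwards, that the image you are analysing is the one you collected.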
What other tools are available? In the case of Best Western, as well as any other organization with remote systems (located in distant data centers or storefronts), something like F-Response may prove to be extremely valuable! If you're not sure about F-Response and don't believe the testimonials, give the Beta Program a try. With the Enterprise Edition of F-Response already deployed (or simply pushed out remotely as needed), getting the data you need is amazingly straightforward!
So why do all this? Why go through all this trouble? Because you will likely have to answer the question, was sensitive data leaving my network? The fact of the matter is that you're not going to be able to answer that question with nothing more than a hard drive image, and the single biggest impediment to doing the right thing (as opposed to something) in a case like this is time...when you don't have the tools, training or support from executive management, the only reaction left is to unplug systems and hope for the best.
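To show what the network-side evidence buys you that a disk image alone cannot, here is an added example (not code from the original post) that triages two of the items listed earlier: it pulls the allowed outbound connections of the affected host out of firewall log lines, and checks reconstructed payload from a capture for Luhn-valid card-number-length digit strings. The log format, the private address ranges, the host address and the payload are all constructed assumptions; the card numbers are the standard publicly known test values.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed firewall log lines in an assumed "ts action proto src:port -> dst:port" format.
FW_LOG = """\
2008-08-27 02:58:01 ALLOW TCP 10.1.5.23:49190 -> 10.1.5.10:445
2008-08-27 03:02:17 ALLOW TCP 10.1.5.23:49201 -> 198.51.100.44:443
2008-08-27 03:02:18 ALLOW TCP 10.1.5.23:49202 -> 198.51.100.44:443
2008-08-27 03:10:05 ALLOW TCP 10.1.5.40:51000 -> 192.0.2.9:80
2008-08-27 03:14:22 DENY  TCP 10.1.5.23:49211 -> 203.0.113.7:443
"""

LINE = re.compile(r"^(\S+ \S+) (ALLOW|DENY)\s+(\w+) (\S+):(\d+) -> (\S+):(\d+)$")
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def outbound_from(log_text: str, host: str) -> list:
    """Allowed connections from `host` to non-internal destinations: (timestamp, dst, dport)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip lines that do not fit the assumed format
        ts, action, _proto, src, _sport, dst, dport = m.groups()
        if src == host and action == "ALLOW" and not is_internal(dst):
            hits.append((ts, dst, int(dport)))
    return hits


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def find_pans(payload: bytes) -> list:
    """Digit runs of card-number length that pass Luhn; false positives are still possible."""
    return [m.decode() for m in PAN_RE.findall(payload) if luhn_ok(m.decode())]


def mask(pan: str) -> str:
    """Never write full card numbers into a report; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed payload standing in for data reassembled from a capture (plaintext for illustration).
PAYLOAD = (b"POST /upload HTTP/1.1\r\nHost: 198.51.100.44\r\n\r\n"
           b"track=4111111111111111|1234567890123456|4012888888881881")


def triage(host: str) -> dict:
    return {
        "outbound": outbound_from(FW_LOG, host),
        "pans_masked": [mask(p) for p in find_pans(PAYLOAD)],
    }


if __name__ == "__main__":
    for ts, dst, port in triage("10.1.5.23")["outbound"]:
        print(f"{ts} {dst}:{port}")
    print(triage("10.1.5.23")["pans_masked"])
```

The 1234567890123456 string fails the Luhn check and is dropped, which is the kind of filtering that keeps a first pass over captured traffic from drowning in timestamps and session ids; the DENY line and the internal SMB connection are excluded from the outbound list so that what remains is exactly the set of destinations you have to account for.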
Unfortunately, where will that leave you? It'll leave you having to answer the question, why weren't you prepared? Would you rather have to face that question, or actually be prepared?
If you want to learn what it takes to be prepared, come on by the SANS Forensic Summit and learn about this subject from the guys and gals who do it for a living!
Resources
CSO Online - Data Breach Notification Laws, State by State
SC Magazine - Data Breach Blog
Keydet89: Best Western now says only a handful of records were compromised, not millions. Data security investigations are complex, and they require patience. As we learned from the TJX experience, it is easy for the press and for authorities to over-react. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
Ben,
Thanks for the comment.
Data security investigations are complex...and as someone who does them, and is on a team certified by Visa PCI to do them, I have seen how they can go very wrong when performed by an organization with little to no training.
Also, your comment about the media rings true, as well, for folks who derive their information from the media. The really interesting thing is that what really happened from the "guy at the keyboard" perspective is never disclosed.
does a free copy of your book ship with each copy of F-Response sold? ;)
Sippy
That's a question for Matt...but I had a copy w/ me at DFRWS. Had I known you were there, I wouldn't have wanted to carry it all the way back home...
aw maaannnnnnnnn... i already own ur book actually :-)
maybe i'll write a super cool RegRipper plugin to get my copy SIGNED! :)
Sippy
it's really goood
I'd sign your copy regardless, Sippy...wish I'd known you were at DFRWS. When we were at the WharfRat, I was sitting w/ The Cory and Jason, and a couple of others...we made it up to 5 beers each before we were cut off due to Brian's credit card being overdrawn...or some other lame excuse...