Remember that business endures, for better or worse. Realize that the truth of what you saw will never see the light of day - it will be spun into an acceptable story and you will be bound by law to keep the secrets of someone else's failure. The real trick is to survive the process with your sanity intact.
Your first responsibility will be to create a complete and detailed timeline. Your job now is to discover and document how this happened, not to offer your interpretation of why it happened. As much as you want to invoke all your "I told you so!" instincts, this is not the time. A complete, blow-by-blow timeline of how everything happened within your network is the primary information your command chain needs from you.
This information is what legal, PR, and the board members require, and it should be the primary deliverable around which all other workflow is organized. Most importantly, this is what will most effectively keep management off your back. Expect constant requests for updated status, but don't let updating too often get in the way of the work. Do not be afraid to push back and give yourself time to report more accurate findings. Make it clear that you can deliver either inaccurate information now or accurate information in another hour. Your job at this point is to enable informed executive decisions, so clearly set the expectation that this is your goal.
Things are going to get a little crazy: requests become orders and niceties fall by the wayside. In times of crisis, sanity becomes more important than pleasantries. Studies have shown that people would rather work with unfriendly, competent people than with unfriendly, incompetent people. This effect becomes more pronounced during times of crisis, so do not worry about offending people by not being nice to them; worry about not adding to the insanity.
Inevitably, you are going to end up making some judgment calls that may be above your station and tasking people over whom you normally would have no authority, on the understanding that you will answer for it later on. So long as you make this clear at the time, any reasonable person should support you.
As the long hours and sleepless nights add up, remember that there is an end and that life will return to normal once more. If public disclosure of your breach is required, know that it is a double-edged sword. You may well experience great catharsis in knowing that the truth is finally out there, but you must come to terms beforehand with the fact that the PR spin engine will be operating at full pace and you will be buried under a mountain of non-disclosure obligations.