After the Storm

(Originally published for Camelot's Avalon newsletter, July 2001. Reprinted with permission.)

I find myself, from time to time, repeating this familiar network security 'truism': the threat from insiders is greater than the threat from outsiders. Doesn't the yearly survey from the United States FBI and Computer Security Institute always reinforce this? Yet some are skeptical. 'How do they know? Where are the numbers? Where's the proof?' Then a story breaks like the May 3, 2001 Associated Press Lucent story, with the headline 'FBI: Scientists Stole Lucent Trade Secrets for Chinese.'

While we don't know specifically what went wrong in this case, it might be useful to use this situation as a jumping-off point, a place to start imagining, 'What if it happened to us?' It is a starting point to discuss how one goes about cleaning up after this particular type of situation. Treating this topic thoroughly would take a book, so we'll just touch on the main steps to take. As we do not have the details about what happened at Lucent, let's say it happened at your company, and you're dealing with the above situation.

Incident Response

First, well before this incident you should have had an incident response procedure. I've discussed this in more detail in a previous column [http://www.avolio.com/columns/intruderalert.html]. This procedure should include who in the company should be notified and when, whether you will call the police, and what you will tell the press (and who does the talking). If you've never gone through this exercise, do it as soon as possible. You won't get it 100% correct, but then nothing in security ever is. Having a less than perfect plan now beats having to come up with one after your company's name has been splashed across the Internet and newspapers.

Investigation

While following the incident response procedure is somewhat mechanical (and should be, for it to be most useful and effective), the investigation is harder. This is the information-gathering phase, and it takes some expertise. You need to know what information to gather and, most importantly, how to gather it. You need to know the rules of evidence in your jurisdiction covering what is and is not admissible in court. You must know the laws pertaining to the handling of evidence, to allow it to be used in legal proceedings. You must maintain a chain of custody for the evidence.

You are not only interested in an investigation that will perhaps lead to criminal prosecution. You'd like to know what was touched, what was taken, and what was modified. Like a family victimized by a burglary, you need to try to determine what was stolen. In the case of a home break-in, that involves going through everything to find what isn't there. This is very difficult, and is especially so in the case of electronic information. The data still exists, but it may have been copied or modified. You must rely on audit log files and on reviewing file and system access times (this is one reason you must not do a routine back-up or even a regular shutdown of a system after an incident: a backup reads every file and refreshes its access time, and a shutdown writes to logs and temporary files, overwriting exactly the traces you need).
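To make the access-time point concrete, here is an added example (not part of the column) that collects each file's access, modify and inode-change times using lstat() alone, so that building the timeline does not itself disturb the evidence the way a backup read would; the directory, file names and timestamps are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timezone

def mac_times(path):
    """Access/modify/inode-change times via lstat(), which never opens the file
    and so does not refresh the access time the way a backup read would."""
    st = os.lstat(path)
    return st.st_atime, st.st_mtime, st.st_ctime

def build_timeline(root):
    """List of (timestamp, kind, relative path), oldest first, for every entry
    under root. kind: 'a' last access, 'm' last content change, 'c' last inode change.
    Caveat: listing a directory can refresh that directory's own atime on some
    mount options, so a real case works from a disk image, not the live system."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            a, m, c = mac_times(full)
            events += [(a, "a", rel), (m, "m", rel), (c, "c", rel)]
    return sorted(events)

def timeline_report(root):
    """Human-readable lines, in UTC, for the analyst's notes."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {kind} {rel}"
            for ts, kind, rel in build_timeline(root)]

def demo():
    """Constructed sample (not from the column): three files given hand-set access
    and modify times an hour apart on 2001-05-03, the date of the AP story."""
    root = tempfile.mkdtemp(prefix="evidence_")
    base = 988848000  # 2001-05-03 00:00:00 UTC
    for name, offset in (("design.doc", 0), ("notes.txt", 3600), ("export.tar", 7200)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        os.utime(path, (base + offset, base + offset))  # (atime, mtime); ctime becomes now
    first = build_timeline(root)
    second = build_timeline(root)  # a second collection must not alter the evidence
    return root, first, second

if __name__ == "__main__":
    root, first, _ = demo()
    print("\n".join(timeline_report(root)))
```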

The Fix

As hard as the investigation phase is, repairing the situation can be even more difficult. Here, I don't mean fixing the consequences of the incident, although that is important. What we need to shoot for is answering the question, 'How can we lessen the likelihood that this ever happens again?'

The investigation probably showed some fixable problems, probably some in the areas of mechanistic controls and education. One area, certainly, will be access control. A large multinational company like Lucent may have hundreds of thousands of employees worldwide. So, looking at every network and every computer (desktops, mobiles, servers, and gateways) you must audit access permissions. Who can get what and when? What can they do with it (read/write/delete)? Do you have an 'all or nothing' policy enforced, or is it more granular? If it is not very granular, perhaps it needs to be.

You need to fine-tune user privileges. This means going back, if you've never done it, and categorizing or classifying your data. While we usually think of government classifications (Top Secret, Secret, Confidential, etc.) when we use the term, it more generally means to put information into related groupings. When we've done that, we need to assign access to data (and to networks and systems) according to the business requirements, job responsibilities, and the 'need to know.'
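As an added example (not from the column), the following Python audits a directory tree for the questions raised above: who can read, write and delete what, including the easily missed point that deletion is governed by the parent directory's permissions rather than the file's own. The sample tree is constructed for the demo; ACLs and root privileges are out of scope.

```python
import os
import stat
import tempfile

# permission class -> (read bit, write bit) in st_mode
CLASSES = {"owner": (stat.S_IRUSR, stat.S_IWUSR),
           "group": (stat.S_IRGRP, stat.S_IWGRP),
           "other": (stat.S_IROTH, stat.S_IWOTH)}

def effective_rights(path):
    """Map each class to its subset of {'read','write','delete'}. read/write come from
    the file's own bits; delete is a directory operation, so it comes from the parent's
    write bit, restricted to the owner when the parent is sticky. Assumes file and
    parent share owner/group; ACLs and root are out of scope."""
    mode = os.lstat(path).st_mode
    parent = os.lstat(os.path.dirname(path)).st_mode
    rights = {}
    for who, (rbit, wbit) in CLASSES.items():
        held = {name for name, bit in (("read", rbit), ("write", wbit)) if mode & bit}
        if parent & wbit and (who == "owner" or not parent & stat.S_ISVTX):
            held.add("delete")
        rights[who] = held
    return rights

def audit(root):
    """Return ({relative path: rights}, sorted files where 'other' can write or delete)."""
    table = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            table[os.path.relpath(full, root).replace(os.sep, "/")] = effective_rights(full)
    findings = sorted(rel for rel, r in table.items() if r["other"] & {"write", "delete"})
    return table, findings

def demo():
    """Constructed sample tree (not from the column): a confidential folder, a
    wide-open shared folder, and a sticky drop box."""
    root = tempfile.mkdtemp(prefix="audit_")
    layout = (("confidential", 0o755, "plan.txt", 0o640),
              ("shared", 0o777, "notes.txt", 0o666),
              ("drop", 0o1777, "upload.bin", 0o600))
    for dirname, dmode, fname, fmode in layout:
        d = os.path.join(root, dirname)
        os.mkdir(d)
        os.chmod(d, dmode)  # chmod after mkdir: mkdir's mode argument is clipped by umask
        path = os.path.join(d, fname)
        open(path, "w").close()
        os.chmod(path, fmode)
    return audit(root)
```

Calling demo() returns the rights table and the list of files to revisit; in the sample only shared/notes.txt is flagged, because everyone can both overwrite it and remove it.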

The Calm After

Does this sound like a lot of work? It certainly is. Common sense and experience would testify that for a large target such as Lucent, doing it right the first time is much less expensive than cleaning up and doing it right after an incident. But convincing people to spend the money before something bad happens is difficult. Use what happened at Lucent as an example. In this situation, what common sense and experience tell us is right on the money.

--------------------------------------------
By Fred Avolio, for the Camelot Avalon. Fred is the president of Avolio Consulting, Inc.