Re: Security and Contingency Planning

["Bob Radvanovsky" <rsradvan () unixworks net>]

See comments within your message.

-rad

----- Original Message ----- 
From: "Richard Piedrahita" <piedrahr () wchsys org>
To: <security-basics () securityfocus com>
Sent: Wednesday, December 21, 2005 3:15 PM
Subject: Security and Contingency Planning


> Hi Everyone:
>
> I have a hypothetical situation and two questions:
>
> Hypothetical Situation:
> I have taken all the precautions and spent many, many dollars to
> protect my little business but yesterday, a very bad person breached
> my network defenses and stole some very confidential product,
> customer, and financial information from my little business.  But,
> they didn't get it all.  I spotted the activity and crashed the entire
> data center before they got some of the key pieces of information.
> Fortunately I had a hot site ready to go so my little business is
> running again and I am taking extra steps to make things even more
> difficult for some one to break into my systems but I know "they" are
> going to come after the rest of the information again (the stuff is
> worth oogles of dollars, O.K. ;-)
>
> Question 1:
> Besides calling the local constabulary, are there any established
> and/or reputable private businesses out there that can send a sort of
> network tactical investigative team to investigate the incident (do
> the network investigation legwork (audit all the logs, traffic
> analysis, etc.), develop the evidence, deliver the reports, and tell
> me who (maybe not by name) did what, when they did it, how they did
> it, and from where they did it, etc.

Since it involved a critical infrastructure, and deals with a governance
that is federal mandated (or soon will be for the Security Provision of it),
there is the Cybercrime Division of the Federal Bureau of Investigation.
Quite frankly, let them handle it, and chances are, for an Internet and/or
HIPAA violation, your intruder could come from anywhere, so the FBI is
probably your best bet.

You being a healthcare provider, are under federal obligation of
safeguarding your data as best as possible.  This is where HIPAA governance
would be vague insofar as to the ramnifications of posing 'what if'
scenarios should a healthcare provider actually loose data to data theft,
what are the possible consequences that they could face in federal court,
aside from the onslaught your organization would now face from several other
angles (current customers, former customers, medical staff, union
organization representing medical staff, etc.).

The problem is that (in reality) noone really knows.  I would challenge
anyone who would come back with a clearcut answer stipulating that Result A
would come from Situation A.  It doesn't quite work that way, esp. for a
large enough of a healthcare provider.  Political implications, human
factors, financial considerations -- all of these play aspects in the
(overall) outcome once the news is announced that your organization has been
'0wn3d' (owned).

> What I need is a cross between the U.S. Marines, Dick Tracy, and Lt.
> Cmdr. Data (Star Trek) that can look at all this and tell me something
> useful in a reasonable amount of time.  I don't think the local
> constabulary can handle something like that in a short amount of time
> so I will need serious help for this.

For something like this, your local police are not going to know what to do.
In fact, most police departments may refer you to the FBI for this exact
sort of thing.  ;))

The FBI has become quite good over the past several years at conducting
post-IT forensics analysis cases.  The movie industry has portrayed them as
a group of bumbling fools -- and after having associated with a few here
locally -- is hardly the situation.  I found many of of the FBI agents to be
highly intelligent, very capable of solving problems, resourceful, and very
considerate of their (ahem) 'customer'.  Not having worked with the FBI for
any cybercrime-related case, I cannot stipulate how something like this
would or would not work for you and/or your organization.  I suspect that
the FBI should -- at least -- be considered as a potential candidate for
your post-IT forensics analysis.

> Question 2:
> Along the same line, does anyone know of any good Public Relations
> firms that could help my little company manage to ensuing maelstrom
> once the public finds out (especially my shareholders, ouch!) that my
> little company lost it's customer's personal information, valuable
> trade secrets, etc.?

I can only imagine what would happen.  Once news such as that leaks out, it
would be very difficult to contain at that point.  And after the media has
feasted on your organization, your company will need to spend lots -- 
TONS -- of money on getting customers to come back to you.  Probably would
want to look at a local company specifically dealing with advertising and
marketing to spindoctor your organization as being creditible.

> Oh yeah, don't worry about the attorneys; I already have a dozen of
> them paid for in advance for the next decade.

Good to know; new motto for your firm: "Have attorney -- will sue." (spinoff
from the Old Western "Have gun -- will travel." slogan)  8))

BTW, is this inclusive within your organization's IT DRP enterprise plan?
Has it been reviewed by your HIPAA security committee?  Is your CSO aware of
such scenarios (provided, of course, that *you* aren't the CSO -- at least,
I hope that you wouldn't be, because a CSO asking the general public about a
'what if' scenario doesn't leave me with a warm 'n fuzzy, esp. coming from
an executive level position) that exist without your organization?  I found
that many healthcare providers are doing the least amount of work possible
to be 'compliant', and cannot, for the life of me, figure out why an
industry is sooooo reluctant in taking efforts of providing a safeguarded
and/or secured environments for their customers???  It makes absolutely no
sense!  Having a group of hungry sharks and jackals ready to sick onto the
first customer that even *thinks* of suing your organization isn't going to
solve the problem.

These scenarios *should* have been answered A LONG TIME AGO -- say 2 or 3
years ago.  Then again, many individuals who (reluctantly) identified
themselves as having worked for, with, or associated with the healthcare
and/or health insurance industries -- that I came across at a local security
conference last year -- out of the group (12 in this case) -- only 2 were
considering any active course of action, and actually *had* any plan for
security breaches, hardening, firewalls, IDS, proactive pentesting, etc.  My
question is this: why has the healthcare industry dilly-dallied for so
long -- I mean, why at the 11th hour?

I hope that I don't come across as being too smug, but many of your
questions should've been answered some time ago.  Insofar as to post-IT
forensics analysis, consider the FBI.  ;))

> Any information would be most appreciated.
>
> Thanks, Rick.
>
>
> ***** CONFIDENTIALITY NOTICE *****
> This message contains confidential information and is intended only for
> the individual named. If you are not the named addressee you should not
> disseminate, distribute or copy this e-mail. Please notify the sender
> immediately by e-mail if you have received this e-mail by mistake and
> delete this e-mail from your system.
>
>
> --------------------------------------------------------------------------
-
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------