Information Security News mailing list archives
In-House Cyber Security
From: InfoSec News <isn () C4I ORG>
Date: Wed, 21 Feb 2001 04:13:53 -0600
http://www.law.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=law/View&c=Article&cid=ZZZG8HDWFJC&live=true&cst=1&pc=5&pa=0&s=News&ExpIgnore=true&showsummary=0

Corporate Counsel Must Plan Ahead to Minimize Risks of Data Security Breaches
Marc J. Zwillinger
Legal Times
February 21, 2001

Intrusion detection systems, penetration testing, network firewall configuration -- as in-house counsel, it is a relief that you do not have to understand, much less address, these issues. After all, while you focus on minimizing your corporation's legal responsibilities, you have a chief information officer (CIO) or a chief information security officer (CISO), and a technology-savvy information technology (IT) department to handle this area, right?

Wrong. As your organization becomes increasingly reliant on technology, the risks of cyber-incidents -- including computer penetrations, denial of service attacks, and Web page defacements -- become more significant. Simply put, as in-house counsel, you must become familiar with the network security architecture and technology policies of your organization. Without that knowledge, you may fail to recognize how the organization may be exposed to serious security breaches, criminal and civil litigation, and the spread of embarrassing and damaging news to shareholders and the public.

As just one example, the configuration of your corporate network can be an important factor in determining which foreign jurisdictions' laws may apply to your information. With efficient storage technologies now widely deployed, corporate information may be stored wherever capacity is most readily available on your network, regardless of the physical location or jurisdiction of that storage. Left to their own devices, the IT staff is not likely to configure the corporate network in a way that takes into account the relevant information security and data protection regimes in all the jurisdictions traversed by the network. If your corporation has proxy servers or backup storage located in Europe, information stored on these systems may be subject to a variety of different European data directives and may be accessible by foreign law enforcement under unfamiliar rules.

Even more pressing than jurisdictional issues, however, is the need for organizations with any Internet presence to adopt appropriate computer incident response policies. Why? If you haven't already, you will suffer an anomalous computer incident, if not a full-blown computer penetration. If Microsoft Corp., a fairly security-conscious organization, can be penetrated by hackers, it can happen to any organization with networked computers. In light of the virtual certainty of such an occurrence, the failure to adopt an appropriate incident response policy may result in liability for the corporation and its board of directors.

Furthermore, because of the sophistication of computer networks and technology, determining the correct way to respond to a specific cyber-incident will not be intuitive. The first lesson learned by those who have worked on these cases is that the initial detection of an incident rarely provides enough clues to distinguish between the actions of a curious teenage hacker and a more nefarious cyber-intruder acting on behalf of a corporate espionage agent or nation-state. In either scenario, the consequences of responding without thoughtful consideration, or of not responding at all, can be significant.

INHERENT DANGER

Consider the following fact pattern: Your IT department recognizes some anomalous computer network traffic. Secure in the belief that no one in the general counsel's office understands computer technology, the IT staff investigates without consulting counsel. As part of the investigation, they determine that a former employee, now working for a competitor, has hacked into the corporate network. With computer logs in hand, an IT staff member comes to your office and persuades you that it is important to notify law enforcement immediately to protect corporate trade secrets. With the comforting presence of the IT department manager in the office, you make the call. As soon as the law enforcement agent starts asking questions, however, you discover that rather than reporting a crime, you have just confessed to one: the IT staff discovered the identity of the hacker by illegally intercepting electronic communications or by hacking back into the perpetrator's computer.

Even where an internal investigation is done properly, the public perception of your company in the wake of an incident can be even more damaging than the computer penetration. Any incident may garner significant press attention, as did the February 2000 denial of service attacks against major e-commerce providers including Yahoo, eBay, and cnn.com. In such circumstances, press relations officers or other senior personnel should have sufficient technical competence to brief the increasingly technically savvy press -- and thus, indirectly, your shareholders and the financial analysts following your company -- in a manner that preserves, rather than erodes, shareholder value and investor confidence.

What does an incident response policy look like? Although such policies will vary considerably across organizations, creating a basic policy will require the following considerations:

Identifying the components of the incident response team. Because incident response is a multidisciplinary process, the team should consist of representatives from the counsel's office, the IT security staff, the CIO or CISO, and people skilled in media and investor relations. A crisis is no time for introductions, so this group should meet periodically to ensure that members are familiar with the organization's computer networks and understand who has access to the network (including affiliates, strategic alliance partners, subcontractors, and clients), where the information systems are physically located, and what the specific provisions of the company's acceptable use policy allow management to do when responding to an e-crisis.

Defining events and actions requiring notification or disclosure. It is difficult even for professionals with years of experience in responding to cyber-events to determine the appropriate response to an incident. For people who have never done so, arriving at the right answer in a crisis situation is virtually impossible. Accordingly, the incident response policy should first identify noncrisis IT events that require notification to the incident response team. This will enable the team to gain experience in understanding and analyzing computer incidents. In order to understand the magnitude of an event, the team should have a basic familiarity with the amount of normal traffic, or "background noise," on the network. Also, because the investigative activities of the IT staff can create corporate liability, counsel should develop a working knowledge of the organization's acceptable use and technology policies (as well as the pertinent terms of employment and collective bargaining agreements) in advance of a crisis, to ensure that investigative activities are consistent with the organization's existing policies and procedures.

Forming external reporting procedures and criteria. In the event that the company chooses to report an incident to local or federal law enforcement, the manner and method of the reporting should be determined by the incident response policy. Some companies will want decentralized reporting to allow local personnel to develop strong personal relationships with local law enforcement entities, provided that the counsel's office receives notification of, or approves, such contacts on an individual basis. Those organizations wanting tighter control (and expecting fewer incidents) might require counsel to handle all reporting centrally. In either circumstance, the criteria for a reportable incident should be established in advance, and such criteria must be consistent with any obligations contained in industry-specific regulations and those required by the corporation's provider of cyber-risk or business interruption insurance. Keep in mind, however, that any such disclosures will likely make it difficult for the organization to interpose attorney-client and work product privileges over information developed in the course of the company's own internal investigation.

Similarly, notifying the apparent upstream source of a cyber-attack must be done cautiously. If the upstream provider is the ultimate source of the attack, a premature notification might eradicate any possibility of obtaining the evidence necessary to recoup civil damages or criminal restitution. If the upstream site is not the source, a premature notification will result in the loss of executive control over the information surrounding the incident while providing potentially embarrassing information to a third party or competitor.

Specifying forensic response, outside counsel, and consultants. Certain types of incidents, such as those involving theft of proprietary information or significant damage to computer systems, are more likely than others to result in civil or criminal litigation. In such cases, a proper forensic response to a cyber-incident is essential to preserve the evidentiary value of the computer evidence. A crisis situation is not the time to select the forensic and legal providers who will be contacted to preserve and analyze evidence and provide legal advice and guidance. Where possible, incident response providers should be selected and retained in advance, enabling the providers of choice to clear any potential conflicts and to respond on short notice. When this is not done, organizations often rely on their existing counsel and security staff, who may not be trained in forensic procedure and may have no experience in responding to computer intrusions. Additionally, in circumstances where current or former members of an organization's IT staff are the targets of an internal investigation (a frequent scenario), using outside consultants is advisable.

Obviously, a comprehensive incident response policy cannot provide a response-by-the-numbers approach for each and every electronic crisis. There is no substitute for the analysis and judgment accumulated over time by experienced in-house personnel, consultants, and outside counsel. Nevertheless, a detailed incident response plan is an essential strand of the policy web that serves to shield an organization's networks and information infrastructure and to provide the organization with tools to efficiently investigate potentially hostile cyber-events.

Marc J. Zwillinger is a partner at Kirkland & Ellis in Washington, D.C., and an adjunct professor of cyberlaw at Catholic University's Columbus School of Law. Before joining Kirkland & Ellis, he was a trial attorney with the U.S. Department of Justice Computer Crime and Intellectual Property Section. He is also the legal instructor for Foundstone's (www.foundstone.com) one-day continuing legal education course for in-house counsel, "Understanding Cyber Attacks: Hands-On."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".