Help Your Clients Keep Secure Networks
It’s not the call you want to get: your client got hacked and their funds were misdirected. Damage done, and you've got to fix it. What do you do?
It turns out that guidance published by the Vermont Attorney General’s office on the state’s Security Breach Notice Act (9 V.S.A. § 2430 and § 2435) is very helpful if you ever find yourself in that position.
Much of it covers what to do if personal consumer information (Social Security numbers, bank account numbers, etc.) is compromised. If that happens, the most important thing to do (after taking appropriate measures to contain the breach and secure the data) is to notify the appropriate law enforcement agency in your area and inform them of your obligation to notify affected consumers of the breach within 10 business days. From there you (or your client) should follow the guidance on how, when and where to notify consumers, including mailings or emails and posting a notice on the company website. Notification deadlines and thresholds are set by statute and change over time, so check the current text of the Act rather than relying on a summary.
The guidance is a lengthy document, but boiled down, here are the steps to take to get your client back in good standing:
1. Immediately isolate the affected system to prevent further intrusion, release of data, or damage.
2. Communicate by telephone or another out-of-band channel. An attacker who is still inside the network may be reading e-mail.
3. Immediately notify an appropriate law enforcement agency.
4. Turn on all available auditing, if it is not already on.
5. Preserve all pertinent system logs (firewall, router, intrusion detection system, and the affected hosts themselves) before they rotate or are overwritten.
6. Make backup copies of damaged or altered files, record a cryptographic hash of each copy, and keep the backups in a secure location with restricted access.
7. Identify where the affected system resides within the network topology.
8. Identify all systems and organizations (agencies, partners, service providers) that connect to the affected system.
9. Identify the programs and processes that run on the affected system(s), the impact of the disruption, and the maximum allowable outage time.
10. If the affected system is collected as evidence, make arrangements to provide continuity of service, i.e., prepare a redundant system and obtain data backups. To speed operational recovery, pre-identify for each system its IP address, MAC address, switch port location, required ports and services, physical location, OS and OS version, patch history, safe shutdown process, and primary and backup system administrator.
Also, here is a list from the FBI National Computer Crime Squad (www.emergency.com/fbi-nccs.htm) with some very helpful best practices on what to do both before and after you become a computer crime victim. Some items date from the dial-up era (trap and trace, caller ID) and apply to telephone-based intrusions, but the evidence-handling advice holds up:
• Place a login banner to ensure that unauthorized users are warned that they may be subject to monitoring.
• Turn audit trails on.
• Consider keystroke-level monitoring if an adequate banner is displayed.
• Request trap and tracing from your local telephone company.
• Consider installing caller identification.
• Make backups of damaged or altered files.
• Maintain old backups to show the status of the original.
• Designate one person to secure potential evidence.
• Evidence can consist of tape backups and printouts. These should be initialed by the person obtaining the evidence and should be retained in a locked cabinet with access limited to one person.
• Keep a record of resources used to reestablish the system and locate the perpetrator.
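The log-preservation and backup steps in the numbered list above (steps 5, 6 and 10) and the FBI items on backing up altered files and having one person secure the evidence all come down to the same thing: make a faithful copy, record what you took and when, and be able to prove later that nobody changed it. The following script is an added example, not part of the Vermont guidance or the FBI list. It copies log files into an evidence directory, writes a SHA-256 manifest, appends a chain-of-custody entry naming the collector, and can re-verify the copies later. The directory names, the collector name and the sample log lines in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Vermont notice or the FBI list): preserve log
# files as evidence with a SHA-256 manifest and a chain-of-custody record,
# then verify the copies later. Paths and the collector name are made up.
set -eu

# Use whichever SHA-256 tool the host provides (GNU coreutils or BSD/perl).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# preserve_evidence SRC_DIR DEST_DIR COLLECTOR
# Copies every regular file under SRC_DIR into DEST_DIR/files, preserving
# timestamps and modes, writes DEST_DIR/MANIFEST.sha256 in sha256sum -c
# format, and appends one custody line to DEST_DIR/CUSTODY.log.
# Returns non-zero if nothing was copied.
preserve_evidence() {
    src=${1%/}; dest=$2; collector=$3
    mkdir -p "$dest/files"
    chmod 700 "$dest"                      # only the custodian can read it
    : > "$dest/MANIFEST.sha256"
    # Ordinary log file names only; names containing newlines are out of scope.
    find "$src" -type f | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/files/$(dirname "$rel")"
        cp -p "$f" "$dest/files/$rel"      # -p keeps mtime/mode for later timelines
        printf '%s  %s\n' "$(sha256_of "$dest/files/$rel")" "files/$rel" \
            >> "$dest/MANIFEST.sha256"
    done
    count=$(wc -l < "$dest/MANIFEST.sha256" | tr -d ' ')
    # The manifest's own hash goes into the custody log, so the manifest
    # cannot be quietly rewritten either.
    printf '%s host=%s collector=%s source=%s files=%s manifest_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$collector" "$src" \
        "$count" "$(sha256_of "$dest/MANIFEST.sha256")" >> "$dest/CUSTODY.log"
    [ "$count" -gt 0 ]
}

# verify_evidence DEST_DIR
# Recomputes every hash in the manifest; returns 0 only if all files are
# present and unchanged, and names any missing or modified file on stderr.
verify_evidence() {
    dest=$1; bad=0
    while read -r hash rel; do
        if [ ! -f "$dest/$rel" ]; then
            echo "MISSING  $rel" >&2; bad=1; continue
        fi
        if [ "$(sha256_of "$dest/$rel")" != "$hash" ]; then
            echo "MODIFIED $rel" >&2; bad=1
        fi
    done < "$dest/MANIFEST.sha256"
    return $bad
}

# Stand-alone demo with constructed sample logs (RFC 5737 documentation
# addresses); it builds a temporary tree, preserves it, verifies it, then
# shows that a single appended line is detected.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/firewall"
    printf 'Jan  5 02:14:07 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2\n' \
        > "$tmp/src/auth.log"
    printf 'DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445\n' \
        > "$tmp/src/firewall/fw.log"
    preserve_evidence "$tmp/src" "$tmp/evidence" "jdoe"
    verify_evidence "$tmp/evidence" && echo "evidence verified: $(cat "$tmp/evidence/CUSTODY.log")"
    echo "tampered" >> "$tmp/evidence/files/auth.log"
    if verify_evidence "$tmp/evidence"; then echo "unexpected: tamper not detected"; fi
    rm -rf "$tmp"
}
demo
```

Because the manifest uses the two-space `hash  path` layout, `cd evidence && sha256sum -c MANIFEST.sha256` gives the same check with stock tools, which is what you want when handing the copies to law enforcement. Write the custody log and the manifest hash on paper (or print and initial them, as the FBI list suggests) at collection time; a hash that exists only on the same disk as the evidence proves little.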