Forensics and Investigations Work on IT Security Breaches

February 16th, 2008 Drazen Drazic Posted in Bad Stuff, Disclosure Laws, Dumb Security, Forensics, Risk Management, Vulnerability Management, Web Application Security, cyber crime

This is somewhat of a follow-on from BG’s last post, that came about from a conversation we were having about how much forensics and investigations work Securus Global actually did. To be honest, the answer was not much and I did not know of too many other organisations that did much either. The odd job here or there but nothing to sustain a dedicated business unit.

I’m not sure what it is like in other regions of the world, but the BG Ostrich RM 101 pretty much covers it and that is scary! (Obviously the banking sector is different but even then, some do it better than others in that sector).

This is nothing new. I’ve been ranting about this for a long time but things haven’t really changed much.


The facts are that most organisations don’t worry, care or want to know that something has, in all probability, already happened. Accountability scares people. Go to BG’s previous post.

We’ve thrown figures around before about the number of web applications that we test for the first time that are insecure, and most of them more than likely already compromised. The percentage of organisations who are interested to know whether they have been compromised, and to what extent, rates at about 1-5%. I don’t think these figures will surprise anyone in our industry, but it’s a wonder that the mainstream press doesn’t pick up on this stuff and ask questions. Maybe not; our industry, to outsiders, is still in the too-hard basket.

For most organisations, it’s a matter of only investigating when the trouble becomes known outside of the secret circle, so to speak (when/if they find out), and by then, well, we know it’s too late. The board starts to ask questions and all the guys that should have been on top of this in the first place (hell, it’s their job FFS) all of a sudden start to position themselves as future heroes and saviours of the organisation to ensure that this will never happen again. Sad, isn’t it?

So anyway, is anyone out there themselves doing a good deal of this type of work?

3 Responses to “Forensics and Investigations Work on IT Security Breaches”

  1. I have only worked alongside IBM Incident Response on a major scandal in a major mobile telco ;) I was very impressed with them and their results. Their Sec Intel and contacts/liaisons were impressive.
    On the flipside the client practised BG’s ORM, are still rooted and probably more rooted than they ever knew! Funny thing was the ‘incident’ opened up a prime vector into the incumbent outsourcer’s footprint also, i.e. our org. And our ORM-practising middle management still didn’t get the reputational risk regarding their “new” services business. Sheesh!

    How I’d wished I had some visibility/surveillance, numbers and graphs I could have thrown at them to cement our team’s status and build an IR component.

    I would request of all BrB readers to feed back here regarding what to measure and how? Maybe start with this from Metricon2 / Usenix:
    http://geer.tinho.net/usenix/measuringsecurity.tutorialv2.pdf

    I particularly enjoyed slide 15:

    • How secure am I?
    • Am I better off than this time last year?
    • Am I spending the right amount of $$?
    • How do I compare to my peers?
    • What risk transfer options do I have?

  2. D2, I know this one as you linked me to it a while ago. It is worth the read!

    Oh, the stories that could be told, but given my/our (SG) position, going beyond a “generic” story is just not possible. I just hope readers don’t assume I exaggerate. The truth is scarier. If I was able to tell some of the stories, some would assume they are so far-fetched that I was bullshitting. Seriously, you could not make up some of the stuff we have seen!

  3. Not much Draz. Pretty much the right call on this.
