By Tara McGraw Swaminatha
Your company is in crisis mode in the throes of a security incident response (IR). But you are calmly executing your well-honed IR plan − a plan you developed and tested during mock exercises over the past year. You are confident in your team’s ability to triage the incident and your technical security experts’ ability to stop the attack. You know you will return your company to its fully operational state as soon as possible.
One of the first steps in your IR plan is to convene an IR team meeting. You have an IR team email distribution list at the ready, which saves valuable time. You send a calendar invite to your IR Team for 2:00 – 3:00 PM ET with the conference dial-in number, code, and – because you are prepared – a single-use password just for this call.
Your executive team, IT and Information Security leads and other IR team members convene in your board room and dial in to your conference line from other locations. As you get ready for the meeting, here are some questions to ponder.
Do you mind if the attackers dial in to the conference call too?
If attackers have infiltrated your network, they may have access to company email and other communications methods, including your IR Team crisis response meeting calendar invite and your single-use password.
Do you mind if the attackers launch secondary attacks during the meeting?
If attackers know your best IT/IS staff are in a meeting, they may seize the opportunity to launch a second wave of attacks while your systems are not being monitored closely.
Do you mind if the attackers follow along with your IR Plan playbook?
If attackers have obtained a copy of your IR plan playbook, they will know where you are looking and – perhaps more importantly – where you aren’t looking.
PREVENT ATTACKERS FROM TRACKING YOUR INCIDENT RESPONSE ACTIVITIES
Attackers may seek to read or listen to IR team and executive team communications to learn about your company’s tailored tactical responses, your investigation and your efforts to stop their attack. Reduce the risk that this may happen. A robust IR plan should include communications techniques that operate outside regular company communication methods (so-called “off-band” communications methods). But do not include off-band communication methods information in your IR plan, in case attackers get hold of the plan. Prepare an ancillary document for a very limited team; do not widely publicize it in your organization or to an entire IR team.
HAVE OFF-BAND COMMUNICATIONS METHODS ON STANDBY
Companies should have off-band communication methods on standby for possible use during an actual or suspected security incident. Again: do not list the off-band email addresses in your IR plan in case attackers get hold of the plan. Prepare an ancillary document for a small subset of people; do not widely publicize it in your organization or to an entire IR team.
SELECT THE RIGHT OFF-BAND COMMUNICATION METHODS IN ADVANCE
Technical security experts who understand your company’s regular communication methods should advise you in determining the right off-band communication methods for your company. The examples listed below serve as a guide, but may not necessarily be right for each company. Off-band communication method choices should be both safe and usable. An extremely secure communications method is not an effective option if it is difficult to activate.
NOT ALL YOUR OFF-BAND COMMUNICATION METHODS ARE NECESSARY IN EVERY INCIDENT
During an actual or suspected security incident, technical security experts should determine which off-band communication methods to use based on the characteristics of the specific security incident at hand. Not all off-band communication methods will be required every time.
CONTINUE USING YOUR REGULAR COMMUNICATION METHODS
Keep using regular communication methods, such as your conventional email and instant messages. This will help you avoid tipping off attackers to the fact that your executives or IR team are using off-band communication methods.
OFF-BAND COMMUNICATION METHODS ARE SUBJECT TO LITIGATION HOLD REQUIREMENTS
As in any situation where litigation is possible, counsel will advise company on litigation hold requirements (i.e., not to destroy potential evidence) according to established protocols. Off-band communications would be subject to the same litigation hold requirements as regular company communication methods.
TYPES OF OFF-BAND COMMUNICATIONS: EMAIL, INTERNET, COMPUTERS, PHONES AND MESSAGING
Attackers may have access to email from a number of vectors, including direct access to email accounts on a company email server, or by having control over computers or other devices on which employees access company email accounts.
Attackers may intercept network traffic via wireless or wired networks.
Attackers may have compromised your laptops, desktops or other devices in addition to your systems and network. Even if an employee uses off-band email via an off-band Internet connection, if the employee’s laptop is compromised an attacker could still potentially monitor the employee’s communications on that compromised laptop.
Attackers may have compromised a company’s phone systems and mobile devices.
TEXT MESSAGING AND INSTANT MESSAGING
Attackers may have access to messages from a number of vectors, including direct access to a company messaging server, or by having control over mobile phones, computers or other devices on which employees send text messages or instant messages. Consult with technical security experts about these and other communications options.
Find out more about using off-band communication methods to protect your company during security incidents by contacting the author.
Published by DLA Piper LLP (US)Copyright © 2015 DLA Piper LLP (US)All Rights Reserved This bulletin is intended as a general overview and discussion of the subjects dealt with. It is not intended, and should not be used, as a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising. Circular 230 Notice: In compliance with US Treasury Regulations, please be advised that any tax advice given herein (or in any attachment) was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax penalties or (ii) promoting, marketing or recommending to another person any transaction or matter addressed herein. You are receiving this communication because you are a valued client or friend of DLA Piper. DLA Piper LLP (US) is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com. All rights reserved. To unsubscribe from this mailing list, reply to this message with REMOVE in the subject line.
For more information about LexisNexis products and solutions, connect with us through our corporate site.