Cybercrime Protocols and Practices Put the IoT Revolution at RiskGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-03-24T04:00:00Z<p>​Linking physical objects in the real world to the virtual world, enabling “anytime, anyplace, and anything” communication was once the stuff of science fiction. However, it is made real today with the Internet of Things (IoT), which is widely considered to be the next phase of the Internet revolution.​</p><p>Knowing this, it could be expected that the protocols and infrastructure supporting the IoT would be just as advanced—but this is not the case. Instead, the technology underpinning the IoT is straight out of the 1990s or early 2000s—more Sega Dreamcast than PlayStation 4.</p><p>It’s no surprise that the tech industry and the public are falling head-over-heels for the possibility to connect everything, from our toothbrushes to our city infrastructure, to the Internet. However, the more devices we connect, the more opportunities there are for cyber criminals. </p><p>By getting carried away by the opportunity technology brings, we are charging ahead without considering the risks and without securing the technology. Before organizations continue to connect devices to the network, there needs to be a secure foundation to build up from. </p><p>The fundamental standards, which IoT devices have to comply to, must be secure so no one device can be breached and used as an entry point for the whole system. In 2015, the U.S. Federal Trade Commission recommended that security be baked into devices from the beginning—not as an afterthought. </p><p>Yet research from HP in its Internet of Things Research Study showed that 70 percent of the commonly used IoT devices had severe security issues. And there are critical vulnerabilities at the very core of many IoT networks. </p><p><strong>Smart Homes and Buildings</strong><br>The trend of automated buildings and making homes smarter by leveraging the IoT to save energy, increase comfort, or add capabilities for remote monitoring and control is on the rise. However, there are issues with the development of smart buildings and homes.​</p><p>A smart home using home automation is likely to have IoT devices that cover the following areas:</p><p><strong>HVAC Control. </strong>Smart HVAC units control room temperature, as well as automated ventilation systems, which can be switched on to replenish clean air based on temperature, moisture, smoke, heat, dust, or carbon dioxide levels in the unit.</p><p><strong>Light Control.</strong> In conjunction with smart bulbs, these units can adjust lighting behavior according to the presence of people in a designated space. Smart lights can be automatically switched off when the unit is empty and dimmed when there is natural light.</p><p><strong>Smart Surveillance. </strong>Intelligent surveillance systems record activity in the smart home, allowing authorities to remotely monitor where individuals are inside.</p><p><strong>Smart Door Locks. </strong>Smart door locks can be opened or locked remotely by a user. They can also track people entering or leaving the premises, and can act upon this by notifying the inhabitants or authorities. Researchers have found fundamental flaws in this automation system that leave people at risk, such as hackers using simple attacks to open and unlock the doors.</p><p>These systems often utilize wireless IoT protocols, such as ZigBee and Zwave, which have become their greatest asset and their greatest weakness. Wireless networks are prone to jamming (attackers try to prevent sensors from contacting the central hub by blocking the signal), the communication can be eavesdropped on to gather secret keying material, and is vulnerable to replay attacks (attackers inject recorded packets, e.g. a “door open” command to a door lock, or a “no-motion” command to a motion sensor, into the communication destined for the connected device or sensor).</p><p><strong>The ZigBee Wireless Communication Standard</strong><br>ZigBee is a standard for personal area networks developed by the ZigBee Alliance, which includes companies like Samsung, Philips, Motorola, Texas Instruments, and many others. ​</p><p>ZigBee’s aim is to provide a low cost, low power consumption, two-way, reliable, wireless communication standard for short-range applications. ZigBee is used for: remote controls, input devices, home automation, healthcare, and smart energy.</p><p>Devices on a ZigBee network communicate using application profiles. Those profiles are agreements for messages, like a common alphabet and language, that enable developers to create an interoperable, distributed application employing application entities that reside on separate devices. If a manufacturer wants a device to be compatible with certified devices from other manufacturers, the device must implement the standard interfaces and practices of certain profiles, such as the Home Automation profile.</p><p>The Home Automation profile relies on secrecy of key material and secure initialization and transport of its encryption keys. Recent research by Cognosec shows that keys can be compromised by attackers by passively sniffing and using weaknesses in the standard. </p><p>Sniffing in this context is best described as passively eavesdropping on wireless communication. An attacker could compromise the key by either listening to the initial setup of the devices or by imitating a legitimate device trying to "rejoin" a network.</p><p>During this rejoin the attacker would pretend to have lost key material needed to communicate with the management hub and send an unencrypted rejoin request there. This causes the hub to send out new keys, a process that should be protected by another key. But, crucially, that key is publicly known. Ultimately using the approach an attacker could request the active encryption key on network level.</p><p>As the Home Automation profile covers devices from lights to HVAC systems and door locks, this compromise might lead to serious security issues. This security issue was shown by Cognosec during the DeepSec Conference in Vienna in 2015 by opening a Yale Door lock using ZigBee without having the proper key. Security vulnerabilities from this kind of compromise are made worse because the fallback mechanism is the standard has to be implemented by every vendor that wants to market certified devices.</p><p>To remain compatible with devices that have not been pre-configured or are unknown to a ZigBee network, a default fallback mechanism was implemented that is considered a critical risk.</p><p>This fallback is used if devices from different vendors are connected to each other initially, or new devices are joined to an existing ZigBee network and they have not been pre-configured in the same way.</p><p>A single smart home or building with vulnerabilities may not seem like a problem at first, but a network of smart buildings—or a smart city—being breached could prove to be disastrous.</p><p><strong>ZWave Wireless Communication Standard</strong><br>ZWave also stands on the forefront of the IoT revolution. It was designed in 2001 by Zen-Sys, which was later acquired by Sigma Systems. ​</p><p>The Zwave standard does not require encryption support, so one can safely assume that vendors will only implement the bare minimum needed to get their products to market. This makes ZWave networks vulnerable to replay and eavesdropping attacks.</p><p>Two security researchers—Joseph Hall and Ben Ramsey—showed that few IoT devices are using encryption, and for those that are used for critical applications—like door locks—security is an opt-in feature that has to be enabled by the user.</p><p>In a demonstration at the ShmooCon 2016 Security Conference, ZWave-controlled light bulbs were physically destroyed in less than 24 hours by an attacker who gained access to the ZWave network using openly available information and some technical know-how.</p><p>It should be noted, though, that starting on April 2, 2017, the ZWave Security Framework S2 will be mandated on all devices. However, this will not fix issues on the devices that are already on the market and in stock. Future security research on the S2 framework should be conducted.</p><p>Besides this threat, implementation errors have been found in the firmware controlling door locks that allow an attacker to control the lock and prevent it from reporting its state to a central controller unit.</p><p><strong>Connecting to the World</strong><br>The adoption of IoT technology and increased outside connectivity in critical infrastructure could pose more critical risks to the energy and water supply, as well as to industrial control systems. </p><p>Recent research from Germany conducted in 2016 by shows that the water supply infrastructure is vulnerable and could be controlled by hackers because it’s not properly secured against outside attacks. In this particular case, it was not the lack of a security feature or faulty implementations of a wireless protocol that made the system vulnerable. Instead, it was a software vendor used to manage Germany’s water supply plants that did not implement security, instead leaving security configurations up to the plants themselves.​​<br></p><p>This an example of a new threat to critical infrastructure as it evolves from closed to open systems. Historically, industrial control systems (ICS) were designed to operate on an isolated network to protect them from security threats. Well-established physical security measures and the need to be physically present to harm the system provided a decent level of security to the systems, even if their IT systems were not sufficiently secure.</p><p>Now, as more devices are connected to the Internet they are communicating to each other and forming huge networks with machine-to-machine communication. The result is a massive growth of the attack surface and an increase in the potential effect an attack could have. By making systems interoperable, as is the current trend with the IoT, hacking one device could open up a Pandora’s box of security breaches.</p><p>Another fact making this problem worse is that some software vendors used by critical infrastructure—like in Germany—delegate security to the customer; a customer that normally has neither the necessary awareness nor know-how to property implement the now open infrastructure as IT is not its core business.</p><p><strong>Conclusion</strong><br>Security issues affecting buildings, power, and water supply plants—or even door locks—have been around for years. Still, every few months new threats arise and the situation is worsened by adding network connectivity to devices that broaden the attack surface. ​</p><p>Security must be built-in to devices and configured to be the default, not the exception or the responsibility of the end-user. The U.S. National Institute of Standards and Technology released a publication on this issue in 2016, which called for assigning a level of trustworthiness to a device and applying security considerations to it from the very beginning. </p><p>By integrating security from the design phase to the product development and life-cycle management phase, instead of adding security features or monitoring hardware after the device has been purchased, devices will be more resilient against attacks than they are now. <br><br>Until we can resolve these issues, and create new, secure protocols, IoT hacks will increase exponentially in volume and severity.</p><p><em>Florian Eichelberger is an information systems auditor at Cognosec. </em><br></p>

Cybercrime Review: Hacked Again of the IoT Botnets Top Five Hacks From Mr. Robot—And How You Can Prevent Them the CEO’-Data-in-2014.aspx2016-09-22T04:00:00ZYahoo Confirms Hackers Stole at Least 500 Million Users' Data in 2014 Review: Cyber-Physical Attacks Trends Going Dark: A Conversation with the FBI Zero Review: Beyond Cybersecurity Invalidates users' Passwords in Response to 2012 Data Breach Review: @war: The Rise of the Military-Internet Complex Blind Stakes Cyber Chinese New Year’-System.aspx2016-01-11T05:00:00ZFormer Cardinals Official Pleads Guilty to Hacking Into Astros’ System Criminals Made $18 Million By Holding Our Data Hostage Digital Evidence Investigating St. Louis Cardinals for Hacking Astros Review: Investigating Internet Crimes

 You May Also Like... Trends<p>​<span style="line-height:1.5em;">The security industry changes daily. And it’s fair to say that cybersecurity is changing even more rapidly as new threats, new attack methods, and new technologies continuously emerge. This means that cybersecurity professionals need to stay up to date as the threat landscape rapidly evolves to ensure that they are ready to meet the challenges of modern- day data security. Here, we look at some of the major issues that these professionals will be tasked with over the course of the remaining year and heading into 2017.</span></p><p>Brexit. In a historic decision in June, the United Kingdom voted to leave the European Union (EU)—a decision commonly known as Brexit. Approximately 52 percent of the population voted to leave the EU, while 48 percent voted to remain—including all of Scotland and a large portion of the population in Northern Ireland.</p><p>While immediate concerns were focused on the economic upheaval, Brexit will also have an impact on data sharing and data privacy agreements that the United Kingdom was previously part of as a member of the EU and its digital single market.</p><p>One major area of regulation that will need to be ironed out is around the EU General Data Protection Regulation (GDPR), which is scheduled to go into effect in 2018. It creates new privacy rights for EU citizens and requirements for businesses that handle EU citizens’ data (for more on this, read “Cybersecurity” from our August issue).</p><p>When the United Kingdom exits the EU, Britain may no longer be subject to the GDPR and may have to adopt its own framework. </p><p>Furthermore, the EU and the United States had negotiated for months to create the Privacy Shield program, which was designed to replace the Safe Harbor agreement that was previously ruled invalid by the EU. The United Kingdom’s exit from the EU, however, means that it may not be covered by Privacy Shield—which went into effect earlier this year.</p><p>Brexit could also be the catalyst to create a different framework altogether, says Yorgen Edholm, CEO of Accellion, a private cloud solutions company based in the United States.</p><p>“The one EU effort we have looked at very carefully is the new Safe Harbor agreement—Privacy Shield,” Edholm says. “I think the United Kingdom can say, ‘We have two options; we’re going to piggyback off of what the EU is doing, or we’re going to do something else with the United States.’”</p><p><strong>Talent shortage</strong>. Another major concern related to Brexit is whether the United Kingdom will be able to recruit talented cybersecurity workers. A recent study highlighted the lack of “digital skills” among people in Britain, which has looked to the EU to recruit employees to fill the void, according to a report by the Science and Technology Committee that was presented to the House of Commons earlier this year.</p><p>“Removing a flow of talent and expertise from Europe could deprive U.K. tech companies of an essential ingredient for sustained growth,” the International Business Times reported before the Brexit referendum. “Additionally, given that Britain’s tech scene—especially in London—is quite multicultural, start-up founders worry that leaving the European Union will make it much harder to hire the best employees.”</p><p>And this is not just a U.K. problem. Globally, 94 percent of executives reported that they are having trouble finding skilled candidates for cybersecurity jobs, according to a recent survey by the Information Systems Audit and Control Association (ISACA). </p><p>This problem, which is not a new one, is unlikely to go away anytime soon. The 2015 (ISC)² Global Information Security Workforce Study projected that by 2020, there will be 1.5 million unfilled information security positions. </p><p>“Signs of strain within security operations due to workforce shortage are materializing,” the report explained. “Configuration mistakes and oversights, for example, were identified by the survey respondents as a material concern. Also, remediation time following system or data compromises is steadily getting longer.”</p><p>This, in turn, results in IT security professionals increasingly cornered into a reactionary role of identifying compromises and addressing security concerns as they arise, instead of proactively mitigating the contributing factors, according to the report.</p><p>To combat this, many information security departments are increasing expenditures on security tools and technologies, and for managed and professional security service providers to augment existing staff.</p><p>However, more needs to be done to attract qualified workers to the cybersecurity industry. One new effort to do this was announced by Cisco earlier this year. The company will invest $10 million in a Global Security Scholarship and make enhancements to its security certification portfolio to help close the industry skills gap. </p><p>“Many CEOs across the globe tell us their ability to innovate is hampered by their security concerns in the digital world,” said Jeanne Beliveau-Dunn, vice president and general manager of Cisco Services in a statement. “This creates a big future demand for skill sets that don’t exist at scale today. We developed this scholarship program to help jump-start the development of new talent.”</p><p>The scholarship is a two-year program that is designed in partnership with Cisco Authorized Learning Partners to address the critical skills deficit and provide on-the-job readiness needed to meet current and future challenges of network security, according to a press release. As part of the scholarship program, Cisco also plans to offer training, mentoring, and certifications that align with the job of an analyst in a security operations center.</p><p>Scholarship awards became available on August 1 and are available to applicants who meet certain qualifications until the end of July 2017. To be considered for a scholarship, applicants must be at least 18, proficient in English, and have basic competency in one area, such as three years of combined experience in approved U.S. military job roles or Windows expertise.</p><p>Part of Cisco’s efforts will also concentrate on diversifying the IT security workforce so it includes veterans, women, and those just at the start of their careers. Reaching this audience is critically important, says David Shearer, CEO of (ISC)².</p><p>“New young people are not coming into the workforce,” Shearer explains. “That’s not a one- or two-year fix. Only 6 percent of the industry is below the age of 30. That’s a train wreck.”</p><p>Instead, the median age for information security professionals is 42, and workers are 90 percent male. These individuals are working longer hours, which can create problems with burnout and may cause many to move into a different career path “because the grind of the pace of the work is too much.”</p><p><strong>Accountability. </strong>The talent shortage, paired with the rise of cyber incidents, is also placing additional pressure on IT and security executives to communicate actionable data to their boards of directors—or risk termination, a new report says.</p><p>Research of U.S. corporations by Bay Dynamics, a cyber risk analytics company, found that “59 percent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.”</p><p>This may be because boards are placing an ever-higher value on cybersecurity, with 89 percent of board members reporting that they are very involved in making cyber risk decisions for their organizations. </p><p>Twenty-six percent of board members also reported that cyber risks were their highest priority, while other risks, like financial, legal, regulatory, and competitive risks were termed “highest priority” by only 16 to 22 percent of surveyed members.</p><p>Coupled with that, the report found that 34 percent of board members indicated that they would provide warnings that improvements in reporting would need to be made before firing <span style="line-height:1.5em;">a</span><span style="line-height:1.5em;">n executive.</span></p><p>But the report also highlighted “significant contradictions, such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.”</p><p>Overall, however, the report shows that boards are engaged and holding IT and security executives accountable for reducing risk, said Ryan Stolte, chief technology officer at Bay Dynamics, in a statement.</p><p>“Companies are headed in the right direction when it comes to managing their cyber risk,” Stolte explained. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it. Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbooks and making decisions based on the same set of requirements.”</p><p><strong>Encryption. </strong>By the end of this year, 65 to 70 percent of Internet traffic will be encrypted in most markets, according to a report by Sandvine, an intelligent broadband networks company. This year, 2016, was a major milestone in the life of encryption as companies from Apple to Facebook to Twitter to cloud service providers to WhatsApp embraced encryption across the board.</p><p>However, this move has ramifications for corporate security, which can’t always see what’s happening in its network due to encrypted traffic, and for law enforcement as it loses its ability to gather certain kinds of digital evidence—an issue the FBI terms “Going Dark.”</p><p>“The issue for us is the inability to get access to digital evidence,” says Sasha Cohen O’Connell, the FBI chief policy advisor for science and technology. “This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.”</p><p>To combat this, the FBI has gone to court against private companies to demand access to encrypted data, such as when it filed suit against Apple to gain access to an iPhone 5c used by one of the San Bernardino, California, shooters.</p><p>It has also been encouraging companies to use a form of encryption it terms provider access—where, for example, the data is encrypted on a smartphone but the smartphone’s manufacturer has the key to decrypt that data if it’s served with a court order to do so.</p><p>This approach, however, has been met with criticism by technical experts who say that introducing that access point into encrypted data is making it vulnerable. </p><p>“Academically, they are correct,” O’Connell says. “Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that make sense to us, we’re still within a reasonable risk or what the market has accepted as a risk.”</p><p>For more on the FBI’s stance on encryption and Going Dark, visit Security Management’s website for an exclusive interview with O’Connell.  </p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Review: Cyber Security<p>​Routledge Group; 264 pages; $89.95.</p><p>An impressive compilation of methods that cybercriminals use to seize priceless information and finances from corporations and individuals appears in <em>Cyber Security: An Introduction for Non-Technical Managers</em>. Author Jeremy Swinfen Green provides practical and sound advice on how to minimize the risk and damage of these malicious attacks.  </p><p>Aimed squarely at nontechnical managers from any profession, the book contains an excellent list of topics that should be addressed with IT departments. The author suggests dozens of different ways to protect against detrimental attacks that can occur through any device that is either stolen or has Internet capability. Twenty chapters grouped into three major sections span subjects such as protecting classified and private information on all devices, techniques to use while traveling, how to respond to a breach incident, and a great deal more.</p><p>The material is presented in an easy-to-read manner. Case studies appear every few pages and bring all the information into perspective in a way that is both useful and enjoyable. This book would be a desirable addition to the libraries of managers both in and outside of the security industry.</p><p>--<br></p><p><em><strong>Reviewer: Julie Sanford i</strong>s a member of the ASIS Women in Security Council. She is account manager at Lions’ Gate Security Solutions in Omaha, Nebraska, and a veteran of the Sarpy County Sheriff’s Office in Papillion, Nebraska.</em></p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Cyber Incident Survival Guide<p>​<span style="line-height:1.5em;">The worst has happened. Someone hacked your company's network, stealing thousands of documents and compromising customer and employee data in the process. And you're not sure what else the hackers had access to, if they are still in your network, or who is responsible.</span></p><p>If your company hasn't prepared for a major cyber incident of this scope, this scenario can quickly become overwhelming as you attempt to work with law enforcement, deal with the media, and restore business operations.</p><p>With more than 2,100 confirmed data breaches in 2015 and almost 80,000 incidents, according to Verizon's 2015 Data Breach Investigations Report, developing an incident response plan for a cyber incident should be a top priority.</p><p>"Protecting your organization from a data breach could save your business tens of millions of dollars, and help maintain customer loyalty and shareholder confidence," the report explains. "Data security isn't something that should be left to the IT department. It's so important that it should matter to leaders, and indeed employees, from all functions."</p><p>To help security leaders plan for the worst and know what to expect in the aftermath, Security Management spoke with experts about their best practices for cyber incident response.</p><p> </p><p><strong>Before the Breach</strong></p><p>Just as a company has an incident response plan in case the building catches on fire and burns to the ground, it needs to have an incident response plan to handle a cyber incident before one actually occurs. </p><p><strong>Craft a plan.</strong> Gary Bahadur, senior director of FTI Consulting's Risk Management Practice, helps companies craft these plans on a regular basis. He suggests that organizations first think about how they are most likely to be attacked and who is most likely to be behind the attack. </p><p>For instance, banks that allow customers to conduct transactions online—say through an online banking portal—may be vulnerable to a breach through their Web applications. Or high-tech firms may be most concerned about an insider threat compromising their intellectual property. </p><p>"The first step is determining how we're going to be attacked and then figuring out what are the best controls and roadblocks to block the most likely scenarios," Bahadur explains.</p><p>From that point, companies can use the U.S. Department of Justice's (DOJ) Cybersecurity Unit's Best Practices for Victim Response and Reporting of Cyber Incidents guidance to craft an actionable incident response plan.</p><p>It suggests, at a minimum, identifying who has the lead responsibility for different elements of the company's cyber incident response, from decisions on public communications to information technology to implementation of security measures to resolving legal questions.</p><p>Companies should also determine how to contact critical personnel at any time, how to proceed if critical personnel are unreachable, and what mission-critical data, networks, or services should be prioritized for the greatest protection. </p><p>"All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident," the guidance says.</p><p>Completing this process is becoming especially important because a new legal standard is emerging as organizations develop a track record of reasonableness for assessment, planning, incident response, and recovery, says Ed McAndrew, partner in Ballard Spahr LLP's Privacy and Data Security Group and a former federal prosecutor.</p><p>"There's a new legal standard that is emerging where organizations need to employ reasonable data security standards to mitigate foreseeable risk," explains McAndrew, who is also a former DOJ national security cyber specialist. "Companies need to have appreciated the risk, attempted to manage the risk, and then have a plan for attempting to respond to these incidents."</p><p>After companies identify their low-hanging fruit and craft an incident response plan, Bahadur suggests creating a roadmap to analyze the likelihood of that particular attack and how to prevent it. Companies should also consider how they will create a long-term strategy that continues to adapt to new security challenges as new business functions are developed. </p><p>"You have to be able to grow your security organization and its functionality," he adds.</p><p><strong>Consider law enforcement.</strong> While companies are developing their incident response plans, they need to consider their relationship with local and national law enforcement.</p><p>McAndrew says there's a "real appetite in law enforcement" to develop relationships with the private sector when it comes to cybersecurity. This is because law enforcement understands that "effective investigation of cyber requires a level of trust and personal relationships between investigators and their counterparts inside organizations," he explains.</p><p>For this reason, the government has created a variety of outreach programs that target the private sector, including InfraGard, Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, and the U.S. Department of Homeland Security's new cybersecurity information sharing program.</p><p>"Joining these organizations and attending those outreach programs is a great and easy way to begin to build relationships" with law enforcement, something companies should do before a cyber incident occurs, McAndrew says. </p><p>Companies can also reach out to their local FBI office, because agents there are often willing to help companies conduct cybersecurity risk assessments, incident planning, and data security planning.</p><p>These relationships can also help companies know what to expect from their law enforcement partners, should a breach occur, says Mick Stawasz, deputy chief for computer crime and head of the DOJ Cybersecurity Unit. </p><p>"Before there's an event, we, the FBI, and other investigative agencies are trying to lay the groundwork so that there are relationships in place and an understanding of what may happen when we arrive," Stawasz explains. "We're out there doing events to try and tell people, when we show up, this is the type of information to have before an event."</p><p>For instance, he says that companies should think about what data they can share with law enforcement and what kind of access they will be willing to provide should an incident occur. This can help streamline the process of an incident investigation because companies won't be doing original legal research "while the clock is ticking," Stawasz says. "We really encourage people to think ahead of time because there are certain things we're going to want."</p><p>However, McAndrew says that while it's great to engage with law enforcement, companies should do so carefully. "You need to understand the levels of engagement, and the logistics where law enforcement can be helpful, but also where engaging them may result in an investigation," he adds. </p><p>To help companies navigate this area, McAndrew recommends relying on outside counsel with experience in cybersecurity</p><p><strong>Practice makes perfect.</strong> After companies outline their cyber incident response plans, they need to practice them to identify problem areas and ensure that they are effective.</p><p>Bahadur recommends conducting a tabletop exercise with all the key stakeholders in the room, including representatives from the C-suite, IT, public relations, legal, marketing, and even sales staff.</p><p>"People say that a cyber breach is an IT problem," he explains. "It's not...when a breach occurs we need our PR people. We need legal to discuss what the repercussions are for the industry we are in. And we need executive support, marketing, and sales because this could impact relationships with clients."</p><p>Leonard Bailey, special counsel for national security in the DOJ Computer Crime and Intellectual Property Section, agrees that practicing the incident response plan is important because it reinforces what people's roles are when an incident occurs, and allows companies to designate an alternate to fill those roles should the designated person not be available.</p><p> </p><p><strong>During the Breach</strong></p><p>Despite careful preparation and cyberattack prevention tactics, even "the best laid plans of mice and men often go awry," as Robert Burns wrote. But by remembering the following tips, companies can prevent a cyber incident from becoming a cyber crisis.</p><p><strong>Make an assessment.</strong> When companies identify a cyber incident, they should immediately make an assessment about the nature and scope of the incident, according to the DOJ guidance. </p><p>"In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch," the guidance explains. "The nature of the incident will determine the type of assistance an organization will need to address the incident and the damage and remedial efforts that may be required."</p><p>To identify the nature of an incident, companies can have systems administrators attempt to identify the affected computer systems, the origin of the incident, any malware used in connection with the incident, remote servers to which data was sent, and the identity of any other victim organizations.</p><p>The initial assessment should also document what users are currently logged on, what the current connections to the computer system are, what processes are running, and all open ports and their associated services and applications.</p><p>"Any communications (in particular, threats or extortionate demands) received by the organ­ization that might be related to the incident should also be preserved," the guidance explains. "Suspicious calls, e-mails, or other requests for information should be treated as part of the incident."</p><p><strong>Maintain evidence.</strong> Often, the first reaction when a company learns about a cyberattack is to do whatever it takes to stop the bleeding.</p><p>"The first thing companies do is unplug the device that's been hacked to stop the bleeding, potentially," Bahadur says. "But if you want to do forensic analysis—track the attack or report it—if you change the environment and erase a server that's been hacked, you're losing really valuable evidence."</p><p>To prevent evidence from being compromised, Bahadur says companies should follow good forensic practices—something most organizations struggle with. "Most companies don't handle chain of custody well," he adds. "They will literally screw up the whole process and tamper the evidence so badly."</p><p>Instead, companies should create a chain of custody for evidence and should have IT staff work with the legal department to ensure that technology is in place to maintain and preserve that evidence, says Patrick Dennis, CEO of Guidance Software.</p><p>"If you want to have an infrastructure in place that includes people, technology, and policies that can work with law enforcement and produce evidence, there has to be a program put in place beforehand to do that," he explains. "Otherwise, generally they will end up compromising some or all of that evidence."</p><p><strong>Notify law enforcement.</strong> Once an initial assessment has been made and evidence has been gathered, managers and other personnel within the organization should be notified following the protocols outlined in the cyber incident response plan. </p><p>Then, if the company suspects that criminal activity has taken place, it can consider notifying law enforcement. The FBI and the U.S. Secret Service conduct cyber investigations, and contacting law enforcement may prove beneficial for victim organizations, because law enforcement can use tools and methods typically not available to private companies.</p><p>"These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data," the DOJ guidance explains. "In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the company or to others, and other would-be cyber criminals may be deterred by such a conviction."</p><p>When it comes to reaching out to the FBI, McAndrew recommends that companies use their knowledge about the bureau because some agents are "true superstars" when it comes to cybersecurity. "Not all agents are created equal, just like not all lawyers are created equal," he jokes. </p><p>And in some cases, it may be better to have someone on the corporate legal team reach out to a U.S. Attorney's Office to use a lawyer-to-lawyer relationship. </p><p>"Speaking lawyer to lawyer can sometimes be more helpful," McAndrew says. "I know that if I get them interested in the matter, I won't have to cold call an FBI office I've never dealt with." </p><p>And everyone should be on the same page about what's happening to prevent information from falling through the cracks, or being inadvertently shared. </p><p>"Is the IT department the one that has the relationship with the FBI and is legal out of the picture?" McAndrew asks. "Is IT sharing information with­out legal's knowledge? Is senior management briefed and knowledgeable about what happens next when you begin interacting with law enforcement, and are they willing to do those things?"</p><p>Asking these questions—often ahead of time—will help companies simplify decision making if an incident occurs, he adds.</p><p><strong>Avoid pitfalls.</strong> While there are many actions companies should take following a cyber incident, the DOJ guidance explicitly urges companies not to use compromised systems to communicate. </p><p>"If the victim organization must use the compromised system to communicate, it should encrypt its communications," the guidance says. "To avoid becoming the victim of a social engineering attack, employees of the victim organization should not disclose incident-specific information to unknown communities inquiring about an incident without first verifying their identity."</p><p>The DOJ guidance also says com­panies should not hack into or damage another network following </p><p>a cyber incident. </p><p>"Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability," it explains. "Furthermore, many intrusions and attacks are launched from compromised systems. Consequently, 'hacking back' can damage or impair another innocent victim's system rather than the intruder's."</p><p> </p><p><strong>After the Breach</strong></p><p>Once companies have managed to stop the bleeding of a cyberattack, they may find themselves in court if the perpetrators of a breach are prosecuted. Because of this, Bailey and Stawasz explain that companies need to keep a potential court appearance in mind.</p><p><strong>Victim status.</strong> When a cyber incident happens, it's important for companies to remember that they are a victim of a crime, and that prosecutors should treat them as such, Stawasz says. </p><p>"We really are trying to help. We will work with them in the process of an investigation, and with luck a prosecution—of somebody—for what was done," he explains.</p><p>Stawasz also says that the DOJ is trying to do a better job of keeping companies informed of how the investigation and prosecution are proceeding. Companies have a right to be informed at various stages, such as before a case is resolved, when charges are brought, if a plea deal is made, and to appear to make a sentencing statement if an individual is convicted.</p><p>"We encourage them to make a statement to highlight for the public and the court the impact a cybercrime has on a victim," Stawasz explains.</p><p><strong>Remain vigilant.</strong> After a cyber incident has been resolved and appears to be under control, it's important for companies to remain vigilant in case of future attempts to breach their systems. </p><p>"It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which an intruder illicitly accessed the network," the DOJ guidance explains. "Continue to monitor your system for anomalous activity."​​​</p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465