Cybercrime War Games
2017-04-01, Megan Gates
<p>In the chaos of World War II, the U.S. Information Agency began a German radio broadcast to counter Nazi propaganda. The Voice of America (VOA) was designed to promote American values abroad, and after the end of the war, the United States enacted the Smith–Mundt Act to continue its broadcasts during peacetime.</p><p>During the Cold War, VOA took on a new target—Soviet propaganda—and concentrated its message on communist nations in eastern and central Europe. By 1953, VOA was broadcasting 3,200 programs in 40 languages every week.</p><p>And America was not alone. The Soviet Union soon began adopting similar technology, attempting to influence elections through radio broadcasts, campaign funding, and recruitment efforts. In the 1970s, for example, during a U.S. presidential race, the Soviet KGB recruited a U.S. Democratic party activist to report on Democrat Jimmy Carter’s campaign and foreign policy plans.</p><p>Fast-forward to the present, when influence is no longer restricted to radio broadcasts or recruiting covert agents; it’s now being conducted on social media by nation-states. In an unprecedented unclassified report, the U.S. intelligence community detailed Russia’s most recent efforts to influence the 2016 U.S. presidential election in favor of candidate and eventual president Donald Trump.</p><p>The report, crafted by the U.S. National Security Agency (NSA), the CIA, and the FBI, and released by the U.S. Office of the Director of National Intelligence, found that Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election.</p><p>Putin’s goals, according to the report, were to undermine public faith in the U.S. democratic process, denigrate Democratic candidate former U.S.
Secretary of State Hillary Clinton, and harm her electability and potential presidency.</p><p>“In trying to influence the U.S. election, we assess the Kremlin sought to advance its longstanding desire to undermine the U.S.-led liberal democratic order, the promotion of which Putin and other senior Russian leaders view as a threat to Russia and Putin’s regime,” the report explained.</p><p>To carry out this influence campaign, Russia used a messaging strategy that blended covert intelligence operations with overt efforts by Russian government agencies, state-funded media, third-party intermediaries, and paid social media users—known as trolls.</p><p>“The Kremlin’s campaign aimed at the U.S. election featured disclosures of data obtained through Russian cyber operations; intrusions into U.S. state and local electoral boards; and overt propaganda,” the report added. “Russian intelligence collection both informed and enabled the influence campaign.”</p><p>For instance, in July 2015 Russian intelligence organizations gained access to the U.S. Democratic National Committee’s (DNC’s) networks and maintained access to them until June 2016. Using this access, Russia’s General Staff Main Intelligence Directorate (GRU) compromised the personal email accounts of Democratic Party officials and political figures, including Clinton’s campaign chair, John Podesta. </p><p>Then, under the alias Guccifer 2.0, the GRU leaked those emails to and WikiLeaks, which shared information with RT—the Kremlin’s principal international propaganda outlet, which has more than 4 million Likes on Facebook and 2 million followers on Twitter. </p><p>“Russia’s state-run propaganda machine…contributed to the influence campaign by serving as a platform for Kremlin messaging to Russian and international audiences,” according to the report. “State-owned Russian media made increasingly favorable comments about President-elect Trump as the 2016 U.S. 
general and primary election campaigns progressed, while consistently offering negative coverage of Secretary Clinton.”</p><p>For instance, Russian media began to call Trump’s impending victory a “vindication of Putin’s advocacy of global populist movements” and the “latest example of Western liberalism’s collapse.”</p><p>Millions of people viewed these articles and shared them on social media, spreading them among U.S. voters. The U.S. intelligence community did not conduct opinion polls to see how Russian propaganda influenced voting behavior, said former Director of National Intelligence James Clapper in a Senate hearing. But he did reinforce the report’s assessment that Russia will apply lessons it learned from the campaign to future efforts to influence the United States and its allies.</p><p>And, because Americans elected Trump in the 2016 election, Russia is likely to view its influence campaign as a success and continue using similar methods to influence future elections.</p><p>“Putin’s public views of the disclosures suggest the Kremlin and the intelligence services will continue to consider using cyber-enabled disclosure operations because of their belief that these can accomplish Russian goals relatively easily without significant damage to Russian interests,” the report said.</p><p>Putin may hold this view because the United States responded to the influence campaign through targeted sanctions. One week before the U.S. intelligence community’s report was released, former U.S. President Barack Obama sanctioned two Russian intelligence services, four individual intelligence service officers, and three companies that provided material support to the Russian intelligence service’s cyber operations.</p><p>The U.S. Department of the Treasury also sanctioned two Russian individuals for using cyber-enabled means to misappropriate funds and steal personal identifying information. The U.S. 
Department of State also shut down two Russian compounds in Maryland and New York that were used by Russia for intelligence purposes, and declared 35 Russian intelligence operatives “persona non grata.”</p><p>“These actions are not the sum total of our response to Russia’s aggressive activities,” Obama said in a statement. “We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized.”</p><p>While some experts are not surprised by Russia’s actions, one expert has said he was surprised at Russia’s willingness to engage in a disruptive cyberattack against U.S. institutions.</p><p>Adam Segal, Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, published <em>The Hacked World Order</em> at the beginning of 2016, saying that he thought states on the periphery—Estonia, Georgia, and Ukraine—would conduct disruptive attacks on each other, but that major nation-states would not.</p><p>“Clearly, I underestimated the willingness of Russia to use disruptive attacks on the United States,” Segal said at an event hosted by the American Bar Association in January. “I never considered disruptive attacks on the United States focused on institutions, even though I thought those might be the most vulnerable to attacks in the future.”</p><p>Disruptive attacks, like the Russian influence campaign, will be a difficult area for the Trump administration moving forward, especially based on the U.S. response to the activity.</p><p>Segal, who had just returned from China before speaking at the event, said that the Chinese “seem to see no deterrent value” in the U.S. response to Russia and that the response needed to be stronger to send a clear message not just to Russia, but to other adversaries who might try something similar.</p><p>That message was further muddled when just weeks into Trump’s presidency, the U.S.
Department of the Treasury eased sanctions to end a ban on selling information technology products to Russia. The ban was originally put in place by Obama in 2015 in response to alleged “malicious cyber-enabled activities” by Russia’s security service in the U.S. electoral process.</p><p>Despite the deficient response to the disruptive attack, however, Segal said he still thinks that Russia and China are unlikely to use destructive cyberattacks against the United States—such as targeting critical infrastructure and causing damage—unless their national interests are threatened.</p><p>“The Chinese definition of core interests is unfortunately expanding,” Segal said. “But the Chinese know that the United States is going to attribute an attack to them, so they have to be ready for escalation.”</p><p> An escalation of destructive cyberattacks is something Leo Taddeo, former special agent in charge of the FBI’s New York Cybercrime Office and current CSO of Cryptzone, a network security and compliance software provider, says he sees happening in 2017. In an interview with <em>Security Management</em>, Taddeo says he sees nation-states—including the United States—taking a more aggressive position on international cybersecurity, leading to a cyber escalation between nation-states.</p><p>The U.S. public has an “appetite for more aggressive cyberactivity” and for “striking back” against those who conduct cyberattacks against American interests, according to Taddeo.</p><p>However, Taddeo says he is concerned that the U.S. private sector will be caught in the crossfire of this escalation involving the United States, Russia, China, and possibly Iran, when banks, power companies, and other critical infrastructure—largely controlled by the private sector in the United States—are targeted. </p><p>“The Russians don’t have that problem as much as the United States does because Russia is more autocratic,” Taddeo adds. 
“The private sector there doesn’t complain without permission from the regime and can tolerate more in a crisis.”</p><p>Those attack methods are also likely to trickle down to regional conflicts between nation-states with less cyber prowess, such as India and Pakistan. For instance, Taddeo says to look at the attack on the Bank of Bangladesh in 2016 when hackers stole $81 million.</p><p>“That type of attack may have been committed by a nation-state to obtain much needed cash resources or to embarrass a smaller state,” Taddeo says. “I think we’ll see more types of cyber conflict…some adopted by nation-states, some by super powers, but with all of these different tools becoming part of the arsenal.”</p><p>Taddeo adds that, with today’s technological advances and hacking services for hire, it doesn’t take a great deal of expertise to steal information and share it with organizations like WikiLeaks.</p><p>Either way, Taddeo says the “genie is out of the bottle” and actors and nation-states are now using cyber methods to conduct influence campaigns for strategic goals.</p><p>For the Kremlin, this includes gathering information and attempting to influence public—and government—opinion via social media in favor of Russia.</p><p>“Immediately after Election Day, we assess Russian intelligence began a spearphishing campaign targeting U.S. government employees and individuals associated with U.S. think tanks and NGOs in national security, defense, and foreign policy fields,” the U.S. intelligence report said. “This campaign could provide material for future influence efforts, as well as foreign intelligence collection on the incoming administration’s goals and plans.”</p>


Review: Hacked Again<p>Publishing; 202 pages; $34.95</p><p>If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, <em>Hacked Again</em> is a good resource to have in your library.</p><p>Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.</p><p>Another important concept is having systems in place to enable information access both as the data breach is occurring and afterwards. Most companies’ IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.</p><p>The abundance of personal information on social media is another concern of the author’s. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we’re never completely protected from a cyberattack.</p><p>Many cybersecurity books are more advanced, but Schober’s style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.</p><p>--</p><p><em><strong>Reviewer: Kevin Cassidy</strong> is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice.
He is a member of ASIS.</em><br></p>
Trends
<p>The security industry changes daily. And it’s fair to say that cybersecurity is changing even more rapidly as new threats, new attack methods, and new technologies continuously emerge. This means that cybersecurity professionals need to stay up to date as the threat landscape rapidly evolves to ensure that they are ready to meet the challenges of modern-day data security. Here, we look at some of the major issues that these professionals will be tasked with over the course of the remaining year and heading into 2017.</p><p><strong>Brexit.</strong> In a historic decision in June, the United Kingdom voted to leave the European Union (EU)—a decision commonly known as Brexit. Approximately 52 percent of the population voted to leave the EU, while 48 percent voted to remain—including all of Scotland and a large portion of the population in Northern Ireland.</p><p>While immediate concerns were focused on the economic upheaval, Brexit will also have an impact on data sharing and data privacy agreements that the United Kingdom was previously part of as a member of the EU and its digital single market.</p><p>One major area of regulation that will need to be ironed out is around the EU General Data Protection Regulation (GDPR), which is scheduled to go into effect in 2018. It creates new privacy rights for EU citizens and requirements for businesses that handle EU citizens’ data (for more on this, read “Cybersecurity” from our August issue).</p><p>When the United Kingdom exits the EU, Britain may no longer be subject to the GDPR and may have to adopt its own framework.
</p><p>Furthermore, the EU and the United States had negotiated for months to create the Privacy Shield program, which was designed to replace the Safe Harbor agreement that was previously ruled invalid by the EU. The United Kingdom’s exit from the EU, however, means that it may not be covered by Privacy Shield—which went into effect earlier this year.</p><p>Brexit could also be the catalyst to create a different framework altogether, says Yorgen Edholm, CEO of Accellion, a private cloud solutions company based in the United States.</p><p>“The one EU effort we have looked at very carefully is the new Safe Harbor agreement—Privacy Shield,” Edholm says. “I think the United Kingdom can say, ‘We have two options; we’re going to piggyback off of what the EU is doing, or we’re going to do something else with the United States.’”</p><p><strong>Talent shortage</strong>. Another major concern related to Brexit is whether the United Kingdom will be able to recruit talented cybersecurity workers. A recent study highlighted the lack of “digital skills” among people in Britain, which has looked to the EU to recruit employees to fill the void, according to a report by the Science and Technology Committee that was presented to the House of Commons earlier this year.</p><p>“Removing a flow of talent and expertise from Europe could deprive U.K. tech companies of an essential ingredient for sustained growth,” the International Business Times reported before the Brexit referendum. “Additionally, given that Britain’s tech scene—especially in London—is quite multicultural, start-up founders worry that leaving the European Union will make it much harder to hire the best employees.”</p><p>And this is not just a U.K. problem. Globally, 94 percent of executives reported that they are having trouble finding skilled candidates for cybersecurity jobs, according to a recent survey by the Information Systems Audit and Control Association (ISACA). 
</p><p>This problem, which is not a new one, is unlikely to go away anytime soon. The 2015 (ISC)² Global Information Security Workforce Study projected that by 2020, there will be 1.5 million unfilled information security positions. </p><p>“Signs of strain within security operations due to workforce shortage are materializing,” the report explained. “Configuration mistakes and oversights, for example, were identified by the survey respondents as a material concern. Also, remediation time following system or data compromises is steadily getting longer.”</p><p>This, in turn, results in IT security professionals increasingly cornered into a reactionary role of identifying compromises and addressing security concerns as they arise, instead of proactively mitigating the contributing factors, according to the report.</p><p>To combat this, many information security departments are increasing expenditures on security tools and technologies, and for managed and professional security service providers to augment existing staff.</p><p>However, more needs to be done to attract qualified workers to the cybersecurity industry. One new effort to do this was announced by Cisco earlier this year. The company will invest $10 million in a Global Security Scholarship and make enhancements to its security certification portfolio to help close the industry skills gap. </p><p>“Many CEOs across the globe tell us their ability to innovate is hampered by their security concerns in the digital world,” said Jeanne Beliveau-Dunn, vice president and general manager of Cisco Services in a statement. “This creates a big future demand for skill sets that don’t exist at scale today. 
We developed this scholarship program to help jump-start the development of new talent.”</p><p>The scholarship is a two-year program that is designed in partnership with Cisco Authorized Learning Partners to address the critical skills deficit and provide on-the-job readiness needed to meet current and future challenges of network security, according to a press release. As part of the scholarship program, Cisco also plans to offer training, mentoring, and certifications that align with the job of an analyst in a security operations center.</p><p>Scholarship awards became available on August 1 and are available to applicants who meet certain qualifications until the end of July 2017. To be considered for a scholarship, applicants must be at least 18, proficient in English, and have basic competency in one area, such as three years of combined experience in approved U.S. military job roles or Windows expertise.</p><p>Part of Cisco’s efforts will also concentrate on diversifying the IT security workforce so it includes veterans, women, and those just at the start of their careers. Reaching this audience is critically important, says David Shearer, CEO of (ISC)².</p><p>“New young people are not coming into the workforce,” Shearer explains. “That’s not a one- or two-year fix. Only 6 percent of the industry is below the age of 30. That’s a train wreck.”</p><p>Instead, the median age for information security professionals is 42, and workers are 90 percent male. These individuals are working longer hours, which can create problems with burnout and may cause many to move into a different career path “because the grind of the pace of the work is too much.”</p><p><strong>Accountability. </strong>The talent shortage, paired with the rise of cyber incidents, is also placing additional pressure on IT and security executives to communicate actionable data to their boards of directors—or risk termination, a new report says.</p><p>Research of U.S. 
corporations by Bay Dynamics, a cyber risk analytics company, found that “59 percent of board members say that one or more IT security executives will lose their job as a result of failing to provide useful, actionable information.”</p><p>This may be because boards are placing an ever-higher value on cybersecurity, with 89 percent of board members reporting that they are very involved in making cyber risk decisions for their organizations.</p><p>Twenty-six percent of board members also reported that cyber risks were their highest priority, while other risks, like financial, legal, regulatory, and competitive risks were termed “highest priority” by only 16 to 22 percent of surveyed members.</p><p>Coupled with that, the report found that 34 percent of board members indicated that they would provide warnings that improvements in reporting would need to be made before firing an executive.</p><p>But the report also highlighted “significant contradictions, such as while the majority (70 percent) of board members say they understand everything they’re being told by IT and security executives in their presentations, more than half believe the data presented is too technical.”</p><p>Overall, however, the report shows that boards are engaged and holding IT and security executives accountable for reducing risk, said Ryan Stolte, chief technology officer at Bay Dynamics, in a statement.</p><p>“Companies are headed in the right direction when it comes to managing their cyber risk,” Stolte explained. “However, more work needs to be done. Part of the problem is that board members are being educated about cyber risk by the same people (IT and security executives) who are tasked to measure and reduce it.
Companies need an objective, industry standard model for measuring cyber risk so that everyone is following the same playbooks and making decisions based on the same set of requirements.”</p><p><strong>Encryption. </strong>By the end of this year, 65 to 70 percent of Internet traffic will be encrypted in most markets, according to a report by Sandvine, an intelligent broadband networks company. This year, 2016, was a major milestone in the life of encryption as companies from Apple to Facebook to Twitter to cloud service providers to WhatsApp embraced encryption across the board.</p><p>However, this move has ramifications for corporate security, which can’t always see what’s happening in its network due to encrypted traffic, and for law enforcement as it loses its ability to gather certain kinds of digital evidence—an issue the FBI terms “Going Dark.”</p><p>“The issue for us is the inability to get access to digital evidence,” says Sasha Cohen O’Connell, the FBI chief policy advisor for science and technology. “This is not a situation where the U.S. Department of Justice is looking for new authorities; it is about exercising the authority we already have…and our inability to access content data, even with due process.”</p><p>To combat this, the FBI has gone to court against private companies to demand access to encrypted data, such as when it filed suit against Apple to gain access to an iPhone 5c used by one of the San Bernardino, California, shooters.</p><p>It has also been encouraging companies to use a form of encryption it terms provider access—where, for example, the data is encrypted on a smartphone but the smartphone’s manufacturer has the key to decrypt that data if it’s served with a court order to do so.</p><p>This approach, however, has been met with criticism by technical experts who say that introducing that access point into encrypted data is making it vulnerable. </p><p>“Academically, they are correct,” O’Connell says. 
“Any entry point, no matter how managed, does introduce vulnerability. Of course it does. But over in the real world, where we use real products every day that for convenience, for advertising, for spam tracking, for a thousand reasons that make sense to us, we’re still within a reasonable risk or what the market has accepted as a risk.”</p><p>For more on the FBI’s stance on encryption and Going Dark, visit Security Management’s website for an exclusive interview with O’Connell.</p>
Cyber Incident Survival Guide
<p>The worst has happened. Someone hacked your company's network, stealing thousands of documents and compromising customer and employee data in the process. And you're not sure what else the hackers had access to, if they are still in your network, or who is responsible.</p><p>If your company hasn't prepared for a major cyber incident of this scope, this scenario can quickly become overwhelming as you attempt to work with law enforcement, deal with the media, and restore business operations.</p><p>With more than 2,100 confirmed data breaches in 2015 and almost 80,000 incidents, according to Verizon's 2015 Data Breach Investigations Report, developing an incident response plan for a cyber incident should be a top priority.</p><p>"Protecting your organization from a data breach could save your business tens of millions of dollars, and help maintain customer loyalty and shareholder confidence," the report explains. "Data security isn't something that should be left to the IT department.
It's so important that it should matter to leaders, and indeed employees, from all functions."</p><p>To help security leaders plan for the worst and know what to expect in the aftermath, Security Management spoke with experts about their best practices for cyber incident response.</p><p><strong>Before the Breach</strong></p><p>Just as a company has an incident response plan in case the building catches on fire and burns to the ground, it needs to have an incident response plan to handle a cyber incident before one actually occurs.</p><p><strong>Craft a plan.</strong> Gary Bahadur, senior director of FTI Consulting's Risk Management Practice, helps companies craft these plans on a regular basis. He suggests that organizations first think about how they are most likely to be attacked and who is most likely to be behind the attack.</p><p>For instance, banks that allow customers to conduct transactions online—say through an online banking portal—may be vulnerable to a breach through their Web applications. Or high-tech firms may be most concerned about an insider threat compromising their intellectual property.</p><p>"The first step is determining how we're going to be attacked and then figuring out what are the best controls and roadblocks to block the most likely scenarios," Bahadur explains.</p><p>From that point, companies can use the U.S.
Department of Justice's (DOJ) Cybersecurity Unit's Best Practices for Victim Response and Reporting of Cyber Incidents guidance to craft an actionable incident response plan.</p><p>It suggests, at a minimum, identifying who has the lead responsibility for different elements of the company's cyber incident response, from decisions on public communications to information technology to implementation of security measures to resolving legal questions.</p><p>Companies should also determine how to contact critical personnel at any time, how to proceed if critical personnel are unreachable, and what mission-critical data, networks, or services should be prioritized for the greatest protection. </p><p>"All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident," the guidance says.</p><p>Completing this process is becoming especially important because a new legal standard is emerging as organizations develop a track record of reasonableness for assessment, planning, incident response, and recovery, says Ed McAndrew, partner in Ballard Spahr LLP's Privacy and Data Security Group and a former federal prosecutor.</p><p>"There's a new legal standard that is emerging where organizations need to employ reasonable data security standards to mitigate foreseeable risk," explains McAndrew, who is also a former DOJ national security cyber specialist. "Companies need to have appreciated the risk, attempted to manage the risk, and then have a plan for attempting to respond to these incidents."</p><p>After companies identify their low-hanging fruit and craft an incident response plan, Bahadur suggests creating a roadmap to analyze the likelihood of that particular attack and how to prevent it. 
Companies should also consider how they will create a long-term strategy that continues to adapt to new security challenges as new business functions are developed. </p><p>"You have to be able to grow your security organization and its functionality," he adds.</p><p><strong>Consider law enforcement.</strong> While companies are developing their incident response plans, they need to consider their relationship with local and national law enforcement.</p><p>McAndrew says there's a "real appetite in law enforcement" to develop relationships with the private sector when it comes to cybersecurity. This is because law enforcement understands that "effective investigation of cyber requires a level of trust and personal relationships between investigators and their counterparts inside organizations," he explains.</p><p>For this reason, the government has created a variety of outreach programs that target the private sector, including InfraGard, Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, and the U.S. Department of Homeland Security's new cybersecurity information sharing program.</p><p>"Joining these organizations and attending those outreach programs is a great and easy way to begin to build relationships" with law enforcement, something companies should do before a cyber incident occurs, McAndrew says. </p><p>Companies can also reach out to their local FBI office, because agents there are often willing to help companies conduct cybersecurity risk assessments, incident planning, and data security planning.</p><p>These relationships can also help companies know what to expect from their law enforcement partners, should a breach occur, says Mick Stawasz, deputy chief for computer crime and head of the DOJ Cybersecurity Unit. 
</p><p>"Before there's an event, we, the FBI, and other investigative agencies are trying to lay the groundwork so that there are relationships in place and an understanding of what may happen when we arrive," Stawasz explains. "We're out there doing events to try and tell people, when we show up, this is the type of information to have before an event."</p><p>For instance, he says that companies should think about what data they can share with law enforcement and what kind of access they will be willing to provide should an incident occur. This can help streamline the process of an incident investigation because companies won't be doing original legal research "while the clock is ticking," Stawasz says. "We really encourage people to think ahead of time because there are certain things we're going to want."</p><p>However, McAndrew says that while it's great to engage with law enforcement, companies should do so carefully. "You need to understand the levels of engagement, and the logistics where law enforcement can be helpful, but also where engaging them may result in an investigation," he adds.</p><p>To help companies navigate this area, McAndrew recommends relying on outside counsel with experience in cybersecurity.</p><p><strong>Practice makes perfect.</strong> After companies outline their cyber incident response plans, they need to practice them to identify problem areas and ensure that they are effective.</p><p>Bahadur recommends conducting a tabletop exercise with all the key stakeholders in the room, including representatives from the C-suite, IT, public relations, legal, marketing, and even sales staff.</p><p>"People say that a cyber breach is an IT problem," he explains. "It's not...when a breach occurs we need our PR people. We need legal to discuss what the repercussions are for the industry we are in.
And we need executive support, marketing, and sales because this could impact relationships with clients."</p><p>Leonard Bailey, special counsel for national security in the DOJ Computer Crime and Intellectual Property Section, agrees that practicing the incident response plan is important because it reinforces what people's roles are when an incident occurs, and allows companies to designate an alternate to fill those roles should the designated person not be available.</p><p> </p><p><strong>During the Breach</strong></p><p>Despite careful preparation and cyberattack prevention tactics, even "the best laid plans of mice and men often go awry," as Robert Burns wrote. But by remembering the following tips, companies can prevent a cyber incident from becoming a cyber crisis.</p><p><strong>Make an assessment.</strong> When companies identify a cyber incident, they should immediately make an assessment about the nature and scope of the incident, according to the DOJ guidance. </p><p>"In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch," the guidance explains. 
"The nature of the incident will determine the type of assistance an organization will need to address the incident and the damage and remedial efforts that may be required."</p><p>To identify the nature of an incident, companies can have systems administrators attempt to identify the affected computer systems, the origin of the incident, any malware used in connection with the incident, remote servers to which data was sent, and the identity of any other victim organizations.</p><p>The initial assessment should also document what users are currently logged on, what the current connections to the computer system are, what processes are running, and all open ports and their associated services and applications.</p><p>"Any communications (in particular, threats or extortionate demands) received by the organization that might be related to the incident should also be preserved," the guidance explains. "Suspicious calls, e-mails, or other requests for information should be treated as part of the incident."</p><p><strong>Maintain evidence.</strong> Often, the first reaction when a company learns about a cyberattack is to do whatever it takes to stop the bleeding.</p><p>"The first thing companies do is unplug the device that's been hacked to stop the bleeding, potentially," Bahadur says. "But if you want to do forensic analysis—track the attack or report it—if you change the environment and erase a server that's been hacked, you're losing really valuable evidence."</p><p>To prevent evidence from being compromised, Bahadur says companies should follow good forensic practices—something most organizations struggle with. "Most companies don't handle chain of custody well," he adds. 
"They will literally screw up the whole process and tamper with the evidence so badly."</p><p>Instead, companies should create a chain of custody for evidence and should have IT staff work with the legal department to ensure that technology is in place to maintain and preserve that evidence, says Patrick Dennis, CEO of Guidance Software.</p><p>"If you want to have an infrastructure in place that includes people, technology, and policies that can work with law enforcement and produce evidence, there has to be a program put in place beforehand to do that," he explains. "Otherwise, generally they will end up compromising some or all of that evidence."</p><p><strong>Notify law enforcement.</strong> Once an initial assessment has been made and evidence has been gathered, managers and other personnel within the organization should be notified following the protocols outlined in the cyber incident response plan. </p><p>Then, if the company suspects that criminal activity has taken place, it can consider notifying law enforcement. The FBI and the U.S. Secret Service conduct cyber investigations, and contacting law enforcement may prove beneficial for victim organizations, because law enforcement can use tools and methods typically not available to private companies.</p><p>"These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data," the DOJ guidance explains. "In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the company or to others, and other would-be cyber criminals may be deterred by such a conviction."</p><p>When it comes to reaching out to the FBI, McAndrew recommends that companies use their knowledge about the bureau because some agents are "true superstars" when it comes to cybersecurity. "Not all agents are created equal, just like not all lawyers are created equal," he jokes. 
</p><p>And in some cases, it may be better to have someone on the corporate legal team reach out to a U.S. Attorney's Office to use a lawyer-to-lawyer relationship. </p><p>"Speaking lawyer to lawyer can sometimes be more helpful," McAndrew says. "I know that if I get them interested in the matter, I won't have to cold call an FBI office I've never dealt with." </p><p>And everyone should be on the same page about what's happening to prevent information from falling through the cracks, or being inadvertently shared. </p><p>"Is the IT department the one that has the relationship with the FBI and is legal out of the picture?" McAndrew asks. "Is IT sharing information without legal's knowledge? Is senior management briefed and knowledgeable about what happens next when you begin interacting with law enforcement, and are they willing to do those things?"</p><p>Asking these questions—often ahead of time—will help companies simplify decision making if an incident occurs, he adds.</p><p><strong>Avoid pitfalls.</strong> While there are many actions companies should take following a cyber incident, the DOJ guidance explicitly urges companies not to use compromised systems to communicate. </p><p>"If the victim organization must use the compromised system to communicate, it should encrypt its communications," the guidance says. "To avoid becoming the victim of a social engineering attack, employees of the victim organization should not disclose incident-specific information to unknown communities inquiring about an incident without first verifying their identity."</p><p>The DOJ guidance also says companies should not hack into or damage another network following a cyber incident. </p><p>"Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability," it explains. "Furthermore, many intrusions and attacks are launched from compromised systems. 
Consequently, 'hacking back' can damage or impair another innocent victim's system rather than the intruder's."</p><p> </p><p><strong>After the Breach</strong></p><p>Once companies have managed to stop the bleeding of a cyberattack, they may find themselves in court if the perpetrators of a breach are prosecuted. Because of this, Bailey and Stawasz explain that companies need to keep a potential court appearance in mind.</p><p><strong>Victim status.</strong> When a cyber incident happens, it's important for companies to remember that they are a victim of a crime, and that prosecutors should treat them as such, Stawasz says. </p><p>"We really are trying to help. We will work with them in the process of an investigation, and with luck a prosecution—of somebody—for what was done," he explains.</p><p>Stawasz also says that the DOJ is trying to do a better job of keeping companies informed of how the investigation and prosecution are proceeding. Companies have a right to be informed at various stages, such as before a case is resolved, when charges are brought, if a plea deal is made, and to appear to make a sentencing statement if an individual is convicted.</p><p>"We encourage them to make a statement to highlight for the public and the court the impact a cybercrime has on a victim," Stawasz explains.</p><p><strong>Remain vigilant.</strong> After a cyber incident has been resolved and appears to be under control, it's important for companies to remain vigilant in case of future attempts to breach their systems. </p><p>"It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which an intruder illicitly accessed the network," the DOJ guidance explains. 
"Continue to monitor your system for anomalous activity."</p>
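As an added example (not from the article, the DOJ guidance, or any of the people quoted), the following Python script shows one way to apply the assessment and evidence-preservation steps above: it hashes the volatile-state artifacts an initial assessment collects (logged-on users, connections, processes, open ports, a preserved extortion e-mail) and keeps a hash-chained custody log, so that an altered artifact or an edited or deleted custody entry is detectable when the evidence is later handed to legal or law enforcement. The artifact names, sample contents, and actor names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts standing in for the volatile data an initial
# assessment captures (users, connections, processes, ports) and a preserved
# suspicious message; real collection would record command output instead.
SAMPLE_ARTIFACTS = {
    "logged_on_users.txt": b"svc-backup pts/0 2017-03-30 02:14 (10.0.5.22)\n",
    "connections.txt": b"tcp 10.0.5.22:49152 -> 203.0.113.7:443 ESTABLISHED\n",
    "processes.txt": b"PID 4471 svc-backup /tmp/.x/updater --quiet\n",
    "open_ports.txt": b"tcp 0.0.0.0:4444 LISTEN pid=4471\n",
    "extortion_email.eml": b"Subject: pay or we leak your data\n",
}
def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def _canonical_hash(obj) -> str:
    return _sha256(json.dumps(obj, sort_keys=True).encode())

def create_manifest(artifacts: dict, collector: str, when: str = None) -> dict:
    """Hash every artifact and open the custody log with a 'collected' entry."""
    manifest = {"artifacts": {n: _sha256(d) for n, d in artifacts.items()},
                "custody": []}
    return add_custody_event(manifest, "collected", collector, when)

def add_custody_event(manifest: dict, action: str, actor: str,
                      when: str = None) -> dict:
    """Append an event whose hash covers the previous entry (the artifact table
    for the first one), so editing or deleting an entry breaks later links."""
    when = when or datetime.now(timezone.utc).isoformat()
    log = manifest["custody"]
    prev = log[-1]["entry_hash"] if log else _canonical_hash(manifest["artifacts"])
    event = {"action": action, "actor": actor, "time": when, "prev": prev}
    event["entry_hash"] = _canonical_hash(event)
    log.append(event)
    return manifest

def verify(manifest: dict, artifacts: dict) -> list:
    """List problems: altered/missing artifacts first, then broken custody links."""
    problems = [f"artifact altered or missing: {name}"
                for name, digest in manifest["artifacts"].items()
                if _sha256(artifacts.get(name, b"")) != digest]
    expected_prev = _canonical_hash(manifest["artifacts"])
    for i, event in enumerate(manifest["custody"]):
        body = {k: v for k, v in event.items() if k != "entry_hash"}
        if event["prev"] != expected_prev or _canonical_hash(body) != event["entry_hash"]:
            problems.append(f"custody log broken at entry {i} ({event['action']})")
            break
        expected_prev = event["entry_hash"]
    return problems
```

The manifest is plain JSON-serialisable data, so it can be stored alongside the artifacts and re-verified by whoever receives them.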