April 20, 2009, 9:58 AM — Security experts say it all the time: If a company thinks it has suffered a data security breach, the key to getting at the truth unscathed is to have a response plan in place for what needs to be done and who needs to be in charge of certain tasks. And, as SANS Institute instructor Lenny Zeltser advised in CSOonline's recent How to Respond to an Unexpected IT Security Incident article, "ask lots and lots of questions" before making rash decisions.
Robert Fitzgerald, a Boston-based digital forensics investigator and president of The Lorenzi Group LLC, finds that at many of the companies he investigates, the words of Franklin D. Roosevelt ring true: The only thing [companies] have to fear is fear itself.
"People get nervous when we come in and it's a shame, because our job isn't to tear through and tell you how bad you are," Fitzgerald said. "We're not law enforcement."
But people get nervous anyway. So they do stupid things on purpose or by accident that lands the company in a heap of trouble. People who fear lawsuits or have something to hide tamper with evidence [Fitzgerald calls it "spoliation"] in ways that may seem clever -- overwriting files, reinstalling the operating system, loading a bunch of other data on discs and drives and them deleting them -- but are easily uncovered during an investigation.
To help companies avoid such madness, Fitzgerald recently sat down with CSOonline to outline five steps that can be taken to ensure a smooth investigation that ends with the company's reputation intact.
1. Have a response that's built for speed
When a company brings in Fitzgerald's crew, the goal is to move with all deliberate speed so the truth can be uncovered and corrective measures can be made. Nothing gets in the way of that like a company that has nothing ready when the investigators arrive. To that end, it's important straightaway to have such items on hand as the employee manual, rules for who can do what on work machines, office and personal e-mails and computer software and hardware.
"Data is fluid, it moves quickly, so we move quickly," he said. "If you call us this morning, we want to be there this morning. The longer you wait, the more likely evidence will get spoiled. When we make suggestions, in the presence of legal counsel, we'll make suggestions we think is best for you."
Don't hem and haw, Fitzgerald said. He and his team know what they're doing. "Many times we have cases where people waited and stuff goes missing. We'll ask for all computers and drives that were used and affected, and why you think those things were affected. It's important to have an idea of why a machine was infected," he said. "We'll want to see the employee manual. That will help us define the rules people work in. We'll need names and e-mails, work and personal, of any employees you suspect might be involved. Personal e-mail addresses you should have simply for emergency contacts. There are resumes and applications where this information can be found. We need this because personal e-mails can be used to move sensitive data out of the company gates."
2. Don't touch anything
In that moment of panic where the company suspects foul play, the urge to tamper with data can be irresistible. Sometimes data is spoiled by a malicious insider with something to hide. But many times the culprit is an honest person who accidentally destroys data in a panic or does the wrong thing before they realize what they're doing, because the fear has taken over.
Whatever the motive, Fitzgerald said the investigators will easily uncover what you've done.
"It's not worth it. You risk jail time if we discover you tried to destroy data," he said. "Regardless of whether you did anything wrong or not, if you tamper with data you're going to be in trouble."
He has had cases where someone took a 40-gigabyte hard drive and downloaded 10 movies onto it, then deleted them without destroying the hard drive. "People will purchase DVDs, download movies, as many as they can, then delete the movies and continue to step over the data. We can see the download data and dates, we can compare what's done online to what's done offline," he said.
People have tried to reload operating systems, but investigators can still see fragments of data such as dates that a download occured. "We can see that you knew a lawsuit was happening and you attempted spoliation," he said. "All we need it one fragment of data to see you tried to reload an OS. Judges and DAs have become more aware of these things happening, and they're starting to request evidence of these activities." (See How to Stay Out of the Penalty Box for an in-depth look at one person's attempt to cover his tracks, and the consequences.)
3. Bring in the lawyers
Company executives are often slow to bring in legal counsel. That's unfortunate, Fitzgerald said, because the lawyers are on your side and can help you construct a sound game plan to keep the company out of trouble.
"When you bring in lawyers, psychologically it makes the problem real," he said. "It's scary for executives who don't want to make it look like they're circling the wagons."
The best approach is to collect every bit of information that may be helpful, give it to legal counsel and let them piece together the story.
4. Decide if you want a "loud" or "silent" probe
Companies should decide at the beginning if they want investigators to come in with a bang or a whisper. The right approach depends on what a company thinks it's up against.
"When we come in companies have us either do it with guns drawn and blazing, equipment in bags and boxes wheeled in, looking like we're hunting for aliens, or they have us come in quietly in a way where no one knows we're even there," he said. If the company smells a rat, the loud approach could be used to rattle employees who might know something into coming clean.
"They want to make an example of the incident," Fitzgerald said. "They have a pretty good idea that it may have been an employee or team of employees leaving to work for a competitor. They want to show that they have control and power and that whoever tries to steal is going to get caught."
More often than not, the quiet approach is called for. Employees typically want to do the right thing, Fitzgerald said, and if his team is polite and friendly and set up shop in a conference room off to the side, the work is done in three hours and data is taken back to the lab.
"If someone is still with the organization, you want to go in quietly, at night and on weekends. They don't want to make a big thing of it until they know what they are dealing with and what the potential liability is."
5. Educate the employees
Fitzgerald said education is the best way to ensure people like him aren't needed in the first place.
"Educating employees is so important," he said. "If they know what they can and can't do and all the tech policies are in place, the potential for an incident drops dramatically."