Tuesday, January 11, 2011

Who do you trust?

[NOTE: This is a post I originally published on the Security Perspectives blog at Astaro, I am also posting it here to help spread the word.]

I was fortunate enough to attend several Security BSides events last fall, I saw a lot of good talks and engaged in several great conversations. Two talks, one at BSides in Dallas/Ft. Worth and one the following week in Ottawa touched on similar issues that really resonated with me. At the Dallas/Fort Worth event Nick Selby discussed his ideas for “Creating an Abstraction/Translation Layer Between InfoSec and Law Enforcement” (slide deck available here). In Ottawa, Adrien de Beaupré presented a talk on the need for CERTs or CIRTs in Canada (Computer Emergency Response Teams or Computer Incident Response Teams). Both talks spawned great conversations, some of which are still ongoing. While they are two different issues, the talks and discussions had some key similarities, especially around needing to know who to turn to for help, and the need to build relationships and trust before a crisis strikes.

Nick’s focus is on helping organizations communicate effectively with law enforcement when they suffer a breach or have other reasons to turn to law enforcement. Making the leap from traditional police work to investigating and prosecuting computer crime isn’t easy, and both sides of the conversation could often use some help- that is what Nick is trying to facilitate.

Adrien’s objective is more broad, he is trying to drive creation of a Canadian response team or teams to help organizations deal with a variety of computer incidents, and to foster information sharing.

At some level, both of these goals boil down to

“who do you call when things get ugly?”

which in turn really boils down to

“who do you trust?”

The time to ask (and more importantly, answer) these questions is not during a crisis. If you are in a large enterprise, internal security and incident response teams should already have contacts in the corporate legal office as well as in regional and national law enforcement. In smaller organizations, you may not have anyone who knows who to turn to if (when) something bad happens.

Where can you turn to start building your web of trust so you know who to call in a crisis? Every organization and situation may be different, but here are some suggestions.

1) Start with your existing personnel, ask who has resources and recommendations, and share the information. If your organization uses an external incident response company, ask them for advice.

2) Think about the groups and organizations you belong to (or should). Local ISSA, NAISG, InfraGard or other groups are great places to start this discussion. The groups may be Information Security related, or may be specific to your industry. You may also meet people at conferences or other industry events who can help you. Just make sure you solidify contacts before a problem happens, sending an email to a mail list trying to find “that guy I met in Las Vegas- we talked about data breaches” is not the best way to react to a crisis. Keep in mind that your organization’s management and legal counsel should be consulted before you take any action or set policies.

Don’t wait until you have a crisis to think about who you can turn to. And make sure others in your organization have the information, too- because emergencies may happen when you are not available.

Note: if you are interested in either of the projects mentioned above and you would like an introduction to either Nick Selby or Adrien de Beaupre, please send a message to me at jdaniel at astaro.com and I will be happy to connect you.