How To
5 Ways To Survive a Data Breach Investigation
When the digital forensics crew comes in to investigate a possible data breach, company execs often make matters worse by not being prepared. Here are five ways to keep it from happening to you.
By Bill Brenner, Senior Editor
Don't hem and haw, Fitzgerald said. He and his team know what they're doing. "Many times we have cases where people waited and stuff goes missing. We'll ask for all computers and drives that were used and affected, and why you think those things were affected. It's important to have an idea of why a machine was infected," he said. "We'll want to see the employee manual. That will help us define the rules people work in. We'll need names and e-mails, work and personal, of any employees you suspect might be involved. Personal e-mail addresses you should have simply for emergency contacts. There are resumes and applications where this information can be found. We need this because personal e-mails can be used to move sensitive data out of the company gates."
2. Don't touch anything
In that moment of panic where the company suspects foul play, the urge to tamper with data can be irresistible. Sometimes data is spoiled by a malicious insider with something to hide. But many times the culprit is an honest person who accidentally destroys data in a panic or does the wrong thing before they realize what they're doing, because the fear has taken over.
Whatever the motive, Fitzgerald said the investigators will easily uncover what you've done.
"It's not worth it. You risk jail time if we discover you tried to destroy data," he said. "Regardless of whether you did anything wrong or not, if you tamper with data you're going to be in trouble."
He has had cases where someone took a 40-gigabyte hard drive and downloaded 10 movies onto it, then deleted them without destroying the hard drive. "People will purchase DVDs, download movies, as many as they can, then delete the movies and continue to step over the data. We can see the download data and dates, we can compare what's done online to what's done offline," he said.
People have tried to reload operating systems, but investigators can still see fragments of data such as dates that a download occured. "We can see that you knew a lawsuit was happening and you attempted spoliation," he said. "All we need it one fragment of data to see you tried to reload an OS. Judges and DAs have become more aware of these things happening, and they're starting to request evidence of these activities." (See How to Stay Out of the Penalty Box for an in-depth look at one person's attempt to cover his tracks, and the consequences.)
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
