Security experts say it all the time: If a company thinks it has suffered a data security breach, the key to getting at the truth unscathed is to have a response plan in place for what needs to be done and who needs to be in charge of certain tasks. And, as SANS Institute instructor Lenny Zeltser advised in CSOonline's recent How to Respond to an Unexpected IT Security Incident article, "ask lots and lots of questions" before making rash decisions.
Unfortunately, many companies still fail to heed that advice and end up in a lot more trouble than was necessary.
Robert Fitzgerald, a Boston-based digital forensics investigator and president of The Lorenzi Group LLC, finds that at many of the companies he investigates, the words of Franklin D. Roosevelt ring true: The only thing [companies] have to fear is fear itself.
"People get nervous when we come in and it's a shame, because our job isn't to tear through and tell you how bad you are," Fitzgerald said. "We're not law enforcement."
But people get nervous anyway. So they do stupid things on purpose or by accident that lands the company in a heap of trouble. People who fear lawsuits or have something to hide tamper with evidence [Fitzgerald calls it "spoliation"] in ways that may seem clever -- overwriting files, reinstalling the operating system, loading a bunch of other data on discs and drives and them deleting them -- but are easily uncovered during an investigation.
To help companies avoid such madness, Fitzgerald recently sat down with CSOonline to outline five steps that can be taken to ensure a smooth investigation that ends with the company's reputation intact.
1. Have a response that's built for speed
When a company brings in Fitzgerald's crew, the goal is to move with all deliberate speed so the truth can be uncovered and corrective measures can be made. Nothing gets in the way of that like a company that has nothing ready when the investigators arrive. To that end, it's important straightaway to have such items on hand as the employee manual, rules for who can do what on work machines, office and personal e-mails and computer software and hardware.
"Data is fluid, it moves quickly, so we move quickly," he said. "If you call us this morning, we want to be there this morning. The longer you wait, the more likely evidence will get spoiled. When we make suggestions, in the presence of legal counsel, we'll make suggestions we think is best for you."