
June 2012

Incident Response Cheat Sheets

Colleague Lance Spitzner shared an interesting resource for Incident Response (IR) methodologies today and I'm paying it forward.

The CERT Societe Generale, in cooperation with SANS and Lenny Zeltser, offers a set of guidelines and practices that describe how an organization can respond to a variety of security incidents. Each of these operational best practices describes the order and actions to take if your organization falls victim to events that are becoming all too common: social engineering attack, data breach, worm infection, and more. CERT Societe Generale currently offers 15 such guidelines. All the guidelines follow a common methodology (shown at right).


While these "cheat sheets" are not sufficient to fully prepare you to respond to any incident, they will greatly simplify how you go about preparing your organization. Several of the guidelines point to other valuable resources to use when preparing your response or defining the actions you can take to identify, contain and recover from specific classes of incidents.

Take a few minutes to visit the site. I'm confident that if you browse at least one of these two-page worksheets, you'll download the entire package.

Are Your Data at Rest Also at Risk?

In a recent tweet (@securityskeptic), I offered a definition of "data at rest" in a social-media-driven society:

Data at rest are information waiting to be exfiltrated or disclosed without notice or consent.

Is this a spot-on assessment, or am I overly cynical?

Much of your data at rest are data you disclose or share, so judge my assertion by considering how large a portion of our increasingly mobile- and tech-enabled society shares seemingly every waking thought. Everything's in play: what food we eat, where we dine, our travel plans, the sports we play or watch, whom we like or despise, our workplace matters, projects, or research; our social engagements, personal health, medical advice, emotional states, and (intimate) relationships. Even information that is arguably not for play is at risk of disclosure, a consequence of mishandling or malicious (criminal) activities (exfiltration, exploits, or targeted extraction).

Many Internet users share spontaneously or frivolously. In some cases, users share because they can’t access content without doing so. In other cases, users share because they think they are only sharing with friends, family or colleagues. In social networking, sharing (disclosing) can be infectious (“he shared so I will”).

The problem with sharing

What you post to a social network has more permanence – and exposure to unintended use or misuse – than what you share in a face-to-face conversation. How often do you consider who processes or collects data that you share or why, where the data are stored or for how long? Do you think about the possibility that "your" data may be further shared by web sites that collect data? Many users are only now coming to realize that when all these data are coupled with location services or applications, they paint a detailed and elaborate picture of the intimate or sensitive aspects of who we are and how we live and behave.

As a test, look at your history of tweets, Facebook or Google+ postings, public and restricted. Nearly all of us voluntarily reveal a great deal more personal data than we imagine. But while we make it easy, we really aren't our own (or only) worst enemies.

Your data are more popular than you are

The extent to which bits and pieces of personal data are collected and shared for commercial purposes is alarming. If you have a virtual presence, virtually everyone wants to know everything about you. Worse, our willingness to share is creating markets for even more data. Moreover, the risk that personal data will be exfiltrated or disclosed as a result of a data breach can no longer be discounted or dismissed.

Every day, the same people who share without hesitation or discrimination express righteous indignation when they discover an app, service provider or vendor is collecting or sharing their life bits without notice or consent. But even a small sampling of evidence tells a different story:

We don't have the will to question why something is free. Example: mobile users are so consumed with the notion that "the Internet is free" that they hesitate to buy a registered version of an app for a paltry $.99 when they are offered a "supported by advertising" version. Few consumers consider what the app is collecting from a mobile device, how the collected data are used, and by whom.

We undervalue our personal data. Example: users concede to sharing or disclosing what they might in other circumstances consider private information because it's a precondition for joining a social network. The prevailing sentiment? Shoulder shrug, it's the cost of participation.

We are more trusting or naive in the virtual world than the physical world. Example: We’ll happily strike up a conversation with a Twitter account we follow or see in a retweet. Would we be as trusting if a fellow subway passenger inserted himself into a conversation we’re having with a colleague or friend? 

How do we correct course?

Don't think in terms of major course corrections. Instead, begin with these small measures:

Accept that “free” is not worth the hidden cost. Paying for a mobile app may “free” you from ads or tracking, and you may unlock more features.

Use social media, but do so with eyes wide open. Assume that no matter what privacy controls say, what you publish may be shared or disclosed (remember, privacy policies can be deceiving or may change, and legislation like CISPA may render such policies moot).

Review what you have already published on social networks. Look at the profiles and posts you've made. Where possible, take advantage of privacy settings. Delete or obfuscate personal data that reveals more about you than you are comfortable revealing.

When subscribing to a new social network, submit the barest minimum of information you need to create an account. For example, if you can create an account merely by identifying your country of residence or state, don't include your street address.

Separate personal and social network correspondence. Create a separate email account and use this as your designated point of contact with social media sites (and for correspondence). I know individuals who have separate email accounts for each social network (fredstwitteraccount@<emailservice>, mlbfacebook@<emailservice>...).

Small adjustments to behavior can be beneficial. The harder but sometimes wisest adjustment, however, is:

Walk away if you're not comfortable with terms or conditions of service, privacy policy, or treatment of data you disclose.