Why An Incident Response Program Is Critical

Do you have a written incident response program?

Do the people who are part of it – the outside legal team, crisis communications team, forensics team, for example – know they are part of it?

Are contracts signed with outside service providers – or, at least, have providers been periodically reviewed and a selected vendor already approved?

Has the team – both internal and external – conducted a mock disaster drill within the last 12 months?

Are the people answering the phones, email, chat and social media – from reception to help desk – trained in what to do when there is an inbound communication regarding a potential breach (you may remember the FBI called the Democratic National Committee several times last year to warn them, but the person who answered the phone thought it was a prank)?

All of this needs to be in place and ready to go so that when (not if) an event occurs, you are ready to spring into action.

Case in point.

One of our favorite white hat security researchers, Chris Vickery of Upguard, discovered a cache of voter information of Chicago residents unprotected on Amazon (does this ring a familiar bell – come on folks, let's get it together). 1.8 million voters. Names, addresses, birth dates, partial socials, driver's license numbers, etc.

He was able to associate it with a service provider to the City of Chicago, ES&S, and Chris notified them.

Setting aside the fact that, for some reason, someone at ES&S changed the default Amazon permissions from private to public – and I would certainly like to understand that – they otherwise handled the incident well.
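That private-to-public change is the kind of thing worth catching before a researcher does. As an added example that is not from the original post, and assuming the store was an Amazon S3 bucket whose ACL has the shape S3's GetBucketAcl returns (both sample ACLs below are constructed), here is a small Python check that flags grants to the public groups and so tells a default private bucket from one that was widened to public:

```python
# Added example (not from the post): flag S3 bucket ACL grants that expose a
# bucket to the world. Grant shape and group URIs follow what S3's
# GetBucketAcl returns; both sample ACLs below are constructed.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def public_grants(acl):
    """Return (who, permission) for each grant that widens access beyond named accounts."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def is_public(acl):
    """True if any grant goes to AllUsers or AuthenticatedUsers, whatever the permission."""
    return bool(public_grants(acl))


# Constructed: the S3 default for a new bucket, where only the owner has a grant.
PRIVATE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Constructed: the same bucket after someone added public READ, which lets
# anyone on the internet list the bucket's contents.
EXPOSED_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("private", PRIVATE_ACL), ("exposed", EXPOSED_ACL)):
        print(name, "PUBLIC" if is_public(acl) else "ok", public_grants(acl))
```

On a live account the same function runs over the dictionary boto3's `s3.get_bucket_acl(Bucket=...)` returns; bucket policies and the account's Block Public Access settings are a separate check, since they can open or close access independently of the ACL.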

Unlike at the DNC, which blew off the FBI, the email got to the right person. As a side note, if someone wanted to notify your company, how would they know who to contact? Is there information on your web site about what to do about security issues, for example?

While the details are still private, the results suggest they had a security incident response program. They quickly – even though they were notified after business hours – investigated the report, and within a few hours the data was gone from Amazon.

Their crisis communications team released information that the data that was breached was limited and that no vote data was compromised. They explained that it was an unprotected backup of a database, so the integrity of the vote process was intact.

They notified their customer, the Chicago Election Board.

Bottom line, they responded to a crisis quickly and worked to limit the damage.

I am sure that the City of Chicago will have more questions, but at least from the public side, they did what needed to be done and they did it quickly.

Can you say the same for your company?

Information for this post came from The Register.
