Preserving scene of cyber crime and reporting attacks helps beat hackers

Planning for IT security is one of the most important things you can do for your business. Roisin Kiberd looks at what's coming down the line for firms in the InfoSec sector

Roisin Kiberd

LinkedIn suffered a serious data breach when 117 million passwords were stolen

In internet years, 2012 is a long time ago, but it's not long enough to have your misdeeds forgotten.

On October 20, the US indicted a Russian hacker who had been arrested while travelling through the Czech Republic. Yevgeniy Aleksandrovich Nikulin was arrested in connection with the 2012 theft of 117 million LinkedIn passwords and login credentials, as well as attacks on Dropbox and the then-active Q&A site Formspring.

With a four-year gap between the 29-year-old's arrest and the original data breach, who would blame him for thinking he'd got away with it?

As it turns out, cyber investigation can be a bit of a slow burn. Successful operations can take years to complete, drawing on analysis of multiple attacks and information gathered from multiple victims. They might also cross borders - in this case, authorities in Europe and the US had been searching for Nikulin, waiting for him to set foot in a country where state agencies could cooperate and arrest him.

Brian Honan, owner and chief executive of BH Consulting

"That's what companies need to appreciate," said Brian Honan, owner and chief executive of BH Consulting.

"They may not get an immediate solution by engaging with law enforcement after a hack, but eventually the information they provide will be circulated and shared with the likes of Europol.

"Your observations might be the final piece of the puzzle which helps them catch a criminal." An internationally-recognised expert in Information Security, or InfoSec, and author of several books on the subject, Honan coaches organisations through the crucial stages of recovery after a hack, including how they report the incident to authorities.

Companies are often alerted to a breach by customers, law enforcement or even the hacker themselves, and will not suspect anything is wrong until it's too late. Honan also reported companies investing in security software only to fail to implement it properly. "It's like installing an expensive alarm system but not switching it on, then being surprised when you end up getting burgled," he said.

Even if 100pc protection from hacks is impossible, maintaining detailed logs of activity and access to your databases will help in the event of a breach. "One of the problems we often encounter is that companies destroy evidence accidentally, in their haste to recover their systems and find out what has gone wrong," Honan said.

"We're all familiar with crime films where, if you find a dead body, you don't touch anything. You never destroy the crime scene. You back away instead. But unfortunately media depictions of cyber crime will often show people typing away trying to fix the problem."

Instead, "keep calm" is the order of the day. Panicking will aggravate the problem, and trying in vain to fix an attack will complicate the work of investigators, ultimately doing more harm than good.
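Honan's advice amounts to a procedure: before anyone starts "fixing" a compromised machine, copy the logs somewhere safe and record hashes of the copies, so that what investigators eventually receive can be shown to be unaltered. The script below is an added example written for this article, not code from BH Consulting or anyone quoted here. It preserves a directory of log files into a read-only evidence folder with a SHA-256 manifest, then demonstrates that a later edit to a preserved copy is detected. The file names, paths and log lines (including the 203.0.113.7 address) are constructed for the example.

```python
"""Preserve log evidence before recovery work starts, and prove it was not altered.

Added example: copies every file under a log directory into an evidence
directory, makes the copies read-only, and writes MANIFEST.json with a
SHA-256 hash, size and original modification time per file. A later
verify pass re-hashes the copies and reports any that no longer match.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_dir: Path, evidence_dir: Path) -> dict:
    """Copy log_dir into evidence_dir (read-only) and return the manifest written alongside."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "source": str(log_dir), "files": {}}
    for src in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(log_dir).as_posix()
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)          # copy2 keeps the original timestamps
        os.chmod(dst, 0o444)            # read-only: the crime scene is not to be touched
        st = src.stat()
        manifest["files"][rel] = {"sha256": sha256_file(dst), "size": st.st_size,
                                  "mtime": st.st_mtime}
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_evidence(evidence_dir: Path) -> list:
    """Re-hash the preserved copies; return the names of any that differ from the manifest."""
    manifest = json.loads((evidence_dir / "MANIFEST.json").read_text())
    tampered = []
    for rel, rec in manifest["files"].items():
        p = evidence_dir / rel
        if not p.exists() or sha256_file(p) != rec["sha256"]:
            tampered.append(rel)
    return tampered


def run_demo() -> dict:
    """Build a constructed log tree, preserve it, then show that a later edit is caught."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    logs, evidence = work / "var_log", work / "evidence"
    (logs / "nginx").mkdir(parents=True)
    # Constructed sample log lines; 203.0.113.7 is a documentation address, not a real attacker.
    (logs / "auth.log").write_text(
        "Oct 20 03:14:07 web01 sshd[2112]: Accepted password for root from 203.0.113.7 port 51422\n")
    (logs / "nginx" / "access.log").write_text(
        '203.0.113.7 - - [20/Oct/2016:03:15:01 +0000] "GET /admin HTTP/1.1" 200 512\n')

    manifest = preserve_logs(logs, evidence)
    clean = verify_evidence(evidence)           # nothing touched yet: expect []

    # The mistake Honan describes: someone "tidies up" a preserved file in their haste to recover.
    target = evidence / "auth.log"
    os.chmod(target, 0o644)
    target.write_text("")
    after = verify_evidence(evidence)           # expect ["auth.log"]

    shutil.rmtree(work)
    return {"files": len(manifest["files"]), "clean": clean, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo()))
```

Run it as `python preserve_logs.py`; in real use, call `preserve_logs` with the live log directory and a destination on separate media, and keep MANIFEST.json with whatever is handed to investigators or law enforcement. The manifest does not stop a determined attacker who already controls the host from altering logs before collection; it only makes later accidental or deliberate changes to the collected copies detectable, which is exactly the "don't touch anything" problem the article describes.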

Honan stressed the importance of planning - not just a single plan in the event of any kind of hack, but multiple crisis management outcomes for different scenarios.

"There's no one protocol, or single 'stock' way to respond," said Honan. "Just make sure you'll have access to coping skills, either internally or from a third party, ranging from cyber investigation experts to PR, legal experts and a communications team.

"You'll all need to agree on which procedures to put in place, as well as which incidents you'll report to law enforcement and which ones you won't."

Faced with evolving malware threats, the only protection is to plan thoroughly in advance. "We're not interested in scaremongering," said Honan, "but most businesses are going to experience a security incident at some stage. It may be a minor breach, where only one machine gets a virus infection, or it may be a bigger issue; say one where your client database gets hacked.

"You need to be prepared for all these eventualities, and to respond in an appropriate manner."

Increasingly, this will have to include reporting the incident to authorities - most often the Data Protection Commissioner - in compliance with the GDPR (General Data Protection Regulation), which applies from May 2018. "The GDPR includes mandatory breach disclosure," said Honan. "If a breach impacts on the personal data of your customers or staff, you need to report it to authorities, and it will be up to them to decide whether to follow up with a criminal investigation.

"There's also the EU Network Information Security (NIS) directive, which is bringing in mandatory breach disclosure laws. Organisations deemed part of what's called the critical national infrastructure - utilities like gas, water, communications, air traffic, transport, finance and telecom providers - will have to report security breaches too."

Measures like the GDPR set out, in law, what organisations that hold other people's data owe them when something goes wrong.

Along with a speedy technical recovery, which consultants like Honan will help with, you have a duty to your peers, your customers and your business associates to report any incidents to law enforcement. Bigger companies are frequently compromised through attacks on the smaller firms they deal with, so an unreported breach at an SME can be the first step in an attack on someone else.

The market is booming for malware-as-a-service, which is evolving and becoming more accessible, forever one step ahead of the law.

"If companies don't report these crimes it makes life easier for the criminals, who are emboldened to go on and hack even bigger targets," Honan said.

"But if we report and respond, involving law enforcement as soon as possible, that sends a message to criminals that their heyday is coming to an end."