Security incident handling and dealing with law enforcement agencies

A security incident may draw the attention of law enforcement agencies. Here's how you can be prepared with appropriate security incident handling plans.

An incident is a security event that involves a violation. You can define an incident as a single attack or a group of attacks that can be distinguished from other attacks by traits such as attack method, attackers' identity, victims, sites, objectives and timing. Information security personnel must balance privacy and security concerns when handling security incidents. It is imperative that you deal with the concerns of stakeholders and law enforcement agencies (LEAs) as part of due diligence and legal obligations.

Generally, information security professionals choose their career out of an interest in the technology or out of a strong curiosity about matters beyond technology. Yet very few professionals understand the extent of the interaction with LEAs that security incident handling requires.

Privacy is the first consideration when it comes to security incident handling, and it forms a consistent and strong philosophy for information security. It is difficult to achieve privacy without security, but security without any privacy concerns results in ignoring the human angle of the intellectual legacy that the current world represents.

Security incident handling is sometimes done well, and in such cases the incident fades from memory over time. But some privacy breaches are lethal, and even one is one too many: once a breach occurs, the captured information can be reused any number of times, anytime and anywhere.

Certain questions arise in this context when it comes to security incident handling. In the corporate world, what if an employee compromises an important database of customers? What if an employee sends an obscene communication using the organization's servers or systems? What if there is an illegal server configured which distributes free music, videos, obscene material, copyrighted material and the like?

Human behaviour is the biggest risk in security (and consequently in security incident handling). What, how and when things will be misused depends on the individual involved, but because the onus of protecting the organization's infrastructure lies with the organization, the organization is indirectly liable for the act and has to face the repercussions.

Handy security incident handling checklist
  • Build an internal team that includes the CISO, systems administrator, and legal or compliance officer.
  • The legal or compliance officer should be accessible 24x7, and should be the point of contact.
  • Ideally, the CISO or the legal or compliance officer should be the spokesperson, if one is needed.
  • Have a specified data and information retention policy which complies with the law of the land.
  • Understand the organization's obligations with regard to non-disclosures, and confidentiality versus legality.
  • Cooperate with and assist the investigating officer in finding what they are looking for; understand how it will help them.
  • Internal controls and updated procedures should be in place.
  • Get a gap analysis done by a third party or an LEA to better understand your environment.

Understanding the magnitude and complexity of the problem will help you to develop a solid working relationship with the LEAs, while establishing a set of agreements, policies, procedures and security incident handling mechanisms will help you to:

i) Meet due diligence and legal obligations in your institutional or individual capacity when it comes to security incident handling.

ii) Ensure minimum interaction with and requests to and from LEAs.

iii) Protect the privacy of the individual or institution in case of a security incident.

Organization's responsibility
Let's assume your organization has the responsibility to meet a valid legal request made by an LEA. In a typical scenario, this means you have to find all the relevant information as it exists on an as-is basis within the parameters of your organization's environment and compliance policy. You do not have to reinvent or recreate the security incident scenario.

For example, assume a warrant is issued to search your premises. If your servers are not in a position to provide the details demanded, or if the data has not been collected or maintained by you, you are not responsible for modifying the environment to meet the request. Neither are you responsible for creating or building new systems to collect data that you would otherwise not gather at that particular point. However, if you ignore the means already available to you for obtaining relevant information about the security incident, you are not excused.

Security incident handling team
As a security professional, you may get drawn into an LEA investigation beyond your formal expertise or relevance. In these situations, your role is, and should be, restricted to providing the information required to comply with a court order or search warrant for legal documents.

To handle such requests, it is always advisable to have a team consisting of a security professional, legal representative and in-house compliance officer. A letter of authority should be obtained from the head of the organization to get involved in and work on the given incident.

A security professional can help with technical understanding and details. Meanwhile, a legal representative can guide you on procedural requirements and the interpretation of the warrant or documentation, as well as advise on deadlines, confidentiality and integrity. The security representative handles the collection of the actual information to be furnished, and advises on existing technological abilities and limitations.

Environment: Be aware
When it comes to security incident handling, you should be aware of things such as:
• How long are the logs retained?

• How long are the backups of your services kept? (Concentrate on email and file storage.)

• Who is responsible for IT within a department or building?

• How would you create a snapshot of a specific user's network file shares on an ongoing basis?
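
The last two questions above, how long logs are actually retained and how to snapshot a specific user's file share on an ongoing basis, can be turned into a repeatable check. The following is an added example, not code from the article or its author. It indexes every file under a share into a JSON manifest (relative path, size, mtime, SHA-256), compares two runs to show what changed between them, reports the age of the oldest file in a log directory, and hashes the manifest itself so it can be noted in the incident record. It never modifies the files it reads, which matches the "as-is" principle of only recording what already exists. The directory layout and file contents in `demo()` are constructed for illustration; the share and log paths are hypothetical.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

HASH_CHUNK = 1 << 20  # read files in 1 MiB chunks so large shares do not exhaust memory


def sha256_file(path: Path) -> str:
    """Hash a file without loading it whole; the file is only read, never modified."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(HASH_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record every regular file under root (relative path, size, mtime, SHA-256)."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():  # skip symlinks so we never follow links out of the share
            st = p.stat()
            files[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(p),
            }
    return {"root": str(root), "taken_at": int(time.time()), "files": files}


def diff_snapshots(old: dict, new: dict) -> dict:
    """Which files were added, removed, or changed (by hash) between two runs."""
    o, n = old["files"], new["files"]
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "changed": sorted(k for k in set(o) & set(n) if o[k]["sha256"] != n[k]["sha256"]),
    }


def oldest_file_age_days(log_dir: Path, now: Optional[float] = None) -> Optional[float]:
    """Age in days of the oldest file under log_dir: what retention actually delivers, not what the policy says."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime for p in Path(log_dir).rglob("*") if p.is_file()]
    if not mtimes:
        return None
    return (now - min(mtimes)) / 86400


def save_manifest(manifest: dict, out: Path) -> str:
    """Write the manifest as JSON and return the SHA-256 of the written bytes,
    so the manifest itself can be hashed and noted in the incident record."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(out).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Constructed demonstration on a temporary directory; no real share or logs are involved."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"  # stands in for a hypothetical user share such as /srv/shares/jdoe
        (share / "docs").mkdir(parents=True)
        (share / "docs" / "a.txt").write_text("hello")
        (share / "b.bin").write_bytes(b"\x00" * 10)
        # pretend b.bin is three days old to exercise the retention check
        now = time.time()
        os.utime(share / "b.bin", (now - 3 * 86400, now - 3 * 86400))
        first = snapshot(share)
        # simulate the user editing one file and adding another before the next scheduled run
        (share / "docs" / "a.txt").write_text("hello, changed")
        (share / "c.txt").write_text("new")
        second = snapshot(share)
        return {
            "first_count": len(first["files"]),
            "second_count": len(second["files"]),
            "a_sha256": first["files"]["docs/a.txt"]["sha256"],
            "delta": diff_snapshots(first, second),
            "oldest_days": oldest_file_age_days(share, now=now),
            "manifest_sha256": save_manifest(second, Path(tmp) / "manifest.json"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `snapshot()` on a schedule (for example from cron) and keep each manifest together with its returned hash; a copy of the share later handed to an investigator can then be verified file by file against the manifest taken at the time, and `diff_snapshots()` shows exactly what changed between two dates. The script only indexes files; it does not copy them, and it leaves the share untouched.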

LEA investigations can be taxing and disruptive if proper mechanisms are not in place. To sum up, the three basic steps in security incident handling are:

1) Planning and preparation.

2) Responding to incidents.

3) After-effects.

About the author: In his professional capacity, Vicky Shah provides consulting and advisory services for information security practices, information security awareness, research, corporate fraud investigations, incident handling and response, computer forensics services, cyber crime prevention methodology, and training. He can be contacted at [email protected]
