Security by Obscurity
According to Caston, DPI probably benefited from "security by obscurity" until now. After the attack, it's likely to have a bull's-eye on its network not long after the feds clear out.

"Having a plan in these situations makes all the difference," says Infidel's Bace. "It helps to think these things out before you're in a crisis." The intrusion plan should include creating an emergency response team, either in-house or contracted out, clarifying decision-making, and weighing options for various attack scenarios.

Bace also tells clients to take a "footprint" of their systems with software from a vendor like Tripwire. Taken during normal operation, this footprint of the network and its applications serves as a baseline for when things go awry. Ultimately, this snapshot helps project managers see what an attacker changed.

With the planning in place, analysts say responding to an intrusion is much like putting out a fire or working in an emergency room: analyze the problem, contain it with a short-term fix, eliminate the issue and then ultimately fix it. The main goal after an attack is to fix the problem and keep the business running, says Brady. That means cutting over to your disaster recovery plan or "cold" backups (offline mirror systems) to keep operations going.

But beware some short-term fixes. One big mistake is to patch the hole and move on; you could be sealing in malicious code. "Simply patching a system after it's hacked is analogous to letting a burglar in your house and then locking the door. If he's in, he's in," says Caston.

Consultants say the response depends on the situation. Typical first responses include disconnecting a compromised system from the network and changing passwords. Even those steps, however, can be complicated without forensic analysis done either in-house or through security consultants. "Unless you have absolute knowledge of how a hacker got in, you have to analyze everything on the network," says Caston.
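The "footprint" Bace describes is, at its core, a file-integrity baseline: hash every file while the system is known-good, then diff a fresh snapshot against it after an incident so responders can see exactly what changed rather than patching blind. The script below is an added illustration written for this article, not Tripwire's code or its database format; the directory layout, file names and "intruder" changes in `demo()` are constructed for the example.

```python
"""Added example: a minimal file-integrity "footprint" of a directory tree.

Commercial tools such as Tripwire do this at scale with a protected database,
scheduling and reporting; this from-scratch version shows only the core idea.
All paths and sample files below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def take_footprint(root):
    """Walk `root` and return {relative_path: sha256_hex} for every regular file.

    Symlinks are recorded by their target rather than followed, so a link that
    has been redirected shows up as a change instead of silently hashing
    whatever it now points at.
    """
    footprint = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                footprint[rel] = "symlink:" + os.readlink(full)
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            footprint[rel] = digest.hexdigest()
    return footprint


def compare_footprints(baseline, current):
    """Return the paths that were added, removed or modified since `baseline`."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small web tree, then alter it and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "cgi-bin", "checkout.cgi"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        with open(os.path.join(root, "httpd.conf"), "w") as f:
            f.write("Listen 80\n")
        with open(os.path.join(root, "access.log"), "w") as f:
            f.write("10.0.0.1 - - GET /checkout 200\n")  # constructed log line

        baseline = take_footprint(root)  # taken during normal operation

        # Later: a config edit, a file that was not there before, a deleted log.
        with open(os.path.join(root, "httpd.conf"), "a") as f:
            f.write("Include /tmp/extra.conf\n")
        with open(os.path.join(root, "cgi-bin", "unknown.cgi"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "access.log"))

        # The diff is the responder's starting list of what to examine and
        # clean, instead of just closing the entry point and moving on.
        return compare_footprints(baseline, take_footprint(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline must be stored somewhere the attacker cannot reach (read-only media or a separate host), since a footprint that can be rewritten after the fact proves nothing.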
More complications can depend on whether the law is involved. Conflicts in the DPI case could emerge because law enforcement's goal of preserving evidence can hold back the company's efforts to resume business. "Law enforcement has specific procedures and rules of custody and they are picky about sharing information," says Bace. "But they are getting better at collecting data in a way that doesn't affect operations."

After the immediate crisis passes, business leaders may choose to rejigger network architecture to prevent future attacks. Rubin suggests installing "honey pots" (repositories of fake data) to throw hackers off the trail, reconfiguring firewalls and separating databases that hold key information.

Once a company is confident its network is ready for business, executives have to go out and mend some fences. The attack on DPI resulted in added expense for other companies in the credit-card food chain. PNC Bank, based in Pittsburgh, decided to replace 10,000 active cards to allay customer worries, says PNC spokesman Brian Goerke. Goerke wouldn't reveal how much the new cards cost PNC, but Gartner estimates replacement cards run $35 each. "If you're smart and you make it, you come back up in a different environment," says Bace. "Then you need to talk about what steps you took to make damn sure this doesn't happen again."
The plans, or lack of them, that DPI had in place ahead of the attack will go a long way toward determining how quickly it'll recover. Executives need to prepare for a hack and map out plans and procedures before it even happens.