Computerworld - I've recently been working on an IT security incident response plan for a multinational financial services company. A good plan helps you respond calmly, carefully and quickly to a security breach. It covers how a breach is detected and analyzed, how the response work is managed and communicated, and how to learn from the breach and make sure it doesn't happen again.
My main problem with the evolving plan is that the more I think about it, the more people and departments I ask to be involved, which means more input must be included in any response. Even HR is in the picture.
One group that is not yet on the list of parties to call after a security breach -- but perhaps should be -- is the facilities team. That's because in my favorite security breach ever, it was the facilities team's pest-control skills that fingered the culprit.
I'd arrived at work to hear that $8 million in unauthorized trades had been executed on the foreign exchange markets at 3 a.m. The terminals that had been used had no access control, since speed is of the essence in that type of transaction. Any access control that slows down a response to a trade could lose us large amounts of money. The trader had failed to log out when he left. The traders know they should log out, but most resolutely ignore this, and they earn far too much money to be easily forced to comply.
We investigated everything: trading system logs, system logs for surrounding PCs, network traffic to those trading systems, cleaning personnel who had been nearby at the time, closed-circuit TV tapes -- the works. But nothing helped, until one of the facilities staff noticed mouse droppings on an adjacent desk. The only answer we could come up with was that a mouse had run across the trader's keyboard and pressed the button to accept an $8 million trade. In the end, the mouse was duly trapped by the facilities team, christened For-Ex Freddie and kept as a pet.
The worst bit about the investigation was that the $8 million worth of trades were backed out that morning by the dealers for a $4,000 profit, so when we asked the traders to stop this sort of thing from happening again, they just waved the profit figures in our face and laughed. But their terminals did get upgraded soon afterward to a model capable of time-delay log-outs.
Having several departments involved at some level can pay off in
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
