After the Hack
By Mary Beth Guard, BOL Guru


You discover your computer network has been violated. Once you recover from the shock and disbelief (which you'd better do quickly), it's time to take action and the actions you take should be carefully orchestrated in advance. This isn't something you can make up on the fly.

Determine ahead of time the priority and sequence of actions you will need to take. In other words, what should you do and when should you do it?

You have multiple goals. You need to protect sensitive information against further unauthorized access, dissemination or possible alteration. You need to guard against damage to systems. You need to assess the consequences of the breach and identify what the potential loss areas are.

To figure out where potential losses might arise, you need to know what accounts and what customers are affected. What type of information/data was obtained by the information thief?

Do you need to:
  • freeze the accounts?
  • close them?
  • monitor them?
What options do you have for flagging accounts or securing accounts? If you don't have the capability for monitoring accounts, you may need to close them, depending upon your perception of the risk of misuse.

If you need to monitor the accounts, do you have software that will automate the process? If not, how will you accomplish the task?

Once you have more information about the breach:
  • determine whether this breach is related to any other breaches;
  • figure out whether the breach is going on NOW, or is one that took place in the past and you are merely discovering evidence of it.
One of the first priorities must be to deny access to the information thief. Determine, if possible, the intruder's identity, or at least their origin. That will help clarify for you what direction you need to move to lock them out.

If the intruder is an insider (and in this category, I would include outside service providers who have access to your system), that means revoking file permissions, terminating passwords, retrieving physical files, eliminating their remote access privileges, changing locks, alarm codes, etc. Additionally, with proper legal process, law enforcement may seize files (digital or otherwise) in the possession of the person who, at this point, should be a former employee or former service provider.

You should have records of every system that individual could have access to and should systematically remove the person's access rights. Determine whether the individual could have obtained authentication information from other users and, if so, force a change in the authentication measures for those other users. If your users utilize key tokens, smart cards, or other physical access devices, take the access device away from the culprit.
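As an added illustration (not from the article), the following script derives that revocation checklist mechanically from an access inventory: every system the insider held rights on, which of those gave remote access, shared accounts whose password the insider knew, other users whose credentials the insider could have seen or reset (as an administrator or a co-holder of a shared account), and physical tokens to recover. All systems, user ids and token ids are constructed sample data.

```python
"""Build a revocation checklist for a terminated insider from an access inventory.
Added example with constructed sample data; not the article's or any vendor's code."""
from dataclasses import dataclass, field


@dataclass
class SystemRecord:
    name: str
    users: set                                         # user ids holding rights here
    admins: set = field(default_factory=set)           # can read/reset other users' credentials
    shared_accounts: dict = field(default_factory=dict)  # shared account -> users who know it
    remote_access: bool = False                        # system grants access from outside


# Constructed sample inventory (hypothetical systems and users).
INVENTORY = [
    SystemRecord("core-banking", users={"jdoe", "asmith", "rlee"}, admins={"jdoe"}),
    SystemRecord("vpn", users={"jdoe", "asmith"}, remote_access=True),
    SystemRecord("wire-room", users={"asmith", "rlee"},
                 shared_accounts={"wires-svc": {"asmith", "rlee"}}),
    SystemRecord("file-server", users={"jdoe", "rlee"},
                 shared_accounts={"scanner": {"jdoe", "rlee"}}),
]
TOKENS = {"jdoe": ["smart-card-0042"], "asmith": ["key-fob-0017"]}  # devices issued


def revocation_plan(insider, inventory=INVENTORY, tokens=TOKENS):
    plan = {"revoke": [], "remote_access": [], "reset_shared": [],
            "force_reset_users": set(), "recover_tokens": []}
    for s in inventory:
        if insider in s.users:
            plan["revoke"].append(s.name)             # remove the insider's own rights
            if s.remote_access:
                plan["remote_access"].append(s.name)  # cut remote paths first
        for acct, knowers in s.shared_accounts.items():
            if insider in knowers:                    # insider knew this shared password
                plan["reset_shared"].append(f"{s.name}:{acct}")
                plan["force_reset_users"] |= knowers - {insider}
        if insider in s.admins:                       # admin could have seen everyone's creds
            plan["force_reset_users"] |= s.users - {insider}
    plan["recover_tokens"] = tokens.get(insider, [])  # physical access devices to take back
    plan["force_reset_users"] = sorted(plan["force_reset_users"])
    return plan


if __name__ == "__main__":
    for k, v in revocation_plan("jdoe").items():
        print(f"{k}: {v}")
```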

If the problem is with a service provider, additional controls may need to be put on the service provider arrangement. If the breach is due to the service provider's negligence, you may want legal counsel to see if it would constitute a breach of contract sufficient to allow you to terminate the relationship.

If the intrusion was by an outsider, what you will do depends upon how they got in. If it is via computer, you may need to disconnect the affected system from the network and shut it down. If the intrusion is going on right now, that may not be the right course of action, because it may hurt the investigation and limit your chances of catching and prosecuting the offender. You may need to continue the operation to gather additional information. This is when it is vitally important to involve your regulator and law enforcement authorities.

You may need to shut down systems in order to buy the time you need to address the problem. Obviously, that shut-down may create problems of its own.

You may need to reconfigure your firewalls in the event of a computer intrusion. You must carefully consider the consequences of the reconfiguration.

Remember that if the vulnerability turns out to be unpatched software or an unpatched operating system, you need to follow your patch management program for testing the patch before implementation.

Containing and controlling the situation
The original proposal for response programs gave specific examples of the measures an institution might take in connection with computer intrusions. Those examples remain instructive, even though the final version of the response program guidelines, in some instances, does not mention them.

Consequences
Figure out the consequences (in advance) of taking any of your systems offline. For example, if you take your Internet banking system offline, you need to be able to post a message on your Web site apologizing to customers for the inconvenience and letting them know, if possible, when it will be back up. You will also need to inform your employees and call center staff, so they know how to respond to customer questions about online banking being down. You may wish to prepare a short script or Q&A guide for your employees. This can be done in advance as part of your response program planning. You don't have to wait until you have a critical incident that results in online banking going offline.

If online banking is taken down, what will the consequences be for any transfer the customer had just initiated from one account to another using online banking? Will taking the system down affect any online bill pays?

If the system you are shutting down is an online cash management system for business customers, how will that impact your business customers? How will you inform them and provide alternate means to meet their needs?

Let's say you need to shut down your internal network because you've discovered a worm or Trojan in the system. What processes will you need to be able to perform manually? To what extent will you be able to accurately determine customer balances? Should you set limits on transaction activity in the interim? What about ATM and debit card transactions?

Prioritize
Prioritize the order in which you will put systems back into operation. For example, if you disconnect your entire network from the Internet, you may bring email back online first, and file transfer protocol up after that. Or if you have to shut down certain systems in order to think through how to shut out a terminated employee, which ones are the most critical and need to be brought up most quickly?

You'll be able to utilize some of the planning you did for Y2K in the event you have to perform some normally automated tasks manually.

The steps you actually take to contain an intrusion and limit the actions of an intruder will depend upon what they're getting into and how they got in. For example, if a hacker is utilizing a dial-in modem to get into your system, disconnecting the modem from the telephone line will terminate the connection from your end. If the intruder is getting in over the Internet, disabling your Internet connection will do it. If a crooked janitor is stealing customer files from an unlocked desk drawer in your bank, move the files to a secure location, find the perpetrator, and make sure they can't get back into the bank.

Basically, you can construct a map that starts with a particular type of threat, indicates how it can be detected, spells out the consequences of the threat, and specifies the actions to take.

Who can do what?
You need to establish ahead of time what each team member's authority to act might be. For example, who has authority to call in a forensics expert? Who can make the call on disconnecting online banking? Prepare for the contingency of someone not being present and have backup persons for each task on your incident response list.

Getting Staff Up to Speed
A great training exercise is to dissect information breach situations that are in the news. Imagine that your institution was involved. Talk through the steps you would take and the timing. Just as importantly, examine the procedures and policies you have in place that might guard against a similar incident happening at your institution.

If marketing needs to be crafting a letter to customers, they need to know that. If the Web site expert needs to add a "temporarily down" message to your online banking, that should be figured out in advance. When an information security nightmare arises, you don't have time to start from scratch in handing out assignments and duties.

Train designated staff about your response policies and procedures.

Spell out who is responsible for what. Everyone should know his or her own role and responsibility and who is responsible for other areas they might need to interface with in addressing the information breach.

Law enforcement relationship
To maximize the effectiveness of your dealings with law enforcement, establish a relationship with the FBI and your local law enforcement cybercops in advance. Participate in InfraGard, if there is a local chapter. That's an excellent way to really get to know the experts and establish a rapport with them.

Obtain information from the FBI and local law enforcement about preserving the chain of custody for evidence. Ensure that your system and network administrators, intrusion response staff, and their managers are aware of this information. It's just like the aftermath of a robbery - if the right actions aren't taken immediately, important evidence can be destroyed.

Preservation of evidence
The type of evidence to be preserved will depend upon the nature of the breach.

Ask yourself what the evidence is likely to consist of.
  • If someone gained physical access to files and papers with customer information, fingerprints, surveillance tapes, logs showing alarm codes usage and similar evidence might be accessible.
  • If someone gained access through a computer system, the evidence will be very different. If it is someone who is an internal user on your system, then their footprints should be traceable through your application logs and other network administrator tools.
  • Evidence of computer-related crime can reside in various places - hard drives, temp directories, USB devices, keyloggers, firewall logs, Internet history files, even in RAM. A good hacker can leave in place modifications to the operating system that will systematically destroy evidence when common keystroke commands are used.
Because digital evidence is susceptible to alteration, either inadvertently or on purpose, expert help is required to preserve it. It's not a job for amateurs.

The Secret Service has a document on the Web titled "Best Practices for Seizing Electronic Evidence" that you should review: http://www.secretservice.gov/electronic_evidence.shtml

It even covers the basics: if the affected computer is off, don't turn it on; if it is on, photograph the screen, disconnect all power sources (unplug from the wall and from the back of the computer), and so on.

The same document addresses evidence that may be on fax machines, cell phones, smart cards and pagers. It also explains how to trace an Internet e-mail.

You may never suffer a breach, but you cannot afford to fail to be ready for one, should it occur.



First published on BankersOnline.com 7/14/05