Data Breach Investigation and Response – Dealing with the Emotions

Part of why I have been away from writing my blog as of late is I have just been swamped with computer crime investigations.  I have had the experience of investigating data breaches large and small, as a criminal investigator, and as a private computer examiner.  I think this has given me a unique perspective worth sharing.

It seems that every data breach produces a ton of emotion for a variety of reasons.  I am going to outline some of these emotions.  I think this is important for an investigator to understand because it has such an impact on these investigations.

Emotion 1)

The IT staff is going to feel very guilty about what happened, rightly or wrongly.  The finger is almost immediately pointed in their direction by management.  This comes in two forms.  One believing they must be involved because of course security couldn’t have been penetrated!  Secondly, they are responsible for the computers; so, it follows it is there fault.

Is it IT’s fault?  Maybe it is, maybe it isn’t.  I think the organization managers must stop and assess their responsibility first.  Was IT adequately staffed and trained?  Did management stress that security was important?  Was management willing to fund positions and hardware focused on security?  Did management demand ease of access over security?  Did you allow any middle manager in the organization to override IT and become local/ domain admins?  Did management provide for physical security of computer assets?

That is a lot of questions for management to ask, but I think that is where to start the assessment of whether to blame IT for the breach.

2) Emotion 2-

This is really going to hurt our business.  Maybe we can cover it up?

Not many business’ or involved decision makers are going to openly admit to this, but I think it goes on in almost all cases.  Even with individuals that are very morally motivated to always do the right thing.  There are two major reasons for these feelings.

a) It is going to hurt the business so badly financially and in public image, can the business even survive.

b) It is so damaging to the business, any manager involved has to wonder if they are going to lose their jobs (along with the IT staff).  So, you have the feeling of need to protect your job and indirectly those you support with that job.

3) Emotion 3-

A sense of helpless confusion and anger.  This comes in from a few sources.

a) Not understanding how it happened and where the organization went wrong.

b) Not having the training and experience in responding to a high tech crime incident.

c) Anger that you didn’t take the time to or didn’t know how to take steps that could have prevented the breach.

d) Anger at the person who lost the laptop, left it where it could be stolen, or at the IT admins who didn’t secure the system.

4) Emotion 4- Hopelessness and Fear

For the IT admin and managers they are used to being the decision makers and people who know the answers.  Now suddenly they are having to be the ones to ask for help and seek to understand what do now.  Not being used to this kind of situation, it is difficult to adjust to the new role/ situation.

I point this out not to be negative in any way to anyone.  I point these emotions out because if your company is the one involved in the data breach these emotions will be present in various shapes and intensities.  This is when one of my core rules of dealing with humans comes into effect.  It is one that I have seen over and over again in a 15 year law enforcement career.  You can’t accurately predict how any person is going to respond to a specific high stress situation.  So, be prepared for individuals to react in unexpected ways.

I further point the emotions out because as the investigator you will be dealing with them!  I think you will get a lot more honest and open responses to your investigative questions if you take the time to express an empathetic understanding of what the IT staff and managers are going through.  Just like a cop arriving on the scene of traumatic incident, the involved persons are looking for you to normalize there feelings and demonstrate that you understand and have empathy for their situation.

I know everyone is saying right now, “I thought this was a tech blog, not a psychology blog!”  It is, but I just have really found that understanding the above is the first skill in being a good responder to a data breach.  After all, there are PLENTY of blogs with a dry technical report on what happened!  Or maybe the 1-2-3 of which log files to grab.

I am going to follow this post up with some of the lessons learned and priorities of investigation.  For now, if you are reading my blog think about how you would express empathy and what you would say to the involved persons.  In any kind of investigation one of the first things to remember is: “Everyone is a person first with unique experiences, emotions, and perspectives on events.”

Good luck to you all, and do some good investigating!!

X-Ways Forensics RAID Recovery and Quick

I had a case recently where I had basically three hours  from hands on the computer to finding the evidence. If not the bad guy was going to get out of jail. To make things even more interesting the drives were in a RAID 0 configuration.

Well, I removed the drives, hooked them both to a forensic machine with Tableau write blockers. I fired up X-Ways forensics. I went into the feature to reassemble the RAID. After about 10 to 15 minutes of guessing raid striping size and header location settings, I was into the RAID. Thankfully the data was not hidden, deleted, encrypted or anything interesting like that.

I was able to quickly find the evidence in the case with supporting evidence to show personal possession/ knowledge. I still had enough time left to write arrest paperwork and drive to the jail.

Thanks to X-Ways and some quick work…. one more bad guy waiting for his day in court! 🙂

PicLens Photo Browser Software

I happened upon a FireFox add-on called PicLens. I have to say, “WOW!” It is an add on for Mozilla Firefox. It works with Google’s Picasa and image search, Flickr, Yahoo, and Facebook. I would assume they will be adding functionality for other sites also.

What it does, is create a nice photo slide show for images in these sites. For instance, my son is really into birds. I can do a Google image search for a specific bird. I then point at any of the image search results. I translucent play arrow appears in the corner of the photo. Click that arrow. A new window will appear. PicLens reaches out to all the various sites from the search result and grabs the full size photo. The really amazing thing happens though when you click the play arrow in the slide show view. It downloads all the search image results from various websites and plays them in a smooth slide show. Very, very cool for image browsing.

This free add-on is well worth the install!!

http://www.piclens.com/site/firefox/

Online Counseling and Mental Health Education (The Education is FREE too!)

I occasionally have someone find my site; looking for my wife for online counseling.  Here is a synopsis of what she and her site are about.

Dr-Is-In was created to provide online counseling to people in the convenience of their own homes. E-therapy or online counseling is not appropriate for everyone. Due to the fact that your e-therapist is unable to see you and do an adequate mental status exam, it is only ethical to do online counseling with people who are experiencing mild or moderate depression, anxiety, grief or addictions. Many people claim to be online therapists, but I encourage you to check their credentials to make sure they are licensed in their state or certified by the National Board for Certified Counselors or a similar counseling organization. Online counseling comes in many different forms as well: email, individual chat and group chat and asynchronous forums. Many people feel more comfortable talking openly in e-therapy than they do in traditional counseling. It is also cheaper–No travel expenses, no babysitter and your online counselor can offer services for less per hour because their overhead is significantly less. Online counseling with an licensed/certified professional is a medical expense and is therefore tax-deductible.

I have been providing online counseling and education online, face-to-face and via telephone for over a decade. During which time I have found that, although every patient is a bit different, there are certain basic principles that remain the same. . .
People are not going to be compliant with treatment (and won’t get better) if you use an approach that does not match their personality.

A small change in your way of thinking, way of feeling, social interactions, environment, physical activities and/or eating and sleeping habits will have big effects to help you get on your way. Rome wasn’t built in a day. Neither were your problems. Change will be gradual, but Hope goes a long way.

You can do one or two things really well or do a lot of things half-way. What we are after is quality change, not quantity. Work with your e-therapist to identify one or two interventions at a time. You will probably see that a lot of things change anyway. For example, when people start making a conscious effort not to hold on to anger and resentment, they usually find that they physically feel better, have more energy and start sleeping better which helps them have more patience, improved relationships (and support) and reduced anxiety and depression.

People choose the best/most rewarding course of action they can based on the tools they have at any point in time. This is the hardest part for most people to wrap their minds around, but it is the most basic principle of behavior modification. Even if, on the surface, the behavior seems counterproductive and hurtful, there are benefits. Until you identify those benefits and find other ways of reaping the same rewards, you will not change.

Most people find during their online counseling sessions that depression, anxiety, anger etc. revolves around six basic fears: loss of control, the unknown, rejection, isolation, failure (or success) and death. We do whatever we can to avoid these feelings and when we cannot avoid them, sometimes they consume us. Although you may not like to talk about feelings, we will talk about “triggers” for your problem and tools to deal with or eliminate them.

People see all the reasons why they “should” change, but often fail to take into account all the reasons they do not want to change. It goes back to that reward. What is the benefit of this behavior or feeling? What is it protecting me from or getting for me? If you try to take away that behavior and replace it with something that does not meet the same need with the same intensity, you will FAIL! It is kind of like replacing chocolate with celery when you go on a diet. It just doesn’t quite getcha there.

Please let me know about topics you would like to see added. I will respond to questions about e-therapy, mental health, parenting and wellness as quickly as possible. You are free to ask questions, but remember, the forums are not therapy and they are public. Be smart about protecting your identity etc. Additionally, I offer free online counseling whenever I am online. Visit our services page for more information.

All that being said, I look forward to a very productive relationship.
~Dr. Snipes

Hello world!

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

Phone: (615) 208-6565 1633 W. Main St, Suite 902, Lebanon, TN