Panellists at the recent cyber risk conference discussing incident response included Toronto Police Insp. Shawna Coxon, second left

Published: March 8th, 2017

In the urgency and confusion of a cyber breach calling the police may seem like one of the last things CISOs would have on their minds.

Among other reasons, few Canadian police departments advertise their cyber forensic capabilities and international reach the way the FBI does in the U.S. And many infosec pros assume it’s hard to find an attacker, who more than likely is running the operation thousands of kilometres away.

But while the first call when a breach has been detected may not be 911, the founder of Toronto Police’s computer crime section says calling police can be worthwhile.

Insp. Shawna Coxon, Toronto Police

“My feeling is there’s always value in calling police,” Insp. Shawna Coxon, now a member of the Toronto Police strategy management office, said during a panel at the annual International Cyber Security Risk Management conference in Toronto last week. “Just because someone is in another country doesn’t mean we can’t go after them.”

Canadian police have contacts around the world, and Canada has mutual legal assistance treaties with a number of countries that allow criminal investigations to be extended across borders.

While an organization might not be sure whether to involve local police, a provincial force or the RCMP, start locally, she advised. A good police force should be able to hand the case over to another when it recognizes the need.

Also, she said, a number of forces, including the RCMP and the Ontario Provincial Police (OPP), have recently been beefing up their cyber teams.

But, she added, management has to think carefully – and ideally long before an incident – about when to call. That’s because police may want to seize hard drives and computers for court evidence, while the enterprise wants to scrub systems for possible infection as part of business continuity. “So a lot of what you do for mitigation may destroy evidence we need to figure out who did this to you,” she said.

In theory, she noted, police have the right to take over the company and stop operations because it is a crime scene. In practice police understand an organization has to make a tough choice.

“What inevitably weighs out is the risk mitigation supersedes the evidence gathering strategies … unless you have a plan that accounts for both.”

What police may not appreciate, she suggested, is being called just so management can tell the public a law enforcement agency has been notified.

In an interview Coxon said reporting to police is important for several reasons. “One, to do with the company itself. Do they want to include a police response as part of a more robust response, do they want to go after who’s done this to them?

“I also don’t think people realize when an actor goes after one company it’s not the only attack. They’re looking at other targets as well, so the opportunity (for police) to look at how does this relate to what’s happening out there in terms of the larger cyber threat picture and what does that mean more broadly for Canada” is important. “From a crime prevention perspective it’s important to know. The investigation becomes intelligence-gathering even when it’s not successful.”

And, she added, Canadian police have had success getting other countries to convict perpetrators.

In an interview Kevvie Fowler, a partner in KPMG’s forensic advisory services, said whether to report will depend on the incident. For example, under Canadian law an organization has to report if a prohibited image is involved, such as the defacing of a Web site with child porn. An enterprise hit by extortion, fraud or a physical threat is also more likely to report.

Depending on the incident, police may want to walk out with servers, which means the IT department may have to image a system first for business continuity.
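As an added example, not from the article or any of the panellists, the POSIX shell functions below carry out the step Fowler describes: taking a verified image of a system before the hardware leaves with police, and recording the hashes so the copy’s integrity can later be demonstrated to investigators or a court. It assumes Linux with GNU coreutils (`dd`, `sha256sum`); the function names, log format and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): acquire a forensic image of a disk
# or device before remediation, and keep a custody record of its hashes.
# Assumes GNU coreutils on Linux. Function names and log format are
# constructed for this illustration.

# acquire_image SRC IMAGE LOG
#   Copies SRC (a block device or raw file) to IMAGE, hashes both, and
#   appends a timestamped custody record to LOG.
#   Returns 0 only if the image hash matches the source hash, so a
#   truncated or corrupted copy is caught before the original is wiped
#   or handed over.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    # Plain block copy; a numeric block size keeps the call portable.
    # A disk with read errors needs a dedicated tool (dc3dd, ddrescue)
    # because dd's padding options would change the hash of the copy.
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 2

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    # One tab-separated record per acquisition; the image hash is the
    # last field so verify_image can pull it back out later.
    printf '%s\tsource=%s\timage=%s\tsource_sha256=%s\timage_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" \
        >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
#   Re-hashes IMAGE and compares it with the most recent hash recorded
#   for it in LOG. Returns 0 if unchanged, 1 if it no longer matches,
#   2 if the log has no record of that image.
verify_image() {
    img="$1"; log="$2"
    expected=$(grep -F -- "image=$img" "$log" | tail -n 1 | sed 's/.*image_sha256=//')
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}
```

In use, `acquire_image /dev/sdb /evidence/sdb.img /evidence/custody.log` is run before any cleanup, and `verify_image /evidence/sdb.img /evidence/custody.log` is run whenever the image changes hands; the log line, not the script, is what gets handed to investigators alongside the media.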

“What we tell customers is as part of an incident response plan you should consider who will report and when,” he said.

Coxon was part of a panel discussing how an enterprise should respond to a cyber incident.

She also stressed to the conference the importance not only of having an incident response plan but of regularly testing and updating it. “The key part we’ve seen frequently is that even when there is a plan people never run it. People outside IT don’t know what their role is … don’t know who to call and what to do.”

In one case in which Toronto police were involved, the incident response commander everyone was supposed to turn to was on vacation, with no one designated to take over in his absence.

Organizations also have to remember that soon the federal government’s mandatory breach notification regulations will come into force.

“Be honest about your vulnerabilities” in planning, she added. “Lots of organizations don’t want to do that, and when the cracks appear it becomes bigger than it needs to be.”

Michael Kygier, a principal consultant at Mandiant Canada’s consulting practice, said an incident response plan includes a list of phone numbers for key contacts (including the company lawyer) and a media and customer communications plan. Staff, he added, must know how to scope the extent of the incident, because understanding the scope will drive the company’s media, regulatory and other responses.

Peter Tran, head of RSA’s worldwide advanced cyber defence practice, noted that in an era of cloud and mobile computing, early detection of an incident is vital – and reduces the risk of data loss.