How to handle a security incident

Or: Coping with the Human Bug

If you work in IT, just like me, every now and then you stumble into something, you shouldn’t have. Most of the times this happens because someone has given you temporary access with too many privileges. 9 out of 10 times this is for convenience. And it is wrong.

I work with Internet infrastructure. I design, install, configure and test components, which provide access to personal or privileged data to clients through a browser. The ‘simplest’ example is Internet banking. I work with the complex technology which makes this possible.

Creating changes in these kinds of infrastructures needs to be done in a secure, controlled manner. And sometimes I will find a leak or error. This is something to report. Most companies have a security office(r) and a procedure to handle this. I have reported my share of security incidents in my career.

I cannot deny that most real findings give you some feelings of triumph. It is – after all – a sign of understanding the technology and the knowledge that you can detect such problems as a professional. But most of these incidents also create a negative feeling and create a sense of distrust or even paranoia. And you will probably tell on a colleague.

Precisely that it why you should gather the information meticulously and thoroughly. If you point-and-tell, you’d better be right. It is just like finding a bug, but this time you have found a human bug.

The first thing is to convince yourself why this is wrong. And write it down. The next thing is to write a report to the security officer explaining what you have found and what you exactly did to stumble upon this. It should be repeatable. Most likely you should mention again in simple terms why you consider this to be a problem, without drawing conclusions. It is – after all – an incident. No matter how big you feel it is.

You should be able to ‘close the loop’ as well: You can do step one, which leads to step two, which … etc. So if you gain access to classified information, be sure you can repeat ALL steps of the process and do not leave a bit out.

Be sure that you did not cross a line. Hacking and breaking into computer systems other than your own, are illegal actions. You should have been granted access for a specific task and you were able to ‘hop on’ or access something you shouldn’t.

The important part is to make neutral statements in your report. It starts by writing down what you were doing and why you were doing that. Then describe your finding and why this should not happen.

And if you find something, you’d better start shaking the biggest trees first. No one cares if you had access to a shared drive if there are only printer drivers on it. They will care if you got access to a financial system, clients data or HR related information. You just get some more attention and it is more likely that they will deal with the problem.

Mistakes are made and that is not a problem. The trick is to fix them and learn from them. And not make them again.

So if you are confronted with a security incident you need to repair. Don’t be angry or negative. It happens to anyone that they oversee something. IT is hard. Fix it and learn from it. Try to learn why it happened in the first place. The most obvious answer to the “how and why” is often convenience.

A final tip from me: before reporting the incident in writing, talk to the security officer about the incident and ask for instructions. They are willing to help out.

Leave a Reply