Assessing Incident Severity
Assessing the severity of a breach is impossible if the IRT does not understand the affected systems or the data they contain. Most administrators recognize that a situation is serious when personal or credit card information has been lost. The harder part is understanding the value of business data whose sensitivity is less obvious than that of credit card or Social Security numbers. Usually, that value is established by speaking to the data owners directly. Another source is the business continuity plan, which addresses the different types of data the organization holds and their associated sensitivity. Quantifying the risk and value of data across the different parts of the organization should happen proactively, not reactively once the IRT has been engaged. Mature organizations take the time to develop a proper business continuity plan that sits within their overall risk management strategy.
How do you assess the severity of a breach? There are a few quantifiable factors that investigators can use:
Number of records stolen
Number of customers affected
Number of geographical regions affected
Difficulty of acquiring stolen data
Difficulty of breach containment
Difficulty of securing the affected systems
These high-level factors help put a dollar figure on the incident, which is part of determining how large a breach was. However, you must look beyond record counts and other raw numbers to judge the true extent of a breach. The 2014 attack on Sony Pictures affected a relatively small number of records but had extremely wide implications at the time: the attack contributed to Sony's decision to forgo the wide theatrical release of the movie The Interview, which may have cost the company millions of dollars.
As a cyber forensics investigator, you will likely need to understand what type of information may have been accessed during an incident and the potential value of that information. You will then need to determine whether the data was actually exfiltrated, not merely accessed. Once you have made that determination, you will need to report your findings to one or more parties.