Incident Response: Choose Right Words

Make Sure Message Meets Customer's Needs - Not the Attacker's

October 2, 2012.

A denial of service attack may pose less immediate risk than a data breach - but it's trickier to respond to, says attorney Ronald Raether. What tips does he offer to organizations targeted by DDoS attacks?

For many organizations, breach response is cut and dried. Either they have their own internal breach response standards, or their regulators or regional governments impose specific requirements.

But what about a security incident such as a DDoS attack, where no actual data breach occurs?

"It's much trickier," says Raether, an attorney specializing in technology-related issues, including breach response. "In a data breach, the law defines what a company has to communicate to the public," he says. "With a security incident, the companies are really balancing the need to provide guidance and support to their customers and clients, versus providing the bad guys information they can [use to] do more harm than what the initial attack [might] pose to the company."

The recent DDoS attacks against U.S. banks are prime examples, Raether says. The attacks themselves do nothing but jam traffic to the affected sites - no account data is actually at risk. But often such incidents are used to create a distraction, allowing fraudsters to launch a stealthy second attack aimed at stealing that account data. "The companies are really in a bind in terms of, if they provide too much information about the incident, then they only help the hackers by educating them as to how well their attack is [succeeding] and whether it's time to try that backdoor approach."

As for how well the affected banks responded to these attacks, Raether gives them mixed reviews. He credits those institutions that at least acknowledged the attacks and resulting site outages. But some banks did not do enough, he says, to let customers know their accounts are secure or to inform them about alternate means to access those accounts.

Raether also believes no institution should act surprised by these DDoS attacks.

"Since at least early April of this year, the number of denial of service attacks against financial institutions has been increasing 300 percent," he says. "So, I think they should have been prepared for [the attacks]."

In an interview about incident response, Raether discusses:

  • How institutions could have responded better to DDoS attacks;
  • Essential elements of a security incident response plan;
  • Advice to other organizations that could become targets.

Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes. He has been involved in cases addressing compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has successfully defended companies in more than 25 class actions.

Follow Tom Field on Twitter: @SecurityEditor
