Hacked? Who You Gonna Call?

Posted: April 23rd, 2013
Filed under: Web and Application Security

If there’s somethin’ strange in your neighborhood, Who ya gonna call? If it’s somethin’ weird and it don’t look good, Who ya gonna call? Ghostbusters?

You could ask the same question when it comes to the web today: Who are you going to call when you get hacked? The local police? Well that’s not as easy as placing a call for a crime in the physical world. A recent piece by Eileen Sullivan of the Associated Press details how local police struggle with responding to cybercrimes.

There are numerous reasons local authorities cannot deal with hackers: For one, police have to act within their jurisdictions. Even if police had the technical capabilities to track down and stop a perpetrator, if they were acting from from thousands of miles away there would be little they could do because of jurisdiction.

To create a visual, imagine if an emergency scenario arises, such as one where an online retailer’s site comes under attack during the peak of holiday season, when it does nearly 80% of its business.  The options for resolving this issue – this crime – through the authorities is limited and abstract, while in the real world, the police response at the scene of a crime at a retailer would be very present and very real.

Eileen Sullivan points out one of the more complex challenges to cyber-policing:

When someone’s home is burglarized, the homeowner doesn’t usually repair the broken window, clean up the crime scene and then call the police. But in cases such as network intrusions, the victim’s first goal typically is intended to get the network restored and working again. In doing this, initial crime scene evidence may be sacrificed, complicating an investigation down the road.

Even if there is evidence in logs files to tie an attacker to the crime after the fact, who is there to analyze it and go after the bad guys? As mentioned by Mike Sena, president of the National Fusion Center Association, the FBI takes on a certain number of cyber-crime cases, but they are typically resulting in major losses (millions of dollars in theft) or state-sponsored attacks. So smaller businesses who lose less, but with a significant impact to their business, are out of luck and could potentially suffer irreparable damage – unless they have hacking insurance, which likely isn’t the case. What’s worse is that there are many hacks whose damage is hard to quantify, for example: sales lost to downtime, impact of company image, or data lost or altered.

Victims of cyber crimes can file a claim with the Internet Crime Complaint Center (IC3), a partnership program with the FBI. However, they don’t really have any teeth (they “refer” crimes to the appropriate law enforcement and regulatory agencies) and the process isn’t for an immediate response.

So what options might one be left with when hacked? As far as public law enforcement agency response goes, there is little.  For some organizations, contacting a qualified information systems security professional or incident response team may be an appropriate way to quickly respond, however there may be expensive costs associated with this.

The lack of a law enforcement agency for cybercrime response is a problem that will leave many faced with the responsibility to fend for themselves. There are some basic immediate steps that can be taken to respond to an incident, and while it is good to know and be familiar with these steps, one would never be expected – or need – to be familiar with police response protocol to a real-world crime.

For those who are capable, hacking back may be a strategy of interest, but as we will discuss in a forthcoming article, that tactic is filled with complexities of its own.

No Comments »

Leave a Reply