Thursday, February 24, 2011

Is the NTSB a model for incident response?

by Sean McLinden

Recently, the events surrounding the defacement of the HBGary Web site and publication of sensitive data were being bantered about on a number of forensic, security and incident response sites. As is typical for these kind of high profile events, some of those voicing opinions were not in the know while those who actually knew something were being silent.

In my experience this is commonly the case. High profile events can damage the reputation of individuals and companies and in many cases the truth, coming from those in the know, is more damaging than speculation from those in the bleachers. Counsel for the proximate "victims" often advise their clients to say nothing, reasoning that any official comment could be construed as an admission, whereas the speculation of others can be labeled as just that.

The following, alleged, accounting of the HBGary incident, while tinged with mildly satirical comments is, nonetheless, one of the most thought-provoking, if not accurate, descriptions of the surrounding events. It can be found here:

and it got me thinking.

Many years ago, I had a horrific experience at Chicago O'Hare International Airport when, while looking out the window of the concourse, I witnessed American Airlines DC-10 Flight 191 take off, roll to the left, and plunge to the ground along with 258 passengers and 13 crew. There is something unnerving about air crashes though they kill far far less than automobile accidents and, I suspect, part of the reason why is that they often lack a reasonable explanation when they happen.

But one difference between airplane accidents and digital incident investigations is that the former is a public process and a process by which we learn what failed, and why. And American Airlines Flight 191, like the account described in the link above, is a perfect example of what is to be learned through a public process...


No comments: