... If Bruce Springsteen did computer security, he would definitely excel at performing Incident Response.
...Choicepoint, Lexis-Nexis, Bank of America, and then several thousand unnamed victims. I am curious, how many companies in the Fortune 500 are currently hosting a digital cocktail party for foreign intruders? Who are these foreign intruders?
...They say:
- Every major financial institution has been exploited by attackers.
- All outsourced software is being made with backdoors.
- Every developed nation is creating cyber-warfare capabilities.
- Firewalls, IDS, and anti-virus are not as effective as consumers thought.
- There are hundreds of non-publicly available exploits in use right now.
How do we confirm any of these if our incident response skills are not as advanced as the adversary?
...Trust me, the problem is worse than reporters and computer security guys think. We are seeing firms with hundreds, if not thousands, of compromised systems.
...Attribution for online incidents is getting more difficult. We are having more difficulty determining who is perpetrating intrusions into US firms, primarily because of self-propagating intrusions. We need international cooperation to solve international problems. Russia, Romania, China...
...recently, I saw a situation where a company had outsourced their customer service application to a web-hosting facility and it was compromised by the W32.Spybot.Worm. Disaster ensued. I am witnessing very costly responses, with the loss of client data being of critical concern.
...I have responded to over 50 computer intrusions in the last 4 years. Anti-virus detected one of these events. I think the technology that tries to protect us from an infinite amount of signatures may have to change its marketing to "We do the best we can, and protect you from being low-hanging fruit."
...after review of the system time/date stamps, we noticed anomalous activity potentially accessing 50 credit card files. The indicators of compromise were all originating from foreign domains. Are we storing anything encrypted nowadays? And if so, in how many locations is the encrypted data stored on the same media in an unencrypted manner?
...I think it’s time for companies to continue their proactive stance on security, but couple it with a reactive approach and even be proactively reactive (in some strange way, that makes sense to me).
...I’ve witnessed a number of panicked customers when they find out they’ve been compromised. Plan first, to include planning your reaction to incidents.
...wouldn’t it be cool to develop an automated technique for companies to capture necessary data immediately following an incident before the audit trail is unintentionally/intentionally corrupted by poor incident response techniques?
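One shape such an automated capture could take, as an added example that is not part of the original post: record the time/date stamps and content hashes of every file under a path the moment an incident is declared, then hash-chain the records so that any later change to the evidence (by the intruder or by a clumsy responder) is detectable. Directory contents, file names and the "altered timestamp" scenario are constructed here for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # chain starts from a fixed, well-known value

def snapshot_tree(root):
    """Record path, size, mtime/atime/ctime (ns) and SHA-256 of every file under root."""
    records = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()  # stat before reading so the read itself does not disturb atime in the record
        records.append({
            "path": str(p.relative_to(root)),
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns,
            "ctime_ns": st.st_ctime_ns,
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
        })
    return records

def _link(prev, record):
    # Canonical JSON of the record (minus its own chain value) hashed together with the previous link.
    body = json.dumps({k: v for k, v in record.items() if k != "chain"}, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def seal(records):
    """Chain every record to its predecessor; return the final link to store off-host."""
    prev = GENESIS
    for r in records:
        prev = r["chain"] = _link(prev, r)
    return prev

def verify(records, final_link):
    """True only if no record was edited, reordered or removed since seal() ran."""
    prev = GENESIS
    for r in records:
        prev = _link(prev, r)
        if r["chain"] != prev:
            return False
    return prev == final_link

def demo():
    # Constructed sample: a throwaway directory standing in for a compromised host's data store.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "cards.dat").write_text("constructed sample record\n")
        Path(d, "app.log").write_text("constructed sample log line\n")
        recs = snapshot_tree(d)
        final = seal(recs)
        ok_before = verify(recs, final)
        recs[0]["mtime_ns"] += 1  # simulate a timestamp altered after capture
        return ok_before, verify(recs, final), len(recs)
```

The final link is the only value that must leave the host at capture time; with it, the whole manifest can be checked later by anyone, including an auditor who distrusts the responders.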