Tuesday, February 23, 2016

Effectively implementing the NYTT in IR

In an earlier post I mentioned the New York Times Test (NYTT). Put broadly, this means that when making decisions, during an incident response, you should always consider how the particular action would look if the entire thing came to light and were reported on by the New York Times.  Organizations that consider how their actions would look often make better decisions about incident response (IR).  Too often, during an IR we are tempted to make decisions that assume that "nobody will know" if we cut a corner somewhere.  Even that feeling in our gut tells us that's probably a bad idea. Yet many still  go ahead with cutting corners, burying evidence that makes us look bad, and other DFIR high crimes and misdemeanors.

Step 1: Assume it will be public
So the first step of effectively implementing the NYTT is to assume that everything you do is going to end up in the press.  Your decisions about what you protect and what you don't will be there.  Your decisions about implementing some controls over others will also be there.  And to be fair, if you are in the middle of an IR, you probably didn't make the best decisions about implementing effective controls.  Or you did make the right decisions, but your limited resources didn't allow you to implement. Or... Well, something happened.  You're here now, and it could easily be made public.

Step 2: Don't give your audience too much credit
At Rendition Infosec, I work with a number of different clients who actually try to apply the NYTT.  But they give the audience too much credit.  They say something like:
Sure, one the surface that sounds bad. But when you consider ... our decisions make perfect sense.
First, you have to understand that most news articles have a max word count.  Second, they are written to the lowest common denominator.  If your ... the audience should consider requires specialized knowledge or even a college degree, it's not going to make the article. Sure, you can publish your own information via press releases or a blog, but again if it's complicated few will read it and even fewer will understand it.

When applying the NYTT, you have to figure that your audience will not fundamentally understand all the mitigating factors the way you do.  After all, you're a security professional - most are not.  I find that trying to explain it to my mom helps.  For obvious NDA reasons, mom doesn't actually get to hear about my work, but I visualize how I would explain it.  This removes infosec lingo and acronym paralysis.

Step 3: Involve PR early, involve PR often
In infosec, we generally don't interface well with PR.  I find that this is usually because infosec professionals think that PR tries to oversimplify issues.  But in these cases, PR is usually right.  Also, understand that PR is likely to be the voice of the organization during an incident.  They will influence how your story will be told.  Talk to PR and get their take on some sample situations.  How would they present these to the press? This understanding is invaluable in your decision making process.  Bottom line, PR is critical to getting your message out there, and I'll cover more about working with PR in a future post.  But for the scope of this article, I suggest you talk to PR to use their expertise on how your situations will most likely be framed in the press.  Verdicts in the court of public opinion matter - a lot.

There are certainly more things that you can and should consider when dealing with the NYTT.  But these three simple steps will address the vast majority of your issues.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.