Part III: Incident Victims

The victim of the attack is not just the system or individual being stalked; there are some additional or peripheral victims who also are affected by incidents of cybercrime . In incident response, it is important not only to discover the threat and the technical means of penetration, but to understand what the reactions will be to this incident ‚ from other employees , the executives, the stockholders , the competitors , the public, advertisers, new recruits, current clients , and potential customers. Like the fallout of a conventional crime that affects more than just the victim, an information security breach does not end when all the systems are rebooted, scanned, fixed, and secured. Understanding and assessing all of the victims of an attack is critical to all stages of the investigation and incident response process (see Chapter 3 for details regarding the six-stage methodology).

Anyone who has ever been a victim of a violent crime knows that the victim who was attacked or assaulted is not the only victim.A woman who is raped in her neighborhood while jogging is clearly the victim. However, others are also affected by this horrendous crime, including the victim's family, her friends , and her neighbors who always thought the neighborhood was safe. As this case breaks on the news, more people will be affected: the community and perhaps even her colleagues at work. This incident might even impact sex-crime investigators , sexual assault laws, and women's rights groups. The impact of a cybercrime incident could have the same domino effect.

Typically, when an incident occurs, the fundamental and sometimes only focus is on the box, system, network, or server compromised. There are far more issues and implications, however, than the damaged or compromised system. Putting the technical issues aside, here is a list of potential human victims:

1. The individual(s) targeted or the actual victim(s)

2. The family, friends, and guardians of the target

3. Members of the organization

4. The "C-levels" (that is, the CEO, CIO, CFO)

5. The corporate board

6. The stockholders

7. The employees

8. The customers

9. The public

10. Members of the industry as a whole

Take, for example, any of the publicized distributed denial-of-service attacks in the news lately. The flood of packets that took down the servers did not make the servers themselves the only victims. The organizations had to deal with the media and the public nature of the attacks; the C-levels had to adjust their schedules, business plans, and goals to focus on recovery; the stocks were affected; the customers were affected; and ultimately the public's perception of online business was affected. The success or failure to bring the perpetrators to justice will likewise have an impact on the victims. Questions and concerns will arise:What if the perpetrators did more damage than we thought? What if the attackers disclose information to the public that we do not want out there? The ability of an incident response team to understand the big picture ‚ including the political, public, financial, business, and future ramifications of an incident ‚ distinguishes the inexperienced incident response team from the premiere incident response team.

In addition to DDOS attacks, viruses, and server compromises, many cases of cybercrime target an individual or a group of people within an organization. Even though the weapon is technical, the real affect of the crime resembles a conventional crime. Whether the technical attack is classified as cyberstalking , cyberharassment, or a threat, the victim is clearly a human being. Incident response teams must have a qualified individual as part of the team to understand the variables that enter the picture when a person is the target of computer crime. Having an incident response team member who is just good with people is not enough. Cases of cyberstalking do go to court. The team member who deals with the human side of incident response should have the credentials to stand up in court as an expert witness , have the capability to provide depositions, and be well versed in victim counseling . In some instances, an incident response team might have to deal with the manager, spouse, family, or parents of a victim and interview and counsel them, too. The one thing an incident response team cannot do is make victims feel worse or neglected or fail to provide them with the best possible consultation, particularly when it would affect their psychological and mental well-being or their physical safety. In the cases in which children have been the victims of terrible cyberharassment cases or cyberpornography cases, law enforcement should be called in immediately.

Here are some of the decisions or options for a victim of cybercrime:

1. Contracting or enlisting the assistance of a physical security detail.

2. Asking for additional police checks on residences and places of employment. Usually, local law enforcement is able to work in some extra security checks during regular neighborhood patrols.

3. Attaining the services of an employee-assistance program, which typically has counselors on staff for both psychological counseling and financial counseling.

4. Seeking therapy or psychiatric counseling in a private setting.

These options can be implemented on a short-term or long- term basis, as dictated by both the victim and the progression of the case. The following paragraphs discuss an example of how a victim was mishandled in a cyberstalking case.

An incident response team was called in to investigate a case of cyberstalking. A female employee had been receiving increasingly frightening emails for almost three months. She finally told her boss, and the incident response team was called into investigate. The inexperienced incident response team went to work contacting the sender's ISP, tracking the email account, looking at firewall logs, and employing all the other appropriate technical investigation tactics. The team scoured the Internet, looking for other places this stalker might have used his address or a similar name in a screen name . The team was bound and determined to identify her stalker. However, no one ever made appropriate contact with the human resources department, no one made appropriate contact with the legal department (remember, stalking is a crime), no one asked whether the victim felt threatened, and no one was able to make that assessment because all the focus was on the technical trail. As a result, no one called the physical security department or employee assistance to help the victim.

The incident response team was eventually able to identify the cyberstalker, and it was another employee of the company. The investigation took almost three weeks, and in the meantime, she was left to her own devices. She had trouble sleeping, trouble concentrating , could barely do her work, and did not feel safe anywhere . The company and the incident response team failed to provide her with appropriate support during this incident. Even after the cyberstalker was identified and terminated , the victim's fears and stress continued . The incident response team was long gone by this point and did not even realize that just because the perpetrator was caught, it did not mean the entirety of the case was over. This unfortunate result could have been avoided.

It is important to understand the dynamics of what a victim might experience in order to provide better assistance and consultation during all stages of incident response. Most people can probably imagine what it must be like to be stalked in the conventional sense, an individual physically being stalked by another individual. Imagine the stalker lurking outside your home or your office, following you to the store, and perhaps leaving notes on your car and letters in your mailbox. The dynamics of the cyberstalker are similar but in many ways are also very different. The victim's emotional and psychological reaction to cyberstalking differs , generally speaking, from a victim's reaction to conventional stalking. Victims of cyberstalking tend to experience higher levels of paranoia , the perception that there is no safe haven, a higher level of suspicion (the perpetrator is perceived to be anywhere, everywhere, anyone, and everyone), and a fear of other intrusions.

All of these victim reactions make sense. Most of the time, in a conventional stalking case, the victim knows who his or her stalker is or at least knows what the stalker looks like because stalkers typically show themselves or are seen lurking around. The victim of cyberstalking typically does not know who the stalker is or what he or she looks like. The cyberstalker is cloaked behind the anonymity of the Internet and might only stalk or communicate via email. Thus, the reactions of paranoia and seeing everyone as a suspect make sense. If the victim cannot see the stalker, everyone is suspect.

Because the threats are coming in via email, sometimes the victims perceive that they have no safe haven.Victims of conventional stalking, although in a state of constant fear, do report that they have places where they feel safer. These safe havens might be a friend's home, the office, or traveling on business or for pleasure ‚ somewhere where the stalker does not surface or does not appear to surface. The cyberstalking victim feels that, because the Internet is everywhere and you can carry a laptop home, on business trips, to the office, and really wherever you go, there is no real safe place away. If the victim is to continue to function in an electronic world, conduct business, and communicate with friends and family, most believe they cannot sacrifice or give up email. Even victims who have changed addresses are still found by their stalkers.

Due to the perception of no safe haven, many victims of cyberstalking experience increased anxiety and a type of depression. They have reported sleep problems, eating difficulties, and other physical manifestations of stress. The victims of conventional stalking are fearful of being physically harmed or killed by their stalker, and this, of course, is enormously straining. The victims of cyberstalking likewise fear physical harm, but they also assume that their cybersavvy stalker will also infiltrate other areas of their life, like cracking into their bank accounts or somehow cracking into their computers and having access to all their emails and personal documents.

Victims of cyberstalking tend to report the cases later than victims of conventional stalking. This lapse in time is understandable but also can present problems for an incident response team. People are consistently more likely to report a strange person skulking around and looking out of place than to report the receipt of one odd email. People get strange and odd email all the time; between advertisements, solicitations, and just plain nuisance mail, a lot of junk gets delivered. Sometimes an email arrives that is clearly not intended for the recipient. No big deal. However, after a few more seemingly wrong emails arrive , the victims still do not typically report the harassment . Not until the stalker either accelerates or escalates to a level that would make the hair on anyone's neck stand up do the cyber victims generally report this type of crime. In many cases, the victim has actually corresponded with the stalker, not realizing what would eventually come to be.