The Anti-Phishing Working Group (APWG) is at the top of its game where ecrime is concerned. APWG is a consortium that tracks Internet fraud and scams. This organization recently submitted a plan to automate the submission of phishing and other ecrime-related incident reports. This plan is pending review by the Internet Engineering Task Force (IETF).
As reported in PC World by Jeremy Kirk, “The challenge facing law enforcement and security organizations is a lack of a coherent reporting system, said Peter Cassidy, secretary general of the APWG. Until now, there was no standard way to file an e-crime report. That makes it hard to coordinate the vast amount of data that is collected on cybercrime, Cassidy said.”
Once the IETF approves this electronic reporting system, a complete rollout may still take a while. In the meantime, the APWG has published an industry advisory that provides guidelines for developing a company ecrime incident-reporting process, which can be implemented immediately.
Having well-documented incident-reporting procedures ensures everyone in the company understands the various roles played in the reporting process. This minimizes confusion, delays, and errors in responding to a security breach caused by a phishing or other ecrime incident. Management will worry less about public embarrassment or damage to the company brand. More importantly, having an ecrime incident-reporting process expedites containment, recovery, and resolution.
- Anti-phishing networks
- Anti-virus and anti-malware organizations (in cases where you discover malicious executables or scripts)
- CERT organizations
- Common Vulnerabilities and Exposures (CVE) disclosure list administrators (in cases where you discover a vulnerability or “bug” in commercial software)
- Law enforcement, e.g., through the Internet Crime Complaint Center
- Regulatory compliance agencies
- Software developers (in cases where you discover bugs in custom application software or webware developed exclusively for your organization)
- Any individual or organization directly affected by the phishing attack, even if they do not fit into one of the other categories listed above
- The general public