Do you remember the “Pass The Bomb” game? All kids played this game at least once. The principle is simple and funny. There is bomb which is programmed to explode after a random time. Players must pass the bomb from hand to hand and say a new word which must contain letters from a chosen card. The player who has the bomb when it explodes loses. [Note to the NSA: The term “bomb” refers to a game – I’m not a terrorist!]
Today, I had the feeling to see a new kind of “Pass The Bomb” game at acme.org [The names have been changed to protect the innocents]. A mail reporting a security issue arrived in a generic mailbox (something like abuse) with a Cc: to a physical non-tech person. I’m pretty sure that the mail was too technical to be handled by the abuse team. The non-tech person read the message and forwarded it to a first person with more focus on security. Then the mail was forwarded to another person in the team where resides the security issue. Then this person forwarded the message to someone else in the same department. At all steps, the list of Cc: increased. Then, no news… I hope that the bomb did not explode in the mean time!
This story is a good example of a “Pass The Bomb” game in information security. Email is not a proper way to handle such issues. I don’t say that the communication channel is bad (depending on the type of incident) but all communications and actions should be logged into a stronger system (like a ticketing system, a Wiki, a notepad, …) with proper follow-up. Most people have a “FF” reflex (“Forward and Forget“, not “Follow Friday” for the Twitter addicts). I don’t blame them, that’s the human behavior. They have their regular business to be done. But, some people in the chain maybe already started their summer break. What if the mail was forwarded to an out-of-business contact? At the moment, I’m pretty sure that nobody took the lead on this security incident… Tip: have a proper incident handling procedure in place.