Forensic help: how to deal with IT security incidents
There are many different forms of IT security incident that affect businesses. Some are caused by deliberate wrongdoing. A few examples include organisations being defrauded by third parties; employees running businesses on eBay and, by doing so, effectively ‘stealing time’ from their employers; the deliberate leaking of financials prior to their official release to the City; or members of staff visiting pornographic, gambling or even terrorism-related websites.
More often, however, they are simply the result of negligence.
Traps for the unwary
Yet while at least some of these incidents are common occurrences, many companies are unsure what to do when they happen. In-house IT departments often “leap in”, in a misguided, albeit well-intentioned, attempt to solve the problem themselves rather than calling in a qualified forensic investigator to work with them.
Relying on internal IT staff who lack the necessary qualifications or experience to deal with such a problem is at best short-sighted and at worst extremely damaging to the company concerned. Typically, such staff will immediately switch on the suspect machine, open the files concerned, print off the relevant data and possibly save it to a CD. This approach is far from ideal: the data may have been captured, but vital evidence is likely to have been lost, or corrupted so that it cannot be used in the investigation.
It is a certainty that internal staff will not have maintained any evidential continuity or evidential integrity, nor documented the techniques and the collection process used. It is also unlikely that they will have captured a forensically sound image of the data using the correct forensic tools.
Most importantly, simply by turning the computer on, they will have changed the device’s cache, temporary files and file slack space. Doing this may also have altered the computer’s metadata and damaged or even destroyed electronic evidence. Expert computer forensics teams can often salvage at least some of this evidence.
Another mistake businesses make is to put off dealing with an incident. Consequently, valuable time is lost and important material can be overwritten. The longer that evidence has been left to degrade, the greater the chance that it will be unrecoverable and the more expensive the attempted recovery process will be.
Seek professional advice
So, if there is any suspicion that something untoward is going on, it is always advisable to seek professional advice immediately. If the skills are available in-house, then it is best to perform a forensic operation as soon as possible.
Even if organisations are reluctant to conduct the whole investigation straight away, they should at least ensure that they collect evidence from the system at the outset. This is a relatively inexpensive procedure but, critically, it ensures that a snapshot of the system is preserved for later examination if required.
Businesses often cause themselves further problems by limiting an investigation to too narrow a scope both in terms of the system and the type of evidence sought. This approach is typically driven by a desire to keep costs down, although it sometimes results from a lack of genuine understanding either of the systems or the forensics.
There is a tendency to concentrate only on the machine that is the immediate source of the problem. However, vital evidence may also be found at other points across the corporate network. Therefore, even if there is just a remote chance that evidence from a particular system will be needed, it may make sense to investigate or take a forensically sound image of that system from the outset.
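The steps the article says untrained staff usually skip (a forensically sound image taken with proper tools, hashes recorded, and the collection process documented so that evidential continuity and integrity can be shown) and the early snapshot it recommends above can be illustrated with a small acquisition script. The following is an added example and is not code from the article or from Sapphire. It assumes Linux with GNU coreutils (dd with status=none, sha256sum); the function names, the examiner and case identifiers, and the sample data it generates are all invented for the demonstration. It images a source with dd without writing to it, hashes source and image, appends timestamped entries to a tab-separated chain-of-custody log, and can later re-verify the image against the hash that was logged at acquisition time.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: a minimal acquisition
# workflow that records what the article says internal staff usually omit,
# namely a verified image and a documented chain of custody.
# Assumptions: GNU coreutils (dd with status=none, sha256sum) on Linux;
# function names, the case id and the sample data are invented for the demo.
set -eu

# Append one timestamped, tab-separated entry to the custody log.
# Columns: UTC time, case id, examiner, event.
custody_note() {
    log="$1"; case_id="$2"; examiner="$3"; event="$4"
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$case_id" "$examiner" "$event" >> "$log"
}

# acquire_image SOURCE IMAGE LOG EXAMINER CASE_ID
# Copies SOURCE (a block device, or for this demo a regular file) to IMAGE
# without writing to SOURCE, hashes both, and logs every step.
# Returns 0 only when the image hash matches the source hash.
acquire_image() {
    src="$1"; img="$2"; log="$3"; examiner="$4"; case_id="$5"

    custody_note "$log" "$case_id" "$examiner" \
        "acquisition start source=$src image=$img tool=dd"

    # Hash the source first so the state of the original is on record
    # before any copy exists.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    custody_note "$log" "$case_id" "$examiner" "source sha256=$src_hash"

    # bs=512 matches the sector size, so conv=noerror,sync (carry on past
    # unreadable sectors and zero-fill them) never pads the image beyond the
    # source length; on a real device a write blocker sits in front of $src.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    custody_note "$log" "$case_id" "$examiner" \
        "dd completed bytes=$(wc -c < "$img" | tr -d ' ')"

    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    custody_note "$log" "$case_id" "$examiner" "image sha256=$img_hash"

    if [ "$src_hash" = "$img_hash" ]; then
        custody_note "$log" "$case_id" "$examiner" "verification PASSED"
        return 0
    fi
    custody_note "$log" "$case_id" "$examiner" "verification FAILED"
    return 1
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the hash logged at acquisition time,
# which is how integrity is demonstrated when the image is examined later.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep 'image sha256=' "$log" | tail -n 1 | sed 's/.*image sha256=//')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# run_demo: constructed 64 KiB "disk" in a temp directory (not real evidence).
# Acquires it, verifies the image, then flips one byte of the image and
# confirms that verification now fails. Returns 0 when all three checks hold.
run_demo() {
    work=$(mktemp -d)
    yes 'constructed sample sector data' | head -c 65536 > "$work/disk.raw"
    acquire_image "$work/disk.raw" "$work/disk.dd" "$work/custody.tsv" \
        "examiner-A" "CASE-0001" || return 1
    verify_image "$work/disk.dd" "$work/custody.tsv" || return 1
    # Simulate tampering: overwrite byte 100 in place without truncating.
    printf 'X' | dd of="$work/disk.dd" bs=1 seek=100 conv=notrunc status=none
    if verify_image "$work/disk.dd" "$work/custody.tsv"; then return 1; fi
    rm -rf "$work"
    return 0
}
```

On a real system the source would be a block device behind a hardware write blocker, the image would go to separate media, and the custody log would travel with the image; the demo substitutes a constructed file in a temporary directory for the device. The point of the final tampering step is that a hash recorded at acquisition, with the time, examiner and tool noted beside it, is what later allows the image to be shown unchanged.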
Another problem businesses face is that they often do not have the right processes in place to ensure that electronic evidence is preserved. Legislation is becoming ever tighter in this area. In the United States, stiff penalties are often given to companies that break the law by failing to maintain evidence properly.
As outlined earlier, many of the above problems can be avoided if the business concerned takes the critical first step of engaging with a forensic provider. However, even this process is fraught with potential pitfalls. It is important to bear in mind that selecting the wrong partner can be as costly as failing to engage with a partner at all.
Choosing a partner
Many businesses rely on internet research to find a partner. However, industry associations can also be an excellent information source and are invariably able to recommend key players in the sector.
Businesses should also confer with their peers. IT managers, for example, should speak to their counterparts within other organisations to obtain feedback and recommendations.
A good computer forensic partner should have a range of case studies, and reference clients you can contact for independent verification of its claims.
At the outset, it will be difficult to find out much about individual skill-sets. Instead, companies need to research organisations that have expertise in computer forensics and, in particular, look at the levels of training that their staff have received as well as the qualifications achieved.
The chosen business should certainly have broad computer security skills. It is not sufficient that its employees are trained on, and certified in, the use of a single program. In fact, they will need expertise across a range of different platforms and technologies. For example, there is a wide variety of computer forensic tools available and using just one is not really acceptable. Whilst EnCase is a well-known forensic product, it is designed for the Windows environment. Typically, organisations should also be familiar with a broad range of other operating systems including, but not limited to, Unix, OS X and AS/400, and will need the tools that are specific to them.
The chosen forensic provider will also need to have staff who are competent in writing technical reports and who have computer programming skills and expertise in managing firewalls and databases. Crucially, they should also be familiar with current legislation in the sector, such as the Protection of Children Act and the Computer Misuse Act.
Of course, the organisation concerned should also have extensive experience of computer forensics and the latest developments affecting this fast-moving marketplace. As a result, businesses need to assess the number and type of forensic cases staff have worked on. They should also examine the links an organisation has with education as this can provide a helpful indication of its level of sector expertise.
At Sapphire, for example, we have been involved in co-authoring a post-graduate certificate in digital forensics with the University of Northumbria and are currently working on a foundation degree in digital forensics with Gateshead College.
Another indication of how serious a player an organisation is comes from whether it runs training courses or gives presentations on forensics, thereby helping to raise overall awareness levels. Businesses should also look for reference sites, and third-party endorsements of an organisation’s achievements will further enhance its credibility.
At a more practical level, companies need to assess the quality of advice and consultancy they are likely to receive from their prospective partner. Key questions to ask here include: do they follow accepted procedures? Are they familiar with the Association of Chief Police Officers (ACPO) guidelines? Can they advise on discovery and preservation strategies? Have they served as expert witnesses in court cases?
Businesses also need to be aware of the terms of engagement they are likely to have with their prospective partner. Some consultancies operate on a ‘no data, no fee’ basis and it can be tempting to choose this option automatically rather than selecting a business which charges an upfront fee. Whilst initially this may appear a very cost-effective approach, the reality is that a modular approach to pricing invariably yields little or no real cost saving across the term of an investigation.
Making the right choice
The nature of forensics is essentially that of incident response. Recovering and reacting to such incidents can be a long, drawn-out and costly process, particularly when the evidence is based on a computer system rather than on paper.
The forensic examination of the contents of a computer is a skilled job and requires special procedures, techniques and tools to ensure that any information retrieved can ultimately be presented as evidence in court. That is why, wherever possible, businesses should resist the temptation to carry out the work themselves. Instead, they need to make the right choice of partner to manage each investigation to consistent quality levels and to ensure that continuity of evidence and integrity of data are maintained throughout.
By doing this, they will give themselves the best chance of limiting the damage caused by an IT security incident and of resolving the problem quickly, efficiently and cost-effectively.
IFSEC Insider