The responsibilities of security professionals have expanded well beyond simple access control. You now face investigations that cross the border between physical security and the use of IT assets such as computers, email, and company networks. This means the scope of the security director is expanding, doubling or even tripling the work and expertise required. The good news is that you will find the approach to managing your computer risk to be similar to managing your physical risk.
This article introduces computer risk and more specifically computer incident response and forensics to an audience who is traditionally accustomed to implementing physical controls such as camera surveillance, physical access, and alarm systems throughout their facility. We'll look at the methodology used during a computer incident, as well as the steps taken during a computer forensics investigation subsequent to an incident. Finally, a real case study will be introduced to fortify the points and demonstrate incident response in practice.
Why bother? Consider that in 2003, the Carnegie Mellon Emergency Response Team (CERT) reported 137,529 computer incidents. If you find that number daunting, you're not alone: by 2004 incidents had proliferated to the point that even CERT stopped counting them. Whether in the papers, on television, or on the web, the public is exposed to an increasing number of headlines about computer incidents.
Take these headlines:
- "40 million credit cards exposed - Payment processor blamed in mishap" http://www.msnbc.msn.com/id/8260050/, by Bob Sullivan, technology correspondent, MSNBC
- "Bank security breach may be biggest yet: Account info at Bank of America, Wachovia sold by employees, more arrests expected, N.J. Police say" http://money.cnn.com/2005/05/23/news/fortune500/bank_info/
Even with a conscientious, proactive approach towards risk, attackers will successfully penetrate an environment (whether physical or logical) as long as there is a challenge and/or something they desire for their own gain. If a proverbial "Pandora's Box" exists, attackers will want to open it. The important factor is knowing how to react when the "box" has been opened.
Incident Response Methodology Overview
In our investigations, we approach a computer incident much as one would approach a physical compromise. The following 11 steps provide a logical framework that allows an organization to deal with a computer incident in a calm and collected manner, giving it the information it needs to make informed decisions.
Prepare...for an incident before the incident occurs by developing an incident response plan and testing it on a frequent basis. Basically, "an ounce of prevention is worth a pound of cure."
Detect...the occurrence of an incident within your system by identifying any anomalous behavior during a cursory review of event logs.
Respond...to the incident by performing an initial investigation that allows you to scope its magnitude. Obtain the most critical evidence and confirm whether or not an incident has occurred.
Create...a response strategy by analyzing all of the known facts, determining the best response, and then informing management of the strategy.
Duplicate...evidence, determining whether to create physical forensic images for investigative purposes or to perform online retrieval of evidence.
Investigate...the incident by taking investigative steps to determine what happened, who did it, and how it can be prevented in the future.
Implement...security measures by actively responding on the victim systems and applying measures that isolate and contain the incident.
Monitor...the network by reviewing network activities to both investigate and secure the victim network.