One thing I've noticed over the past year is that the majority of information on the web relating to digital forensics is geared toward two audiences. The first is law enforcement and the second is consulting firms. This makes complete sense. Law enforcement probably does more evidence collection and review than anyone else, and most companies don't need (or want) a full-time forensics team. So it is completely understandable that the bulk of materials cater to these groups.
What concerns me is how underserved those in corporate incident response are by the larger forensics community. Even if incident response at the corporate level is a small market, it is a market nonetheless. Many times companies want to add these capabilities to their in-house arsenal but have no idea where to start. If you are in that camp, keep reading. This article is just for you.
Companies which are considering adding digital forensic investigation capabilities in-house need to ask themselves several questions upfront.
1. Why do we need this capability?
2. Who's going to provide the services and where will they report?
3. Is the cost to purchase and maintain a lab and provide continuing education worth the expense?
Questions 1 and 2 are typically easy to answer. Number three is more difficult. A typical one-week engagement from one of the well-known consulting groups like IBM, Deloitte and others can easily surpass $10,000. Can you provide this in-house for less? If you plan to do investigations once or twice a year, probably not. If you plan to do them once or twice a month, then likely so. Many times, though, we forget to look at all of the costs associated with standing up a unique environment like a forensic lab. It shouldn't be connected to your production network, which creates management concerns around patching, updating and the like. The hardware will most likely be vastly different from what you purchase for other needs. If you choose to use commercial software packages they must be continually updated, so software maintenance is a must.
Once an organization decides to offer these services, some immediate steps need to be taken to ensure uniformity in your investigations. An incident response plan must be developed which lays out who can request or initiate an investigation, what the grounds for cause are, who can perform the investigation, who sees the results and what actions should or must be taken based on the outcome. One thing organizations must protect against is the witch hunt mentality: you've got a suspicion someone is up to no good but nothing more than that. Just a hunch. I advise my clients never to start an investigation this way. Make sure there is always a documented reason to investigate. The last thing you want is for your employees to feel there is a culture of mistrust and accusations within the organization. At best your morale will sink to new lows. At worst you could be sued by employees for harassment, privacy violations or other claims.
The next thing to control is who can call for an investigation. I usually like to see a second-level manager in the approval chain. Let's say Bob is an employee whose manager suspects he's creating fraudulent transactions. If Bob works for Sally and Sally works for Meg, then Sally would make the request for investigation and Meg has to approve it. This again helps reduce the chance of a witch hunt and ensures a level of accountability in the process.
You'll also want to make sure investigations are only performed by those who've had specialized training in acquiring and handling evidence, digital forensic processes and reporting of results. I wish I could say you'll never have to worry about your internal investigations ending up in civil or criminal court, but I can't. You should always approach new cases as having the potential to take on aspects of civil or criminal law, which means chain of custody and documented procedures from the very first step. This will save you a lot of headache later.
In terms of who should have access to the final reports, that will vary by organization. Needless to say, it should be restricted on a need-to-know basis. Also remember that many times an initial investigation will lead to one or more follow-on investigations, and the fewer people who are privy to this fact the better.
So as you begin to build a forensic unit within your organization, here are some things you'll want to consider.
Develop an Incident Response Plan prior to doing any investigations
Create a dual or dotted line reporting structure to maintain independence
Build a self-sustaining lab and staff it appropriately
Create a set of criteria for requesting and initiating investigations to ensure objectivity
Build a communication framework for investigators to ensure they have the support of executives, HR and Legal
Develop a plan for when and how to call for outside help, including law enforcement or more experienced investigators
By following these steps you'll be well on your way to providing these services in-house. I can't promise everything will be picture perfect. In fact I can almost guarantee at one or more points along this path you'll wonder if this was the right decision. Adding forensic capabilities to your internal service offering will change the culture at your organization. Make sure your leadership, all the way to the top, is on board and understands this decision.
The Washington Post published a story last week about the rising threat of fraud against small businesses in the US. Brian Krebs does a good job of finding examples of small businesses, as well as government agencies like a school district, which have been hit with financial fraud.
The FBI has begun to investigate cyber crime rings in Eastern Europe which are targeting US businesses. One of the concerns is the lack of data to show how big the problem is. Many companies fear the bad publicity of announcing they are the victim of cyber crime. This creates a big dilemma. First, if the incident is not reported as a crime the company has few legal options in trying to recover any losses. Second, investigative resources are allocated based on statistics. If nobody reports cyber crime, law enforcement agencies will never staff those investigative divisions appropriately and the waves will continue to roll.
Mr. Krebs' article included a quote from the controller of a small electronics calibration company in Louisiana. The company lost close to $98,000 in two attacks days apart. Their real loss, however, was the investigation and recovery, which is estimated at three times the hard financial loss: roughly $300,000 on top of the money taken, or close to $400,000 all told. This would effectively cripple most small businesses from a cash flow and operations perspective, and many might never recover.
If you own a small or medium business and think information security is an expenditure you can't afford, I beg you to reconsider. Not because I want your business, but because I BELIEVE in small business. It's the foundation of our economy. A risk assessment, vulnerability scan and some help with remediation efforts will most likely cost you between $20,000 and $50,000 when using a reputable and experienced consultant. That's no small chunk of change. But when compared with the staggering losses, both soft and hard, being felt by others, it's really a drop in the bucket.
I can't guarantee you won't be a victim just because you spend some money on security. I can, however, assure you that you will have reduced your risk of being a victim. That's what smart business people do on a daily basis: manage risk.
I don't like VPNs. I take that back. I like them a lot, I just don't trust them. Ever had a friend like that? They're fun to be around, are really helpful, always there when you need them, etc. For the most part you're great friends, but…they can't keep their mouth shut. You always have to watch what you say around them because you know it will be repeated. Probably multiple times to multiple parties. That's the view I have of VPNs.
I've been using some sort of VPN for probably a little more than a decade now, not just for remote access but for truly secured communication channels. The goal of a VPN was to make location irrelevant in the computing equation. We've done that. You can log in to an application or system remotely from just about any device with a processor and operating system, including mobile phones and PDAs.
We've gotten more secure in how we transport the data but for the most part continue to ignore the endpoint. This is my concern.
I've worked with several organizations which have implemented VPNs in either IPSec or SSL form. They go to great lengths to secure the communication channel but completely ignore the endpoint on the remote end. They rely on things like internet history scrubbers to "erase" the sensitive data from the remote machine. Who are they kidding?
There are all sorts of rudimentary ways to defeat this. The easiest is to mirror a read-only copy of the OS and its data to a removable drive; whatever the scrubber later deletes from the live system still exists on the copy. Presto, scrubber defeated. Another is an application that hooks the video driver and captures a screenshot every 10, 15 or 20 seconds, then stores it to a file. Combine this with a keystroke logger and you have a pretty easy yet effective way to defeat a history scrubber.
The point is, when you lose control of any part of your communication system, you lose control of your data. I routinely recommend organizations restrict access to their VPN to devices which they control. This ensures there are other protections, such as malware detection, host firewalls and full-disk encryption, in place which help limit exposure on these devices.
The biggest complaint I hear when I recommend this solution is the cost of providing laptops or mobile devices to employees who will work remotely. I think this argument is very short-sighted, and usually the entire risk environment is not being evaluated. My suggestion in these cases is to put a figure on the risk of data leakage, or of security and privacy attacks, through VPN usage and then recalculate the ROI. Typically this changes the discussion. Sometimes even re-evaluating who actually needs remote access can reduce the risk and the costs simultaneously.
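As an added example that is not from the original post: one way to enforce the "managed devices only" rule on an SSL VPN, written here for OpenVPN. The post names no product, so OpenVPN itself, the file names, and the password-check script path are assumptions. The first file accepts any device that can present a valid username and password, which is exactly what a keystroke logger on an uncontrolled machine captures. The second additionally demands a client certificate issued by the organization's own CA, which is only ever installed on company-managed machines, and checks a revocation list so a lost or stolen laptop can be cut off. The two files are shown one after the other; use one or the other, not both.

```conf
# server-weak.conf (assumed name): password-only access
# Any device that has, or has stolen, a user's password can connect.
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
verify-client-cert none            # no device credential required at all
auth-user-pass-verify /etc/openvpn/check-password.sh via-env   # hypothetical script path
script-security 2                  # needed for OpenVPN to run the script above

# server.conf (assumed name): managed devices only
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/ta.key      # drop packets lacking the pre-shared TLS key; blunts scanning and DoS
verify-client-cert require         # every client must present a certificate signed by our CA
remote-cert-tls client             # ...and it must carry the client EKU, so a server cert cannot be reused
crl-verify /etc/openvpn/crl.pem    # revoke the cert of any lost, stolen or decommissioned laptop
auth-user-pass-verify /etc/openvpn/check-password.sh via-env   # user credentials still required on top
script-security 2
```

The device certificate only does its job if its private key cannot walk away from the managed machine: generate it on the device and keep it in the operating system's protected key store or on a smart card rather than in an exportable file, and revoke it the moment the laptop leaves your control.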
If nothing else, organizations must understand that once data leaves a system which is completely within their control, they lose control of that data. If this risk has been evaluated and either accepted or mitigated then by all means forge ahead. My concern is with the organizations which haven't considered this risk and therefore have a false sense of security. Anytime risk is unknown, hidden or ignored, catastrophe will be lurking in the shadows.