Return-Path: <sentto-279987-2664-1002141304-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Wed, 03 Oct 2001 13:36:08 -0700 (PDT)
Received: (qmail 17094 invoked by uid 510); 3 Oct 2001 20:35:09 -0000
Received: from n3.groups.yahoo.com (216.115.96.53) by 204.181.12.215 with SMTP; 3 Oct 2001 20:35:09 -0000
X-eGroups-Return: sentto-279987-2664-1002141304-fc=all.net@returns.onelist.com
Received: from [10.1.4.56] by n3.groups.yahoo.com with NNFMP; 03 Oct 2001 20:35:05 -0000
X-Sender: fc@big.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_4_1); 3 Oct 2001 20:35:04 -0000
Received: (qmail 76434 invoked from network); 3 Oct 2001 20:35:04 -0000
Received: from unknown (10.1.10.26) by l10.egroups.com with QMQP; 3 Oct 2001 20:35:04 -0000
Received: from unknown (HELO big.all.net) (65.0.156.78) by mta1 with SMTP; 3 Oct 2001 20:35:02 -0000
Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id NAA18989 for iwar@onelist.com; Wed, 3 Oct 2001 13:35:02 -0700
Message-Id: <200110032035.NAA18989@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Wed, 3 Oct 2001 13:35:02 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Can.Your.Organization.Survive.a.Cybercrime?]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Can Your Organization Survive a Cybercrime?
By Tom Talleur, e-Business Advisor, 10/3/2001
www.ebusiness.com

HIGHLIGHT: Any and every business is susceptible to cybercrimes and security breaches.
Take a proactive stance: Follow these eight steps to plan your line of defense in advance -- and hire the right experts to help.

BODY: The reduction of Y2K banter over the last year has made room for another pressing topic: cybersecurity. But what should you focus on: threats vs. security, or threats vs. actual losses? Security is about performance measurement and risk management through a preventive lens.

Increasingly, many organizations rely on "new and improved" technical tools for their security management strategy. Many, however, disregard the fact that humans can and do circumvent security procedures, and that "inside offenders" are the main source of risk, according to a 2001 global e-fraud survey conducted by KPMG International. And when things go wrong, as they inevitably do, an enterprise can sustain actual losses that seriously impact the bottom line.

An actual loss in cyberspace usually takes one of two general forms: 1) the loss of something valuable, such as the theft of intellectual property; or 2) the inability to execute a corporate mission. Either type of loss can devastate a business.

Civil litigation is a major threat of loss

A consequence of misbehavior and fraud by cyber means is civil litigation, and the recovery of digital evidence from standalone and networked devices is playing an increasing role in complex investigations and litigation. Cyberspace incidents can involve the loss of banking and related financial data; information about a business' competitive position; command-and-control and other system data for satellite systems and aircraft; vital intellectual property, such as trademarks, patents, trade secrets, proprietary data, and other intangible assets; litigation-sensitive documents; and personal identification (customer privacy) data leading to identity theft and privacy suits.
Examples abound:

* An employee sues an employer alleging the existence of a hostile work environment for allowing a fellow employee to download sexually explicit graphic files from the Internet.
* The manufacturer of an over-the-counter medication is sued for allegedly contributing to the wrongful death of a customer and finds out in the legal process that vast numbers of internal e-mails contain information supporting the claims of the opposition.
* An outsourced service provider creates a Web site for a firm and embeds trademarked names belonging to a lawful owner in the file metatags used by the major search engines, which results in a violation of the Federal Trademark Dilution Act.
* A firm is victimized by a devastating cyberattack only to learn later that its point of presence on the Internet was then used by hackers (or inside offenders) to cause damage to a third-party site on the Internet. (This is referred to as "downstream civil liability" exposure.)

REALITY CHECK: Each incident cited above could trigger litigation that subjects the unprepared recipient to legal and organizational chaos. Yet few companies today are prepared to comply with subpoenas issued for electronic records and other facets of the legal process. This type of litigation drives the need for personal and business records, including e-mail, found on computer systems that contain data relating to the valuation of business net worth, real estate, lost revenues, and other information used to calculate potential damages.

KEY QUESTION: How does all of this impact you and your organization, and why should you care? Your business, like most businesses today, is increasingly dependent upon information technology systems to store and retrieve critical information.
This information is part of your system of records created during the routine course of business, and as such, you can use it as evidence to prove the validity of your corporate actions or to affix individual responsibility for misbehavior. Conversely, an opposing party can also use these records as evidence against you. Office e-mail evidence alone can be devastating: Office workers generate billions of e-mails stored on large-volume servers, all of which is discoverable through legal means.

Eight steps to a comprehensive incident response plan

Your best option is to think about security in broader terms that embrace potential losses through litigation, and to plan accordingly. Did I say planning . . . something many of us fail to do well, or at all, in our business and personal lives? I wish I had a dollar for every matter I've been involved with over the years where a failure in planning was a major factor leading to actual losses stemming from some type of misbehavior.

HOW TO DO IT: Organizations that plan for losses create forensic incident response plans using integrated, holistic strategies, established in the form of policies, procedures, and practices, and implemented through defined action plans. These plans often embrace technical, legal, core business mission, and other elements, and they're implemented in a way that considers the interests of employees, customers, suppliers, third-party relationships, and other key stakeholders. Organizations have to understand that they will have an incident. How they respond is often more important than the incident itself.

TOP TIP: Your incident response process should address digital evidence preservation and collection issues. Designate one official to be in charge once an incident occurs. Also, appoint one official (and only one) to be responsible for coordinating with the media.

Key planning factors

1. Identify sources of digital evidence before an incident occurs.
Potential sources include network servers, workstations and laptops, backup media, Internet storage sites, wireless devices and personal digital assistants, digital telephony, and other data sources such as e-mail and database records.

2. Create and follow a retention and destruction plan for electronic and paper records to provide identification and preservation of potential evidence before an incident occurs. This plan is the first document your company will turn to for guidance when a subpoena is received or when a cyberincident, or one involving cybersystems, occurs.

3. Halt regular media destruction procedures when you first learn that a legal process has begun, and seek legal advice to avoid later claims of contributing to the destruction of potential evidence.

4. Keep enough old hardware and software around from earlier information systems to recover historical data when needed.

5. Provide incident response and awareness training to employees. Specific response training for systems administrators and other technical service personnel is essential, since they're the most likely to try to handle -- and, albeit unintentionally, destroy -- digital evidence.

6. Survey paper and file holdings in advance and reduce duplicate files. This saves time and money when implementing an incident response.

7. Identify strengths, capabilities, and limitations in advance and act accordingly. Generally, for most victim organizations, this means identifying and preserving potential evidence during incident response situations, consulting counsel, and calling for professional help when necessary. Years of law enforcement experience have reinforced that people should execute only those professional functions that they're qualified to execute.
I've repeatedly observed legal and IT service personnel in victim environments, unfamiliar with legal issues and their corresponding technical forensic procedures, unilaterally handle and unintentionally alter and destroy digital evidence and undermine the very objectives they wished to achieve.

8. Evaluate and hire experts in advance.

CAUTION: Now that the cybersecurity market is a hot business, many personnel in law enforcement and professional services firms claim to be "experts." Incompetence is a cost of business you can't afford. So, how do you wade through all the marketing hype and vet your experts?

Get the right security experts

Consider the following recommendations when evaluating security experts:

1. Start by understanding the differences between "techie" professionals to reduce confusion.

* Information technology (IT) service professionals are typically trained to set up and provide specific technology services to users. Most are neither trained nor experienced in dealing with exploitation of those technologies or the legal issues surrounding a given incident.
* IT security specialists focus on constructing defensive measures to mitigate cyber and related threats, and some of them are experienced in understanding exploitation. But today, few IT security professionals have the authentic forensic backgrounds to effectively investigate and gather evidence of network-based cybercrimes for presentation in court.
* Cyberforensic specialists typically have extensive hands-on problem-solving experience and knowledge of the art of identifying, preserving, recovering, analyzing, and presenting digital evidence recovered in a network communications environment. Those skills, coupled with experience in digital courtroom presentation methods, make cyberforensic specialists qualified to address the range of issues arising in cyberspace civil litigation.
And when matters involve potential criminal activity, it's imperative that the specialists you choose have this breadth of experience, preferably in a federal law enforcement environment.

Why seek a cyberforensic specialist? These professionals can deal with:

* Altered accounting and client records
* Digital forgeries
* Fictitious computer-generated and forged documents
* Deliberate corruption of business records
* Manipulation of invoicing and payment systems
* Unauthorized network system access
* Cyberidentity theft
* Misuse of enterprise resources
* Deleted business information
* Evidence of corporate espionage and the use of cyber techniques for the concealment of activities
* Inappropriate or offensive e-mails
* Secured and password-protected data

Cyberforensic specialists can take legally sufficient depositions from personnel during investigations; provide corporate and outside counsel with experienced insight into the digital evidence preservation process; provide definitions, instructions, and specific questions about electronic evidence relative to written discovery procedures; preserve the chain of custody of evidence; and provide critical testimony about the forensically sound procedures used in the recovery of digital evidence through technical investigation.

2. Ask the expert to describe the technical issues at hand and how they can be solved. You're not looking to become an expert yourself, but for the expert to explain technical challenges in clear, understandable terms. Clarity demonstrates that your expert really does understand his craft and can explain issues in simple, direct, concrete terms, which is critical in the legal process.

EXAMPLE: Let's say you have an exploitation of a UNIX operating system. Ask your expert to explain how UNIX proceeds through its boot sequence and run control (rc) stages from bootup until the time of the exploit, how the exploit impacts the operating system, and the safest way to preserve and collect evidence in your scenario.
When challenged, some experts will refer you to a technical staff member not present to answer your question (who may be "technical" but likely won't have a hands-on forensics background in gathering and identifying digital evidence).

BEWARE: This could indicate that you're dealing with a salesperson who uses technical staff to perform forensics work, with neither having any true background in the digital evidence forensics field. I've repeatedly seen this type of scenario in law enforcement and professional service environments.

3. Determine your expert's level of expertise. Many cyberforensics professionals have limited technical and experiential backgrounds that might not be apparent to the untrained eye. Examine your expert's background and look for telltale signs of "technical people," lawyers, or auditors "converted" to perform forensics work. This is a common phenomenon, and it is becoming increasingly prevalent given the availability of one-size-fits-all training courses offered by forensics software manufacturers.

BEWARE: Generally, most law enforcement and professional service provider organizations have personnel trained to handle issues in particular operating environments, but few have personnel with true network forensic expertise beyond limited experience and introductory training in network investigative environments. Cyberforensics takes years of experience and trial and error to acquire the judgment and skills that constitute real expertise, coupled with formal training in a law enforcement environment.

4. As with any consulting contract, check references. Also look for genuine skill, common sense, and problem-solving abilities.

5. Don't be penny wise and pound foolish. Conserving financial outlays to avoid funding the costs of incident response is the equivalent of burying one's head in the sand and hoping for the best.
Talk with your insurance carriers in advance to ensure that the costs of incident response, including investigation and legal action, can be funded through the insurance claims process.

6. Be realistic. The cyberforensics business isn't intuitive. Don't try to "know so much" that you mislead yourself into believing you understand and can do it all.

7. Don't hire ex-hackers or reformed criminals to perform security or forensics work. Giving the keys to your house to allow an ex-burglar to perform a security survey isn't the same thing as giving an ex-hacker root access to servers containing your vital data within your firm's information architecture. There are many professionals available to perform these services whose backgrounds are clear and authenticated. Why take on more risk when you're trying to reduce your exposure?

8. Finally, don't let software and hardware manufacturers of security or forensics products persuade you that they have the magic bullet that will solve all your security challenges, or that you can save money by performing forensics functions yourself. It simply isn't true.

Get started

The worst course of action is taking no action at all. If you act by following up on the major points cited in this article, you'll go a long way toward reducing the cost, stress, and uncertainty surrounding the incident response process.

Should your security strategy include an incident response plan? Yes:

* Cybercrimes are on the rise
* Inside offenders are a company's main source of risk
* Being caught unawares could result in devastating losses

But . . .

* You can't do it alone -- you need the help of cyberforensics experts
* Experts' levels of expertise vary, and in some cases may be misrepresented
* New technologies are making it easier to enhance security, but they're only part of the equation

------------------
http://all.net/
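The article's TOP TIP and planning factors 1 through 3 call for preserving digital evidence and its chain of custody, and factor 5 warns that administrators routinely alter evidence without meaning to. What follows is an added example, not part of Talleur's article or Cohen's message: a small Python intake script that records who collected which files from where, hashes each item with SHA-256, and re-verifies the set later so that any altered, missing or added file is reported. The collector name, server name and file contents are constructed placeholders; the script assumes the evidence has already been acquired into a directory and does not perform acquisition itself.

```python
"""Evidence intake manifest: hash collected files, then verify them later.

Added example, not from the article. It assumes evidence has already been
copied into a directory; it does not image disks or pull files itself.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large evidence files are never read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, source: str) -> dict:
    """Record who collected what, from where, when, and each item's hash and size."""
    items = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        items[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    manifest = {
        "collector": collector,
        "source": source,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # Hash the manifest body itself so a later edit to the record is detectable too.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Re-hash every item; report which are unchanged, altered, missing or unexpected."""
    expected = manifest["items"]
    present = {
        p.relative_to(evidence_dir).as_posix()
        for p in evidence_dir.rglob("*")
        if p.is_file()
    }
    report = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for rel, rec in expected.items():
        path = evidence_dir / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != rec["sha256"]:
            report["altered"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - set(expected))
    return report


def demo() -> tuple:
    """Constructed scenario: collect two files, then an admin 'tidies up' afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "mail").mkdir()
        # Constructed sample contents; hypothetical server name "big".
        (ev / "mail" / "inbox.mbox").write_bytes(b"From: alice\nSubject: invoice\n")
        (ev / "auth.log").write_bytes(b"Oct  3 13:35:02 big sshd[189]: Accepted password\n")
        manifest = build_manifest(ev, collector="J. Doe (IR lead, hypothetical)",
                                  source="server big (hypothetical), /var")
        before = verify_manifest(ev, manifest)
        # Well-meaning cleanup: a log line appended, a mailbox deleted, a note added.
        with (ev / "auth.log").open("ab") as fh:
            fh.write(b"Oct  3 14:00:00 big sshd[190]: session closed\n")
        (ev / "mail" / "inbox.mbox").unlink()
        (ev / "README.txt").write_bytes(b"cleaned up by sysadmin\n")
        after = verify_manifest(ev, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before cleanup:", before)
    print("after cleanup: ", after)
```

In practice the manifest is written to write-once media or handed to counsel alongside the evidence, and the verification step is re-run at every hand-off; the "altered" and "missing" lists are exactly the damage the article attributes to untrained staff handling evidence.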
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:53 PST