
Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Internal Cyberforensics
Sunil Bakshi, CISA, CISM, AMIIB, MCA

Convergence has helped organizations in deploying IT resources at faraway places. Integration of enterprise applications and the ability to access information anywhere has added to the productivity of each business sector. This has also made the technology solutions more complex for the organizations to handle. Though laws in many countries have provided definitions of cybercrimes, laws merely provide a disciplinary framework, which is of no use in preventing a security breach. Also, a law is effective only if proper evidence is collected and established to find and convict the culprit. The 10th Annual Computer Crime and Security Survey conducted by the Computer Security Institute (CSI) and the US Federal Bureau of Investigation (FBI)[1] has brought out various facts about security issues in the US. The major findings are included in figure 1. The survey has consistently concluded that the major threat to an organization's security is from the inside, i.e., employees, past employees or business associates.

Most organizations have taken steps to secure their information assets. The most popular step is the creation of an IT security policy, and the least popular is security outsourcing. Most organizations are aware of the security issues and try to address them in various ways. International standards, such as BS 7799, ISO 17999:2000, ITIL, COSO, Basel II committee reports and COBIT, have been adopted and implemented. The main focus has been on preventing security breaches. When an intentional security breach is detected, efforts are made to stop the incident and minimize the damages. This results in the culprit going free to make another try. The common mistake of deploying popular automated tools without understanding their effects leaves the security gaps open (for example, when an antivirus tool is purchased and installed, but no procedure is defined for regular updates, or a firewall is installed but not configured properly). Security technology (hardware and/or software) is a tool and not the solution.

Figure 1: Major Findings of CSI/FBI 10th Annual Computer Crime and Security Survey
- Security outsourcing: 88 percent prefer in-house.
- Budget: Security is less than 5 percent of the IT budget.
- Security insurance: Only 25 percent said yes.
- Unauthorized use: 12 percent are not aware, and 55 percent accept the existence.
- Number of incidents: 28 percent do not know; more than percent acknowledge more than 10 incidents in a year.
- Security audits: 87 percent feel they are a must.
- Sarbanes-Oxley: Positively impacts security and IT governance, though the focus is more on security.
- Security incidents: 39 percent did not report the incidents; 20 percent reported to law enforcement; 16 percent took the help of legal counsel.
- Why the 39 percent did not report the incidents: negative publicity, 43 percent; competitors would use it to their advantage, 33 percent; civil remedy seemed best, 16 percent; unaware of law enforcement interest, 16 percent.

IT Security Management
Organizations that deploy security technology use various methods to protect their information assets. These methods/solutions are mainly management practices that bridge the gap between IT assets and a security incident, supported by automation technologies, such as firewalls and intrusion detection systems. The main objective of these activities is directed toward ensuring the confidentiality, availability and integrity of information assets. An organization's internal IT security policies and procedures provide a basic framework for security. Security procedures are generally aimed at preventing a security breach. However, depending upon the cost of preventive controls, the business impact due to loss of assets, and the organizational culture, trust models, etc., the organization may employ detective and corrective controls to minimize the impact of the incident. The impact of a security breach (figure 2)[2] directly affects one or more security criteria (confidentiality, availability and integrity of the information), potentially resulting in loss of assets, loss of data, broadcasting of confidential information about customers or employees, and loss of faith.

Figure 2: Impact of Incident (diagram; labels recovered from the page)
Incident -> Information: Availability, Integrity (corrupt data), Confidentiality -> Consequences: Fraud, Competitive disadvantage, Business loss, Legal liabilities, Wrong decision, Low morale, Reputation loss

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 6, 2005

The cause of the breach could be intentional or accidental. The CSI/FBI survey pointed out that internal or authorized users cause the majority of security breaches (figure 3). Therefore, it makes more sense to implement management practices for securing the organization's assets.

Figure 3: Security Breach Statistics[3]
- Accidental: internal control weakness, 10-12 percent; perimeter control weakness, 0-5 percent
- Intentional: internal attack/security policies, 65-80 percent; attack, 5-8 percent

The first step in this process is learning how to separate the harmless scans that occur hundreds of times a day from determined attacks. Not only do the firewall logs have to be carefully reviewed, but so too do the internal systems, for signs of a firewall or modem breach. If signs are present, a full forensic investigation is merited.
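The triage this paragraph describes, as an added example written for this page (not the author's or the journal's code): constructed firewall deny lines and login records in RFC 5737 test address ranges, with the log formats, the thresholds and the firewall's own address all assumed.

```python
"""Firewall-log triage, as an added example for this article (not the author's
code): tell broad scans from repeated, targeted attempts, and escalate any source
that later shows a successful internal login. The log formats, thresholds,
firewall address and sample lines are constructed (RFC 5737 test ranges)."""
import re
from collections import defaultdict

FIREWALL_IP = "198.51.100.1"      # assumed address of the firewall itself
SCAN_PORTS = 8                    # distinct ports from one source before it counts as a scan
TARGET_REPEATS = 5                # hits on a single port before it counts as targeted

# Constructed firewall deny lines: one source sweeping ten ports once each, one
# hammering ssh, and one probing the firewall's own management port.
FW_LOG = [f"2005-06-01T10:00:0{i} DENY src=203.0.113.5 dst=198.51.100.10 dport={p}"
          for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445))]
FW_LOG += [f"2005-06-01T11:0{i}:00 DENY src=203.0.113.77 dst=198.51.100.10 dport=22"
           for i in range(6)]
FW_LOG += ["2005-06-01T11:30:00 DENY src=203.0.113.200 dst=198.51.100.1 dport=443"]
# Constructed internal login records for the same day.
AUTH_LOG = ["2005-06-01T11:07:12 sshd: Accepted password for jdoe from 203.0.113.77",
            "2005-06-01T11:40:00 sshd: Accepted publickey for admin from 192.0.2.9"]

FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")
AUTH_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

def summarize(fw_lines):
    """Per source: hit count per destination port and whether the firewall itself was a target."""
    stats = defaultdict(lambda: {"ports": defaultdict(int), "fw_hit": False})
    for line in fw_lines:
        m = FW_RE.search(line)
        if not m:
            continue                     # skip lines in another format, do not guess
        entry = stats[m["src"]]
        entry["ports"][int(m["port"])] += 1
        if m["dst"] == FIREWALL_IP:
            entry["fw_hit"] = True
    return stats

def classify(fw_lines, auth_lines):
    """Verdict per probing source: investigate, firewall-directed, targeted, scan or low."""
    stats = summarize(fw_lines)
    logged_in = {m["src"] for line in auth_lines for m in [AUTH_RE.search(line)] if m}
    verdicts = {}
    for src, entry in stats.items():
        repeats = max(entry["ports"].values())
        if src in logged_in:             # probed the perimeter, then got in: full review
            verdicts[src] = "investigate"
        elif entry["fw_hit"]:            # scans aimed at the firewall get their own bucket
            verdicts[src] = "firewall-directed"
        elif repeats >= TARGET_REPEATS:
            verdicts[src] = "targeted"
        elif len(entry["ports"]) >= SCAN_PORTS:
            verdicts[src] = "scan"       # wide and shallow: the daily background noise
        else:
            verdicts[src] = "low"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(FW_LOG, AUTH_LOG).items()):
        print(f"{src:15} {verdict}")
```

A source with the "investigate" verdict is the case the paragraph has in mind: perimeter probing followed by a sign of breach on an internal system.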

Electronic Evidence
Any electronic document, data or information capable of establishing that a criminal act has been committed, of identifying the flow of data, and of giving information about the person who originated the action can be used as electronic evidence, provided there is sufficient manual or electronic proof that the contents of the electronic evidence are in the original state and have not been tampered with or modified during the process of collection and analysis. For example, if person A sent a threatening e-mail to person B by spoofing the e-mail address so the message appeared to have come from person C, what would constitute evidence to prove that a crime was committed, and that it was committed by A, not C? In this case, the following procedures should be used:

1. To obtain tangible evidence to initiate an investigation, a printout of the e-mail has to be taken as soon as possible.
2. Preserving the e-mail as received on B's computer is basic evidence. The header of the e-mail received by B provides the exact path and IP addresses of the computers through which the e-mail has traveled.
3. The ISP can provide the exact location, from the IP address, of the computer from which the e-mail originated, even though the sender's identity has been spoofed. The request to the ISP needs to be backed by proper authority from law enforcement agencies and/or judicial authorities.
4. The law enforcement agencies then perform a physical raid to seize the computer from the location. This process has to be done manually. After the seizure, the hard disk of the computer is identified and a replica is made in the presence of independent third-party witnesses. The replica is then used for further analysis to gather the electronic evidence. The original hard disk has to be sealed and kept in tamperproof custody.
5. The analysis of the replica can fetch the necessary evidence to determine whether the e-mail originated from said computer. Even though the original data/files have been deleted or overwritten, the latest forensic tools can recover the original file.
6. It is then necessary to establish the identity of A and confirm that he/she has used the computer for sending the e-mail. This follows the manual forensic procedures.

This procedure clearly indicates that the presence of a law enforcement agency is mandatory for investigating an attack from external sources, and the attack must be defined as a crime by the law. However, an attack from internal sources and a noncriminal attack from external sources can be investigated privately. For this, it is essential to have proper internal procedures to preserve evidence acceptable to law enforcement and judiciaries, to protect the organization's interest.
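Step 2 above, worked as an added example (not the author's code): the Received: headers of a constructed message whose From: line claims C, read to find the originating IP that step 3 hands to the ISP. Host names, addresses and the header text are constructed; only the recipient's own mail server is assumed trustworthy, so the walk stops at the first Received: line that the hop above it does not vouch for.

```python
"""Reading the Received: path of a spoofed e-mail, as an added example for this
article (not the author's code). The message, hosts and addresses are constructed
(RFC 2606 names, RFC 5737 addresses); the recipient's own server, the hop nearest
the top, is the only one assumed trustworthy."""
import email
import re

# Constructed: A sends from 203.0.113.77 with a From: header claiming to be C.
HEADERS = """\
Received: from mail.isp-of-b.example (mail.isp-of-b.example [198.51.100.20])
    by mx.b-corp.example with ESMTP id ABC123
    for <b@b-corp.example>; Wed, 1 Jun 2005 10:05:02 +0000
Received: from relay.isp-of-a.example (relay.isp-of-a.example [203.0.113.40])
    by mail.isp-of-b.example with ESMTP; Wed, 1 Jun 2005 10:05:01 +0000
Received: from userpc (dsl-77.isp-of-a.example [203.0.113.77])
    by relay.isp-of-a.example with SMTP; Wed, 1 Jun 2005 10:04:58 +0000
From: c@c-corp.example
To: b@b-corp.example
Subject: (constructed threatening message)
"""
# Constructed: the same message with one extra Received: line that the sender
# typed in to make the mail look as if it started at C's mail server.
FORGED_LINE = ("Received: from mail.c-corp.example (mail.c-corp.example [192.0.2.9])\n"
               "    by smtp.somewhere.example with ESMTP; Wed, 1 Jun 2005 10:04:50 +0000\n")
RAW = HEADERS + "\nbody\n"
FORGED_RAW = HEADERS + FORGED_LINE + "\nbody\n"

HOP_RE = re.compile(
    r"from (?P<from_name>\S+) \([^)]*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\][^)]*\) by (?P<by>\S+)")

def parse_hops(raw):
    """Received: headers in header order (nearest the recipient first), each reduced to
    the name the sender announced, the IP the receiving server saw, and that server."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold the header first
        if m:
            hops.append(m.groupdict())
    return hops

def trusted_origin(hops):
    """Walk down from the recipient's server. Each header must have been written by
    the host the header above says it received from; the first break means the
    remaining headers arrived with the message and are not evidence."""
    origin, expected_by = None, None
    for hop in hops:
        if expected_by is not None and hop["by"] != expected_by:
            break
        origin, expected_by = hop, hop["from_name"]
    return origin

def origin_ip(raw):
    """IP address to hand to the ISP: the connecting address logged by the last
    relay whose Received: header can be vouched for."""
    origin = trusted_origin(parse_hops(raw))
    return origin["ip"] if origin else None

def claimed_sender(raw):
    """The From: header is what the sender typed; it is a claim, not evidence."""
    return email.message_from_string(raw)["From"]

if __name__ == "__main__":
    for label, raw in (("as sent", RAW), ("with forged hop", FORGED_RAW)):
        print(f"{label}: From says {claimed_sender(raw)}, origin IP {origin_ip(raw)}")
```

Both messages resolve to the same originating address: the forged line sits below the last header a trusted relay wrote, so the continuity check discards it.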


Two management practices often used are IT security policies and procedures, and business continuity management. Figure 4 depicts the relative position of these methods in security management. Though prevention is better than cure, these practices also address the issue of investigation and analysis of the incident, since 100 percent security is not possible.

Figure 4: Security Management (diagram; labels recovered from the page)
- IT security policies and procedures: Risk Management, Business Impact Analysis, IT Security Policies, Procedures, Training and Awareness, Incident Response, Compliance, Investigations and Analysis, Incident
- Business Continuity Management: Business Disaster Maintenance Recovery and Continuity

Forensic Requirements
Most organizations have excellent policies and procedures relating to computer use. They also have a firewall to protect their assets from Internet intrusions and to log violations. They have a security officer or firewall manager who is responsible for enforcing security. The problem is that they may not know how to determine when an attack should be investigated or simply blocked. In most cases, serious attacks are blocked with no investigation. The perpetrators can then lie low until controls relax and try again. They are also free to attack other sites, as their actions have not been reported to the authorities. Hence, it is essential to implement analytical and forensic procedures within the organization's incident response procedures. Serious events have to be investigated, evidence gathered and the authorities notified if a crime has been committed. Many security officers and firewall administrators have neither the forensic skills required to determine whether an event merits investigation nor the knowledge to conduct the required investigation. Now is the time to acquire these skills and implement new techniques.


These procedures are also required to protect the organization's interest. In the previous example, if A, B and C are employees and/or authorized users of the organization's intranet and disciplinary action is taken against A, and if A decides to pursue legal action, the organization should be able to prove that A initiated the improper act. That means the procedures defined by the organization should be able to prove that the evidence collected is in its original state and has not been altered. If it is observed at any time that the improper act of the employee is a crime under the legal system, the matter should be handed over to the law enforcement agency. Otherwise, the organization and the investigator might become accessories after the fact. In the example discussed previously, if the contents of the e-mail are offensive but do not constitute a crime, the organization can proceed with the private investigation.

As a real-life example illustrating the importance of proper policies, a US federal judge has sanctioned an investment bank for destroying, or failing to produce in a timely manner, e-mails in a gender discrimination lawsuit. The judge faulted the bank for disobeying its own lawyers' instructions to preserve evidence. The case involves a former equities trader at the bank, who filed suit in 2002 accusing the company of failure to promote because of gender. The judge found that bank personnel deleted relevant e-mails, some of which were recovered from backup tapes and some of which were lost. If the bank had policies in place that established protocols and lines of communication for preserving backup tapes when they become relevant in litigation, it could have avoided a lot of grief.[3]

Guidelines for Internal Forensics

To avoid the issues arising out of a lack of evidence preservation, the organization should have proper security policies covering the procedures for tamperproof evidence collection. Some basic procedures include:[4]

Be prepared by:
- Creating an asset management program or taking inventory of all IT assets, such as systems, equipment, devices, applications and processes
- Implementing a risk management program and business impact analysis in case any of the assets listed above are not available
- Ensuring that policies and procedures that relate to accessing and using the systems are listed in the inventory
- Listing the administrators responsible for the routine maintenance of the systems, devices and/or applications
- Making a detailed list of the steps used in collecting and analyzing evidence
- Defining a trust model and procedure for selecting trusted third parties acceptable by law, if required
- Listing the possible targets
- Listing possible causes of the incident
- Listing knowledge about known attacks, including the tools and techniques used

Identify the attack by:
- Reviewing logs (intrusion detection, firewall, system logs, login attempts, etc.):
  - Note repetitive login attempts.
  - Review the accounts that were targeted.
  - Review primary system files (user additions, password files, trust files, service files, etc.) for alteration.
  - Review inbound and outbound traffic on firewall logs, note all IP addresses that consistently scan the organization's Internet-based systems, and review all scans directed specifically at the firewall.
  - Review the type of services used to connect (ftp, telnet, ssh, rlogin, etc.).
  - Review system logs for superuser login attempts (su, sys, system, root, etc.). Validate the attempts.
  - Review system accounts (if applicable) for any discrepancies in billing.
  - Ensure that logs have a date and time stamp.
  - Note the responsibility and identity of the reviewer of logs.
  - Note the procedures to contact law enforcement, if required.
  - Ensure that the log can identify the persons/users associated with the attack.
- Identifying primary violators, both internal and external
- Looking for commonalities over a wide time frame pertaining to scans, probes and other connections

After the attack has been identified, follow incident response procedures if present. In the absence of them:
- First inform and alert user management, then security management and IT management. Inform on a need-to-know basis. Do not broadcast.
- Initiate evidence procedures, if present, or at least back up and secure all logs immediately.
- If necessary, secure the physical area in which the compromised systems or devices are located.
- Monitor the activity of compromised accounts, users, services, systems, devices (modems, routers, access points, switches, etc.) and applications.
- Review the image of files, not the original. It is essential for legal reasons to assure that the evidence has not been tampered with or modified, accidentally or otherwise.
- Review disclosure options:
  - If the agreements with trading partners require disclosure of incidents, arrange for communication if the incident falls under the required category. (This depends upon the impact of the incident on business operations.)
  - Decide how much to disclose depending upon requirements and/or benefits to the organization. It might be necessary to conceal the incident depending upon the nature of the business.
  - Check for damage insurance for the particular incident. If available, the insurance company may have to be informed. The evidence has to be preserved for the review of the insurance company's representative.
  - If the incident is a crime as defined by law, contact the law enforcement authority (e.g., for fraud, pornography, cheating and hacking).
  - Check if the policies address the arising issues. Are these policies sufficient, or do they need to be updated? The policies should provide guidance on whether to seek a conviction.
- Follow evidence procedures:
  - Put identification tags on evidence.
  - Log all events and steps in a manual format to include date, time, identity of person, activities performed and identifier/tag lists.
  - Create images of these systems and devices. The image creation should be logged and done in the presence of suitable third parties.
  - Brief all personnel associated, particularly those who will be responsible for the custody of assets, about the evidence procedures. This is necessary to ensure that the evidence collected is trustworthy for use in a possible legal case.
  - Ensure that the procedures include maintaining the log for access to the systems or devices in question.
  - If possible, lock the areas in question with physical access controls. Monitor these devices if an inside job is suspected.
- Determine whether the attack used login accounts. If so:
  - Restrict access rights of the compromised accounts.
  - If the accounts are needed, change the passwords on the accounts to ones that cannot be easily cracked.
  - If the accounts are not necessary, disable the accounts until the investigation is over and possibly remove them following the investigation.
  - Place additional restrictions in areas that require limited access (such as file and directory permissions).
- Review any monitoring tools or devices that were installed for any additional evidence:
  - Follow up on the new evidence.
  - Continue monitoring if deemed necessary.
- Identify suspect(s):
  - Question whether you have the legal rights (legal counsel is strongly recommended).
  - If the suspect's systems and/or origination IP addresses have been located, request logs from the suspect's ISP for dates coinciding with the intrusion attempts. This may require legal authorization from a court of law. Once received, use forensic tools to review the suspect's systems.
- Determine whether to pursue legal action. If enough evidence has been gathered to prosecute:
  - Choose to address the prosecution by making a low-profile deal with the intruder(s) or making a high-profile case against the intruder(s).
  - Contact all legal entities necessary, including lawyers and law enforcement.
  - List all witnesses who are being considered, including eye witnesses and expert witnesses.
  - Place all logs (procedure logs) in an efficient order, and make them easy to access.
  - Ensure that all evidence can be substantiated.
- If there is not enough evidence to prosecute:
  - Remove, or at least secure, all accounts suspected of compromise.
  - Close all insecure entry points identified during the investigation.
  - Change passwords on all systems or devices in the area suspected of compromise.
  - Implement better controls to be prepared for the next time.
  - Educate the necessary personnel to gain the skills the organization was missing during the investigation.
  - Update policies or create additional policies if necessary.
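The evidence procedures in the guidelines above (tagging, imaging in front of a witness, a dated log of every action, reviewing the image and not the original), as an added example that is not the author's or Canaudit's procedure: the device is an ordinary file standing in for a sealed disk, the custody log is a JSON-lines file, and the operator, witness and tag names are constructed.

```python
"""Evidence imaging with integrity hashes and a custody log, as an added example
for this article (not the author's procedure). Assumptions: the 'device' is an
ordinary file (a real case would read the sealed disk through a write blocker),
the custody log is a JSON-lines file, and names and tags are constructed."""
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20

def sha256_file(path):
    """Hash a file in chunks so that images larger than memory are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def log_event(log_path, tag, identity, activity, **extra):
    """One custody-log entry: date/time (UTC), evidence tag, who, what, plus details."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "tag": tag,
             "identity": identity, "activity": activity, **extra}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def create_image(source, image, log_path, tag, operator, witness):
    """Image the source, hash both sides, and record the act and its witness.
    Returns the hash that the sealed original and the image must both match."""
    log_event(log_path, tag, operator, "imaging started", witness=witness, source=source)
    shutil.copyfile(source, image)
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    if src_hash != img_hash:
        log_event(log_path, tag, operator, "imaging FAILED: hash mismatch", witness=witness)
        raise RuntimeError("image does not match source")
    log_event(log_path, tag, operator, "imaging verified", witness=witness, sha256=img_hash)
    return img_hash

def recorded_hash(log_path, tag):
    """Latest verified hash for a tag, read back from the custody log."""
    with open(log_path) as f:
        hashes = [e["sha256"] for e in map(json.loads, f) if e["tag"] == tag and "sha256" in e]
    return hashes[-1] if hashes else None

def verify_image(image, log_path, tag, reviewer):
    """Re-hash before every review; any change since imaging is logged and reported."""
    expected = recorded_hash(log_path, tag)
    ok = expected is not None and sha256_file(image) == expected
    log_event(log_path, tag, reviewer, "integrity check " + ("passed" if ok else "FAILED"))
    return ok

def demo():
    """Constructed walk-through: image a fake device, verify, then catch a stray write."""
    work = tempfile.mkdtemp()
    src, img, log = (os.path.join(work, n) for n in ("device.bin", "device.dd", "custody.jsonl"))
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))            # odd size: no whole-chunk assumption
    create_image(src, img, log, "EV-001", "operator (constructed)", "witness (constructed)")
    before = verify_image(img, log, "EV-001", "reviewer (constructed)")
    with open(img, "r+b") as f:                        # simulate an accidental write to the image
        f.seek(5); original = f.read(1)
        f.seek(5); f.write(bytes([original[0] ^ 0xFF]))
    after = verify_image(img, log, "EV-001", "reviewer (constructed)")
    shutil.rmtree(work)
    return before, after
```

The custody log ends up holding, for each tag, who imaged it, who witnessed it, the hash that the sealed original must still match, and every later integrity check with its result.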

Conclusions
So far, forensics has been considered the domain of law enforcement agencies. Though it remains so, it has become necessary for organizations to acquire cyberforensics skills and embed them in their security procedures. This will help organizations have structured procedures for disciplinary action against internal attackers, and provide enough evidence to law enforcement agencies to catch and convict cybercriminals. Appropriate security policies and procedures, developed with the help of legal counsel and cyberforensic experts/investigators, will provide a method to keep the evidence intact for criminal investigations and libel litigation.

References
- Marlin, Steve; "Financial Firm Sanctioned For Deleting, Withholding E-Mail," Wall Street & Technology, 22 July 2004, www.wstonline.com/story/inDepth/showArticle.jhtml?articleID=23904995
- Schperberg, Robert; "Incident Response Investigations," International Conference of ISACA, 22-24 June 2004, Boston, Massachusetts, USA
- New Technologies Inc., www.forensics-intl.com
- Paraben Corp., www.paraben-forensics.com
- TeleDesign Security Inc., www.teledesignsecurity.com

Endnotes
1. Computer Security Institute and Federal Bureau of Investigation, 10th Annual Computer Crime and Security Survey, 2005, www.gocsi.com
2. IT Governance Institute, COBIT Security Baseline, 2004, www.itgi.org
3. Op. cit., Computer Security Institute and Federal Bureau of Investigation
4. Canaudit Inc., www.canaudit.com

Sunil Bakshi, CISA, CISM, AMIIB, MCA is a member of the ISACA Membership Board and past president of the ISACA Pune (India) Chapter. He is an experienced banker and IS auditor.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

