VARNOSTNI FORUM, VI / March 2010
WHAT TO DO IN CASE OF SECURITY BREACH AND HOW TO PREVENT THEM?
Topic of the month
ENDPOINT SECURITY
SAŠA AKSENTIJEVIĆ
There are several typical cases in which corporate clients ask for forensic analysis of computer systems and analysis of front-end perimeter breaches, the most common being litigation and proceedings against current or ex-employees. In this article I will try to give some advice to those responsible for responding to security breaches on what to do in order to resolve the situation. It is important to underline what to do and, even more importantly, what NOT TO DO when responding to security incidents. In most cases, doing nothing is better than doing just anything, so I will start with a list of actions that should not be taken, and that are nevertheless prevalent in most organizations that do not have well-established incident response procedures, or where incident response is assigned randomly, either by hierarchy or by where the incident happens to fall within the organization, with everyone thus "avoiding the hot potato in their own lap".
Saša Aksentijević spent his entire educational and professional life in the ICT area. He first worked for several years as an independent ICT consultant, owner of a start-up company and specialist for mass storage technologies. During the past seven years he has been working in one of the world's biggest multinational companies in the oil and gas sector, which performs offshore and onshore turnkey projects. He holds a B.Sc. in business informatics, a Master's degree in ICT Management and ICT Security and an ISO 27001:2005 Lead Auditor certificate. On top of that, he works as a business strategy consultant specialized in safety at work and human resource management, and he is a certified ICT forensics court expert at the Commercial and Municipal Courts. Recently, he started his Ph.D. studies in business economy.
Fig 1: Five petals of ICT forensic investigation "don'ts": (1) avoid emotional response; (2) do not confront suspects and avoid evidence contamination; (3) do not avoid authorities; (4) ensure consistent state of hardware; (5) do not conduct internal investigation without professionals.

1. Approach the issue calmly and without panic, and avoid any form of written and electronic communication, including phone calls. In most cases, the damage is already done by the time the information about the security breach or incident has become apparent. Even though a quick response is of high importance, it is even more important to approach the issue calmly and in an analytical manner, avoiding an "emotional" response. If there is reasonable doubt that damage has been incurred to the company's resources, computer and network systems, or the company's image and reputation, or that the computer systems and information have been used in a way that is contrary to business policy and strategy, or that local laws have been violated, it is important to discuss the hard facts in complete confidentiality with the highest decision levels within the organization while minimizing the number of people involved. The reasoning is simple: security and information breaches are often initiated by people who are either highly positioned within the organization or have direct hands-on knowledge of information system maintenance; widening the number of people involved in incident response might therefore easily backfire and render such attempts unsuccessful. At this stage it is important to avoid raising suspicion in those who are the subject of the investigation, as it could result in further compromise of the integrity of the information systems or in data deletion.

2. A common error made by most managers is confronting the suspects personally immediately after a security breach is suspected, even before the forensic investigator has securely analyzed the available data, ensured the chain of evidence and secured the evidence data against contamination. This step is very important because at this stage evidence is secured for possible future court proceedings.

3. Contact with the police should not be avoided. This is true for information security breaches as well. Being honest and straightforward towards the public and stakeholders is a staple of successful crisis and PR management. If the law has been violated in any way, then, after consensus with those responsible within the organization, the police and other authorities have to be involved.

4. Never turn off computers and computer systems that could be compromised. This is also one of the most common mistakes: managers usually want to turn off computers in order to preserve evidence; however, evidence can sometimes be deleted by powering down systems. On the contrary, if possible, try to ensure an uninterrupted power supply until the forensic investigators arrive, but do not use those systems, to ensure that no changes are made to data and file systems.

5. The reverse of the previous point is also valid: do not turn on computer systems that are turned off if they could have been tools used in computer crime or system breaches, as this too could compromise and delete traces needed for the investigation.

6. The biggest damage that can be done by "do-gooders" from ICT departments is usually done when trying to conduct an internal investigation. The area of computer forensics is very complex, and people with high levels of computer education are not necessarily people who can run investigations of computer crime and information security breaches. Unless the personnel are authorized, have all the adequate forensic tools, and understand the legal implications of evidence collected from computers and computer systems, it is quite possible that evidence could be corrupted, destroyed, or rendered inadmissible in possible future legal proceedings.

Now that we have established what not to do, let us put some emphasis on what to do in case there is a suspicion that the organization's computer and network systems were abused, or that there has been an external security perimeter breach. The same applies to possible misuse of computers, notebooks, palmtops, external memories and ports, mobile telephones and other computer and telecommunication equipment. Let us outline what should be done in order to ensure an adequate response and analysis by forensic investigators and court experts once they are involved in the process.
1. In most cases, there should be a fine balance between the sense of urgency and preserving the evidence. Computer systems usually preserve evidence for a longer period of time, at least long enough to create an action plan. The key questions are the following:
a) who should be informed within the organization about the information security breach;
b) has the law been broken;
c) is it necessary to contact the police;
d) is it necessary to contact lawyers;
e) is it possible to conduct an internal investigation.

2. It is advisable to make a list of the software and hardware used and of all compromised computers and other assets. This will speed up the forensic process, as such a list can be readily submitted to those in charge of the investigation. This refers to all media, such as floppy disks, CD and DVD media, hard drives, USB hard drives, pen drives, memory cards and digital photo cameras.

3. The list from the previous item should be widened by answering the following further questions: is it possible that computers other than those immediately identified have been misused, for example common terminals or workstations, computers of coworkers from the office or company, mobile phones, palmtop computers or electronic organizers? The list should then be updated while evaluating not only the affected hardware but also the informational infrastructure of the organization. Which services and databases may be compromised and where are they located; are they internal or external (distributed)?

4. In case part of the security breach is also data loss due to corruption or deletion, tapes and other media containing the last functional backup should not be restored immediately. Instead, the forensic investigator should first look for evidence, and only after the evidence has been secured should the service be restored.

5. All access and activity logs stored on computers, network equipment, server systems, telephone exchange systems and fax systems should be identified and secured. They can be of great interest to the breach investigation and help forensic investigators to reach certain conclusions.

6. The scope of the investigation should be widened outside the organization's perimeter if so indicated. Is it possible that certain parts of the misuse were carried out on remote computers outside the company's perimeter, for example using a notebook or a home personal computer? What is the current location of such equipment and is its investigation going to be of interest to the forensic investigator? What should be done in order to gain access to that remote information processing equipment?

7. In any case, the most important thing in the initial investigation of any perimeter breach

Fig 2: Two pillars of ICT forensic investigation "do's": create list of hardware resources to be analyzed; widen the scope; create response plan; create list of services to be analyzed; prepare for data restore, but do not execute it; identify and secure logs; secure the equipment and services from changes; segregate identified hardware; change access credentials; ensure chain of evidence.
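As an added example (not from the article), the following Python script shows one way to carry out two of the "do's" above, identifying and securing logs and ensuring a chain of evidence: each collected log file gets a manifest entry with its SHA-256 hash, size, modification time, collector and acquisition time, and the entries are hash-chained so that a later edit to a file or to a manifest entry is detected at verification. The log lines and the collector name are constructed sample values.

```python
# Added example, not from the article: a tamper-evident manifest for the
# logs identified under the "do's" (identify and secure logs, ensure chain
# of evidence). Entries are hash-chained, so editing a file or an entry shows.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def entry_link(entry):
    # Hash of an entry's fields (excluding its own link) in canonical JSON form.
    body = {k: v for k, v in entry.items() if k != "link"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_manifest(paths, collector):
    """Record each evidence file; each link commits to the previous entry's link."""
    entries, prev = [], "0" * 64
    for p in sorted(paths):
        st = os.stat(p)
        e = {"path": p, "sha256": sha256_file(p), "size": st.st_size,
             "mtime": st.st_mtime, "collector": collector,
             "acquired": datetime.now(timezone.utc).isoformat(), "prev": prev}
        e["link"] = entry_link(e)
        entries.append(e)
        prev = e["link"]
    return entries

def verify_manifest(entries):
    """Return problems found: broken chain links or files whose content changed."""
    problems, prev = [], "0" * 64
    for e in entries:
        if e["prev"] != prev or e["link"] != entry_link(e):
            problems.append("chain broken at " + e["path"])
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            problems.append("content changed: " + e["path"])
        prev = e["link"]
    return problems

def demo():
    """Constructed sample logs: a clean check, then a check after one log is edited."""
    d = tempfile.mkdtemp()
    logs = {"auth.log": "Mar  1 08:12:01 srv sshd[412]: Accepted password for admin\n",
            "pbx.log": "2010-03-01 08:15 ext 204 -> ext 118 duration 00:03\n"}
    for name, text in logs.items():
        open(os.path.join(d, name), "w").write(text)
    manifest = build_manifest([os.path.join(d, n) for n in logs], "investigator")
    clean = verify_manifest(manifest)                     # expect no problems
    open(manifest[0]["path"], "a").write("tampered\n")    # evidence touched afterwards
    return clean, verify_manifest(manifest), manifest
```

In practice the manifest would be written to read-only media and signed or countersigned by the collector, so that the chain can be presented alongside the evidence.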