
The following is the fifth and final excerpt from my Norwich MSIA Seminar 4 final paper, in which I speculate on how IA will evolve.
I would love to hear what you think, so leave a comment and let me know how you think things will turn out.
Computer Incident Response and Forensics
Computer incidents will happen, so it is very important to be able to respond to and investigate them. The main goals of an incident response team are to reduce the financial impact of the incident and return the systems to their desired state as quickly as possible. It is always best to have a defined plan to follow when faced with an emergency or crisis situation. It is even more important when your actions may have to be explained in court. Therefore, organizations must create policies to define the scope and authority of the incident response team and create a plan before a crisis hits.
The following are steps that could be taken to create a plan (as modeled from the Generic Computer Incident Response Team Plan):
• Map threats to vulnerabilities
• Define skills / training / certification required for CIRT members
• Identify employees who have the skills / training / certification required
• Define equipment required for monitoring / sniffing
• Monitor assets
• Define logging levels
• Define alarm thresholds
• Define response levels for each incident type (for example, Red, Yellow, Blue)
• Define team members for each response level at both the local and corporate offices
• Define incidents that will be escalated to law enforcement and the process for escalation to law enforcement
• Document contact information for all team members
• Document contact information for
- ISPs
- Vendors
- Local and Federal law enforcement organizations
• Create a communications plan
- Internal documentation
- Internal communication
- Public communication
• Create response plan for each alarm / incident type
• Communicate the plan to the organization
• Practice the plan
Different people will be required to respond based on the type of incident. This should be spelled out in the response plan. Each person should know what role they are expected to perform in response to each incident type as defined by the incident response plan. Types of skills/functions needed on a CIRT include (True “Computer Incident Response Teams” 4):
• System administrators
• Network administrators
• Security administrators and specialists
• Management
• Public relations
• Legal
This team has a good mix of the skills needed to respond to an incident. The technical people can find and fix the problem, the PR people can communicate with the press and public, the management team has the authority to act and can communicate internally, and the legal people can ensure that any laws and regulations are met.
Forensics
Computer forensics and incident response overlap to a certain degree. At some point in the incident response it may become necessary to collect or seize evidence. Consequently, it would be a good idea to treat every incident as if it will end up in court.
Computer forensics is a highly specialized skill and the results of the forensics investigation may be reviewed in a court of law. The people responsible for computer forensics must be highly trained and ideally possess industry and vendor certifications. Ideally, the organization would also have access to a lawyer who specializes in this field.
How the forensics investigation is handled has a direct impact on the ability to successfully prosecute the accused criminal. This reinforces the importance of creating a good response plan and practicing that plan so people know how to respond. The alternative is that people lose evidence or mishandle it, rendering it inadmissible in court.
The organization’s security policies must detail who has authority to conduct a forensics investigation, the actions that a first responder must take, and when, how and who will escalate to law enforcement.
Information, especially computer forensics information, is extremely fragile, and it can be destroyed very easily if improperly handled. The Secret Service’s Best Practices for Seizing Electronic Evidence document suggests these steps that should be taken by a first responder (pp. 2-3):
“Secure the Computer as Evidence
• If the computer is “OFF” do not turn “ON”.
• If computer is “ON”
  - Networked or business computers
    - Consult a Computer Specialist for further assistance
    - Pulling the plug could
      - Severely damage the system
      - Disrupt legitimate business”
Another critically important step is documenting what happened. This should be spelled out in the incident response plan, because that documentation will be part of the evidence presented to law enforcement or used in civil court.
Finally, eDiscovery is another category of computer forensics. Some companies have justified hiring computer forensics specialists due to the amount of eDiscovery work they must perform, usually in response to lawsuits.
The Future of Incident Response and Forensics
Many businesses of all sizes do not have an incident response plan or forensics capabilities, nor do they have a provider lined up to respond. In the future, this will be unacceptable, as both businesses and the public better understand IA. Companies will probably be required to properly respond and investigate incidents, and escalate to law enforcement because their insurance companies and the laws are likely to require it.
Smaller organizations will probably need to outsource the incident response and forensics responsibilities to a managed security service provider (MSSP). Some larger companies may choose to outsource these functions if they decide they do not have the necessary skills, outsource their IT functions, or do not want to add staff.
The law is still being sorted out regarding computer forensics. For example, there is confusion over what evidence can be collected by a lay person and what must be collected or analyzed by an expert. As reported on the Federal Evidence Review blog, “Distinguishing lay and expert testimony can be a challenging feat, as other courts have recognized. See, e.g., United States v. Hilario-Hilario, 529 F.3d 65, 72 (1st Cir. 2008) (“There is no bright-line rule to separate lay opinion from expert witness testimony; circuits, and indeed decisions within a circuit, are often in some tension.”) This same challenge can arise in considering computer forensic testimony. For example, can lay testimony be used to present results by “running commercially-available software, obtaining results, and reciting them”? The circuit noted that whether testimony about “computer-related” issues is expert testimony “is a relatively new question.” The Sixth Circuit addressed this issue and answered the question in the negative.”
The article concludes with the Court’s explanation, “The Sixth Circuit disagreed concluding that interpreting the results of the software tests required the witness “to apply knowledge and familiarity with computers and the particular forensic software well beyond that of the average layperson. This constitutes ‘scientific, technical, or other specialized knowledge’ within the scope of Rule 702.”
Imagine trying to account for such possibilities during a crisis.
Predictions
• Companies will recognize the value of customer trust, and will manage their risks to maximize customer trust.
• The public will demand more secure information systems. This will be reflected in new laws and regulations, and new insurance rules.
• The cost and inconvenience of replacing debit and credit cards, or the nightmare of dealing with identity theft will cause the public to lose faith and trust in electronic payment methods.
• The cost and bad publicity of data breaches will cause businesses to focus more on IA.
• Security will become a competitive advantage, especially as some companies begin to differentiate themselves from their competitors in a way that the public understands.
• Many of these tactics require highly specialized skills. Consequently, many of these functions will be outsourced or centralized by larger businesses when it makes financial sense to do so.
• The market for MSSPs will grow as more SMBs, and even larger companies, require their services.
• Companies will decide that managing an MSSP is easier and cheaper than having a large security staff.
• Companies will use cloud computing and other service providers in an attempt to transfer risk.
• Cloud computing will be a factor in BC and DR, but there will be security incidents while the technology matures.
• Defense systems will get smarter and respond dynamically to threats.
• Software development and programming practices will include security testing throughout the SDLC.
• Software vulnerability testing will improve, and websites will signal to the user that they are safe from common vulnerabilities.
• The line between vulnerability assessment testing and penetration testing will blur.
Conclusion
Wing Chun, a form of Kung Fu, has a saying, “When your opponent retreats, chase. When your opponent attacks, receive it.” What it means is not to fight against your opponent, but to use his energy against him. This system allows a physically weaker person to defeat a physically stronger person. There are no planned or set responses to attacks; instead, it promotes the use of principles to neutralize attacks. The better one can apply these principles without thinking, the better one can neutralize and defeat an opponent.
Contrast this approach with how today’s computer security is applied. We erect firewalls, scan for vulnerabilities and patch holes. We attempt to detect intrusions, we establish long lists of rules for people to follow, and we try to account for every threat to our systems and build specific defenses against them. These are very static and programmed responses to threats, and leave these systems very vulnerable to new or blended attacks.
Our ability to deliver networked data and services currently outstrips our ability to deliver them securely. New methods must be developed, starting with the acceptance that threats exist and some will materialize. The information system must be able to respond to the threat, neutralize it and survive it. This is true whether the threat is man-made or environmental. After all, it does not matter to the business or to the customer why the system is not secure or unavailable, only that it is not operating the way that it should.
Bibliography
Brussin, David, Stephen Cobb and Michael Miora. 2003. Generic Computer Incident Response Team Plan.
US Secret Service. 2002. Best Practices for Seizing Electronic Evidence.
Editor. “Drawing The Line On Computer Forensic Expert And Lay Testimony (Part I)”. Federal Evidence Review. 8/22/2009.
Nice series and well concluded…
Thanks for hanging in there with me to the end Ramki.
I hope this gives people an idea of what the MSIA program at Norwich University is about.