In the first three articles in the SMB Security series, I discussed some reasons why you should take computer security seriously.

In the next series of articles, I’ll discuss steps you can take right now to reduce the likelihood of suffering a data breach or loss. Help make your business more resilient and less attractive to computer thieves by implementing these basic steps. These are the same things larger companies do to protect their businesses.

And don’t think that just because you are small you are safe. The graph to the left indicates that small businesses are being targeted at a much hirer rate than larger businesses. Hackers are now targeting the little guy because they know small businesses are less secure than big businesses, and you have information worth stealing.

5 Simple Steps to Improve Your Computer Security

1. Backup your data
2. Patch your operating system and your applications
3. Use individual logins and passwords
4. Encrypt your wireless network
5. Protect remote access
6. BONUS: Shred printed documents that have sensitive customer or business data

Backup Your Data

How long can you stay in business if you lost your customer data, contracts, or financial information? How much time would you have to spend to try to recover that data? Can you afford that cost?

Do you have paper copies? Are they in the same building as your computers? What happens if there is a fire, flood or burglary?

• Keep a copy of your critical data offsite; far enough away that the same disaster cannot wipe out both copies.
• Make a backup as often as needed. How much data are you comfortable losing? One day? A Week? The answer is up to you, but you’ll need to make backups on a regular basis.
• Verify that things are working as you expect. Test your backups by trying to restore or build from your backups. Do this at least once a year.
• Consider using service like Iron Mountain.  They’ll help you get started and help you if you have to recover your data.

Patch Operating Systems and Applications

One way hackers steal information stored on computers is through known flaws in software. You can think of these flaws like open windows to your car or home; most people won’t take advantage, but some will.

• Set your operating system (Windows, Mac, Linux) to automatically check for patches. Make sure to backup your critical data before patching.
• Set your applications to automatically check for updates. Common applications are: Adobe Acrobat, MS Office, Outlook
• Set your browser software to automatically check for updates. (Internet Explorer, Firefox, Safari, Chrome)
• Do you have a website? You need to patch and back that up too.

Use Individual Logins and Passwords

• Make a login and require a password for everyone that uses a computer
• Do not give any user administrator rights
• Make an administrator account that is used for administrative work only. Do not share this account – make more if needed
• Delete any group login accounts
• Require strong passwords, but don’t go crazy. People will write down their passwords if you get too strict.
• Tips for creating a strong password

Encrypt Your Wireless Network

One of the largest and most expensive data breaches in history took advantage of weak wireless encryption. It is one of the easiest ways for computer criminals to steal your data.

• Set your wireless access points and clients to use WPA-2 encryption.
• Do not use WEP – it is too easy break the encryption
• I strongly recommend that you make the investment on new equipment if yours is too old to support WPA-2
• Use RADIUS if you have it, if not use a strong pass phrase if you are going to use WPA-2 Personal
• See instructions for your operating system and access points for details on how to set this up. There is a lot of information on the Internet.

Protect Remote Access

• Decide if you really need to allow anyone to access your computers from outside the office
• Disable remote access if not needed
• Use the firewall settings on your computers to block remote access for file sharing
• Require a VPN if you are going to allow remote access. This limits who has access to your computers and encrypts the connection making it difficult to eavesdrop on your communications.
• This step is more technical than some of you might feel comfortable tackling, so seek help from a security or computer network professional to help you. This is a very important step, so don’t skip it.

Shred Printed Documents

A couple years ago I went to a mortgage company to inquire about a loan, and I saw stacks and stacks of documents in the office, but not a single shredder or shredder bin. It made me very nervous about doing business with them. I suspected that all of those documents with personal and financial data would one day end up in the dumpster.

What information are you throwing in the trash? Anything with Personally Identifiable Information (PII)? Bank or credit card account information? Job applications? Customer contact information? Do you know you are responsible for protecting this data?

• Get a shredder if you have a few documents to shred
• Get a shredder service if you have a larger volume of documents to shred. Some will shred onsite in your parking lot, some will take the documents back to their office and shred there. Know how the service will handle the documents before you hire them.
• Make sure the shredder bin remains locked to protect the data from visitors or employees

Wrap Up

I hope this article helped you understand a few basic steps that will help you make your business more secure and less attractive to computer thieves. Most of these you can do on your own, but please seek assistance from a security or IT pro if you need help.

This is a start, there are many more things you can do, but it’s easier to do if you do a piece at a time. Get started today and do a little to get better every week.

Feel free to leave a comment, email me, or contact me on Twitter if you have any questions.

This article will continue the SMB/SOHO business owner or IT manager’s introduction to computer security. The entire series can be found here. Subscribe to the RSS feed if you find this valuable.

Usual disclaimer: I am not a lawyer and am not qualified to provide legal advice. Please talk to your lawyer for legal advice.

Why, with all the other things you have to worry about, would you concern yourself with computer security? The fact is you probably wouldn’t if you did not have a compelling reason. You might have to comply with PCI-DSS, or with HIPAA HITECH, or maybe you would like to do business with the government and you need to comply with FISMA. Or you maybe you recently learned that you are required to comply with one of the many state laws governing computer security.

Want to know the biggest reason you should care about computer security? It will help you stay in business.

Businesses that pay attention to computer security know where their data is, who has access to it, and they monitor access. They encrypt sensitive data, store it offsite, and they test that everything is working as planned. These businesses have a reasonable expectation that their data is safe and that they can recover from a disaster. In other words, they have lowered the probability that a computer security incident or disaster will put them out of business.

Avoiding Losses Through Disaster Planning

Computer security can help you survive a disaster like a flood, fire, or burglary. According to the SBA, 25% of small businesses don’t reopen after a disaster. How long can you afford to have your business closed due to data loss?

Remember the first article where I asked you to find out where your critical business data (customer information, financial information, contracts, device configuration, etc.) is stored? What did you find? Is it located in the office on one machine? Is it backed up, encrypted and stored offsite? Do you know if you can restore the data if necessary? Have you tried to restore it?

Avoiding Losses Through Compliance

You can avoid data and privacy breaches and avoid the fines and penalties that accompany them. You can lose important business data and not know it. Who has access to your data? Do you share passwords or leave the computer logged on? How many former employees, partners, spouses or significant others know that password? Do you or your employees email customer information home? Do you put it on a laptop or USB drive?

Any one of these common practices can lead to data loss, fines, penalties, and legal fees. What’s your budget for that? I’m guessing that most of you would go out of business if you had to pay these costs.

What is Computer Security Going to Cost

The answer depends on many factors. What are you required to do by law or industry mandate? What systems do you have in place? How many devices? Where is your data? How many people need access to your data and do they need to access it from outside the office?

This probably isn’t a do-it-yourself project unless you are in the computer security business. That means you’ll need to find someone to help you. There are many, many businesses that are happy to help you, and not all of them are reputable or qualified. Learn enough to ask good questions, and get referrals. Some security industry groups that can help you are (ISC)2, ISACA, ISSA, and SANS.

I hope that this introduction has helped you become more informed. I plan to continue with specific topics like hiring, security awareness, security policies, anti-virus, malware and other topics of interest to the SMB/SOHO business owner. In the meantime, please review this introduction to computer security and check out the links in each article.

Related Links

• Hacker’s New Target: Small Firms with Lax Security
• SBA Disaster Planning
• SANS Information Security Policy Templates
• How Not to Suck at Information Security
• SANS Top 20 Security Controls

In the first article of this series, I wanted to get you thinking about the basics of information security for your small-to-medium sized business. I asked you to learn which legal and industry security requirements your business is subject to, and I wanted you to think about where your business data is and who has access to it. If you’re like most owners or IT managers for a small business, you probably don’t feel very confident about your answers. Let’s help you get there.

Information Security Requirements by Law

As a business owner, you are required by law or statue to do a lot of things. For example, you are required to have a business license, pay taxes, pay workman’s comprehension insurance premiums, and any number of other legal and regulatory requirements depending on which business you are in and where you conduct your business. You can think of information security requirements in much the same way.

You can choose to ignore these regulatory requirements, just like you can choose not to pay your taxes, but you should at least be aware of the rules and the consequences for not following them.

State Computer Security and Privacy Laws

Disclaimer: I am not a lawyer and am not qualified to dispense legal advice. Please see your lawyer for legal advice.

You are probably aware of the well known government and industry compliance requirements such as PCI-DSS, HIPAA HITECH, SOX, but are you aware that many states now have computer security and privacy laws?

For example, Nevada requires that personal information be protected and it defines how it should be protected. Any organization that collects “nonpublic personal information” is subject to the law. This means if your business is in Florida and you store personal information of people who live in Nevada, it is my understanding that you are subject to this law.

At least 38 states have laws that relate to computer security, privacy and data breaches, and new laws are passed every year. For example, Texas just passed a new health privacy law that is tougher than HIPAA. Keeping up with these changes is tough for those of us in the information security business, and probably impossible for the SMB owner.

Data breaches in violation of these laws can result in heavy fines and restitution costs. Many SMBs would be wiped out by such penalties.

What is Computer Security Compliance Going to Cost

The last thing you want to do is overspend on your computer security program, but how do you know how much is enough and how much is too much? I use the computer security requirements to define how much I need to spend. For example, why would I spend money on data encryption if I’m not required to encrypt my data? Another example might be that I change a business process rather than spend money on security. I don’t have to secure data that I don’t collect. I also can’t lose and be fined for data that I don’t collect – think about that.

Hiring a security partner who can help you understand and stay current with your regulatory compliance requirements is probably your best option. If you want to do this yourself, the UCF has products that can help you keep up to date on new laws and regulations.

Please leave a comment or contact me on Twitter if you have anything to add or if you have a question.

All related posts will be in the SMB/SOHO Computer Security category on this site. If you like it, subscribe to my blog and come back for future articles.

Some time ago I realized that it was time to leave my job, but I stayed longer than I should have. I wanted to help the people who reported to me and to wait for some planned changes to take place. This week the decision was made for me and I couldn’t be happier.

I’ve been blessed to have great friendships and professional relationships and have been contacted by dozens of people giving me support, job recommendations, and offers to help. It’s truly humbling to have all of you reach out to me and I can’t say thank you enough.

I am excited about the future. While I look for my next full-time gig, I’m looking at a couple of options for consulting and will take this opportunity to spend with family, focus on exercising and enjoying life. I’ll also be working on a couple of certifications and my eBook about security compliance for small businesses. Boredom won’t be a problem.

Thanks again to all of you who have shown me such friendship and support. I appreciate it very much.

I wish my former employer and coworkers nothing but the best. They have a difficult and important job and deserve the best.

What advice would you give to students just entering the IT / Computer Networking / InfoSec field?

As an adjunct instructor at ITT Technical Institute, students often ask me what they can do to get hired or what certifications they should get. Here’s what I tell them:

1. Do what you enjoy doing. Life is too short and this business is too demanding to spend your time working on things that you don’t enjoy.
2. You’ll spend the rest of your career learning. Technology changes too fast and there’s so much to learn. You can’t learn everything, so you’ll eventually need to narrow your focus. See #1
3. Find people who know more than you about your area of interest and learn from them.
4. Certifications in your area of focus help you get the interview, especially if you have little experience. For example, if your focus is networking, an A+ isn’t that interesting to me but a CCNA is.
5. Show me why I want to hire you and why you’ve got more to offer than the other people competing for the job. Have a portfolio to exhibit your work: Visio drawings, scripts, project time lines, statement of work documents, device configurations. Don’t fake this stuff – make sure it’s yours and that you can back it up!
6. Get a lab at home and use it!! You’re new to a field that requires constant learning; I want to know that you are committed and that you know what it takes to learn. You don’t have to spend a lot of money on a lab. Use virtual machines or GNS3 for networking. See the Helpful Resources section below for more ideas.
7. Have a website where you discuss what you are learning, how you are learning it, and how you overcome obstacles. Besides seeing what and how you learn, I can see how well you communicate in writing.
8. Learn Linux. I can’t tell you how many students interested in security tell me that they hate Linux. Almost every security person I know uses Linux or OS X to run their security tools. Limiting yourself to Windows is a mistake in my opinion.
9. Learn to write useful scripts. Scripting multiplies your effectiveness and makes you more valuable.
10. Keep asking questions. Curiosity is one of the best assets an IT / Networking / InfoSec person can have.

I’ve hired scores of people and sat on more interviews than I can count. These are the traits that I look for in people that I hire, but I’d love to hear what advice others in this industry would give. Leave a comment or send me a tweet @true62 so we can continue the discussion. Also, feel free to send me links to sites  to add to the resources list below.

Helpful Resources

Here are some helpful resources that are relatively inexpensive that will help the student or person new to the technology field:

• O’Reilly School of Technology – Instructor lead certificate programs through the University of Illinois. Programs include system administration (including scripting) and web programming. Classes currently $398

“…unique, online, hands-on courses leading to Certificates of Professional Development from the world-famous University of Illinois, OST will help you gain an edge in your career — on your own time, at your own pace. When you have completed our courses, you will not only have a Certificate, but you will also have a portfolio of completed projects to show for your effort.”

• Cisco Networking Academy – take classes at high schools, community colleges, technical colleges, or universities in your area. Cost is typically the same as tuition for a 4-credit course plus lab fee.

“Cisco Networking Academy is a global education program that teaches students how to design, build, troubleshoot, and secure computer networks for increased access to career and economic opportunities in communities around the world.”

• Internetwork Experts – take instructor led or self-paced CCNA bootcamps. Self-paced CCNA bootcamp currently $495.
• GNS3, Dynagen, and Dynamips, – Cisco router emulator software
• Amazon Compute Cloud – setup servers in the cloud without buying hardware
• Security Onion – bootable DVD with software for installing, configuring and testing Intrusion Detection Systems
• Backtrack – Linux pen testing distribution (thanks Steve)
• Penetration Testing and Vulnerability Analysis – Careers

Why You Want to Create a Career Path

Everyone should have at least a rough outline for their career path. The last thing you want is to decide that you want to get into a field or specialty only to find that you haven’t prepared. For example, you don’t want to interview for a leadership position without having at least thought about why you want to transition into management.

From time to time, each of us needs to take some time out to assess what it is that we enjoy and are willing to exchange our time for money. After all, our interests, desires and needs change over time. Once you decide what it is what you want to do, you need to decide how to get there. There are lots of ways to reach a destination, it’s just that some are more efficient than others. You can take the Jeffy route (I have) or take a more direct route – the choice is yours.

Certifications for Technical Leaders

Technical leaders are different from other leaders because we are responsible for using technology to deliver business results. That means we need to be adept at both technology and business (in addition to leading people – easy huh?). Since we need to be at least functional in those areas, it makes sense to me that we need to be trained and stay up to date in each area.

I like to alternate between technical and business or leadership training / certifications. I recognize that I still need to be at least somewhat creditable with my engineers, so I feel that it is important to get technical certifications or attend technical training. Consequently, since I just finished a Masters degree primarily business focused, I’m looking at technical training and certifications from SANS; specifically their Cyber Guardian program.

Please do not get me wrong, this isn’t some random technical certification that earns me a certain level of creditability with my engineers. Rather, this is a technical certification that helps me further down my current career path of becoming an information (cyber) security people leader.

SANS Cyber-Guardian Program

The SANS cyber-guardian program is a technically focused program that attempts to build a cyber special forces cadre, ready to protect and defend our information networks and assets. The SANS cyber-guardian program consists of baseline training in:

• Intrusion Detection
• Forensics
• Network Penetration

A candidate must pass each of the corresponding certification tests, and then they must pass the tests for their area of specialty:

• Blue team: perimeter protections, securing Windows, securing Linux
• Red team: Web application penetration testing, wireless ethical hacking, and developing exploits for ethical hackers.

Finally, to obtain the Security Expert certification, the candidate must pass the GSE exam.

What Do You Think

I’d love to hear what you think. Do you have a career plan? How often do you think about it? How do you make sure you keep up with technology and business or leadership skills? If you’re in the security field, what do you think about the SANS Cyber-Guardian program?

One of the things my fellow Norwich MSIA grads discussed during residency week was that we wished that we could review each other’s final papers. We all thought it would be very valuable because we learned so much from our classmates (cohort in Norwich terms) weekly postings, and thought we would learn even more from the final papers. The problem with doing so is that we signed an agreement to keep our company’s information anonymous, and the final papers were geared to be a consultant paper for our employers.

I changed employers part way through my coursework so I switched to a more generic approach to the topics. Therefore, I can post my final three papers here for anyone to review. I do claim copyright protection for them, but do allow anyone to use portions of the papers as long as you properly attribute the source.

I put links to the papers on my Resources page. The papers are:

• The Future of Information Assurance
  A discussion about the value of trust in business and how IA ensures trust.
• Computer Forensics: Steps to Ensure a Successful Outcome in the U.S. Legal System
• Creating an Information Security Plan for Small & Medium Sized Businesses I plan to build off this to write a how-to book for small businesses.

I hope posting these papers helps anyone considering a Norwich MSIA and hopefully adds to the general knowledge of IA.  I also welcome any comments or suggestions.

The following article is one of my weekly papers for my MSIA degree at Norwich University.

Funding Security Projects

Getting Security Projects Funded in Small and Medium Businesses

This report will examine the process an information technology (IT) employee working for small and medium business (SMB) might use to gain funding for security projects. This process could also apply to an IT or information security consultant hired by a SMB.

SMB IT Organization

SMBs by their very definition are small organizations. Consequently, SMBs typically lack dedicated staff to perform IT or information security (IS) tasks and many times SMBs choose to outsource these functions to a service provider. However, the process to gain funding for security projects should be nearly identical, regardless of whether the IS function is performed in-house or outsourced.

Funding Challenges

SMBs can also present a challenge regarding operating capital. According to SCORE, half of SMBs fail in the first five years. Based on that statistic, it is not surprising that the owners of a SMB are concerned about survival first and foremost. The IS employee or consultant must understand this environment if he or she hopes to gain funding for any security project.

Funding Process

The process for gaining funding for IS projects begins well before there is a need to request funding. The process begins with the IS professional learning the business. Security analyst and author, Mike Rothman, wrote, “Unless you understand your business, you can’t understand the leverage points that will appeal to the business leaders. Read your annual report. Understand how your senior team is bounced. Find out who will get fired if a system goes down.” In other words, learn the pain points. Find a way to help to solve problems.

Become a Valued Advisor

The SCORE website quotes the results of a survey conducted by American Express that asked where small business owners go for advice and these were the results:

• 52 percent from individual mentors
• 51 percent from social networks
• 44 percent from trade associations
• 36 percent from business advisors
• 31 percent from the Internet
• 27 percent from Chambers of Commerce

According to this survey, business owners are asking their friends for advice. Only 36% of the respondents asked their business advisors for business advice. This is an opportunity for the IS professional.

The IS professional has the opportunity to be viewed as a professional specialist on par with a lawyer or accountant. Business owners and management often do not know the answers to IS related problems, but they do tend to understand risk. Learn to speak to the business leaders in their language. Explain the risk associated with using group passwords or of not performing a basic background check on a candidate for employment. Explain how to reduce or eliminate risks and fines by shredding papers that contain personally identifiable information (PII). A business owner understands that a fine for every leaked data record may put the business into bankruptcy, but he or she may not understand that it is “best practice” to shred papers that contain sensitive information.

Governance and Compliance

SMBs can be subject to governance and compliance as well. These are IS related issues and the IS professional must know which governance and compliance rules to which the company is subject. Examples include:

• Sarbanes Oxley (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• State and Federal data breach laws

In this case, the process for funding is fairly straightforward; the IS professional works with the company’s risk council if they have one, or with the company’s lawyer and top management if they do not. The IS professional would review the governance and or compliance rules with the team, and would make specific recommendations including:

• Costs – both capital and operating expenses
• Project timelines
• Risks – accept, transfer or mitigate and the costs associated with each

The IS professional that follows this process is speaking the language of the business leaders. They are speaking in terms of governance, compliance, risk, and managing risk. These are terms that are very familiar to the business owner and manager, and they can make decisions based on what is presented to them. If an IS professional presents the same information in terms of fear, uncertainty, and doubt, the business leader may have a more difficult time making a good decision.

Conclusion

The IS professional must realize that they are performing a vital business function only if they become integrated with the business. They must understand their business, the governance and compliance rules under which the business operates, and understand the problems the business is experiencing and how they can solve those problems. If the IS professional understands these things, they will have success in getting security projects funded. Conversely, if they propose security projects that do not solve a business need or if it is presented in a way that does not make it clear that it solves a business need, the IS professional will have a difficult time gaining funding for their projects.

Bibliography

“Small Biz Stats & Trends”. SCORE. 1/9/2010 <http://www.score.org/small_biz_stats.html>.

Rothman, Mike. “Guerilla Security Leadership”. FUDSec.com. 1/9/2010 <http://fudsec.com/guerilla-security-leadership-0>.

All you have to do is look at the headlines of any tech magazine to see that large companies have trouble securing their networks, not to mention keeping them available. How much more difficult must it be for SMBs who have little to no IT staff, and the staff they do have is typically inexperienced, poorly trained, and lack technical mentoring?

For once the government really is here to help. NIST has published a draft of a publication titled, Small Business Information Security: The Fundamentals The publication is short (20 pages) and includes 10 steps that are “absolutely necessary” to take, 10 steps that are “highly recommended” and even a little bit about contingency and disaster recovery planning.

Here are some topics included in the publication:

• Protect your systems / networks from damage by viruses
• Secure your Internet connection
• Patch your operating systems and applications
• Secure your wireless access points
• Hiring practices
• How to dispose of old computers and media
• Contingency and Disaster Recovery planning
• Cost-Avoidance considerations in information security

The publication also includes 3 appendices that help the SMB get started:

1. Identifying and prioritizing your organization’s information types
2. Identifying the protection needed by your organization’s priority information types
3. Estimated costs from bad things happening to your important business information

What Do You Think?

I know this is a topic near and dear to some of us in the industry including @jack_daniel. Have you read the draft? Do you think it will help SMBs? What more can we in the industry do to help SMBs?

If you are a SMB do you think this publication helps? What do you think the security industry can do to help you?

Leave a comment and let me know what we can do to help.

The following is the fifth and final excerpt from my Norwich MSIA Seminar 4 final paper, in which I speculate on how IA will evolve.

I would love to hear what you think, so leave a comment and let me know how you think things will turn out.

Computer Incident Response and Forensics

Computer incidents will happen so it is very important to be able to respond and investigate them. The main goals of an incident response team are to reduce the financial impact of the incident and return the systems to their desired state as quickly as possible. It is always best to be able to have a defined plan to follow when faced with an emergency or crisis situation. It is even more important when your actions may have to be explained in court. Therefore, organizations must create policies to define the scope and authority of the incident response team and create a plan before a crisis hits.

The following are steps that could be taken to create a plan (as modeled from the Generic Computer Incident Response Team Plan):

• Map threats to vulnerabilities
• Define skills / training / certification required for CIRT members
• Identify employees who have skills / training /certification required
• Define equipment required for monitoring / sniffing
• Monitor assets
• Define logging levels
• Define alarm thresholds
• Define response levels for each incident type (for example, Red, Yellow, Blue)
• Define team members for each response level at both the local and corporate offices
• Define incidents that will be escalated to law enforcement and the process for escalation to law enforcement
• Document contact information for all team members
• Document contact information for

• ISPs
• Vendors
• Local and Federal law enforcement organizations

• Create a communications plan

• Internal documentation
• Internal communication
• Public communication

• Create response plan for each alarm / incident type
• Communicate the plan to the organization
• Practice the plan

Different people will be required to respond based on the type of incident. This should be spelled out in the response plan. Each person should know what role they are expected to perform in response to each incident type as defined by the incident response plan. Types of skills/functions needed on a CIRT include (True “Computer Incident Response Teams” 4):

• System administrators
• Network administrators
• Security administrators and specialists
• Management
• Public relations
• Legal

This team has a good mix of skills needed to respond to an incident. The technical people can find and fix the problem, the PR people can communicate with the press and public, the management team has the authority to act and can communicate internally, and the legal people can insure any laws and regulations are met.

Forensics

Computer forensics and incident response overlap to a certain degree. At some point in the incident response it may become necessary to collect or seize evidence. Consequently, it would be a good idea to treat every incident as if it will end up in court.

Computer forensics is a highly specialized skill and the results of the forensics investigation may be reviewed in a court of law. The people responsible for computer forensics must be highly trained and ideally possess industry and vendor certifications. Ideally, the organization would also have access to a lawyer who specializes in this field.

How the forensics investigation is handled has a direct impact on the ability to successfully prosecute the accused criminal. This reinforces the importance of creating a good response plan and practicing that plan so people know how to respond. The alternative is that people lose evidence or mishandle it, rendering it inadmissible in court.

The organization’s security policies must detail who has authority to conduct a forensics investigation, the actions that a first responder must take, and when, how and who will escalate to law enforcement.

Information, especially computer forensics information, is extremely fragile, and it can be destroyed very easily if improperly handled. The Secret Service’s Best Practices for Seizing Electronic Evidence document suggests these steps that should be taken by a first responder (p 2,3):

“Secure the Computer as Evidence
• If the computer is “OFF” do not turn “ON”.

• If computer is “ON”

• Networked or business computers
• Consult a Computer Specialist for further assistance
• Pulling the plug could
• Severely damage the system
• Disrupt legitimate business”

Another critically important step is documenting what happened. This should be spelled out in the incident response plan, but it will be part of the evidence that is presented to law enforcement, or used in civil court.

Finally, eDiscovery is another category of computer forensics. Some companies have justified hiring computer forensics specialists due to the amount of eDiscovery work they must perform, usually in response to law suits.
The Future of Incident Response and Forensics

Many businesses of all sizes do not have an incident response plan or forensics capabilities, nor do they have a provider lined up to respond. In the future, this will be unacceptable, as both businesses and the public better understand IA. Companies will probably be required to properly respond and investigate incidents, and escalate to law enforcement because their insurance companies and the laws are likely to require it.

Smaller organizations will probably need to outsource the incident response and forensics responsibilities to a managed security service provider (MSSP). Some larger companies may choose to outsource these functions if they decide they do not have the necessary skills, outsource their IT functions, or do not want to add staff.

The law is still being sorted out regarding computer forensics. For example, there is confusion over what evidence can be collected by a lay person and what must be collected or analyzed by an expert. As reported on the Federal Evidence Review blog, “Distinguishing lay and expert testimony can be a challenging feat, as other courts have recognized. See, e.g., United States v. Hilario-Hilario, 529 F.3d 65, 72 (1st Cir. 2008) (“There is no bright-line rule to separate lay opinion from expert witness testimony; circuits, and indeed decisions within a circuit, are often in some tension.”) This same challenge can arise in considering computer forensic testimony. For example, can lay testimony be used to present results by “running commercially-available software, obtaining results, and reciting them”? The circuit noted that whether testimony about “computer-related” issues is expert testimony “is a relatively new question.” The Sixth Circuit addressed this issue and answered the question in the negative.”

The article concludes with the Court’s explanation, “The Sixth Circuit disagreed concluding that interpreting the results of the software tests required the witness “to apply knowledge and familiarity with computers and the particular forensic software well beyond that of the average layperson. This constitutes ‘scientific, technical, or other specialized knowledge’ within the scope of Rule 702.”

Imagine trying to account for such possibilities during a crisis.

Predictions

• Companies will recognize the value of customer trust, and will manage their risks to maximize customer trust.
• The public will demand more secure information systems. This will be reflected in new laws and regulations, and new insurance rules.
• The cost and inconvenience of replacing debit and credit cards, or the nightmare of dealing with identity theft will cause the public to lose faith and trust in electronic payment methods.
• The cost and bad publicity of data breaches will cause businesses to focus more on IA.
• Security will become a competitive advantage, especially as some companies begin to differentiate themselves from their competitors in a way that the public understands.
• Many of these tactics require highly specialized skills. Consequently, many of these functions will be outsourced or centralized by larger businesses when it makes financial sense to do so.
• The market for MSSP will increase as more SMBs, and even larger companies require their services.
• Companies will decide that managing a MSSP is easier and cheaper than having a large security staff.
• Companies will use cloud computing and other service providers in an attempt to transfer risk.
• Cloud computing will be a factor in BC and DR, but there will be security incidents while the technology matures.
• Defense systems will get smarter and respond dynamically to threats.
• Software development and programming practices will include security testing throughout the SDLC.
• Software vulnerability testing will improve, and websites will signal to the user that they are safe from common vulnerabilities.
• The line between vulnerability assessment testing and penetration testing will blur.

Conclusion

Wing Chun, a form of Kung Fu, has a saying, “When your opponent retreats, chase. When your opponent attacks, receive it.” What it means is not to fight against your opponent, but to use his energy against him. This system allows a physically weaker person defeat a physically stronger person. There are no planned or set responses to attacks, but it promotes the use of principles to neutralize attacks. The better one can apply these principals without thinking, the better they can neutralize and defeat their opponent.

Contrast this approach with how today’s computer security is applied. We erect firewalls, scan for vulnerabilities and patch holes. We attempt to detect intrusions, we establish long lists of rules for people to follow, and we try to account for every threat to our systems and build specific defenses against them. These are very static and programmed responses to threats, and leave these systems very vulnerable to new or blended attacks.

Our ability to deliver networked data and services currently outstrips our ability to deliver them securely. New methods must be developed, starting with the acceptance that threats exist and some will materialize. The information system must be able to respond to the threat, neutralize it and survive it. This is true whether the threat is man-made or environmental. After all, it does not matter to the business or to the customer why the system is not secure or unavailable, only that is not operating the way that it should.

Bibliography

Brussin, David and Stephen Cobb and Michael Miora. 2003. Generic Computer Incident Response Team Plan.

US Secret Service. 2002. Best Practices for Seizing Electronic Evidence.

Editor. “Drawing The Line On Computer Forensic Expert And Lay Testimony (Part I)”. Federal Evidence Review. 8/22/2009 .