From the Lab to the Boardroom; Forensics goes mainstream

Transcription

1 From the Lab to the Boardroom; Forensics goes mainstream Jim Butterworth, EWC USN (Ret.), EnCE & GCIA, Director of Incident Response, Guidance Software Definition: P A G E 1 Computer Forensics The Scientific Examination And Analysis Of Data Held On, Or Retrieved From, Electronic Storage Media In Such A Way That The Information Can Be Used As Evidence In A Court Of Law 1

2 The Issue P A G E 2 Every company in existence has, is, or will be presented with an immediate need where having a computer forensic capability will be critical to an effective, timely and cost efficient response. Today s Problems Intellectual Property Theft Malicious Mobile Code Political Embarrasment Identity Theft Financial Manipulation State Sponsored Activities Corporate Espionage Crime Defacement Virus Outbreak/Containment Misuse of Corporate Assets 2

3 Your Data Iceberg The Data Found By Common Tools (such as Windows Explorer) The Additional Data Found By Computer Forensics (Deleted, Renamed, Hidden, Difficult To Locate.) Example: Recovered Chat Discussing Home Invasion Robbery Burglary Selling Drugs Buying Guns 3

4 Example: Example: Repository of Data: Who is taking? What did they get? When did they get it? 4

5 Example: Review of files sifted: Trade restriction? Sensitive projects? Desktop PC s Laptop Computers Personal Data Assistants Wireless/Cellular Telephones Digital Answering Machines Digital Cameras GPS Devices USB Devices 5

6 Opportunity 256mb Gig DVD s Drive Gig DVD s Drive 86,346 DVD s Gig Drives 1-42Tera Server Empire State Building 1,454 Mount Everest 29,035 Earth 7,926 Miles/41,849,280 Today s Timelines 3m:57s start to finish 6

7 P A G E 12 Case Study: Network Associates Situation: Network Associates had contracted to sell its Sniffer Technologies Unit for $275 Million. Issues: The contractual terms required Network Associates to ensure that none of the tool s source code remained on Network Associates computer systems computers in 20 different locations worldwide totaling approximately 100 TB. P A G E 13 Case Study: Federal Agency Situation: Issue: Data had leaked from Classified Network to Unclassified Network 1600 workstations totaling approximately 13 TB in aggregate and 2 terabytes of additional stored data required to be searched for the leaked data 100% confidence in the discovery and isolation of leaked data due to congressional oversight Exposure and control of search terms Prior vendor had spent approximately 3 months and $1 Million to complete only 3 TB 7

8 P A G E 14 Case Study: Local School District Situation: Local K-12 School District had one of their servers hacked. Internal IT resources investigated and successfully uncovered a grade changing scheme being run by former student. Issue: Even though they had successfully tracked down the student and removed his access, they were extremely concerned that they had missed something. Needed to scan over 40 critical servers spread out over multiple locations throughout the district. P A G E 15 Model Fraud Detection and Mitigation Incident Response ediscovery/audit Fraud/HR Investigations Policy & Regulatory Compliance Automated Response Compromise Assessment Computer Network Defense Litigation Support Info Assurance Compliance & Best Practices 8

9 P A G E 16 Your Client Base HUMAN RESOURCES LEGAL IT GROUP CORPORATE SERVICES P A G E 17 Human Resources Wrongful Termination Inappropriate Use Policy Violations Legal IP Theft Embezzlement Fraud Other Illegal Activities Investigation / Compliance HR - Legal Investigations Policy & Regulatory Compliance 9

10 Compliance P A G E 18 Mandated Compliance FTC Safeguards Rule HIPAA Sarbanes - Oxley California SB 1386 Corporate Compliance Industry Specific Certifications Investigation / Compliance HR - Legal Investigations Policy & Regulatory Compliance P A G E 19 Incident ResponseResponse Compromise of integrity Denial of service Misuse (unauthorized use) Damage Intrusions Proactive Monitoring IDS Integration Processes Applications Ports Automated Response Incident Response Compromise Assessment Computer Network Defense 10

11 P A G E 20 ediscovery Civil Lawsuits Merger & Acquisitions Document Retention Information Spillage Internal Audits Document Retention IT Audits (Apps, Processes & Access) Financial Industry Specific Litigation Support ediscovery / Audit Info Assurance P A G E 21 Fraud Detection and Mitigation Incident Response ediscovery/audit Fraud/HR Investigations Policy & Regulatory Compliance Automated Response Compromise Assessment Computer Network Defense Litigation Support Info Assurance Compliance & Best Practices 11

12 How do I get there? Regulations and Guidelines Procedures & Methodologies Technology & Staffing and Training Review Forms of digital incidents vary Timelines are shrinking Portability is increasing Crisis happens to every company Computers are everywhere Preparation saves $$$ 12