
In this chapter, we will discuss the field of computer forensics. We’ll subdivide the field into three parts: computer forensics, cyber forensics, and software forensics. There is a purpose behind this subdivision which, as far as I know, is new to the computer forensics discipline. While the overall definition of forensics seems to be generally agreed upon, the subfields which relate to the computer are not.

Recently, I attended a conference on computer crime. There were at least four speakers who touched on the issues surrounding computer forensics. Each gave a slightly different definition. While all four definitions got the job done and were similar, it was clear to me that the science of computer forensics was well understood only within the ranks of computer forensics specialists. Since this book is intended for the general security, information security, or audit specialist, it is probably appropriate that we posit a definition (or set of definitions) for the disciplines we are discussing. We’ll do that each time we discuss a particular computer forensics discipline.

We’ll begin this section by setting the stage. We’ll define a security incident and discuss the number one problem of all investigators: timeliness. Then, after we expand on the problem, we’ll discuss the solutions. Finally, we’ll go into system logs, the single biggest asset or liability, depending upon their condition. The logs, or audit trail, constitute the investigator’s leading potential asset. Without them, the investigator has a much more difficult task. We will also look at the limitations of logs and what you can do about them when they are not complete enough. Let’s set the stage.

WHAT WE MEAN BY A COMPUTER SECURITY INCIDENT

A user bolts out of her office, into the hall, shouting with panic in her voice, “I’ve got a virus!!!!!! My computer’s down!!!!! It’s going to kill the network!!!!!” Fifteen minutes later, the system administrator determines that the problem has nothing to do with a virus. It was just a sick PC. A fantasy? A war story conjured up to add interest to this book? Not on your life! I experienced that precise scenario at a major Department of Energy national laboratory in 1994. Trust me … it still happens.

The point is that not all computer incidents are security incidents. Responding to a security incident costs money. I did an investigation that cost my client over $50,000 and our conclusions were not satisfactory enough for the prosecutor. You can save your company (and the criminal justice system) a lot of money if you are able to identify, with believable certainty, the source and reality of the incident.

Many of my clients have created specific definitions of security incidents, and a few have subdivided those definitions into classes of incidents. The latter approach is the one I strongly recommend. It allows you to set up appropriate responses to various degrees of threats. For example, “calling out the militia” may not be appropriate to a minor incident, such as an isolated virus, but it certainly would be if your firewall is being attacked in earnest by a well-equipped, determined hacker.

Two to three categories of security incidents are appropriate for most organizations. A category one incident might be an incident that doesn’t pose a major global threat to the enterprise. A category two incident may be one that could cause the whole enterprise to shut down, or could compromise a core system — financial, operational, marketing trade secrets, or development trade secrets, for example. It is important that we make a distinction between what requires immediate attention and what can wait. Medics in hospital emergency rooms call this approach triage. We need a triage system for security incidents if we are to maintain the credibility and appropriate responses to protect the enterprise. How can we do that?

Our first step must be a formal risk assessment of our system. We need to know what is at risk, where it is at risk, and what could compromise it. Then, we need to evaluate countermeasures. Finally, we need to assume the worst: nothing was successful in protecting us. We were penetrated, a loss was sustained, or damage was done. What is the impact? What is our potential loss?

By ranking risks in this manner, we can determine the appropriate response to an incident. As part of a formal intrusion management program, this is probably the most beneficial return: we know what can hurt us, we know where it can hurt us, and we know what it will cost us if the hurt is successful. Knowing these elements will help us to define three things: appropriate countermeasures, appropriate recovery priorities (part of a business or disaster recovery plan), and response priorities to incidents exploiting the identified vulnerabilities.

Using the example above, a class two incident should get immediate response. It should be reported to the proper authorities (depending upon your response plan) immediately. The response team should take immediate action, as defined in your response plan. The response team should be convened and the true nature of the event should be analyzed to determine the next appropriate response.

Some of the types of incidents that could spell disaster are:

• Successful, or potentially successful, attack on your Internet firewall

• Successful, or potentially successful, attack on core financial, marketing, production, or development systems

• Successful, or potentially successful, attack on your protection or security systems at any level (information, logical, or physical, such as security or protective systems)

• Compromise of any critical or sensitive data — especially incidents that are not or do not appear to be isolated — this includes attacks on laptops that appear to be global against your organization, rather than attacks of opportunity (referred to as distributed, coordinated attacks)

• Any attack on your monitoring, logging, or auditing systems or data

By defining what we mean by a security incident, and defining the required response, we can significantly simplify our task of intrusion management. We also can require, by policy or corporate procedure, a particular response from users, administrators, or system managers. Without such a set of definitions, we may or may not be able to respond appropriately.

Remember that we have emphasized, throughout our discussions so far, the requirement that all incidents be investigated using techniques that would allow our investigation to stand up in a criminal proceeding, if necessary. No investigation can withstand the attacks of the opposition in a courtroom unless it has been conducted with care, professional due diligence, a proper procedure, and with proper attention to the issues we have already discussed. These include preservation of evidence, chain of custody, and adherence to the rules of evidence.