Published on March 31st, 2015 | by admin
Education and Training for IT Security Investigators
In the late 90s, the IT security role in many large companies was usually a secondary responsibility placed upon a network administrator. It was also mostly reactive, with the biggest concern being viruses that could bring processes to a halt. IT security has evolved considerably since then, with most major companies having large and diverse departments dedicated solely to protecting an organization’s computing infrastructure and data.
With the growing diversification and sophistication of the types of attacks used against corporate and government networks over the last twenty years, the tools used to detect and protect networks have also evolved. While computer forensics as a science encompasses a wide array of crimes that include child pornography, espionage, fraud and cyberstalking, the biggest concerns for today’s national and global companies are denial of service attacks, industrial espionage, and data theft.
Data theft is one of the fastest rising crimes because the information stolen can return high profits. These easy pickings have even captured the attention of organized crime, which in turn has put structure around the attacks, along with a means of monetizing the information before it becomes useless. The biggest problem for companies is in knowing when they have been hacked. In most cases, hackers have months to siphon off data before anyone realizes they have gained access.
The saying, “The Best Offense is a Great Defense” has a lot of relevance here. Because the field of computer technology has evolved, and continues to evolve at such a fast pace, it’s difficult to keep staff training current with the latest threats. This impedes the ability to keep the bad guys out and increases the risk of a breach.
In this new age of IT security, the term Investigator entails much more than having someone install the latest discovery tools and watch for indications of a breach. It includes the ability to understand the mindset of an attacker and look for opportunities or situations that might be leveraged by the attacker. If someone has set their sights on gaining access to your network, they will attack from a number of different avenues. Company employees are usually the weakest link in the chain, and if you neglect to train them to assist in protecting the company, your other efforts will have been wasted.
When there is a breach, how do you deal with it?
Hiding your head in the sand, pretending that it didn’t happen and hoping no one else notices will only have you looking for a new job. What needs to happen is a concerted effort to identify the access point and shut it down as quickly as possible to stop the hemorrhaging of data. At this point the real investigation begins.
As you get into the investigative phase, you need to determine how you will proceed. Do you have individuals on staff with the training and expertise to gather and preserve digital evidence? Do you live in a city with a police department large enough to have a cybercrimes unit? Or, do you turn to an IT security company with a talent pool, along with the latest in forensic tools, to identify the culprits and the data that has been stolen?
While the third choice above may sound like the most costly up front, it certainly saves more in the long run if your investigators are able to move rapidly and recover stolen data before it has a chance to be leveraged. However, if the attackers have had access to your network for months, you won’t be able to save much of what they already walked off with.
The best answer to this type of scenario is to limit exposure right up front. That means having your team trained in digital forensics, with regular refreshers on the latest intrusion tools currently in use. Training companies like the SANS Institute offer a host of courses providing both base security training and specialized training for specific types of threats. Many colleges and universities now offer certificate programs in computer forensics; however, most of these are focused on developing the basics to provide an overview of the field. One area usually overlooked in the training curriculum is actual investigative skills. While cybercrime is a relatively new field, it still needs to be investigated like other crimes, by following rules of evidence, chains of custody and detailed reporting. This is a tall order for most IT departments, let alone the small IT shop.
If you’d prefer to run your investigations in-house, however, that requires an investment not just in security tools, but in investigative tools. Most security tools are focused on preventing malware from slipping into your network, and while a particularly persistent offender will find a way to slip by, they’re still effective in blocking the majority of known threats you will see. It follows, then, that you’ll also need a strong remediation plan in place for when the worst does happen. Rapid remediation is the best way to prevent the cost of a breach from spiraling out of control, and it cuts the time to detect an intrusion from months to minutes.