August 27, 2008

CISSP Exam – Learning Above Technology And Understanding Security In A Holistic Manner

For years I have heard people complain about having to learn things for the CISSP exam that they would never use in their life. When I was studying for this exam several years ago, I said the same types of things. I also hear people saying that they have to learn security through (ISC)2’s view for this exam, which does not match with reality.  The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career – thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.

I have found that since I have written books and taught CISSP classes for many years, I understand the material at a much greater degree than I would have if I just studied and took the test and moved on with life.

The things that people complain about having to learn (Bell-LaPadula, Biba, Clark-Wilson, etc.) are very beneficial to their understanding of security in a holistic manner instead of just focusing on their original thought of what makes up security. Many technical people seem to think that learning anything above technology is a waste of their time. This is a common thought pattern because they are stuck in a realm that dictates that anyone who does not understand technology like they do is inferior. But companies are not in business just to have software and networks in place. The software, network, and systems are just some of the tools the company uses to support and further its business. So understanding things that are above technology, commonly referred to as soft skills, is actually more critical in the world of business – which is where we all live and work.

Although I am pretty disappointed with the way that the questions on the CISSP exam are worded (confusing, vague, subjective), I have a great appreciation for the actual Common Body of Knowledge (CBK). I was a security consultant before I took the exam, and then I wrote books and taught CISSP – and I am still a security consultant, but the difference in my knowledge base and view on security has drastically changed.

I, like most people, focused on what security topics I was to perform in my specific job. At the time on-line banking was just coming to the market (yes, I am that old) and I worked with programmers, software architects, project managers, analysts, and end customers – all focusing on on-line banking. I sure as hell was not interested in the different types of fire suppression, access control models, trusted computing base or anything outside of my domain of topics that I lived, worked and breathed in.

Part 1 of 5 extracted from an original article written by Shon Harris entitled:

The CISSP Exam is Out of Date, Irrelevant, and Subjective
Busting through the Myths of the CISSP Exam

To be continued…


August 13, 2008

What do CISSPs Really Know?

By Shon Harris

http://www.LogicalSecurity.com

I have been in the "CISSP world" for over 10 years now. I have taught it for 8 years around the world for corporate and government agencies. I have written books on it, developed products, webinars, study materials, etc.

Over the years I have noticed that the students who are attempting to achieve their CISSP certification have changed in their approach. Five years ago people studied material on their own for months before attending a CISSP bootcamp course. This is necessary because no one can really learn the extensive material that the CISSP exam covers in just 5 days. Over the last few years, I have seen a real switch in the approach of achieving this credential.

Since the information security market is continually growing and security professionals are in such high demand, many people are jumping into the industry without a solid foundation of knowledge and experience.

People who worked in information security five years ago or earlier had to be very self-motivated to learn this trade because there were no security courses, books, websites, and resources available to them as there are today. These individuals had to have a solid system and network skill base in place because that is where security was in those days – just at the protocol and port level.

Sadly, like many other certifications, too many people are achieving their CISSP certification through memorization of key components that they will most likely see on the exam. While many individuals want to increase their career opportunities and companies want to brag about the number of CISSPs on their staff – the individual, company, and industry are cheated with this approach.

While the CISSP exam is not made up of very useful and effective questions, the Common Body of Knowledge (CBK) is the crux to understand for any type of security today. If an individual has a solid grasp of the concepts and topics that make up the 10 domains of the CBK, advancement in a career is a given where just obtaining the CISSP certification is not.

I have taught classes where people have asked me what a MAC address is, what ARP does, and asked me to explain Remote Procedure Calls (RPCs). Internally I cringe because I see that the person does not have a solid technical base. Although security is more than just technology, technology is still the important core that most security practices surround.

I also cringe when I hear students complain because there is too much information covered in the five day class. I agree that there is a tremendous amount of topics covered in a CISSP course, but it is only overwhelming if the person has not studied on their own for months before attending one of these courses.

Studying for the CISSP exam correctly can be one of the best investments you will ever make in your career, because all fields of security build upon the foundational material that the CISSP exam covers.

Because of this shift from attempting to learn the material to just looking for brain dumps and other shortcuts, I have made a shift in my company’s CISSP offerings. Materials that we once charged for are now included in our CISSP offerings or free. Although this does affect our bottom line, I think it is critical that people actually LEARN the security information – otherwise we are all wasting our time.

We have changed our model of teaching by providing students with study material in several formats (CBT, on-line questions, MP3s, books, etc.) for free to help them properly prepare themselves for our five day CISSP course. People learn in different ways (reading, listening to lecture, doing) which is why we have developed several different formats for proper knowledge transfer to take place.

I know many people’s goal is to be able to have CISSP after their name on their business cards, but my and my team’s goal is to ensure that the effort of studying is directly beneficial to the individual, their company, and the industry overall.

For more information, please visit CISSP Training or contact me directly at ShonHarris@LogicalSecurity.com.

We are all in it together, so it is important to help each other out as much as we can.


June 6, 2008

Back To School: IT Training Services

Evolving technologies, security, software updates, and regulatory compliance continue to drive training services, but Harris has witnessed a distinctive shift during the past three years from a brick-and-mortar model to online learning. "Everyone agrees that doing an online class just isn’t the same as in person; that’s where we’ve gone because it’s easier, and we have the technology," says Harris. "What’s interesting today is the people currently in college have a lot of online classes, so it will become more acceptable because they’ve already been in that structure."

"Amid an evolving and dynamic landscape, early signs of maturity prevail as the buyer and vendor communities engage in more realistic discussions about e-learning’s capabilities," notes Peter McStravick, senior research analyst for IDC’s Learning Services. "At the same time, both groups are recognizing the potential e-learning has to be more than a mere training tool."

Another factor contributing to e-learning is the rise of globally distributed and decentralized organizations. Providing on-demand CISSP Training via the Internet or intranet removes logistical (and expensive) challenges such as transportation, administration coordination, and classroom facilities.

An area in which Harris plans to focus and others are sure to follow is specialized training for specific technology segments. "The Security Training industry has gone from security at a general level to really specialized CISSP Training. We’re at a place within the security industry where no one can know it all," she says.

Logical Security delivers courses designed to combine conceptual knowledge with interactive classroom demonstrations and hands-on lab exercises for in-depth knowledge.


May 18, 2008

A Close Look On Off Shore Outsourcing: What Is The Difference Between Imported Steel And Imported Program Code?

by Norm Beznoska, Director of Enterprise Security, Infiniti Systems Group

During a recent discussion with a valued friend and business associate, Don Heestand, CEO of e-Merging Technologies Group, Don posed a very interesting question, which demands an answer from every organization that outsources many of its Application Development activities to Off Shore Programming firms. “What is the difference between Imported Steel and Imported Program Code?”, Don asked. Half jokingly, I answered: “Imported Steel doesn’t contain Trojan Horses, Backdoors, or Malicious Code. And Imported Steel doesn’t threaten the very security of our nation’s infrastructure, either.”

As an Information Technology professional and former MIS Director, I appreciate the fact that many North East Ohio companies have turned to Off Shore programmers and Application Developers, in the interests of lowering costs and expediting their workflow. After all, by utilizing Off Shore programming resources, Northeast Ohio companies can eliminate the time and expense of advertising, interviewing, screening and background checks. Not to mention the burden of FICA, payroll taxes, unemployment taxes, workers compensation premiums, and health benefits normally paid to American workers. Of course, our local, state, and federal governments suffer, since these Off Shore firms don’t pay taxes or administrative costs. And, what of the potential for the destruction of American information assets stored on Off Shore systems in those countries close to going to war? And isn’t Lake Erie, not the Indian Ocean, “off shore” to NE Ohio?

But in their rush to market, North East Ohio companies have placed themselves at great risk. They do not impose the same stringent Program Testing and Production Turnover requirements as they insist on with their own programming staffs. And what of the critical need to provide up-to-date documentation, describing which software patches and other “fixes” were applied in the Application Development life cycle? Do these companies naively believe that foreign nationals, whose comprehension of the English language and American business culture is based largely on watching Al Jazeera reruns of South Park or the Simpsons, can write coherent documentation?

Every computer professional at some point in his or her career has accidentally caused a major error. These errors occur in every business today, often costing American companies billions of dollars a year. A one-line coding error out of hundreds of thousands of lines of code at the Bank of New York caused a critical system to crash, causing a $5 billion shortfall. The bank had to borrow the money from the Federal Reserve to cover the loss until the error was corrected. The interest on the borrowed money cost the bank $23 million!

Without even a comment about a background or security check, companies routinely place Off Shore contractors in positions of great responsibility where they can cause grave damage by inserting malicious code or conducting corporate espionage under the guise of writing program code. Of course, background checks cost money; they cause delays, and sometimes cause embarrassing information to come to light. But is the reader’s organization willing to hire or contract with somebody who later is shown to be a terrorist or an accomplice to a terrorist?  Off Shore contractors must not be given access to sensitive information, or be allowed to access critical information systems without first having gone through a background check commensurate with background checks given to regular employees. Period.

Imported Steel and mismanagement have caused the demise of LTV Steel and the loss of 7,500 jobs. Its full impact on the city of Lorain and the entire Northeast Ohio community has yet to be felt. In today’s brain-based economy, we can ill afford another LTV Steel. Or in the words of George Santayana, “Those who cannot remember the past are condemned to repeat it”!


April 26, 2008

CISSP All-In-One Study Guide: Web Security

When it comes to the Internet and web-based applications, many situations are unique to this area. Rarely are threats of vandalism an issue in typical computing environments. Also, the potential risk for fraud is higher due to the universal availability of these applications over the Internet. The reason we are using the Internet is to expose our product or service to the widest possible audience. We smartly put these web servers in the DMZ so those who access these servers don’t have direct access to our other internal servers. One of the unfortunate issues when using web-based applications is that you need to allow the Internet to access them in order for them to function, so you must open up the ports related to the Web (80 and 443) on your firewall—so now any attack that can come through on these ports is “game on.” The alternative to developing your own web application is using an off-the-shelf variety instead. Many commercial and free options are available for nearly every e-commerce need. These are written in a variety of languages, by a variety of entities, so now the issue is “Whom should we trust?” Do these developers have the same processes in place that you would have used yourself? Have these applications been developed and tested with the appropriate security in mind? Will these applications introduce any vulnerabilities along with the functionality they provide? Does your webmaster understand the security implications associated with the web application he suggests you use on your site for certain functionality? These are the problems that plague not only those wanting to sell homemade pies on the Internet, but also financial institutions, auction sites, and everyone who is involved in e-commerce.


The following are some common input validation attacks:

  • Path or directory traversal - This attack is also known as the “dot dot slash” because it is perpetrated by inserting the characters “../” several times into a URL to back up or traverse into directories that weren’t supposed to be accessible from the Web. The command “../” at the command prompt tells the system to back up to the previous directory (try it, “cd ../”). If a web server’s default directory was “c:\inetpub\www”, a URL requesting http://www.website.com/scripts/../../../../../windows/system32/cmd.exe?/c+dir+c:\ would issue the command to back up several directories to ensure it has gone all the way to the root of the drive and then make the request to change to the operating system directory (windows\system32) and run the cmd.exe listing the contents of the c: drive.

  • Unicode encoding - Unicode is an industry standard mechanism developed to represent the entire range of over 100,000 textual characters in the world as a standard coding format. Web servers support Unicode to support different character sets (like Chinese), and, at one time, many supported it by default. So, even if we told our systems to not allow the “../” directory traversal request mentioned earlier, an attacker using Unicode could effectively make the same directory traversal request without using “/”, but with any of the Unicode representations of that character (three exist: %c1%1c, %c0%9v, and %c0%af). That request may slip through unnoticed and be processed.

  • URL encoding - If you’ve ever noticed that a “space” appears as “%20” in a URL in a web browser (Why is it only me who notices that?), the “%20” represents the space because spaces aren’t allowed characters in a URL. Much like the attacks using Unicode characters, attackers found that they could bypass filtering techniques and make requests by representing characters differently.

These are just a few attacks, and many more are covered in the Shon Harris CISSP Course!
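The following is an added example, written for this post and not taken from the study guide, showing how a web server (or a front-end filter) can defend against all three of the input validation attacks above from the defender's side: it percent-decodes the request path exactly once, rejects bytes that are not valid UTF-8 (which is what the overlong %c0%af-style "Unicode" forms of “/” are), refuses double-encoded and control-character input, and only then looks for “..” segments. The document root and the sample requests are constructed for the example.

```python
"""Added example (not from the CISSP All-In-One text): a defensive request-path
check covering ../ traversal, overlong "Unicode" (%c0%af-style) encodings and
ordinary %xx URL encoding."""
from typing import Optional
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/var/www/html"   # constructed document root for the example


def decode_request_path(raw: str) -> Optional[str]:
    """Percent-decode exactly once and insist on valid UTF-8.

    A strict UTF-8 decoder rejects overlong sequences such as %c0%af, which is
    how a '/' was smuggled past literal "../" filters. Returns None on failure."""
    try:
        return unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None


def classify_request_path(raw: str) -> str:
    """Return "ok" or a short rejection reason for one request path."""
    decoded = decode_request_path(raw)
    if decoded is None:
        return "invalid-encoding"
    if "%" in decoded:
        # A '%' surviving one decode pass means double encoding (e.g. %252e);
        # this example rejects it outright rather than decoding again.
        return "double-encoded"
    if "\x00" in decoded:
        return "nul-byte"
    if any(ord(ch) < 0x20 for ch in decoded):
        return "control-char"
    # Split on both separators: Windows-hosted servers treat '\' like '/'.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return "traversal"
    return "ok"


def resolve_to_docroot(raw: str) -> Optional[str]:
    """Map an accepted request path onto a file below DOCROOT, else None."""
    if classify_request_path(raw) != "ok":
        return None
    decoded = decode_request_path(raw).replace("\\", "/")
    target = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # Second line of defence: the normalised path must still be inside DOCROOT.
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return None
    return target


# Constructed sample requests: the first two are legitimate, the rest are the
# attack variants discussed in the text plus a double-encoded form.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/my%20file.html",
    "/scripts/../../../../../windows/system32/cmd.exe",
    "/scripts/..%c0%af..%c0%afwindows/system32/cmd.exe",
    "/scripts/%2e%2e%2f%2e%2e%2fetc/passwd",
    "/scripts/%252e%252e/secret",
    "/images/..%5c..%5cboot.ini",
]


def audit(requests=SAMPLE_REQUESTS) -> dict:
    """Classify each request; the entry point used below."""
    return {req: classify_request_path(req) for req in requests}


if __name__ == "__main__":
    for req, verdict in audit().items():
        print(f"{verdict:17} {req}  ->  {resolve_to_docroot(req)}")
```

The order of the checks matters: decoding must happen before the “..” test (otherwise %2e%2e slips through), and the UTF-8 check must be strict, because a lenient decoder would silently turn %c0%af into a replacement character instead of refusing the request.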


April 24, 2008

CISSP All-In-One Study Guide: Identity Management

The industry as a whole has an increasing need for understanding and implementing identity management (IdM) solutions. Regulations and laws are requiring dependable accountability, which is the push for the necessary IdM products and processes. The different components that are required for an enterprise IdM are so complex that many security professionals have to specialize and become experts in just this type of technology.
 
The following are many of the common questions enterprises deal with today in controlling access to assets:

  • What should each user have access to?

  • Who approves and allows access?

  • How do the access decisions map to policies?

  • Do former employees still have access?

  • How do we keep up with our dynamic and ever-changing environment?

  • What is the process of revoking access?

  • How is access controlled and monitored centrally?

  • Why do employees have eight passwords to remember?

  • We have five different operating platforms. How do we centralize access when each platform (and application) requires its own type of credential set?

  • How do we control access for our employees, customers, and partners?

  • How do we make sure we are compliant with the necessary regulations?

Identity management is a broad and loaded term that encompasses the use of different products to identify, authenticate, and authorize users through automated means. To many people, the term also includes user account management, access control, password management, single sign-on functionality, managing rights and permissions for user accounts, and auditing and monitoring of all of these items. The reason that individuals, and companies, have different definitions and perspectives of identity management (IdM) is because it is so large and encompasses so many different technologies and processes. Remember the story of the four blind men who are trying to describe an elephant? One blind man feels the tail and announces, “It’s a tail.” Another blind man feels the trunk and announces, “It’s a trunk.” Another announces it’s a leg, and another announces it’s an ear. This is because each man cannot see or comprehend the whole of the large creature—just the piece he is familiar with and knows about. This analogy can be applied to IdM because it is large and contains many components and many people may not comprehend the whole—only the component they work with and understand, proven incapable of keeping up with complex demands and thus has been replaced with automated applications rich in functionality that work together to create an identity management infrastructure. The main goals of identity management (IdM) technologies are to streamline the management of identity, authentication, authorization, and the auditing of subjects on multiple systems throughout the enterprise. The sheer diversity of a heterogeneous enterprise makes proper implementation of IdM a huge undertaking.

Many identity management solutions and products are available in the marketplace. The following are the types of technologies that make up IdM solutions:

  • Directories

  • Web access management

  • Password management

  • Legacy single sign-on


The Shon Harris CISSP course covers all of the above technologies and how they fit together enterprise-wide.
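To make the questions above concrete, here is an added example (written for this post; it is not code from the study guide or from any IdM product) of the kind of access-review reconciliation an IdM infrastructure automates: an HR roster is treated as the authoritative source, a role-to-entitlement policy defines what each role may hold, and account exports from two platforms with different login formats are compared against both. The roster, policy and account data are constructed for the example.

```python
"""Added example (not from the CISSP All-In-One text): reconcile platform
accounts against an HR roster and a role policy to answer three of the
questions above: do former employees still have access, do granted
entitlements map to policy, and which accounts belong to nobody."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed authoritative source (what an HR feed would supply):
# employee id -> (status, business role)
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "e100": ("active", "teller"),
    "e101": ("active", "loan-officer"),
    "e102": ("terminated", "teller"),
}

# Constructed policy: the (system, entitlement) pairs each role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[Tuple[str, str]]] = {
    "teller": {("core-banking", "view-account")},
    "loan-officer": {
        ("core-banking", "view-account"),
        ("core-banking", "approve-loan"),
        ("crm", "edit-customer"),
    },
}

# Constructed per-platform account exports, each with its own login format:
# system -> {login: (owning employee id or None, entitlements held)}
SYSTEM_ACCOUNTS: Dict[str, Dict[str, Tuple[Optional[str], Set[str]]]] = {
    "core-banking": {
        "JDOE":   ("e100", {"view-account"}),
        "ASMITH": ("e101", {"view-account", "approve-loan"}),
        "BOLD":   ("e102", {"view-account"}),            # owner was terminated
    },
    "crm": {
        "alice.smith": ("e101", {"edit-customer", "export-all"}),  # export-all not in policy
        "svc_backup":  (None, {"export-all"}),                     # no owner at all
    },
}

Finding = Tuple[str, str, str, Optional[str]]   # (issue, system, login, detail)


def reconcile(roster=HR_ROSTER, policy=ROLE_ENTITLEMENTS,
              accounts=SYSTEM_ACCOUNTS) -> List[Finding]:
    """Compare every platform account against the HR roster and role policy."""
    findings: List[Finding] = []
    for system, logins in accounts.items():
        for login, (emp_id, held) in logins.items():
            if emp_id is None or emp_id not in roster:
                findings.append(("orphan-account", system, login, None))
                continue
            status, role = roster[emp_id]
            if status != "active":
                findings.append(("former-employee-access", system, login, emp_id))
                continue
            allowed = {ent for (sys_name, ent) in policy.get(role, set())
                       if sys_name == system}
            for extra in sorted(held - allowed):
                findings.append(("excess-entitlement", system, login, extra))
    # Sort on (issue, system, login) only; the detail column may be None.
    return sorted(findings, key=lambda f: f[:3])


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by issue type, the figure an access review reports."""
    return dict(Counter(issue for issue, _, _, _ in findings))


if __name__ == "__main__":
    for issue, system, login, detail in reconcile():
        print(f"{issue:24} {system:13} {login:12} {detail or ''}")
    print(summary(reconcile()))
```

Each finding maps back to one of the questions in the list: the orphan service account is an access nobody approved, the terminated employee's surviving login is the revocation-process failure, and the extra CRM entitlement is an access decision that does not map to policy. A provisioning engine performs this comparison continuously instead of at audit time.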


April 14, 2008

CISSP All-In-One Study Guide: Diameter Protocol

One of the most recognizable and important books for the information security field has been updated and released. The book (CISSP All-In-One Study Guide) is commonly referred to as the information security bible and is used all over the world for studying for the CISSP exam, but even more importantly it is used continually as a resource by security professionals because it covers all of the elements needed to develop and maintain a security program for any organization. Some of the new items that this book, and its corresponding CISSP course, dive into are technologies that are just starting to mature in the industry and are thus confusing to thousands of people. One of the items that is fully covered in the book and its extensive course is the Diameter protocol.

The Diameter protocol, one of the newer protocols, is unknown to many security professionals, but is silently spreading and will soon be as well known as RADIUS and TACACS+. Diameter is a protocol that has been developed to build upon the functionality of RADIUS and overcome many of its limitations. The creators of this protocol decided to call it Diameter as a play on the term RADIUS—as in the diameter is twice the radius.

Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today’s complex and diverse networks. At one time, all remote communication took place over PPP and SLIP connections and users authenticated themselves through PAP or CHAP. Those were simpler, happier times when our parents had to walk uphill both ways to school wearing no shoes. As with life, technology has become much more complicated and there are more devices and protocols to choose from than ever before. Today, we want our wireless devices and smart phones to be able to authenticate themselves to our networks and we use roaming protocols, Mobile IP, Ethernet over PPP, Voice over IP (VoIP), and other crazy stuff that the traditional AAA protocols cannot keep up with. So in came the smart people with a new AAA protocol, Diameter, that can deal with these issues and many more.

Diameter protocol consists of two portions, as shown in the graphic below. The first is the base protocol, which provides the secure communication among Diameter entities, feature discovery, and version negotiation. The second is the extensions, which are built on top of the base protocol to allow various technologies to use Diameter for authentication.

[Figure: Diameter protocol]

Mobile IP is a technology that allows a user to move from one network to another and still use the same IP address. It is an improvement upon the IP protocol because it allows a user to have a home IP address, associated with his home network, and a care-of address. The care-of address changes as he moves from one network to the other. All traffic that is addressed to his home IP address is forwarded to his care-of address.

Up until the conception of Diameter, the IETF had individual working groups who defined how Voice over IP (VoIP), Fax over IP (FoIP), Mobile IP, and remote authentication protocols work. Defining and implementing them individually in any network can easily result in confusion and interoperability problems. It requires customers to roll out and configure several different policy servers and increases the cost with each new added service. Diameter provides a base protocol, which defines header formats, security options, commands, and AVPs (attribute-value pairs). This base protocol allows for extensions to tie in other services, such as VoIP, FoIP, Mobile IP, wireless, and cell phone authentication. So Diameter can be used as an AAA protocol for all of these different uses.

As an analogy, consider a scenario in which ten people all need to get to the same hospital, which is where they all work. They all have different jobs (doctor, lab technician, nurse, janitor, and so on), but they all need to end up at the same location. So, they can either all take their own cars and their own routes to the hospital, which takes up more hospital parking space and requires the gate guard to authenticate each and every car, or they can take a bus. The bus is the common element (base protocol) to get the individuals (different services) to the same location (networked environment). Diameter provides the common AAA and security framework that different services can work within.
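To show what “the base protocol defines header formats, commands, and AVPs” means on the wire, here is an added example, written for this post and not taken from the book or from any Diameter implementation, that encodes and parses the Diameter header and AVP layout from RFC 3588 (now RFC 6733): a 20-byte header (version, length, command flags, command code, Application-ID, hop-by-hop and end-to-end identifiers) followed by AVPs that are each padded to a 4-byte boundary. It builds a Capabilities-Exchange-Request with three base-protocol AVPs, parses it back with bounds checks on every length field, and applies the base-protocol rule that an AVP with the M (mandatory) flag that the receiver does not understand must be rejected with Result-Code 5001 (DIAMETER_AVP_UNSUPPORTED). The host name and realm in the message are constructed.

```python
"""Added example (not from the CISSP All-In-One text): Diameter base-protocol
framing (RFC 3588 / RFC 6733 header and AVP layout) with a defensive parser."""
import struct

DIAMETER_VERSION = 1
# Command flags carried in the header's flags byte
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR = 0x80, 0x40, 0x20
# AVP flags: V = vendor-specific, M = mandatory
AVP_VENDOR, AVP_MANDATORY = 0x80, 0x40

CMD_CAPABILITIES_EXCHANGE = 257          # base-protocol command code
AVP_ORIGIN_HOST, AVP_ORIGIN_REALM = 264, 296
AVP_AUTH_APPLICATION_ID = 258
KNOWN_AVPS = {AVP_ORIGIN_HOST, AVP_ORIGIN_REALM, AVP_AUTH_APPLICATION_ID}
RESULT_AVP_UNSUPPORTED = 5001            # Result-Code for an unknown mandatory AVP


def encode_avp(code: int, data: bytes, mandatory: bool = True,
               vendor_id: int = None) -> bytes:
    """AVP = code(4) | flags(1) | length(3) | [vendor-id(4)] | data | pad to 4."""
    flags = AVP_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # length excludes padding
    avp = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return avp + vendor + data + b"\x00" * (-len(data) % 4)


def encode_message(command_code: int, application_id: int, avps,
                   flags: int = FLAG_REQUEST, hop_by_hop: int = 0,
                   end_to_end: int = 0) -> bytes:
    """Header = version(1) | length(3) | flags(1) | command(3) | app-id(4) | hbh(4) | e2e(4)."""
    body = b"".join(avps)
    length = 20 + len(body)
    return (bytes([DIAMETER_VERSION]) + length.to_bytes(3, "big")
            + bytes([flags]) + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)


def decode_message(raw: bytes) -> dict:
    """Parse a message, refusing any length field that points outside the buffer."""
    if len(raw) < 20:
        raise ValueError("truncated Diameter header")
    version = raw[0]
    length = int.from_bytes(raw[1:4], "big")
    if version != DIAMETER_VERSION or length != len(raw):
        raise ValueError("bad version or message length")
    flags = raw[4]
    command_code = int.from_bytes(raw[5:8], "big")
    application_id, hop_by_hop, end_to_end = struct.unpack("!III", raw[8:20])
    avps, offset = [], 20
    while offset < length:
        if length - offset < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", raw[offset:offset + 4])[0]
        avp_flags = raw[offset + 4]
        avp_len = int.from_bytes(raw[offset + 5:offset + 8], "big")
        hdr_len = 12 if avp_flags & AVP_VENDOR else 8
        padded = avp_len + (-avp_len % 4)
        if avp_len < hdr_len or offset + padded > length:
            raise ValueError("AVP length out of bounds")
        vendor_id = None
        if avp_flags & AVP_VENDOR:
            vendor_id = struct.unpack("!I", raw[offset + 8:offset + 12])[0]
        avps.append((code, avp_flags, vendor_id, raw[offset + hdr_len:offset + avp_len]))
        offset += padded
    return {"flags": flags, "command_code": command_code,
            "application_id": application_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": avps}


def check_mandatory_avps(msg: dict):
    """Base-protocol rule: an unknown AVP with the M flag set must be rejected."""
    for code, avp_flags, _vendor, _data in msg["avps"]:
        if avp_flags & AVP_MANDATORY and code not in KNOWN_AVPS:
            return RESULT_AVP_UNSUPPORTED
    return None


def build_cer() -> bytes:
    """Constructed Capabilities-Exchange-Request advertising the NASREQ application (id 1)."""
    avps = [encode_avp(AVP_ORIGIN_HOST, b"nas.example.com"),
            encode_avp(AVP_ORIGIN_REALM, b"example.com"),
            encode_avp(AVP_AUTH_APPLICATION_ID, struct.pack("!I", 1))]
    return encode_message(CMD_CAPABILITIES_EXCHANGE, 0, avps,
                          hop_by_hop=0x1001, end_to_end=0x2002)


if __name__ == "__main__":
    msg = decode_message(build_cer())
    print(msg["command_code"], hex(msg["flags"]), msg["avps"])
```

The Application-ID in the header and the Auth-Application-Id AVP are where the extensions plug in: the base protocol carries the same framing for every application, and each application (NASREQ, Mobile IP, and so on) only adds its own command codes and AVPs on top. The bounds checks in the parser are the part a practitioner should not skip, since a length field that claims more bytes than the buffer holds is the classic way a protocol decoder gets crashed or made to read past its input.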

Diameter Protocol is just one of the many topics covered in the Shon Harris CISSP Course!


February 29, 2008

Shon Harris’ Podcast On CISSP Certification

If you are a security professional or practitioner, getting a CISSP certification will give you an edge over your competitors. In this podcast, Shon Harris, author of CISSP All-In-One Exam Guide and creator of The Shon Harris CISSP Solution discusses the benefits and value of obtaining CISSP certification. She further explains the 10 domains of the CISSP exam and other valuable tips that will help people prepare and take the test.


February 27, 2008

Risks Associated with Outsourcing

by Shon Harris

In your opinion, what are the key business risks associated with outsourcing in developing countries, and what role can security risk management play in mitigating them?

Although outsourcing can greatly reduce labor costs, because countries have different laws, regulations and enforcement motivations, many companies have to deal with a range of unfamiliar issues to ensure their work is secure. For example, in 2002, Shekhar Verma, an employee at Indian company Geometric Software Solutions Ltd. (GSSL), became a lethal weapon after he was fired. He stole a copy of a customer’s source code, contacted several of their competitors and sold the information to the highest bidder. Fortunately, Verma unknowingly sold the code to an undercover Indian Intelligence agent. Unfortunately, stealing trade secrets did not violate Indian law, so Verma was only charged with a simple theft.

It is also unfortunate that this is not the only incident. There have been several cases in the past few years where off-shore employees have taken customer intellectual property. However, it’s important to note that while they still do not have intellectual property or privacy laws in place, many governments, including India, have been actively working to decrease these risks, because these incidents directly affect the vendor’s reputation and bottom line — their revenue.

People who aren’t familiar with outsourcing may think it’s just too risky. However, many organizations are having a hard time staying in business, because they are competing with companies that do outsource, which drives down the market price for their goods and service. So, in many industries, outsourcing is unavoidable and therefore must be properly managed. If you are in one of these industries and are hesitant, again think of the profit — several sources have estimated that U.S. companies that outsource labor will save hundreds of billions of dollars by 2010.

Choosing an offshore outsourcing company can be difficult. As you look for a company, it’s important to look under the covers and do the necessary due diligence. Also, it’s a good idea to address the following issues:

  • Don’t rely on a supplied customer list or on claims that the vendor adheres to quality management standards and regulations.
    • Physically go to the facility. Hire staff who can manage the company locally, hire an attorney in that region to review the legitimacy of the contract as it pertains to that country’s laws, and interview the vendor’s current customers.
  • If the company is in a country that is a member of the World Trade Organization, it may adhere to the intellectual property protection objectives laid out in TRIPS (Trade-Related Aspects of Intellectual Property Rights).
    • Note: TRIPS has to be enforced locally; therefore, investigate the country’s track record for this type of enforcement.
  • If the company is incorporated in the U.S., it can be sued under the U.S. legal system.
    • If the vendor has assets in the U.S., it can be more easily controlled by the U.S. legal system.
  • Ensure the company does background checks on all employees and contractors.
    • Review the actual documentation instead of just listening to the vendor’s sales staff.
  • Review the company’s history, how financially stable it is, and its employee retention rates.
    • Many offshore vendors experience high turnover, which increases the risk of losing control over your company’s IP.
  • Ensure that indemnification agreements are in place.
  • Use a software escrow company and get insurance to protect your source code.
  • Define an acceptable risk level with the vendor and monitor enforcement efforts.
  • Audit the company to ensure it is compliant with your contract and policy, and that it is meeting your regulatory requirements.
  • Understand the laws of the country the company resides in. For example, Singapore has more mature intellectual property laws than China, India and Russia.
  • Understand your own company’s legal and regulatory requirements that can come into play. For example, if the outsourcing company handles your customers’ medical or financial information, how will you ensure HIPAA and SOX compliance?
  • Review how the vendor uses subcontractors, and how it ensures they meet the same requirements as its employees.
  • Give the proper amount of time and effort to due diligence before moving forward with a vendor.
  • Remotely monitor firewalls, IDS and other security technologies within the vendor’s facility.
    • Your company may be able to own and deploy these systems and technologies itself to ensure a certain level of protection.
  • Check whether the vendor has disabled floppy, CD-ROM and USB drives on employee and contractor workstations to reduce the risk of theft of your company’s IP.
  • Review physical security and business continuity measures.
  • Understand the political context of the country the company resides in. If there is potential for civil war or other types of unrest, this is not where you want to do business.
  • Require non-disclosure and non-compete contracts for the vendor, its employees and its contractors.
    • Investigate whether these agreements are recognized and enforced in the country the vendor resides in.
  • Put financial sanctions in your contract instead of just relying upon the legal system.
  • Make payments performance-based, on both security and quality control performance.
  • Require that all legal disputes be handled in U.S. courts, and document this in your contract.
  • Require the vendor to carry insurance that will protect its customers from losses.
  • Ask for proof of security certifications obtained by employees and contractors (CISSP, GIAC, Security+).
    • This will show how much exposure to information security this group has had.
  • Evaluate the vendor’s access control procedures and ensure that least privilege is enforced.
  • Find out whether the vendor has an SEI Capability Maturity Model (CMM) or ISO 17799 certification.

Since different companies have different levels of acceptable risk, the effort and cost of managing outsourced companies will vary. A company that outsources its call center or assembly line will not have the same security risks as a company that outsources its software development or the processing of sensitive data. Remember, no matter what type of contract you put in place, enforcement can be very difficult when it crosses country boundaries. This does not mean your company should not outsource specific types of labor; just be prepared to do what it takes to ensure the processes are secure.


February 7, 2008

To Catch A Thief: Forensics and Tools of The Trade

by Shon Harris

February 28, 2005 — Juju Jiang was sentenced to 27 months in prison for installing key loggers on computers at various Kinko’s locations throughout Manhattan. He collected confidential information that gave him access to individuals’ bank accounts.

July 14, 2005 — Allan Eric Carlson was convicted of 79 counts of computer and identity fraud and sentenced to 48 months in jail. An unhappy baseball fan, he spoofed e-mails complaining about the poor performance of the Philadelphia Phillies from writers at area newspapers, Fox Sports, ESPN and other media.

August 12, 2005 — Scott Levine was found guilty of 120 counts of unauthorized access of a protected computer, two counts of access device fraud and one count of obstruction of justice. He and some of his coworkers at e-mail distributor Snipermail stole more than one billion records containing personal information from business partner and data management firm Acxiom.

Headline-grabbing crimes like these are helping make computer forensics one of information security’s fastest-growing markets. While forensics tools are used to help track down perpetrators in high-profiles cases, they are also being used in everyday civil and criminal cases to prepare for potential lawsuits over intellectual property theft, enforcement of non-compete clauses and regulatory compliance issues.

One of the requirements in SOX, SB 1386, GLBA and HIPAA is the ability to detect fraudulent activity, which is where forensics usually comes into the picture. Coupled with increased cybercrime, regulatory compliance is yet another business driver that is making more organizations bring forensics capabilities in-house and look to tools to help them.

But before you make your IT staff detectives, forensics requirements must be truly understood.

Defining Process

While forensics is sometimes confused with incident response, their objectives are quite different. Every company should have an incident-response team to deploy when something suspicious takes place and stop malicious activity, but a forensics team has different requirements.

Your forensics team needs technical know-how and a sound understanding of all legal requirements. The team must also know how to gather and preserve the evidence, and have the ability to present the information. Forensic investigators must be prepared to defend their activities in court because, on the witness stand, their work and reputation will be scrutinized and attacked. If they don’t properly collect and analyze the evidence and present their results well in court, their evidence can be thrown out–which could cost the company the case. Therefore, it’s important to set up an internal forensics team to perform the following tasks:

  • CHOOSE team members from security, IT, management, legal, human resources and public relations, and assign necessary responsibilities to those roles.
  • OUTLINE the forensics methodology that will be used. Include steps such as incident verification, bit-image creation, evidence collection procedures, timeline creation and review, media and operating system analysis, data recovery processes, and report generation.
  • IDENTIFY critical systems and how they should be handled if breached. Some systems cannot be brought down for investigative purposes because of the negative business impact.
  • DETERMINE the chain-of-custody steps for collected evidence.
  • SELECT the various documentation types that will be used for gathering evidence.
  • DETAIL recovery procedures by creating standardized steps for rebuilding affected systems and recovered data.
  • DEFINE the team’s forensics toolkit.

A hybrid approach combining internal forensics capabilities with external consultants is often the best approach.

The internal team carries out the investigation and collects evidence, and is responsible for the crux of the case; the external team verifies that the investigation was carried out properly, ensuring the evidence is admissible in court. While the in-house team has more intimate knowledge of the company, its systems and business needs, the outside team has seen many more types of crimes. Together, these groups can provide more effective results.

There are several tools available to forensics teams to help ensure a proper investigation. Guidance Software’s EnCase, AccessData’s Ultimate Toolkit, and Paraben’s NetAnalysis are some of the most widely used forensics tools in the industry. e-fense’s Helix is a strong open-source alternative.

Tools

Guidance Software’s EnCase

Guidance Software has long been the leader in forensics software with EnCase, the most-used forensics acquisition and analysis tool by law enforcement and the private sector.

EnCase has ample court history to support its usability, and it supports the acquisition of evidence from just about every operating system, file system and media type, including live systems. Through what Guidance calls a passive agent, it performs over-the-network acquisition of evidence from live systems to a remote analysis station. EnCase then creates well-organized, detailed reports that are understood by experts and attorneys alike.

EnCase images hard drives and partitions via a proprietary format in which equal-sized chunks of information are read from the source media and then written to the destination, along with an accompanying hash for data integrity. This serves as an integrity check–the benefit being the rapid reacquisition of data should any chunk’s hash fail the check.
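The chunk-hashing idea described above, together with the bit-image creation and chain-of-custody steps from the methodology list earlier, can be shown in a few lines of code. The following is an added example written for this page; it is not EnCase’s proprietary format or any vendor’s code. It assumes a constructed in-memory "device", a chunk size of 4096 bytes, SHA-256 as the hash, and a simple dictionary as the custody record; EnCase’s container layout and hashes differ.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed chunk size for this example; EnCase's container format and chunk sizes differ.
CHUNK_SIZE = 4096


def image_device(source, chunk_size=CHUNK_SIZE):
    """Copy a source stream chunk by chunk, hashing each chunk as it is read.

    Returns (image_bytes, manifest). The manifest records the per-chunk hashes, the
    total length and a hash of the whole image, so any later corruption can be pinned
    to a single chunk and only that chunk has to be re-read from the original media.
    """
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    out = io.BytesIO()
    whole = hashlib.sha256()
    chunk_hashes = []
    while True:
        chunk = source.read(chunk_size)
        if not chunk:
            break
        out.write(chunk)
        whole.update(chunk)
        chunk_hashes.append(hashlib.sha256(chunk).hexdigest())
    image = out.getvalue()
    manifest = {
        "chunk_size": chunk_size,
        "length": len(image),
        "chunks": chunk_hashes,
        "sha256": whole.hexdigest(),
    }
    return image, manifest


def verify_image(image, manifest):
    """Re-hash every chunk of a stored image against its manifest.

    Returns {"length_ok": bool, "bad_chunks": [indexes]}; an intact image gives
    length_ok True and an empty list. The length check catches appended or truncated
    data that per-chunk hashes alone would miss.
    """
    size = manifest["chunk_size"]
    bad = []
    for i, expected in enumerate(manifest["chunks"]):
        chunk = image[i * size:(i + 1) * size]
        if hashlib.sha256(chunk).hexdigest() != expected:
            bad.append(i)
    return {"length_ok": len(image) == manifest["length"], "bad_chunks": bad}


def custody_record(case_id, evidence_id, action, handler, manifest):
    """One chain-of-custody entry: who did what to which evidence, when, and the
    image hash that lets the next handler prove nothing changed in between."""
    return {
        "case": case_id,
        "evidence": evidence_id,
        "action": action,
        "handler": handler,
        "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image_sha256": manifest["sha256"],
        "chunks": len(manifest["chunks"]),
    }


if __name__ == "__main__":
    # Constructed "device": 10240 bytes, i.e. two full chunks and one partial chunk.
    device = bytes(range(256)) * 40
    image, manifest = image_device(device)
    print(verify_image(image, manifest))           # {'length_ok': True, 'bad_chunks': []}
    log = [custody_record("CASE-0001", "HDD-01", "acquired", "examiner-a", manifest)]
    damaged = bytearray(image)
    damaged[5000] ^= 0xFF                          # flip one byte inside chunk 1
    print(verify_image(bytes(damaged), manifest))  # {'length_ok': True, 'bad_chunks': [1]}
    print(json.dumps(log, indent=2))
```

The custody record carries the whole-image hash rather than the chunk list so that each handoff can be checked against the manifest independently; a mismatch at verification time points at the exact chunk to re-read from the original media, which is the benefit the paragraph above describes.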

For searching, EnCase employs an extremely flexible Unix grep-like facility. These searches, which take time but yield valuable results, parse evidence byte by byte and can uncover deleted files and other non-file data.

Though its enterprise edition is more expensive than the other tools listed here, EnCase Enterprise also offers additional features such as network-based acquisition.

AccessData’s Ultimate Toolkit

AccessData’s Ultimate Toolkit (UTK) incorporates a password recovery tool capable of decrypting just about any file, an enhanced registry viewer designed to illuminate evidence hidden in system-only accessible registry keys, a disk wiper and a distributed-computing encryption breaker.

UTK’s edge is its database-driven architecture. As evidence is imported (typically drive and partition images), it’s scanned and indexed into a case database. This allows for quick ad hoc string queries and organization of extracted files and data without the need to rescan. This same type of search performed by other products can take considerable time; UTK returns instantaneous results.

In addition, all ASCII and Unicode strings are indexed and exportable. This ties in seamlessly with the password recovery tool, as all text strings found within the evidence can be ported into a dictionary for password-cracking purposes. UTK’s password recovery tool is capable of decrypting Microsoft NTFS-EFS and Office, .zip, NTLM and PDF files–just about any type of encrypted file that could be used as evidence.
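The byte-by-byte grep-style search attributed to EnCase above and the ASCII/Unicode string index that UTK builds are the same underlying technique: scan the raw image (including slack and deleted areas, since no file system is consulted) for printable runs, record where each one lives, and index the words so later queries are instant. The following is an added example, not code from any of these products. It assumes a small constructed image, a minimum string length of four characters, and UTF-16LE as the Unicode encoding (the form Windows uses on disk); the dictionary export at the end mirrors the password-cracking tie-in the paragraph mentions.

```python
import re
from collections import defaultdict

# Constructed evidence image: zeroed space, an ASCII string, a UTF-16LE string and
# an orphaned ASCII fragment in what would be unallocated space.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Invoice for ACME Corp"
    + b"\x00" * 8
    + "SecretPass2005".encode("utf-16-le")
    + b"\xff" * 8
    + b"deleted draft: merger talks"
)


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run in raw bytes.

    Works on the whole image, so strings from deleted files or slack space are found
    just as well as strings inside allocated files.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def build_index(strings):
    """Map each lower-cased word to the sorted (offset, encoding) pairs it occurs in.

    Building this once is what lets later ad hoc queries return without rescanning
    the image.
    """
    index = defaultdict(set)
    for offset, enc, text in strings:
        for word in re.findall(r"[A-Za-z0-9]+", text):
            index[word.lower()].add((offset, enc))
    return {word: sorted(hits) for word, hits in index.items()}


def query(index, term):
    """Case-insensitive lookup; returns [] when the term is absent."""
    return index.get(term.lower(), [])


def dictionary_words(strings, min_len=6):
    """Unique tokens (case preserved) suitable for a password-recovery word list."""
    words = set()
    for _, _, text in strings:
        for token in re.findall(r"\S+", text):
            if len(token) >= min_len:
                words.add(token)
    return sorted(words)


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_IMAGE)
    for offset, enc, text in strings:
        print(f"0x{offset:06x} {enc:9s} {text}")
    index = build_index(strings)
    print(query(index, "ACME"))        # [(16, 'ascii')]
    print(query(index, "merger"))      # [(81, 'ascii')]
    print(dictionary_words(strings))
```

On a real image the scan is the slow step, as the EnCase paragraph says; the index is what turns every subsequent question into a dictionary lookup, which is the architectural difference the UTK section describes.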

Included with UTK is AccessData’s Forensic Toolkit (FTK), which has been around since 1998 and has gained quite a bit of popularity among law enforcement officials and the private sector. Its capability for dealing with e-mail–more and more becoming the silver bullet of evidence–is second to none.

FTK’s ability to quickly catalog e-mail on an evidence image in just about any stored format–and further extract embedded images and elements in a highly searchable fashion–makes it the premier forensic tool for such analysis. FTK is also adept at handling graphics and creating reports that display them in an easy-to-understand and organized manner.

Typical of a commercial tool, FTK can manage a case from acquisition to completion, and includes polished and flexible reporting capabilities that can be easily installed onto an auto-play CD-ROM for distribution.

e-fense’s Helix

e-fense’s Helix, created by forensics specialist Drew Fahey, is an open-source Linux LiveCD distribution designed specifically for digital forensics and based on the popular Knoppix distribution. It contains many forensics- and security-related tools designed to aid in the recovery and analysis of digital evidence from live and post-mortem (powered off) systems. As it’s Linux-based, it has the ability to analyze Linux file systems like Ext2/Ext3, and even the less common ones like ReiserFS, JFS and XFS.

What makes Helix different from other Linux LiveCDs are the measures it takes to preserve all of the drives and partitions present on a system. A common problem with other LiveCDs is that they mount swap partitions when they boot, possibly altering data. Helix will not mount any swap partitions (any auto-mounted partitions are read-only), which preserves data, MAC (Modified, Accessed, Changed/Created) times and other such file metadata. This allows Helix to acquire evidence without the use of a hardware write-block device.
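The MAC times Helix takes care to preserve are also the raw material for the "timeline creation and review" step in the methodology list earlier. The following is an added example written for this page, not code from Helix or The Sleuth Kit: it reads MAC times with os.stat(), merges them into one chronological timeline in a simplified flag format (m, a, c in fixed positions, a dot where that time does not apply), and compares two snapshots to detect whether an examination altered any file’s metadata. The record layout and the constructed sample timestamps are assumptions for this example.

```python
import os
from datetime import datetime, timezone


def collect_mac(paths):
    """Read the modification, access and change (inode) times of real files.

    os.stat() itself does not alter these values, but opening and reading a file on a
    read-write mount can update its access time, which is why acquisition media
    should be mounted read-only.
    """
    records = []
    for path in paths:
        st = os.stat(path)
        records.append({"path": path, "mtime": int(st.st_mtime),
                        "atime": int(st.st_atime), "ctime": int(st.st_ctime)})
    return records


def build_timeline(records):
    """Merge MAC times into one chronological list of (timestamp, flags, path).

    flags is three characters in the order m, a, c; a dot means that timestamp is
    not the file's time of that kind (simplified format assumed for this example).
    """
    events = []
    for r in records:
        for ts in sorted({r["mtime"], r["atime"], r["ctime"]}):
            flags = (("m" if r["mtime"] == ts else ".")
                     + ("a" if r["atime"] == ts else ".")
                     + ("c" if r["ctime"] == ts else "."))
            events.append((ts, flags, r["path"]))
    return sorted(events)


def format_timeline(events):
    """Render timeline events as 'UTC time  flags  path' lines for a report."""
    lines = []
    for ts, flags, path in events:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when}  {flags}  {path}")
    return lines


def changed_mac(before, after):
    """Paths whose MAC times differ between two snapshots: evidence that the
    acquisition or examination itself touched file metadata."""
    earlier = {r["path"]: (r["mtime"], r["atime"], r["ctime"]) for r in before}
    return sorted(r["path"] for r in after
                  if earlier.get(r["path"]) != (r["mtime"], r["atime"], r["ctime"]))


if __name__ == "__main__":
    # Constructed records standing in for os.stat() results from an evidence image.
    records = [
        {"path": "/home/user/report.doc", "mtime": 1000, "atime": 1200, "ctime": 1000},
        {"path": "/home/user/.bash_history", "mtime": 1100, "atime": 1100, "ctime": 1100},
    ]
    for line in format_timeline(build_timeline(records)):
        print(line)
    # Simulate an examiner opening report.doc on a read-write mount: atime moves.
    touched = [dict(records[0], atime=1300)] + records[1:]
    print(changed_mac(records, touched))  # ['/home/user/report.doc']
```

Taking a MAC snapshot before and after any hands-on step, and keeping the changed_mac() result in the case notes, gives the examiner a concrete answer when opposing counsel asks whether the investigation itself changed the evidence.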

Helix will also auto-play on live Windows systems, on which its self-contained binaries and executables can be used for acquisition of both volatile data, like RAM, and stored data on a variety of media.

Many of its tools, like the venerable dd (a binary data dumper used for imaging of any device or data stream), are open source, and their source code has been scrutinized by the UNIX/Linux community for many years. Helix tools can be run from the command line or in an X session on live Linux systems, and from a self-contained Cygwin environment or the native GUI on live Windows systems.

Among the tools Helix employs are its feature-packed Sleuth Kit and graphical interface Autopsy Browser. Used in tandem, these give the digital investigator a very capable graphical analysis platform similar in functionality to many commercial products.

Since Helix is a shareware tool, it’s inexpensive but lacks the technical support and fixes to bugs when needed. Also, its youth is a drawback; there is little if any court case history in which Helix has been used.

Paraben’s NetAnalysis

Paraben has an extensive suite of tools that can be used to examine e-mail, recover passwords, analyze chat logs and perform powerful Web surfing analysis.

Paraben’s NetAnalysis tool can examine AOL history files, reconstruct a cache for viewing, recover deleted Internet history files, identify Google searches, and provide a cookie and URL decoder. Its ability to capture evidence from most cell phones and PDAs is more comprehensive than similar capabilities in other tools.

Although Paraben has an extensive toolset, it has not caught on in the industry as well as the EnCase and AccessData products.

Post Mortem

After your internal forensics team has carried out an incident or crime investigation with the appropriate toolkit, it’s important to understand what went right and what went wrong so the process can be improved.

Some questions the team should address include whether additional training or tools are needed for future incidents, and whether any recovery activities introduced vulnerabilities or affected the company’s regulatory status. Based on the forensics team’s discoveries and its assessment of damages from a particular incident, a company can decide whether to take the case to court.

The team should be able to determine the technical sophistication of the criminal and the likelihood of being able to catch him. It’s also important to determine what type of individual did this type of crime. Was it a competitor or just some kids hacking for fun?

Choose your battles wisely: It would not be a good business decision to win a multimillion-dollar lawsuit against a few teenagers who have no money.

Ultimately, having a skilled computer forensics team will ensure your company is prepared for the worst. Knowing how to track digital footprints can help your business catch a thief before he escapes into cyberspace.
