The Network View » information security

What is Computer Forensics?

Tommy P. Landry — Wed, 12 May 2010 15:30:46 +0000

This week we will cover a basic take on Computer Forensics, a growing and very important skill set in today’s complex (and threat-heavy) technical networking environment. Enjoy this guest post by Michael Linn.

______________________

When an unauthorized incident occurs against your network, such as an attacker breaking though your network’s defenses, an appropriate response is required. The response to the intrusion includes using forensic science to properly respond to the event.

Forensic science, or forensics, is the application of science to problems that are of interest to the legal profession and deals mainly with the recovery and analysis of evidence. Computer forensics attempts to retrieve information that can be used in pursuit of the attacker or criminal.

Computer forensics is also called digital forensics because its uses techniques to identify, collect, examine and preserve information or evidence, which is magnetically stored or encoded.

When your team responds to a criminal event that requires an examination using computer forensics, there are generally four basic steps that are followed.

Secure the crime scene
Collect and preserve evidence
Establish a chain of custody
Examine evidence

The first step in reacting to a computer forensics incident is for the first responders to secure the crime scene. The response team should document the physical surroundings of the computer or electronic device that is suspected of containing digital evidence. This includes photographing the area from different angles before anything is touched and labeling cables connected to the computer.

Additionally, the team should interview anyone who had access to the computer and take custody of the entire computer along with the keyboard, external memory devices, and peripherals.

Since digital evidence is easily altered or destroyed, only properly trained computer evidence specialists should process computer evidence in order to ensure that integrity is maintained and the data obtained can withstand scrutiny in a court of law.

The computer forensics team should capture any data that may be lost when the computer is turned off including:

RAM contents
Current network connections
Logon sessions
Network configurations
Open files

After the volatile data is preserved the team should create a mirror image backup of the hard drive. A mirror image backup, or bit-stream backup, is an evidence-grade backup that is admissible in court and must be done in a controlled manner by trained professional.

Establishing the chain of custody documents who had access to the evidence and when. Serial numbers should be recorded and the evidence should be kept under strict control at all times.

Finally, after the mirror image is created and the original system is secured, then the mirror image is examined to reveal evidence.

All data should be investigated for clues including:

Word processing documents
Spreadsheets
Emails
Caches
Cookies
Metadata
Database entries

Additional sources of hidden clues may come from RAM Slack or Drive Slack. When Windows computers use memory to process data information that has been created, viewed, modified, downloaded, or copied it may still be available.

______________________

The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at http://www.365ComputerSecurityTraining.com

______________________

Article Source: http://EzineArticles.com/

RSA 2010: A look inside the expo

Tommy P. Landry — Wed, 03 Mar 2010 17:14:31 +0000

I’m blogging this from the hotel room near Union Square, and so far, RSA has been a lot of fun. Yesterday I took a few minutes to take some [very raw] video footage of the Expo to share with those of you who were unable to attend the show. Please excuse the audio quality; as you know, trade shows come standard with built-in white noise.

For those of you who did make it to the show, I concluded the video by showing where you can go to find Anue Systems in Booth #329. If you are planning to be here today or tomorrow, please stop by and introduce yourself to me or one of my esteemed colleagues.

With that said, enjoy our video:

Information Security and the New Generational Gap

Tommy P. Landry — Thu, 12 Nov 2009 18:12:15 +0000

We are taking a brief hiatus from the ALIST series this week to focus on an important topic that deserves discussion. We all know that each generation (i.e. Baby Boomers, Generation X, etc.) brings with it new and different behaviors, attitudes, opinions, and interests. However, with the rapid advancement of technology in general, we are just now learning exactly how pervasive connectivity is impacting the younger sect of our working population.

Earlier this week I came across a very intriguing commentary on this very topic, Lifestyle Hackers, which appears on CSO Online. This insightful article talked about what is being referred to as the “Net Generation“, the younger subset of our population that has never known life without the Internet and other communication technologies (as opposed to Baby Boomers who were raised with television as the primary technology/communications breakthrough early in life).

Connectivity: A threat or a productivity tool?

Technology exposure has upsides and downsides, and we won’t go into all of the social implications of being connected and interacting virtually rather than face-to-face. However, twenty-somethings, the first true group of working adults among the Net Generation, seem to have a knack for finding their way around security measures. The ever-present Insider Threat is no longer solely a problem of user ignorance or malicious intent; it is now a problem of technical competence and motivation. How can that be you ask?

You see, the Net Generation views life, business, and productivity through different glasses than previous generations. While your security team is blocking access to social media, instant messaging, and other “high risk” applications, NetGeners (as we’ll refer to them from here forward) find those media to be crucial to their productivity. But your leadership team likely sees these tools as hindrances to productivity, hence the desire to block access. In the end, we’re all chasing the same goal – to get more done and to do it as efficiently as possible.

How do YOU define productivity?

Basically, the problem all comes down to perspective. Baby Boomers are more likely to focus on a specific task, much like watching a show or channel on TV. NetGeners, on the other hand, prefer the connectivity of the internet and have come to embrace multitasking as a fact of daily life. The article elaborates on this point, “As Internet-facing technology became ubiquitous and leaped from the home to the mobile device, the Net Generation adapted by incorporating new technology into its very social fabric.” Heck, NetGeners even have their own slang these days.

So who is right? Everyone is in some way. NetGeners see Facebook as a tool for collaboration to more quickly solve problems. They use Text Messaging (SMS) much like Baby Boomers have come to embrace email, but NetGeners prefer the instant gratification of knowing the message delivers now and the answer will come quickly, rather than a day or two later. For these reasons, many NetGeners actually refer to themselves as “Generation Now”. [Editor's Note: It's curious that most NetGeners somehow fail to grasp the value of Twitter, but that's another discussion altogether.]

The bottom line is this – media changes and evolves, as does technology. Different generations work in different ways. This has been true for hundreds of years now, through the Industrial revolution, which first made the term “economies of scale” relevant, to today, where micro-anything and real-time is deemed superior to the old way of doing things. First there was snail mail, then the telephone, then the facsimile (“fax” to all you NetGeners), then the Internet, then email, and then finally, widespread acceptance of cell phones. Cell phones naturally forced the whole equation to evolve again, and now, real-time is key.

So what’s a security professional to do? As a technologist, the smart approach is to embrace and enable safe usage of these new technologies. Revisit your Security Policy. If it’s too restrictive, expect problems if/when you hire twenty-somethings. They will find a way around it, and your policy won’t work. Ultimately, you risk failing to enforce the very security that you aim to establish.

Security is here to ensure safe operation of the network, but not here to handcuff workers from being able to be productive. We’re not there yet, but a balance must be struck, and it’s up to CSOs and Security Management to determine the optimal approach.

Have you managed to figure out the balance? Please share your thoughts, tips, or even any criticisms of this viewpoint. This is a topic that must be discussed, and we’re happy to take the lead on drumming up the discussion.

Security Pros on Twitter (SPoT): Erin Jacobs/@SecBarbie

Tommy P. Landry — Tue, 04 Aug 2009 12:55:07 +0000

Welcome to our third installment of Security Pros on Twitter (SPoT).

This week we offer you Erin Jacobs, the first of two female Security Pros who have agreed to participate in the SPoT series. Ms. Jacobs goes by “SecBarbie”, or Security Barbie, on Twitter, a nickname she adopted after attending a SANS Conference in 2003. We won’t steal her thunder by telling the story in our own words, but you can read it for yourself on the About page for her blog, Security Sociability.

SPoT: Erin Jacobs (@SecBarbie)

Real Name: Erin Jacobs
Twitter Handle: @SecBarbie
Top 3 Social Media/Networking Sites:
Twitter, FriendFeed, foursquare

1. In which area(s) of security are you most involved?
By Day: Security Compliance, Policy, and strategic forecasting.
By Night: Social Media Security, OS X Security, Social Engineering, and Tech Addict.

2. What security topics will be the most important in the next 18 months? Why?
Mobile Malware attacks: It’s the most logical and largely unprotected space in corporate networks. With the ease of receiving and housing wonderful bits of malicious data though over-the-air transmission, then bringing it back to sync and spread to corporate network from the inside, this is going to be one sexy topic in the next 18 months.

Social Networking Security Compliance: Controlling information about an organization that is being transmitted outside of company networks, not on company equipment but by employees, is already proving to be challenging. This will lead to ease of Social Engineering attacks, as well as changing the landscape of how security professionals direct their efforts.

3. Biggest Pet Peeve: Name one thing about Network Security that you wish business stakeholders would understand and why.
Sense of entitlement to be exempt from security controls is, and likely will always be, one of my biggest pet peeves. Network and Information Security is everyone’s responsibility, and more so for key stakeholders. Understanding what key stakeholders perceive as important information and what they would consider damaging to the business if there were to be a breech is key in communicating why exemptions should NOT be made, as well as ensuring adequate controls.

4. Tell us why you became so active on Twitter and any other important social media outlets. What value are you getting?
Twitter became part of my life in early 2007, but it wasn’t until I attended an industry conference that I really saw great value. Twitter has proven to be a very powerful networking tool, both professionally and socially. It’s also a fantastic barometer of what is going on in the information security space for me, as I follow a lot of people who author some of the most ground breaking research in that space. Twitter also can prove to be a great release, a place where it is okay to be a real person.

5. Name one security peer whom everyone with an interest in Network Security should follow. (OK to name 2 if you can’t decide on only one)
Ryan Naraine (@ryanaraine)
I’ve followed Ryan about since I first got on Twitter, and his tweets are always extremely interesting and generally full of knowledge or good links. Overall, it’s a great Twitter feed to follow.

6. What’s your take on security for social media and cloud services in general? Top concerns, overstated issues, etc.
Of the top concerns that I see in cloud services especially in social media are the overstated security controls within these multi-tenant environments, as well as the privacy law and regulations in regards to jurisdiction over data based upon physical presence of the hosting.

7. What are the top 3 real-world (i.e. live) events you’d recommend for networking with security professionals?
Look for Barcamps or Bsides conferences in your area, these events are wonderful in that there is little or no cost, and it will build your ability to interface with local security professionals.

SOURCE Conferences are the best conference where price and networking abilities are pristine. Top rated speakers are at SOURCE Boston and SOURCE Barcelona, and with the smaller conference size, networking and actually interfacing with industry experts is a lot easier.

RSA Conference is a networking dream for security professionals on a grand scale. It’s very easy to get lost in the crowd at this conference if you do not have the best social skills.