A Forensic Investigative Response Approach for Suspected Security Breach - Case Study Example

The paper "A Forensic Investigative Response Approach for Suspected Security Breach" summarizes that the security advisor should monitor all business systems for any security lapses, document the entire episode of hacking and list the security incidents, educate employees about security awareness…
A forensic investigative response approach for suspected security breach

Of late, wide-scale cyber-attacks have shown that the security and safety safeguards of ICT (information and communication technology) in many essential infrastructures are clearly not adequate against targeted attacks pursued by talented individuals or organizations. Attacks on the ICT systems used by industry can cause huge economic losses. For instance, the Stuxnet malware, which eventually destabilized about 1000 uranium-enrichment centrifuges at Natanz in Iran, is the most widely reported illustration of an ICT attack affecting an ICS (Industrial Control System). The Stuxnet attack exposed the absence of mechanisms and procedures for evaluating security incidents in industrial settings (Dacer, Kargl, König & Valdes, 2014, p.62). Computer technologists are now focusing on structuring security mechanisms that help to profile hackers while an attack is in progress, and forensic tools that help to evaluate a computer intrusion after it has occurred. By employing a botnet detection tool, one can learn information about the hacker; for instance, the BotSniffer and BotMiner tools are used to detect intrusions while they are in the active stage (Filippoupolitis, Loukas & Kapetanakis 2014). Computer forensics is the science of recognising, evaluating, preserving, documenting and interpreting information and evidence from electronic and digital devices; it is intended to protect computer users from being attacked or exploited. Forensic experts have a duty to their client to pay attention to which information and data should be identified as probable corroboration, particularly because it can act as digital proof in an investigation and can help to initiate legal action against attackers. The chief characteristics of a probable cyber-attacker are shown in the following table and figure.

The speed of an attack is directly associated with the IT skill level of the attacker. A highly skilled attacker may leave no tracks and commit no mistakes, in contrast to an inexperienced attacker. The tracks or traces left by the attacker offer clues about the attacker: a well-experienced attacker will remove log files, whereas a less experienced attacker may not delete them (Filippoupolitis, Loukas & Kapetanakis 2014).

Specific forensic response plan

By engaging a well-experienced external forensic investigator, a company can learn the nature of the data exposure. External consultants such as Ernst & Young (E&Y) can use their expertise to recover deleted logs and files, are well versed in the novel procedures employed by hackers, and are experienced in exposing the countless hidden computer artefacts that can reveal the actions of a suspect, such as Internet search history, use of removable media, and use of cloud-oriented storage. Further, an external expert such as E&Y has access to a broader range of forensic capture and analysis tools. E&Y's advanced solution centres offer a large quantum of processing power, which allows advanced and sophisticated searches to be carried out immediately and precisely. E&Y has developed a forensic tool named "Triage", which can quickly recognise suspicious activity for instant evaluation. This tool helps E&Y evaluate not only the suspect's computer at his workplace but also other computers which collected the suspicious data source, or that have been replicating and forwarding files with an analogous data profile.

Forensic Response Plan for materials requirements

In a forensic fact-finding response tactic for a suspected security violation such as an intrusion or hacking case, the investigating team has to verify the log files as a first step.
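The log-verification first step can be made concrete. The following is an added example, not code from the essay or from any vendor or tool it names (E&Y, EnCase, HBGary Responder, Ninja): it parses a constructed, sequence-numbered log export, flags non-contiguous sequence numbers, silent periods longer than an hour, and explicit "log cleared" events (the traces that a log-deleting attacker tends to leave even when the entries themselves are gone), and it hashes an acquired disk image against its source bytes so the imaging step can be verified before analysis begins. The log line format, the contents of SAMPLE_LOG, and the one-hour silence threshold are assumptions made for this example.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample log (not taken from the essay): a sequence-numbered,
# syslog-style export as an investigator might pull from a compromised host.
SAMPLE_LOG = """\
seq=1001 2015-03-10T09:00:01 sshd: Accepted password for alice from 10.0.0.5
seq=1002 2015-03-10T09:00:07 sudo: alice : COMMAND=/bin/ls
seq=1003 2015-03-10T09:00:15 sshd: Accepted password for alice from 10.0.0.5
seq=1007 2015-03-10T11:42:03 sshd: Failed password for root from 198.51.100.23
seq=1008 2015-03-10T11:42:09 auditd: log cleared by user root
seq=1009 2015-03-10T11:42:12 sshd: Accepted password for root from 198.51.100.23
"""

# Assumed line layout: "seq=<n> <ISO timestamp> <message>".
LINE_RE = re.compile(r"^seq=(\d+) (\S+) (.*)$")
# Phrases that, in this constructed format, record the log being cleared.
CLEAR_RE = re.compile(r"log cleared", re.IGNORECASE)


def parse_log(text):
    """Parse lines into dicts; malformed lines are kept as 'unparsed' rather than dropped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:
            entries.append({"seq": None, "ts": None, "msg": raw, "unparsed": True})
            continue
        entries.append({
            "seq": int(m.group(1)),
            "ts": datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S"),
            "msg": m.group(3),
            "unparsed": False,
        })
    return entries


def find_sequence_gaps(entries):
    """Return (last_seen, next_seen) pairs where sequence numbers are not contiguous."""
    seqs = [e["seq"] for e in entries if not e["unparsed"]]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def find_time_gaps(entries, max_gap=timedelta(hours=1)):
    """Return (seq_before, seq_after) for silent periods longer than max_gap."""
    parsed = [e for e in entries if not e["unparsed"]]
    return [(a["seq"], b["seq"]) for a, b in zip(parsed, parsed[1:])
            if b["ts"] - a["ts"] > max_gap]


def find_clear_events(entries):
    """Return sequence numbers of entries that record the log being cleared."""
    return [e["seq"] for e in entries
            if not e["unparsed"] and CLEAR_RE.search(e["msg"])]


def verify_image(source_bytes, image_bytes):
    """Hash the source media and the acquired image and report whether they agree."""
    src = hashlib.sha256(source_bytes).hexdigest()
    img = hashlib.sha256(image_bytes).hexdigest()
    return {"source_sha256": src, "image_sha256": img, "match": src == img}


def triage(text):
    """Summarise log-integrity findings for the first step of the response plan."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "sequence_gaps": find_sequence_gaps(entries),
        "time_gaps": find_time_gaps(entries),
        "clear_events": find_clear_events(entries),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    media = b"constructed media bytes"
    print(verify_image(media, media)["match"])
```

Run stand-alone, the triage reports one sequence gap (1003 to 1007), one silent period of over two and a half hours at the same point, and one clearing event at sequence 1008; the sequence gap and the clearing event together are the kind of trace the essay attributes to an experienced attacker who deletes logs, and they tell the team where the missing entries would have to be recovered from other sources. The hash comparison is deliberately separate so it can be run on the image produced behind a write blocker before any analysis tool touches it.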
Further, the investigating team can also view the recent-items folders and the recycle bin, which include links to recently opened files on Windows. By using a software write blocker, a forensic investigator can examine the hacking attempt without altering the evidence. This is software that sits between the authentic device driver for the disk and the operating system; it stops automatic writes to the disk by intercepting all disk access requests that go through the standard operating system interface (Solomon & Rudolph, 2011, p.74). In place of write blockers, a specialized imaging device and dedicated investigation machines could be employed. EnCase is software that contains preprogrammed scripts that can be run against an evidence file to manage many elements of the investigation "automatically". HBGary Responder is a GUI memory-dump review tool that carries out runtime and live memory analysis, mainly employed to find, detect and respond to today's advanced threats to systems. This tool allows a responder to deconstruct and evaluate a memory dump without having to use the affected or potentially compromised system's API (Carvey, 2009, p.140). The Ninja Forensic imager is a top-quality, high-speed imager meant for hard disk drive backup. This software can copy at about 2.4 gigabytes per minute and has the potential to avoid HDD sectors impacted by hacking. Among the data recovery applications available on the market today, the Ninja has the best hard drive imagers (Gogolin, 2012, p21).

Forensic Response Plan: Planning & distribution

A well-known private bank from Europe engaged E&Y when it discovered the theft of sensitive information and data. The theft was exposed by a whistle-blower who produced a sample of the records that had been stolen. The data theft had been carried out by a technician who had confidential knowledge of the compromised systems.
As forensic investigator, E&Y tracked the data to various data storage facilities within the bank. E&Y was able to identify the emails of the staff concerned, identified the file containing passwords for system access, recovered evidence of data theft spanning the immediately preceding three years, and recovered the deleted programs that the alleged staff member had employed to download the information (EY.com 2014).

Forensic Response Plan: Finance

The ERP system of a business is regarded as its most vital tool, as it warehouses the most sensitive business data; this is evidenced by the CISO of a Fortune 1000 company, who stated that if their ERP system is hacked, the company stands to lose $22,000,000 per minute. More than 95% of ERP systems are vulnerable to cyber-attacks; cyber-attackers have taken whole control of a business by hacking the ERP software, and almost all the ERP modules that had been attacked had been in the public domain for more than five years. Hackers will always target the ERP system of a business, as it warehouses key data such as manufacturing formulas, data on employees, employees' credit cards, the company's financial data and online banking account details. The ERP modules of a business handle important functions such as purchasing, manufacturing, supply chain management, finance, accounting, payroll and sales, and many ERP systems are directly connected to the Internet through mobile, cloud deployments, web applications, etc. In 95% of cases the fundamental Security Log has not been enabled, which makes it easy for hackers to penetrate the ERP system of an organization. Further, even if the standard Security Audit features are enabled, attacks made on the technical layer may not be easily detected. Many organisations have high-profile security for their ERP module through Segregation of Duties (SoD) and other controls.

Many businesses were of the view that they had solved the issue by instituting a dedicated ERP security team implementing SoD controls, but despite this initiative there are still cyber-attacks on the ERP modules of organizations (Nunez 2014). Thus, the ERP security team should incorporate secure configuration and security patch management for their ERP modules.

Forensic Response Plan: Intellectual property

To prevent the theft of data relating to intellectual property immediately after an acquisition, it is essential to ensure that all code and designs of the acquired company are deleted from its computers. The issue that the acquiring company may face is that it must selectively delete data that is stored widely across its IT landscape, and in an unstructured manner. To avoid a future attack on a company's intellectual property data, it is necessary to develop a forensic technique and to avoid technical flaws in the deletion software employed by the IT department. In one case, E&Y found that the IT department had failed to delete data from more than 500 computers, despite claiming to adhere to the standards set by the US Department of Defense. E&Y structured a forensic model to look for documents pertaining to proprietary design, program binaries, source code and testing documentation across more than 100 computers.

Forensic Response Plan for all four major systems above

As a security advisor, one should monitor all the systems owned by the business for any security lapses, and should act as a mediator both in receiving security-lapse incident reports and in reporting the incident to the proper organization. He should document the entire episode of hacking and should list the security incidents. He should also educate employees about security awareness within the organization to stop the occurrence of such incidents in the near future.
Through penetration testing and vulnerability evaluation, the organization's support systems are maintained securely, mainly through periodic network auditing. He should have the zeal to learn about new attacks and the vulnerabilities used by attackers, and should research new software patches. He should also constantly evaluate and build new technologies for avoiding security risks and vulnerabilities, and should work on a continuous basis to update the present procedures and systems (Ellis & Speed, 2014).

References

Carvey, H. (2009). Windows Forensic Analysis DVD Toolkit. USA: Syngress.
Dacer, M. C., Kargl, F., König, H., & Valdes, A. (2014). Network attack detection and defence: securing industrial control systems for critical infrastructures (Dagstuhl Seminar 14292). Dagstuhl Reports, 4(7), 62-79.
Ellis, J., & Speed, T. (2014). The Internet Security Guidebook: From Planning to Deployment. New York: Academic Press.
EY.com. (2014). Investigating about a breach: IT Forensic Services. Accessed 13 March 2015.
Filippoupolitis, A., Loukas, G., & Kapetanakis, S. (2014). Towards real-time profiling of human attackers and bot detection. Proceedings of CFET.
Gogolin, G. (2012). Digital Forensics Explained. USA: CRC Press.
Nunez, M. (2014). Too critical to fail: Cyber-Attacks on ERP. Accessed 13 March 2014.
Solomon, M. G., & Rudolph, K. (2011). Computer Forensics Jumpstart. New York: John Wiley & Sons.
Forensically investigating a security breach while balancing the need Research Paper - 1. Retrieved from https://studentshare.org/information-technology/1682802-forensically-investigating-a-security-breach-while-balancing-the-need-for-business-continuity-and-rapid-return-to-normalcy-within-the-organization