Why Have A Digital Investigative Infrastructure
- 1. “Why have a Digital Investigative Infrastructure”
Kevin Wharram CISSP, CISM, CEH
Technical Manager – Guidance Software Inc. – The Maker of EnCase
© 2008 Guidance Software, Inc. All Rights Reserved.
- 3. Agenda
Industry Headlines
Cause and Cost of data breaches
Identify some methods of how data is taken
Identify Challenges in protecting data
What to do after you have had a data breach
Case Study
EnCase Enterprise
- 4. Industry Headlines
T.J. Maxx Breach Costs Hit $17 Million
BOSTON - Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX’s customer information in a security breach that the discount retailer disclosed more than two months ago.
Thieves set up data supermarkets
Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price. Credit card details are cheap, however, the log files of big companies can go for up to $300.
Old hard drives still full of sensitive data
Hard drives full of confidential data are still turning up on the second-hand market, researchers have reported.
- 5. Cause of Data Breaches
[Chart: causes of data breaches] Source: The Ponemon Institute (PGP Survey)
- 6. Cost of Data Breaches
Key Statistics
Data breaches cost US companies an average of $197 for every record lost
The size of the losses examined ranged from $225,000 to almost $35 million
Source: The Ponemon Institute
- 7. What types of Data are at Risk?
Intellectual Property: Design Documents; Source Code; Trade secrets
Customer Data: Personal Data; Credit card numbers; Customer financial data
Corporate Data: Financial data; Mergers & Acquisition info; HR data i.e. employee data; Marketing and Sales data
Government Data: Economic data i.e. Dobanda – “what is it worth?”; Intelligence information; Law Enforcement Information
- 8. What leads to a Data Breach
Lack of senior management understanding and recognition of a problem
Criminal / Malicious Intent
Lack of internal processes and controls
Weak internal controls (role and access right changes)
Vulnerability Management / Patching practices
Organisation Culture (“they owe me” attitude)
Incidental opportunities
- 9. How is Data Taken?
Portable storage devices – USB, Cameras, PDAs etc
iPods and MP3 players – “PodSlurping”
Email – personal webmail i.e. Yahoo, Google, etc
Taking out or sending DVDs / CDs
Spear Phishing – targeting specific companies for information; then using that information to steal data
Exploiting corporate systems, networks and laptops through system and software vulnerabilities
Using telephone conference PIN numbers
- 10. Challenges facing Companies
Confusing Regulatory environment – EU Data Protection Directive 95/46/EC, Internet Banking Code MCTI, International Banking Regulation, SOX, PCI compliance, etc
Ensuring sensitive data is not located in unauthorised areas of the network
Not being able to remediate instances of confidential information residing where it shouldn't be
Not being able to remediate instances of unauthorised applications, software and files on systems
Not having a procedural and technical infrastructure in place to respond to security breaches
- 11. My Data is gone! – “what do I do?”
- 12. Incident Response
Don’t panic
Follow your incident response plan and procedures
Investigate completely using a forensically sound investigation platform
Disclose information only on a need to know basis
Clean up & Remediate
- 13. Inadequate Incident Response
[Graphic: OPERATING SYSTEM over HARD DISK & MEMORY, labelled “RISK!”]
You can’t FIX or STOP what you can’t FIND … quickly
- 14. Case Study
Global 100 Technology Firm – EnCase Data Audit & Policy Enforcement
Situation:
Global 100 computer entertainment company suspected IP leakage across the network
Need to search global network spanning 91 countries
Goal was to identify source, all instances of leaked IP, identify the trail to external sites, preserve evidence, and remediate
Process required significant stealth so as to not alert employees
Solution:
EnCase Data Audit & Policy Enforcement implemented in 24 hours at a central site
EnCase identified the suspect had access to numerous other workstations & servers across the network
Audit performed overnight on all endpoints, including a 4 terabyte server, to find files
Results:
Targeted audit of over 50 devices in one day including laptops, desktops, servers, email accounts, USBs and internet histories
Zero disruption to the business
Entire investigation took 2 weeks from start to finish with significant cost savings vs. outsource options
EnCase Data Audit deployed as part of a standard IP & HR audit process company-wide
“The non-disruptive element of EnCase minimized the financial, commercial and operational impact of the leaked IP and accelerated the successful resolution of this incident.”
CEO & President - European Operations, Global 100 Technology Firm
- 15. EnCase Enterprise
EnCase Enterprise is a powerful, network-enabled, multi-platform enterprise investigation solution. EnCase enables immediate response to computer-related incidents of any kind and provides a thorough forensics platform and framework allowing organisations to immediately respond to enterprise information incidents and threats.
- 16. Benefits of EnCase Enterprise
Contain and reduce corporate fraud
Conduct network-enabled forensic investigations for anything, anywhere, anytime
Perform complete compromise assessments after a security intrusion
Reduce business disruption and losses due to security breaches
Respond to more security incidents with less manpower
Conduct network-enabled HR investigations
- 17. The “Data Iceberg”
Above the waterline: Data found by common tools (such as Windows Explorer)
Below the waterline: Additional data uncovered by EnCase Enterprise
Purposely deleted files
Renamed to disguise content
Concealed files
Misplaced / Difficult to locate files
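The “renamed to disguise content” layer of the iceberg is found in practice by file-signature analysis: comparing the leading bytes of each file against the type its extension claims. The script below is an added example, not code from the deck or from EnCase; its signature table is a small assumed subset (real tools carry thousands of entries), and the sample tree it scans is constructed in a temporary directory. It generalises the slide’s point to a recursive scan that reports both a claimed type the bytes contradict and a recognised type hiding behind an innocuous extension.

```python
"""Added example (not from the deck or from EnCase): file-signature analysis,
the forensic technique that surfaces files "renamed to disguise content"
which Windows Explorer would list under an innocent name.
The signature table is an assumed subset; the sample files are constructed."""
import os
import tempfile

# Extension -> accepted leading byte sequences ("magic numbers").
# Assumed subset for illustration only.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],
    "exe": [b"MZ"],
}
HEADER_LEN = 16  # longest signature above is 8 bytes; read a little extra


def identify(header: bytes):
    """Return the first extension whose signature matches the header, else None."""
    for ext, sigs in SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return ext
    return None


def check_file(path: str):
    """Return (declared_ext, detected_type, mismatch) for one file.

    mismatch is True when the extension claims a known type but the bytes do
    not match it, or when the extension is unknown to the table yet the bytes
    are a recognised type (e.g. an executable saved as .txt)."""
    declared = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    detected = identify(header)
    if declared in SIGNATURES:
        matches_claim = any(header.startswith(s) for s in SIGNATURES[declared])
        return declared, detected, not matches_claim
    return declared, detected, detected is not None


def scan_tree(root: str):
    """Walk root recursively; return sorted (filename, declared, detected) for mismatches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            declared, detected, mismatch = check_file(os.path.join(dirpath, name))
            if mismatch:
                hits.append((name, declared, detected))
    return sorted(hits)


def build_sample_dir():
    """Create a constructed sample tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="iceberg_")
    os.makedirs(os.path.join(root, "archive"))
    samples = {  # constructed contents, not real files
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",               # genuine JPEG header
        "notes.txt": b"quarterly numbers attached\n",                   # plain text, no claim
        "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",                    # PE executable renamed .pdf
        os.path.join("archive", "holiday.jpg"): b"PK\x03\x04\x14\x00",  # ZIP renamed .jpg
        os.path.join("archive", "readme.txt"): b"%PDF-1.4\n%\xe2\xe3",  # PDF renamed .txt
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for name, declared, detected in scan_tree(build_sample_dir()):
        print(f"{name}: extension .{declared} but content looks like {detected or 'unknown'}")
```

Run against the constructed tree it reports three files; `photo.jpg` and `notes.txt` pass because the bytes agree with the extension (or the extension makes no claim the table can test). Only the first 16 bytes are read, so the scan stays cheap even on the multi-terabyte servers the case study mentions.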
- 18. Examples of where EnCase helps
Threat / challenge: Examples
Leavers: Possible unfair dismissal claims; Corporate espionage – taking out confidential data
Employee Integrity: Harassing co-workers; Pornography (civil action can be brought by an employee affected by porn)
HR Policy Breaches: E-mail misconduct; Internet misconduct; PC / Desktop misuse (Personal Software)
Audits: Software audits; SOX audits
Regulatory Compliance: EU Data Directive 95 / 46
Fraud: Investigating various forms of fraud
IP Theft: Investigating IP theft within your organisation
Legal Cases: Helping legal with various requests for legal cases
Malware & Rootkits: Investigating and finding various forms of Malware and Rootkits
Unauthorised software: Finding and detecting unauthorised software i.e. MP3, Video etc
Investigating Incidents: Helping the security team to investigate incidents
- 19. EnCase Customers