Date posted: 02-Nov-2014 (uploaded by kevin-wharram)
© 2008 Guidance Software, Inc. All Rights Reserved.
“Why have a Digital Investigative Infrastructure”
Kevin Wharram CISSP, CISM, CEH
Technical Manager – Guidance Software Inc. – The Maker of EnCase
Agenda
• Industry headlines
• Cause and cost of data breaches
• Identify some methods by which data is taken
• Identify challenges in protecting data
• What to do after you have had a data breach
• Case study
• EnCase Enterprise
Industry Headlines

Old hard drives still full of sensitive data
Hard drives full of confidential data are still turning up on the second-hand market, researchers have reported.

T.J. Maxx Breach Costs Hit $17 Million
BOSTON - Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX's customer information in a security breach that the discount retailer disclosed more than two months ago.

Thieves set up data supermarkets
Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price. Credit card details are cheap; however, the log files of big companies can go for up to $300.
Cause of Data Breaches
[Chart of breach causes; source: The Ponemon Institute (PGP survey)]
Cost of Data Breaches
Key statistics
• Data breaches cost US companies an average of $197 for every record lost
• The size of the losses examined ranged from $225,000 to almost $35 million
Source: The Ponemon Institute
What Types of Data are at Risk?

Intellectual Property
• Design documents
• Source code
• Trade secrets

Corporate Data
• Financial data
• Mergers & acquisition information
• HR data, e.g. employee data
• Marketing and sales data

Customer Data
• Personal data
• Credit card numbers
• Customer financial data

Government Data
• Economic data, e.g. the interest rate ("dobanda"): "what is it worth?"
• Intelligence information
• Law enforcement information
What Leads to a Data Breach
• Lack of senior management understanding and recognition of the problem
• Criminal / malicious intent
• Lack of internal processes and controls
• Weak internal controls (role and access right changes)
• Vulnerability management / patching practices
• Organisational culture ("they owe me" attitude)
• Incidental opportunities
How is Data Taken?
• Portable storage devices: USB drives, cameras, PDAs, etc.
• iPods and MP3 players ("pod slurping")
• Email, including personal webmail such as Yahoo and Google
• Taking out or sending DVDs / CDs
• Spear phishing: targeting specific companies for information, then using that information to steal data
• Exploiting corporate systems, networks and laptops through system and software vulnerabilities
• Using telephone conference PIN numbers
Challenges Facing Companies
• Confusing regulatory environment: EU Data Protection Directive 95/46/EC, the MCTI Internet Banking Code, international banking regulation, SOX, PCI compliance, etc.
• Ensuring sensitive data is not located in unauthorised areas of the network
• Not being able to remediate instances of confidential information residing where it shouldn't be
• Not being able to remediate instances of unauthorised applications, software and files on systems
• Not having a procedural and technical infrastructure in place to respond to security breaches
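Two of the challenges above, finding sensitive data in places policy says it must not be and then being able to act on it, are what a data-audit sweep does in practice. The following Python is an added example written for this page, not EnCase or Guidance Software code: it scans constructed file contents for Luhn-valid payment card numbers and reports only those found outside an assumed approved location (the policy path /srv/payments and the sample files are hypothetical). A real sweep would read from disk or disk images; the inline contents are constructed for illustration.

```python
"""Data-audit sweep: report payment card numbers (PANs) found in files
outside an approved location.  Added example for this page, not EnCase
code; the policy path and sample files below are constructed."""
import re
from pathlib import PurePosixPath
from typing import Dict, List

# 13-19 digit runs, optionally grouped with spaces or dashes, and not
# embedded in a longer digit run (the look-around assertions).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed policy: card data may live only under this tree.
APPROVED = (PurePosixPath("/srv/payments"),)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops most random digit runs such as ticket numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid candidates from text, normalised to bare digits."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """files maps path -> content.  Returns path -> PANs for every file that
    holds card data outside APPROVED; files in approved locations are skipped."""
    findings: Dict[str, List[str]] = {}
    for path, content in files.items():
        p = PurePosixPath(path)
        if any(p == a or a in p.parents for a in APPROVED):
            continue
        pans = find_pans(content)
        if pans:
            findings[path] = pans
    return findings


# Constructed sample "files" (path -> content); not real data.
SAMPLE_FILES = {
    "/srv/payments/batch.csv": "cust,pan\nA,4111111111111111\n",            # approved location: ignored
    "/home/alice/Desktop/notes.txt": "call re refund 5500 0000 0000 0004",  # PAN where it should not be
    "/home/bob/ticket.txt": "ticket 1234567890123456 ref 4111-1111-1111-1112",  # fail Luhn: ignored
    "/shares/marketing/plan.txt": "Q3 campaign budget 120000",              # too short to be a PAN
}

if __name__ == "__main__":
    for path, pans in audit(SAMPLE_FILES).items():
        print(f"{path}: {len(pans)} card number(s), e.g. {pans[0][:6]}******{pans[0][-4:]}")
```

The Luhn filter is what keeps a sweep like this usable: without it every 16-digit order or ticket number is a false positive, and the remediation queue fills with noise. Output masks all but the first six and last four digits so the audit report itself does not become another copy of the card data.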
My Data is Gone! "What do I do?"
Incident Response
• Don't panic
• Follow your incident response plan and procedures
• Investigate completely using a forensically sound investigation platform
• Disclose information only on a need-to-know basis
• Clean up and remediate
Inadequate Incident Response
[Figure: "You can't FIX or STOP what you can't FIND... quickly"; risk shown across the operating system, hard disk and memory layers]
Case Study
Global 100 Technology Firm: EnCase Data Audit & Policy Enforcement

Situation
• Global 100 computer entertainment company suspected IP leakage across the network
• Needed to search a global network spanning 91 countries
• Goal was to identify the source, all instances of leaked IP and the trail to external sites, preserve evidence, and remediate
• Process required significant stealth so as not to alert employees

Solution
• EnCase Data Audit & Policy Enforcement implemented in 24 hours at a central site
• EnCase identified that the suspect had access to numerous other workstations and servers across the network
• Audit performed overnight on all endpoints, including a 4 terabyte server, to find files
• Targeted audit of over 50 devices in one day, including laptops, desktops, servers, email accounts, USB devices and internet histories

Results
• Zero disruption to the business
• Entire investigation took 2 weeks from start to finish, with significant cost savings vs. outsourced options
• EnCase Data Audit deployed as part of a standard IP & HR audit process company-wide

"The non-disruptive element of EnCase minimized the financial, commercial and operational impact of the leaked IP and accelerated the successful resolution of this incident."
CEO & President, European Operations, Global 100 Technology Firm
EnCase Enterprise
EnCase Enterprise is a powerful, network-enabled, multi-platform enterprise investigation solution.
It enables immediate response to computer-related incidents of any kind and provides a thorough forensics platform and framework that allows organisations to respond immediately to enterprise information incidents and threats.
Benefits of EnCase Enterprise
• Contain and reduce corporate fraud
• Conduct network-enabled forensic investigations for anything, anywhere, anytime
• Perform a complete compromise assessment after a security intrusion
• Reduce business disruption and losses due to security breaches
• Respond to more security incidents with less manpower
• Conduct network-enabled HR investigations
The "Data Iceberg"
Above the waterline: data found by common tools (such as Windows Explorer).
Below the waterline: additional data uncovered by EnCase Enterprise
• Purposely deleted files
• Files renamed to disguise their content
• Concealed files
• Misplaced / difficult-to-locate files
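Of the categories below the waterline, files renamed to disguise their content are the ones a file-signature (magic number) check catches: the extension says one thing, the leading bytes say another. The Python below is an added example for this page, not EnCase code; its signature table covers only a handful of common formats, and the sample file bytes are constructed headers rather than real files.

```python
"""File-signature analysis: flag files whose extension disagrees with the
magic bytes at the start of their content.  Added example for this page,
not EnCase code; signature table is partial and sample bytes are constructed."""
from pathlib import PurePosixPath
from typing import Dict, Optional

# (leading bytes, detected type, extensions that legitimately carry it)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png",  {"png"}),
    (b"\xff\xd8\xff",      "jpeg", {"jpg", "jpeg"}),
    (b"PK\x03\x04",        "zip",  {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"%PDF-",             "pdf",  {"pdf"}),
    (b"MZ",                "pe",   {"exe", "dll", "sys", "scr"}),
]


def identify(data: bytes) -> Optional[str]:
    """Detected type from the leading bytes, or None if no signature matches."""
    for magic, kind, _ in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def signature_mismatch(path: str, data: bytes) -> Optional[str]:
    """Return the detected type when it conflicts with the file extension,
    else None.  Unknown content is not flagged: with no signature there is
    nothing to compare against (a limitation, not a clean bill of health)."""
    kind = identify(data)
    if kind is None:
        return None
    ext = PurePosixPath(path).suffix.lstrip(".").lower()
    allowed = next(exts for _, k, exts in SIGNATURES if k == kind)
    return None if ext in allowed else kind


def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """files maps path -> leading bytes.  Returns path -> detected type for
    every file whose name disguises what it holds."""
    out = {}
    for path, head in files.items():
        kind = signature_mismatch(path, head)
        if kind:
            out[path] = kind
    return out


# Constructed headers standing in for real files.
SAMPLE_FILES = {
    "/home/bob/music/track01.mp3": b"PK\x03\x04" + bytes(26),         # zip archive renamed to .mp3
    "/home/bob/photos/holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",    # Windows executable as a photo
    "/home/bob/docs/report.docx":   b"PK\x03\x04" + bytes(26),        # docx is a zip: legitimate
    "/home/bob/docs/readme.txt":    b"plain text, no signature",      # unknown: not flagged
    "/home/bob/photos/cat.png":     b"\x89PNG\r\n\x1a\n" + bytes(8),  # matches its extension
}

if __name__ == "__main__":
    for path, kind in scan(SAMPLE_FILES).items():
        print(f"{path}: content is {kind}, extension says otherwise")
```

The check reads only the first few bytes of each file, so it scales to a network-wide sweep; the price is that formats without a fixed header (plain text, many proprietary formats) go unexamined, which is why a tool like this is a triage filter ahead of an examiner, not a substitute for one.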
Examples of where EnCase Helps

Threat / challenge: Examples
• Leavers: possible unfair dismissal claims; corporate espionage (taking out confidential data)
• Employee integrity: harassing co-workers; pornography (civil action can be brought by an employee affected by porn)
• HR policy breaches: email misconduct; internet misconduct; PC / desktop misuse (personal software)
• Audits: software audits; SOX audits
• Regulatory compliance: EU Data Directive 95/46
• Fraud: investigating various forms of fraud
• IP theft: investigating IP theft within your organisation
• Legal cases: helping legal with various requests for legal cases
• Malware & rootkits: investigating and finding various forms of malware and rootkits
• Unauthorised software: finding and detecting unauthorised software, e.g. MP3, video, etc.
• Investigating incidents: helping the security team to investigate incidents
EnCase Customers