DIGITAL FORENSICS CS4398

GUEST LECTUREJan Kallberg, PhD11/28/2011

• A perspective on security• Systems and today’s challenges• Digital forensics’ role in security• Humans as security risks• New risks: reputation, business risks,

regulatory risks

Topics

2

A perspective on security

•Ensure implementation of decisions•Accountability•Functionality •Institutional control•Maintain trust, authority, and confidence•In government - legitimacy

3

The Ladder of Abstraction

4

Four Steps

TheoryMethodologyToolsImplementation

5

SECURITY CHARACTERISTICSINTANGIBLENOTIONPERCEPTION

6

HOW DO YOU MEASURE SECURITY?

7

GENERAL MISTAKES IN IT-SECURITY

8

CITY WALL

9

Weakness:1.Once given access there are no effective control of actual activity. 2.All of the security processing occur at the point of entrance.

CAPTURE ALL (STASI)

10

Weakness:1.Too much data is captured that no one has enough resources/time to analyze.

2.Security management is overwhelmed by indicators and suffer information overflow.

Example: Pilots in an emergency

11

REFUSAL TO IDENTIFY CRITICAL ASSETS

Weakness:1.All information assets are protected equally leading to what really matters does not get relevant attention.

2.Under time pressure and with the risk that the crime is still perpetrated it is essential to understand what is important to protect and respond to.

Remedy: Business Impact Analysis (BIA).

Systems and today’s challenges

12

ISO 27000

13

The Basic Model

14

The Challenges to ISMS 1(2)• Where does the system begin and end?• Shared resources – responsibility?• Identify resources – cloud, servers, back

locations, devices?• Flat organizations / independent work groups• Remote work – working from home

15

The Challenges to ISMS 2(2)• People • Big plans, mediocre implementation, entropy

over time (Bob retired…)• Stamina in upholding IT-sec policies (Hospital)• Unsafe behavior among executives and mgmt

(laptop DEA)

16

Digital forensics role in IT-security

•Accountability•Regulatory compliance•Audit trail•Monitoring•Policy enforcement•Deterrent

17

Regulatory and Policy Enforcement

• SEC (Securities and Exchange Commission)• SOX audit trail• Internal and external audits• Federal and state law compliance• Agency, corporate or university policies

18

Routine Security Check•Captures all staff/mgmt•You don’t need an excuse to do it•Don’t trigger any concerns•Intermittent pattern

19

Deterrence

• Perpetrators are more focused on the risk of being caught than the repercussions

• Insider information theft are premeditated (Example: sales manager leaving company steals a copy of the customer data base)

• Deterrence only works towards rational actors

• Visible forensic and monitoring abilities deters

• Forensic ability or monitoring structure can not be shared in detail – risk of anti-forensics

20

21

Digital Forensics as a Part of Risk Analysis

Monitoring – Forensics – Incident Reports (feedback loop)

Adaptive “healing” systems

22

Presenting Complex Technical Evidence

23

Humans as risks

•Greed•Jealousy•Vanity•Revanchist•Ideological risks•Addiction (all flavors)

24

Humans vs.

Machines

25

A person works approx 2,000 hrs / year – Google report equals ≈144 years

SECURITY – WORK FLOW

26

Security rules, processes, and policies that are obstacles to work flow tend to be trespassed or ignored.

Office culture prevails.

Collegial bonds are strong

•Don’t disclose to mgmt that something is not right•Often signs are clearly visible•Protecting each other•A + B + C = the complete story

27

• Reputational risks / leaks• Enterprise cloud computing • Facebook• Social media• Google Docs • Unauthorized information

sharing 28

Other considerations

• A perspective on security• Systems and today’s challenges• Digital forensics role in security• Humans as security risks• New risks: reputation, online

clout, business risks, regulatory risks

Topics

29

Discussion

How would you handle the following?

30

1. HOW DO YOU MOTIVATE A BUSINESS LEADER THAT THEIR COMPANY NEEDS IN-HOUSE DIGITAL FORENSIC ABILITY?

31

2. HOW CAN WE LIMIT THE DAMAGE OF CHARACTER FAILURE (UNAUTHORIZED ACTIONS) IN AN ORGANIZATION?

32

3. HOW CAN A SECURITY AWARENESS CAMPAIGN IN A COMPANY PRESENT FORENSICS AS AN INDIVIDUAL DETERRENT?

33

4. TAKING IN ACCOUNT THE ADVANCES IN FORENSICS AND MONITORING. DO YOU THINK IT-SECURITY IS BECOMING EASIER OR HARDER TO EXECUTE?

34

QUESTIONS?

THANK YOU!

JKALLBERG@UTDALLAS.EDU

35