Emerging Technologies Committee - 6/17/02

Page 1

EMERGING TECHNOLOGIES COMMITTEE
JUNE 17, 2002

Frank DeCandido, CPA, Vice President, Prudential Financial

Thomas Doughty, First Vice President, Manager – Information Security, Prudential Financial

Page 2

Table of Contents

Content Page #

• Evolution of Fraud 3-5

• 2002 FBI/Computer Security Institute Annual Survey 6-8

• Incident Response 9-42

• Congressional Statutes 43-45

• What’s Next 46

• Computer Crime Organizations 47

• Other Websites 48

• Website of the Month for June 2002 49

• Presenters 50

• Bibliography 51-52

Page 3

Evolution of Fraud

• CPE Classes used to concentrate on Corporate Fraud

• Check Kiting

• Check Fraud

• Credit Card Fraud

• Advice: do not write checks with a felt pen

Page 4

Evolution of Fraud

• Over the years Computer Fraud became more prevalent

• Hackers

• Viruses

• Firewalls

Page 5

Evolution of Fraud

• The evolution of the Internet has opened the floodgates for access to personal and business information.

Page 6

2002 FBI/Computer Security Institute Annual Survey [7]

• The Computer Security Institute (CSI), http://www.gocsi.com/, is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional.

– Started Survey in 1995

– On April 7, 2002 issued the results of its Seventh Annual “Computer Crime and Security Survey”

– Heaviest concentration in High Tech (19%) and Financial Services (19%)

Page 7

2002 FBI/Computer Security Institute Annual Survey [7]

• Results:

– 90% of respondents detected computer security breaches within the last 12 months;

– 80% acknowledged financial losses due to computer breaches;

– 44% were willing and/or able to quantify their losses ($445 million);

– Most serious financial losses occurred through the theft of proprietary information and financial fraud;

– For the 5th year in a row, more respondents cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack;

– 34% reported the intrusions to law enforcement (1996: 16%);

– 44% – systems penetration from the outside;

– 44% – denial of service attacks;

– 78% – employee abuse of Internet access privileges (downloading);

– 85% – detected computer viruses

Page 8

2002 FBI/Computer Security Institute Annual Survey [7]

If your Organization Has Experienced Computer Intrusion(s) Within the Last Twelve Months, Which of the Following Actions Did You Take:

77% Patched Holes

40% Did Not Report

34% Reported to Law Enforcement

19% Reported to Legal Counsel

Page 9

Incident Response

• Methodologies [1]:

– Definition of Computer Forensics

– **Pre-Incident Preparation

– Detection

– Initial Response

– **Strategies (Tom Doughty to Discuss)

– **Forensic Process

– Investigation

– Security Measure Implementation

– Network Monitoring

– Recovery

– Reporting

– Follow-up

Page 10

Computer Forensics

• fo·ren·sics [6] n. (used with a sing. verb) 1. The art or study of formal debate; argumentation. 2. The use of science and technology to investigate and establish facts in criminal or civil courts of law.

_____________________________________________________________________

Computer Forensic Service deals with preservation, identification, extraction and documentation of computer-related evidence on computer storage media. [5]

Process of unearthing data of probative value from computer and information systems. [1]

Computer Forensics is the collection, preservation, analysis and court presentation of computer-related evidence. [12]

Page 11

Incident Response

• Pre-Incident Preparation [1] – Why is it important? – Common Themes

– Preparation for a computer-related incident will:

• help create an infrastructure that provides quick resolution after an incident occurs (computer data is easily altered or erased);

• help in the preservation of the evidence;

• provide the thorough, complete documentation needed to verify the integrity of files;

• help provide the technical and procedural measures that need to be in place so that some basic but vital questions can be answered quickly to expedite the collection of evidence;

• preserve the chain of custody;

• prevent poor performance;

– University studies have found that more than 90% of all information is now created in digital form (University of Berkeley – 93%)

Page 12

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Establish Computer Incident Response Team:

• Point of Contact?

– During business hours, after business hours, holidays and weekends

– 24/7 Availability

• Establish Team’s Mission

• Members of the Team:

– Systems

– Human Resources

– Corporate Security

– Legal (Internal)

– Accounting (Financial Fraud)

– Outside Consultants (Incident by Incident)

– Law Enforcement (Incident by Incident)

– Senior Management (Incident by Incident)

Page 13

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Preparation steps to take to verify integrity of files:

• Response Tool Kit:

– Hardware (see page 14)

– Software (Safeback, EnCase, or other Forensic software packages) (see page 15)

– Network Monitoring Platform

• Create a “known-good” copy of the system on a regular basis. This allows the known-good files to be compared with the corrupted files.

• Cryptographic Checksums/Fingerprint

– Created by applying an algorithm to a file;

– Unique to that file;

– Create checksums for critical files BEFORE an incident occurs and compare them to the files after the incident occurs

– Most commonly used is the MD5 algorithm (SAVE OFFLINE)
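As an added illustration of the checksum baseline described above (example code, not material from the presentation or from any tool it names), the following Python script records digests for a set of critical files before an incident, saves the baseline as JSON so it can be kept offline, and later classifies every baselined file as unchanged, modified or missing. The slide names MD5; the script records MD5 alongside SHA-256 because MD5 collisions can be constructed deliberately, so a match on MD5 alone is no longer a sound integrity check. The file names and contents created by `demo()` are constructed for the illustration.

```python
# Added example, not code from the presentation: pre-incident checksum baseline
# for critical files and a post-incident comparison against it.
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List


def file_digests(path: str, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Hash one file in chunks so large binaries need not fit in memory.

    MD5 is recorded because the slide names it and older baselines use it;
    SHA-256 is recorded alongside because MD5 collisions can be manufactured,
    so a match on MD5 alone is not sufficient evidence that a file is unchanged.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def build_baseline(paths: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Digest every critical file; run this BEFORE an incident."""
    return {path: file_digests(path) for path in paths}


def save_baseline(baseline: Dict[str, Dict[str, str]], out_path: str) -> None:
    """Write the baseline as JSON; keep that copy offline (CD or write-protected media)."""
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Dict[str, str]]:
    with open(path) as fh:
        return json.load(fh)


def compare_to_baseline(baseline: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Recompute digests for every baselined file and classify it."""
    report: Dict[str, List[str]] = {"unchanged": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        actual = file_digests(path)
        # Either digest differing is enough to flag the file.
        if actual["sha256"] != expected["sha256"] or actual["md5"] != expected["md5"]:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo() -> Dict[str, object]:
    """Constructed demonstration: baseline four files, then alter one and delete one."""
    tmp = tempfile.mkdtemp(prefix="baseline-demo-")
    contents = {
        "empty": b"",
        "hosts": b"127.0.0.1 localhost\n",
        "passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "sshd_config": b"PermitRootLogin no\n",
    }
    paths: Dict[str, str] = {}
    for name, data in contents.items():
        paths[name] = os.path.join(tmp, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    baseline_file = os.path.join(tmp, "baseline.json")
    save_baseline(build_baseline(paths.values()), baseline_file)
    # Simulated post-incident state: one file altered, one removed.
    with open(paths["sshd_config"], "ab") as fh:
        fh.write(b"PermitRootLogin yes\n")
    os.remove(paths["hosts"])
    return {"paths": paths, "report": compare_to_baseline(load_baseline(baseline_file))}


if __name__ == "__main__":
    for category, files in demo()["report"].items():
        print(f"{category}: {files}")
```

The comparison is only as trustworthy as the stored baseline: if the JSON file sits on the same host as the files it describes, an intruder who alters a file can alter the baseline to match, which is why the slide says to save it offline.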

Page 14

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Hardware Needed:

• High-end Processor

• A minimum of 256MB of RAM

• Large-capacity IDE Drives

• Large-capacity SCSI drives

• SCSI card and controller

• A fast CD-RW drive

• 8mm Exabyte tape drive (20GB native, 40GB compressed), or a drive for DDS3 tapes (4mm) if you have less funding

• Portable Memory Devices

– Other Items:

• Extra power extenders for peripherals such as drives and any gear that goes in your forensic tower

• Extra power-extension cords

• Numerous SCSI cables and active terminators

• Parallel-to-SCSI adapters

• Plenty of Category 5 cabling and hubs

• Power Strips

• CDs, 100 or more

• Jaz or Zip media

• A digital camera

Page 15

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Software Needed:

• Two to three native operating systems on the machine, such as Windows 98, Windows NT, Windows 2000 and Linux, all bootable via LILO (the Linux operating system loader, which can load Linux and other operating systems)

• Safeback, EnCase, DiskPro, or another forensics software package, used to re-create exact images of computer media for forensic-processing purposes

• All the drivers for all of the hardware on your forensic machine

• Quickview Plus, HandyVue, or some other software that allows you to view all types of files.

• Disk-write blocking utilities

Page 16

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Preparation steps to take to verify integrity of files:

• Increase or Enable Secure Audit Logging – configuring log files can make them more complete and less likely to be corrupted.

– UNIX: Controlling Logging, Remote Logging and Process Accounting

– WINDOWS: Security Auditing, Auditing File and Directory Actions, Remote Logging

• Topology/Architecture Maps

– The arrangement in which the nodes of a LAN are connected to each other

• Enhance Host and Network Logging to make sure that backups are performed on a regular basis.

Page 17

Incident Response

• Pre-Incident Preparation [1] (con’t):

– What are the threats to your organization?

• Types of Damage: Loss of Business? Reputation?

• Concerned about loss of Intellectual Property?

• Destruction of Databases?

• Who poses a threat?

• Do you fear an outside intrusion?

Page 18

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Preparation steps to take to verify integrity of files:

• Others (Security):

– Firewalls/Intrusion Detection

» Ford Levy, CPA from Maxwell, Shmerler & Company will be presenting a session on Firewalls on Tuesday, July 9, 2002 @ 9am.

– Perform a Trap and Trace (check legal requirements)

– Monitoring at the User Level

– Violation Logs

– Improperly Configured Devices

– Exception Processes

– Monitor Internet Activity

– Monitor Employee Modems

Page 19

Incident Response

• Pre-Incident Preparation [1] (con’t):

– Preparation steps to take to verify integrity of files:

• Others (Security):

– Scanning Network;

– Back up critical data;

– Access Control Lists on Routers;

– Encrypt Network Traffic;

– Build up your hosts’ defenses – use the latest release and make sure that all patches, hot fixes and updates are installed;

– Educate Users

» No external software

Page 20

Incident Response

• Detection [1]:

– Alerts about suspicious activities should be made through Firewall/Intrusion Detection Systems (IDS)

– Alerts should be immediate;

– BlackICE at the individual level

Page 21

Incident Response

• Initial Response [1]:

– Use of Notification Checklist to list all pertinent details:

• Point of Contact

• Assemble Response Team

• Which hardware/software?

• What time/place?

• Nature?

• Record all pertinent facts (Platform, Ports/IP Address, etc)

– Immediate Actions to be taken from the standpoint of who is monitoring

– Network Mapping confirming an incident has or is occurring;

– Evaluation of incident (use of Cryptographic Checksums/Fingerprint);

– Type of Incident and Business Impact is determined.

Page 22

Incident Response

• Strategies [1]:

– Denial of Service: Reconfigure Routers;

– Virus Outbreak: Isolate machine as soon as possible;

– If a workstation in a development population is affected, segregate the network (turn off choke points);

– Awareness/Communication/Documentation of Policies;

– Factors:

• Critical Systems Affected?

• Sensitivity of the compromised information?

• Who are the perpetrators and what is their skill level?

• Is the incident known to the public?

• Dollar loss involved?

• Tolerance of user and system downtime?

Page 23

Incident Response

• Strategies [1] (Con’t):

– Host Based Intrusion Detection:

• Response Focused/Overhead Maintenance Intensive

– Perimeter Based Intrusion Detection

• Easier to administer

– Review Risk Assessment Policies.

Page 24

Incident Response

• Forensics Process [1]:

– Also known as Digital Evidence Analysis or Computer Media Analysis;

– Common Themes

• Preservation of Evidence is key;

• Thorough documentation;

• Look at the Judicial Process;

Common Mistakes in Handling Evidence

• Failure to Maintain Proper Documentation

• Failure to Control Access to Digital Evidence

• Failure to Report Incident on a timely basis

• No Incident Response Plan – Digital Evidence is altered, damaged, or hidden more easily than any other type of evidence

• Altering time and date stamps before recording them

• Writing over potential evidence by installing software on the evidence media

• Patching the system before investigators respond

• Avoid Live reviews: only if ongoing network based crime

Page 25

Incident Response

• Forensics Process [1] (Con’t):

– Maintain Chain of Custody of evidence

• Create evidence tags:

– Time and Date of the action

– Number assigned to the case

– Evidence Tag #

– Was consent required?

– Who the evidence belonged to?

– Description of the evidence

– Who received the evidence and signature?

– Track any transfers of evidence

» E.g. hard drives to CD-Rom
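The evidence tag fields and transfer tracking on this slide can be kept as a structured record. What follows is an added illustration in Python, not part of the presentation, in which every transfer entry carries the hash of the entry before it (the first entry carries the hash of the tag itself), so that an altered or deleted entry is detectable when the log is verified. The case number, tag number, names, serial placeholder and timestamps are constructed sample values.

```python
# Added example, not part of the presentation: an evidence tag plus a hash-chained
# custody log that records every transfer of the item.
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List, Optional


def _sha256_of(obj) -> str:
    """Canonical JSON, then SHA-256, so equal records always hash equally."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class EvidenceTag:
    """Fields from the slide; the values used in demo() are constructed sample data."""
    case_number: str
    tag_number: str
    collected_at: str          # time and date of the action (ISO 8601)
    consent_required: bool
    owner: str                 # who the evidence belonged to
    description: str
    received_by: str           # who received the evidence (signature stays on the paper form)
    image_sha256: Optional[str] = None  # hash of the forensic duplicate, if one was made


class CustodyLog:
    """Append-only list of custody entries. Each entry stores the hash of the one
    before it (the first stores the hash of the tag), so editing or removing any
    entry breaks every link after it and verify() returns False."""

    def __init__(self, tag: EvidenceTag):
        self.tag = tag
        self.entries: List[dict] = []
        self._append({"action": "collected", "timestamp": tag.collected_at,
                      "from": tag.owner, "to": tag.received_by, "note": ""})

    def _append(self, body: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else _sha256_of(asdict(self.tag))
        entry = dict(body, prev_hash=prev)
        entry["entry_hash"] = _sha256_of(entry)   # hash covers body and prev_hash
        self.entries.append(entry)

    def transfer(self, timestamp: str, from_person: str, to_person: str, note: str = "") -> None:
        """Record a hand-over, e.g. the original drive to the examiner, or the image to CD-ROM."""
        self._append({"action": "transfer", "timestamp": timestamp,
                      "from": from_person, "to": to_person, "note": note})

    def verify(self) -> bool:
        """Walk the chain from the tag forward, recomputing every hash."""
        prev = _sha256_of(asdict(self.tag))
        for entry in self.entries:
            if entry.get("prev_hash") != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if _sha256_of(body) != entry.get("entry_hash"):
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> CustodyLog:
    """Constructed case: one drive collected and handed over twice."""
    tag = EvidenceTag(case_number="CASE-2002-0001", tag_number="E-001",
                      collected_at="2002-06-17T09:15:00", consent_required=True,
                      owner="Finance workstation FIN-07 (constructed)",
                      description="40 GB IDE hard drive, serial PLACEHOLDER-SERIAL",
                      received_by="A. Examiner")
    log = CustodyLog(tag)
    log.transfer("2002-06-17T11:00:00", "A. Examiner", "B. Analyst", "drive to imaging lab")
    log.transfer("2002-06-18T08:30:00", "B. Analyst", "Evidence locker", "image burned to CD-ROM")
    return log


if __name__ == "__main__":
    log = demo()
    for entry in log.entries:
        print(entry["timestamp"], entry["action"], entry["from"], "->", entry["to"])
    print("chain verifies:", log.verify())
```

The chain only shows that the log was not edited after the fact by someone who lacked the chance to recompute every later hash; it does not replace the signed paper record. Copying the latest `entry_hash` onto that paper record each time custody changes hands ties the two together.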

Page 26

Incident Response

• Forensics Process [1] (Con’t):

– Maintain Chain of Custody of evidence

• Document Information about the Item(s):

– E.g. duplication of mail servers:

» Occupants of the office;

» Names of employees who have access to the office;

» Location of computer systems in the room;

» State of systems (powered on or not);

» People present in the room at the time of the forensic duplication;

» Serial numbers, models and makes of the hard drives;

» Peripherals attached to the systems.

Page 27

Incident Response

• Forensics Process [1] (Con’t):

– Maintain Chain of Custody of evidence

• Initial Response:

– Steps before Forensic Duplication [3]:

» If the computer is OFF, DO NOT TURN IT ON;

» If the computer is ON:

(1) DO NOT POWER DOWN – items such as memory contents, state of network connections, state of running processes, contents of the storage media and contents of removable and backup media will be lost [1]

(2) Photograph the screen and disconnect all power sources; unplug from the back of the computer;

(3) Interrupting power from the back of the computer will defeat an uninterruptible power supply;

Page 28

Incident Response

• Forensics Process [1] (Con’t):

– Maintain Chain of Custody of evidence

• Initial Response:

– Steps before Forensic Duplication (con’t):

» For laptops, locate and remove the battery pack if the laptop does not shut down when the power cord is removed;

» Place evidence tape over each drive slot;

» Photograph/diagram and label the back of the computer components with their existing connections;

» Label all connector/cable ends to allow reassembly as needed;

» If transporting is required, package components and transport/store components as fragile cargo;

» Keep away from magnets, radio transmitters and other potentially damaging elements;

Page 29

Incident Response

• Forensics Process [1] (Con’t):

– Maintain Chain of Custody of evidence

• Initial Response:

– Steps before Forensic Duplication (con’t):

» Collect all peripheral devices, cables, keyboards and monitors;

» Collect all instructional manuals, documentation and notes (user notes may contain passwords)

» On Networked or Business Computers – Secure the scene. Do not let anyone touch except Network trained personnel;

» Pulling the plug could severely damage the system, disrupt legitimate business and create officer and department liability

Page 30

Incident Response

• Forensics Process [1] (Con’t):

– Performing Forensic Duplication [1]:

• Perform all analysis on a copy restored from the duplicate image;

• When is Forensic duplication necessary?

– Likely to be judicial action

– High Profile Incident

– Significant dollar loss

– Will you need to undelete data or search free or slack space to unearth evidence

• If you said yes to any of these questions, then you would need to perform a forensic backup

Page 31

Incident Response

• Forensics Process [1] (Con’t):

– Performing Forensic Duplication [1]:

• Approaches:

– Remove the hard drive from the suspect computer and attach it to a forensics workstation;

» Traditional;

» Safeback, UNIX dd command, EnCase;

– Attach a hard drive to the suspect computer;

» Just as common as the first;

» Same methodology as the first;

» Forensics experts typically carry a forensics workstation, which minimizes hardware and software problems;

– Send the disk image over a closed network to the forensics workstation as it is created.

» Usually done when a UNIX system is used as the imaging platform.

Page 32

Incident Response

• Forensics Process [1] (Con’t):

– Performing Forensic Duplication [1]:

• Requirements for Forensic Duplication Tools:

– Must image every byte of data on the storage medium from beginning of the drive to the maintenance track;

– Handle read errors in a robust manner;

– Must not make changes to the original evidence;

– Must be able to be held up to scientific testing and analysis;

– Results must be repeatable and verifiable by a third party;

– File created using a checksum or hashing algorithm;

– This hashing may be performed concurrently with the creation of the file or at the end of the imaging process
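As an added example (not code from the presentation, nor from Safeback, EnCase or dd), the Python routine below implements the tool requirements listed on this slide in miniature: it copies every byte from the start of the medium to the end, substitutes zeros for a block that cannot be read and records its offset instead of aborting (the behaviour of `dd conv=noerror,sync`), only ever reads from the source, hashes the image concurrently as each block is written, and lets a third party re-hash the finished image to verify it. The `FlakySource` class is a constructed stand-in for a drive with one unreadable sector, and the byte pattern built in `demo()` is constructed as well.

```python
# Added example, not code from the presentation or from any imaging tool it names:
# a miniature bit-stream duplicator illustrating the tool requirements above.
import hashlib
import io
import os
from dataclasses import dataclass, field
from typing import BinaryIO, List


@dataclass
class ImageResult:
    total_bytes: int
    sha256: str                                          # digest of the image as written
    bad_blocks: List[int] = field(default_factory=list)  # offsets that were zero-filled


def acquire_image(source: BinaryIO, dest: BinaryIO, block_size: int = 512) -> ImageResult:
    """Copy every byte of `source` into `dest`, block by block.

    * Nothing is interpreted as a file system, so slack space, free space and
      deleted data are carried along with the allocated files.
    * A block whose read raises OSError is replaced by zeros of the same length and
      its offset recorded (what `dd conv=noerror,sync` does), so a single bad
      sector does not abort the acquisition. The list of such blocks belongs in
      the evidence notes, because those bytes are not the drive's real contents.
    * The caller opens `source` read-only (or behind a write blocker); this
      function only ever calls seek() and read() on it.
    * The digest is updated with each block as it is written, so the hash is
      produced concurrently with the image rather than by a second pass.
    """
    source.seek(0, os.SEEK_END)
    total = source.tell()
    digest = hashlib.sha256()
    bad_blocks: List[int] = []
    offset = 0
    while offset < total:
        want = min(block_size, total - offset)
        source.seek(offset)
        try:
            chunk = source.read(want)
        except OSError:
            chunk = b"\x00" * want
            bad_blocks.append(offset)
        dest.write(chunk)
        digest.update(chunk)
        offset += want
    dest.flush()
    return ImageResult(total_bytes=total, sha256=digest.hexdigest(), bad_blocks=bad_blocks)


def verify_image(image: BinaryIO, expected_sha256: str, block_size: int = 1 << 16) -> bool:
    """Independent re-read of the finished image; a third party can repeat this step."""
    digest = hashlib.sha256()
    image.seek(0)
    for chunk in iter(lambda: image.read(block_size), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_sha256


class FlakySource(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable sector (test fixture)."""

    def __init__(self, data: bytes, bad_offset: int, bad_len: int):
        super().__init__(data)
        self.bad_start, self.bad_end = bad_offset, bad_offset + bad_len

    def read(self, size=-1):
        start = self.tell()
        end = len(self.getvalue()) if size is None or size < 0 else start + size
        if start < self.bad_end and end > self.bad_start:   # request overlaps the bad sector
            raise OSError(5, "Input/output error")
        return super().read(size)


def demo() -> dict:
    """Constructed 4 KiB 'disk' whose sector at offset 1024 cannot be read."""
    data = bytes(range(256)) * 16
    src = FlakySource(data, bad_offset=1024, bad_len=512)
    dst = io.BytesIO()
    result = acquire_image(src, dst, block_size=512)
    image = dst.getvalue()
    return {"source": data, "image": image, "result": result,
            "verified": verify_image(io.BytesIO(image), result.sha256)}


if __name__ == "__main__":
    d = demo()
    print(f"{d['result'].total_bytes} bytes imaged, sha256 {d['result'].sha256}")
    print(f"zero-filled blocks at offsets: {d['result'].bad_blocks}, verified: {d['verified']}")
```

The hash covers the image as written, zero-filled blocks included, so the bad-block list and the hash are recorded together: the hash proves the image file has not changed since acquisition, and the list says where the image is known to differ from the medium.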

Page 33

Incident Response

• Forensics Process [1] (Con’t):

– Performing Forensic Analysis [1]:

• Divided into two layers:

– Physical Analysis

» String Searches

» Search and Extract

» Extracting File Slack and Free Space

– Logical Analysis

• Understanding Where Evidence Resides:

– The Physical Layer

– Data Classification Layer

– Blocking Format Layer

– Storage Space Allocation Layer

– Information Classification and Application Storage Layers

Page 34

Incident Response

• Investigation:

– Conducted on a forensic duplication of a relevant system;

– Collecting information stage;

– What was harmed?

– How was it damaged?

– Who was to blame? Establishing identity behind the people on a network is increasingly difficult;

– How to fix the compromise.

– The proper collection and analysis of computer evidence through accepted computer science protocol is a critical component to any internal investigation or audit where the results have potential to be presented in legal proceedings [12]

Page 35

Incident Response

• Investigation:

– Windows NT/2000 [1]

• Review all pertinent logs;

• Perform keyword searches;

• Review relevant files;

• Identify unauthorized user accounts or groups;

• Identify rogue processes;

• Look for unusual or hidden files;

• Check for unauthorized access points;

• Examine jobs run by the scheduler service;

• Analyze trust relationships;

• Review security identifiers.

Page 36

Incident Response

• Investigation:

– UNIX [1]

• Review all pertinent logs;

• Perform keyword searches;

• Review relevant files;

• Identify unauthorized user accounts or groups;

• Identify rogue processes;

• Check for unauthorized access points;

• Analyze trust relationships.
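For the “identify unauthorized user accounts or groups” step on this slide and on the Windows NT/2000 slide before it, here is an added example in Python (not part of the presentation) that compares a suspect UNIX host’s passwd and group databases against a pre-incident baseline. It flags new or removed accounts, accounts other than root with UID 0, accounts whose UID or shell changed, and new members of privileged groups. The baseline and current file contents are constructed sample data, and the privileged group names are an assumption to adapt to the host under review.

```python
# Added example, not part of the presentation: compare a suspect UNIX host's
# passwd and group databases against a pre-incident baseline.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, Account]:
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    accounts: Dict[str, Account] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = Account(name, int(uid), int(gid), home, shell)
    return accounts


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Parse group(5) lines: name:password:gid:member,member,..."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


def review_accounts(baseline_passwd: str, current_passwd: str,
                    baseline_group: str, current_group: str,
                    privileged_groups: Tuple[str, ...] = ("root", "wheel", "sudo")) -> List[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    base, cur = parse_passwd(baseline_passwd), parse_passwd(current_passwd)
    findings: List[str] = []
    for name in sorted(cur.keys() - base.keys()):
        findings.append(f"new account: {name} (uid {cur[name].uid}, shell {cur[name].shell})")
    for name in sorted(base.keys() - cur.keys()):
        findings.append(f"removed account: {name}")
    for name, acct in sorted(cur.items()):
        # A second UID 0 account is a classic sign of a planted backdoor login.
        if acct.uid == 0 and name != "root":
            findings.append(f"uid 0 account other than root: {name}")
        if name in base and base[name] != acct:
            old = base[name]
            findings.append(f"changed account: {name} (was uid {old.uid} shell {old.shell}; "
                            f"now uid {acct.uid} shell {acct.shell})")
    bg, cg = parse_group(baseline_group), parse_group(current_group)
    for group in privileged_groups:   # assumed privileged group names; adapt per host
        for member in sorted(cg.get(group, set()) - bg.get(group, set())):
            findings.append(f"new member of privileged group {group}: {member}")
    return findings


# Constructed sample data standing in for the baseline and post-incident copies.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0:backup operator:/tmp:/bin/sh
"""
BASELINE_GROUP = "root:x:0:\nwheel:x:10:alice\n"
CURRENT_GROUP = "root:x:0:\nwheel:x:10:alice,www\n"


def demo() -> List[str]:
    return review_accounts(BASELINE_PASSWD, CURRENT_PASSWD, BASELINE_GROUP, CURRENT_GROUP)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run the comparison against copies taken from the forensic duplicate, not from the live host, and treat a service account that has gained a login shell (as `www` does in the sample) with the same suspicion as a brand-new account.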

Page 37

Incident Response

• Security Measure Implementation [1]:

– If you are accumulating evidence for potential civil, criminal, or administrative action, obtain that evidence BEFORE you implement any security measures.

– Isolation and Containment;

– Prevent attackers from continuing their activities;

– Could be as simple as disconnecting the compromised computer from the network;

• The problem here is that you may still have to monitor the attacker’s activities to gather evidence for criminal prosecution

– Electronically isolate the computer; removing other computers from the same broadcast domain will limit the exposure of other systems;

– Network filtering (“fishbowling”) will allow you to continue monitoring malicious activity while limiting further activity;

Page 38

Incident Response

• Network Monitoring [1]:

– Should start during the initial response and continue until the recovery is complete;

– It allows you to track the attacker, gaining crucial evidence;

– It provides assurance that there are no recurrences of similar incidents during recovery.

– Comprehensive monitoring should be used on the subnet hosting the target computer (a laptop configured with a sniffer that flags packet attributes as well as recording content is most appropriate);

– Less comprehensive monitoring should be considered at the network boundaries;

– Decide what to monitor:

• Log all traffic to and from the victim machine

• Traffic originating at the victim system

Page 39

Incident Response

• Recovery [1]:

– Hot Backup on Critical Platforms;

– Restoration of relevant systems to a secure, operational state;

– Take into consideration both the level of compromise and the type and location of system compromised;

• If the system compromised is part of a large trust environment, an attacker is likely to have cracked passwords for accounts that are valid across the domain. In that case every system that shares that account must be investigated and recovered;

– Choosing a Recovery Strategy:

• Rebuilding from “Known-good” media is essential;

Page 40

Incident Response

• Recovery [1]:

– Choosing a Recovery Strategy (con’t)

• Securing (“hardening”) the system involves:

– Turning off unused services;

– Applying operating system and application patches;

– Enabling strong passwords;

– Continuing competent administration;

– Backups can be used during recovery but only if you are sure that the incident occurred after a backup was made;

• Security Countermeasures:

– Host based controls, packet filters, firewalls, IDS, user education, and policy and procedures.

Page 41

Incident Response

• Reporting [1]:

– Goals:

• Document

• Document

• Document

– Reporting should be performed at every stage of Incident Response;

– Tedious, Methodical Process;

– Failure to do so will lead to faulty conclusions and inadequate response;

– Reports may be subject to the eyes of a judge, jury and attorneys;

– Reporting activities include supporting criminal or civil prosecutions, producing final reports and suggesting process development.

Page 42

Incident Response

• Follow-up [1]:

– Analyze the process conducted;

– Record lessons learned;

– Fix any problems;

– Steps after an employee leaves:

• An employee’s hard drive is imaged to CD-ROM disks upon resignation, termination or internal transfer should an examination need to take place at a later date

– Recheck Policies

• Training www.sans.org

Page 43

Congressional Statutes

• Computer Fraud and Abuse Act (CFAA) [4]

– CFAA was first passed in 1984

– At its inception, the Act was directed at the protection of classified information that was maintained on federal government computers, as well as the protection of financial records and credit information on government and financial institution computers.

– Broadened in 1986 when certain amendments extended protection to “federal interest computer”.

– Amended in 1996, with the phrase “protected computer” replacing the previous concept of “federal interest computer”. Protection now covered all computers involved in interstate and foreign commerce, whether or not any federal government proprietary interest is implicated.

Page 44

Congressional Statutes

• Computer Fraud and Abuse Act (CFAA) [4]

– Effects of the Shurgard Storage Centers vs. Safeguard Self Storage Case:

• The judge agreed: “Unless otherwise agreed, the authority of any agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”

• The court found that “the authority of the plaintiff’s former employees ended when they allegedly became agents of the defendant.”

• The employee could be subject to federal criminal sanction.

• Employers can now defend themselves in proprietary rights agreements.

• As a result, the disloyal employee was in effect treated as a hacker, from and after the time he started acting as an agent for Safeguard.

Page 45

Congressional Statutes

• State Computer Crime Laws can be found at:

– http://nsi.org/Library/Compsec/computerlaw/statelaws.html

• Another general site for State Laws:

– www.lawsource.com

• “Incident Response”, by Kevin Mandia and Chris Prosise


What’s Next

• Smart Cards

• VPNs (Virtual Private Networks)

• Biometrics

• Business To Customer Digital Certificates


Computer Crime Organizations¹

• Forum of Incident Response and Security Teams (FIRST)
– www.first.org

• Incident Response – Investigating Computer Crime
– www.incidentresponsebook.com

• Carnegie Mellon’s CERT Coordination Center
– www.cert.org

• Security Focus
– www.securityfocus.com

• National Infrastructure Protection Center
– www.nipc.gov

• Federal Computer Incident Response Center (FEDCIRC)
– www.fedcirc.gov

• Department of Defense Computer Emergency Response Team (DOD-CERT)
– www.cert.mil


Other Web Sites

• Cisco Computer Security (www.ciscoisecurity.com.sg)
• Search Security.com (www.searchsecurity.com)
• Defaced Web Sites (www.attrition.org/mirror/attrition)
• The Information Systems Audit and Control Association Foundation (www.isaca.org)
• Association of Federal Fraud Examiners (www.cfenet.com)
• Safeback (New Technologies) (www.forensics-intl.com)
• EnCase (www.guidancesoftware.com)
• Center for Computer Forensics (www.computer-forensics.net)
• Computer Forensics Inc. (www.forensics.com)
• SANS Institute (www.sans.org)
• Computer Security Institute (www.gocsi.com)
• Infragard (www.infragard.net)
• Cyber Crime (www.cybercrime.gov)


Web Site of the Month for June 2002

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (http://www.usdoj.gov/criminal/cybercrime/searching.html)

The Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations site is a part of the Department of Justice site under the Computer Crime and Intellectual Property Section (CCIPS). The mission of the Department of Justice is to enforce the law and defend the interests of the United States according to the law, to provide Federal leadership in preventing and controlling crime, to seek just punishment for those guilty of unlawful behavior, to administer and enforce the Nation's immigration laws fairly and effectively, and to ensure fair and impartial administration of justice for all Americans. CCIPS has five main sections:

• Federal Criminal Code Related to Searching and Seizing Computers

• The Fourth Amendment and the Internet

• Communications Assistance for Law Enforcement Act Implementation Section

• Recognizing and Meeting Title III Concerns in Computer Investigations

• Computer Records and the Federal Rules of Evidence

The site is a comprehensive listing of the statutes pertaining to obtaining electronic evidence, including links to current versions of the federal statutes governing computer search and seizure and electronic evidence gathering, as well as searchable databases of the U.S. Code.


Presenters

Frank J. DeCandido, CPA, Vice President, Prudential Financial
Email: [email protected]
212-214-2037

Thomas Doughty, First Vice President, Prudential Financial
Email: [email protected]
212-778-4610


Bibliography

1. “Incident Response”, by Kevin Mandia and Chris Prosise

2. Cybercrime Prevention and Response: Best Practices – PWC March 22, 2002

3. Best Practices for Seizing Electronic Evidence Version 2.0 – PWC

4. www.Gigalaw.com: The Expanding Importance of the Computer Fraud and Abuse Act.

5. www.ciscoisecurity.com.sg: What is Computer Forensics?

6. www.Dictionary.com

7. www.gocsi.com: Computer Security Institute

8. www.nysscpa.org/committees/emergingtech/firewalls.htm: Emerging Technologies Committee

9. http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci802800,00.html

10. Biometrics Research (http://biometrics.cse.msu.edu/info.html)

11. BusinessWeek Article – June 10, 2002


12. Article titled “Computer Forensics Emerges As An Integral Component of an Enterprise Information Assurance Program”, by Douglas Barbin, CISSP, CPA, CFE, and John Patzakis.