1. ‘Implement an incident response plan to respond immediately to a system breach’
2. ‘Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider’

Whilst under ISO/IEC 27001 (A.13.2.1), there is a stipulation that:

1. ‘Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents’

It has, however, been observed on multiple occasions that incident response is an area in which many organisations are lacking in operational capability, but it is also one now gathering interest in many reputable organisations who are seeking to close this open wound with pragmatic and robust solutions. To further qualify the interest in the area of digital forensics, it is noteworthy that the respected, Royal Chartered Society of Forensic Sciences has also evolved its areas of scientific interest to encompass digital forensics, joining its wide portfolio of disciplines including ballistics, fluid and other speciality areas of forensic scientific support for the investigative landscape.

Of all the components of the incident response lifecycle, it is the element of digital/cyber forensics which seems to represent the highest wall to climb. This is not necessarily the case: with the correct approach, it is possible to deploy adequate mechanisms and solutions to accommodate a desired and pragmatic level of incident/event support, which does not have to represent a significant investment for the business. For instance, start the security mission by agreeing the levels at which the internal organisation will be capable of engaging, and the point at which the complexity of the activities exceeds the internal skill-set and the work must be handed off to another party. It is also essential to have a recognised team, be it physical or virtual, with established roles, responsibilities and capabilities to meet the operational expectations. International organisations may also leverage the virtual-team approach of follow-the-sun incident management, which brings 24-hour coverage and continuity to the activity.
Of course, there will be a need to equip the incumbent team with an adequate level of technological resource to underpin operations, which may be provisioned by open source and zero-cost solutions, such as the Magnet Forensics RAM acquisition tool, through to professional solutions like AccessData’s FTK toolset. However, the most critical component of all in the digital forensics mission is to remember that ‘Process is King’: it is the process that assures the validity of the outcome is robust and, where required, admissible in a court of law. It is equally important to be aware of the applicable local and international laws which may, by implication, concern the operation. For instance, if working in, or outsourcing to, India, an appreciation of the Information Technology Act 2000 (ITA 2000) is important, as it carries some explicit expectations. When working in areas like North America, an understanding of the applicable disclosure laws can be essential, whilst in the UK/EU, knowledge of the area of child abuse images under COPINE (Combating Paedophile Information Networks in Europe) and the Protection of Children Act 1978 (PCA 1978) provides awareness of the legal elements and implications of any acquired, potentially illegal images, and of the associated handling and reporting obligations. Neil Hare-Brown, CEO at STORM Guidance, commented:
“When a security breach is suspected it is absolutely vital that digital evidence be properly preserved and analysed by skilled digital forensic specialists. All too often I have seen organisations fail to pay attention to proper forensic process, only to regret it later when giving evidence in a previously unexpected employment tribunal, civil or criminal court. Always be prepared!”

Mirroring Neil Hare-Brown’s observations, many professionals will concur that if a business is seeking to deploy such internal digital forensics capabilities, there must be an acceptance that the capability will be a tight fit, and a recognition of the importance of process-orientated, Disciplined Security, which goes well beyond ticking boxes. There are basically six areas which should be in place to accommodate a digital forensics operation, and they are:
- Timely response engagement
- Practice Contemporaneous documentation and notes
- Assure engagements follow an agreed Process
- Conduct all investigations in a manner which is Legal
- Always be Consistent
- Recognise the limitations