Why have a Digital Investigative Infrastructure

© 2008 Guidance Software, Inc. All Rights Reserved. “Why have a Digital Investigative Infrastructure” Kevin Wharram CISSP, CISM, CEH Technical Manager – Guidance Software Inc. – The Maker of EnCase

Upload: kevin-wharram

Post on 02-Nov-2014


Page 1: Why Have A Digital Investigative Infrastructure


Page 2: Why Have A Digital Investigative Infrastructure


Page 3: Why Have A Digital Investigative Infrastructure

Agenda

• Industry Headlines
• Cause and Cost of data breaches
• Some of the methods by which data is taken
• Challenges in protecting data
• What to do after you have had a data breach
• Case Study
• EnCase Enterprise

Page 4: Why Have A Digital Investigative Infrastructure

Industry Headlines

Old hard drives still full of sensitive data
Hard drives full of confidential data are still turning up on the second-hand market, researchers have reported.

T.J. Maxx Breach Costs Hit $17 Million
BOSTON - Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX’s customer information in a security breach that the discount retailer disclosed more than two months ago.

Thieves set up data supermarkets
Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price. Credit card details are cheap; the log files of big companies, however, can go for up to $300.

Page 5: Why Have A Digital Investigative Infrastructure

Cause of Data Breaches

[Chart of breach causes; source: The Ponemon Institute (PGP Survey)]

Page 6: Why Have A Digital Investigative Infrastructure

Cost of Data Breaches

• Key Statistics
  • Data breaches cost US companies an average of $197 for every record lost
  • The size of the losses examined ranged from $225,000 to almost $35 million

Source: The Ponemon Institute

Page 7: Why Have A Digital Investigative Infrastructure

What types of Data are at Risk?

Intellectual Property
• Design Documents
• Source Code
• Trade secrets

Corporate Data
• Financial data
• Mergers & Acquisition info
• HR data, i.e. employee data
• Marketing and Sales data

Customer Data
• Personal Data
• Credit card numbers
• Customer financial data

Government Data
• Economic data, i.e. Dobanda (interest rates) – “what is it worth?”
• Intelligence information
• Law Enforcement Information

Page 8: Why Have A Digital Investigative Infrastructure

What leads to a Data Breach

• Lack of senior management understanding and recognition of a problem
• Criminal / Malicious Intent
• Lack of internal processes and controls
• Weak internal controls (role and access right changes)
• Vulnerability Management / Patching practices
• Organisation Culture (“they owe me” attitude)
• Incidental opportunities

Page 9: Why Have A Digital Investigative Infrastructure

How is Data Taken?

• Portable storage devices – USB, Cameras, PDAs etc
• iPods and MP3 players – “PodSlurping”
• email – personal webmail, i.e. Yahoo, Google, etc
• Taking out or sending DVDs / CDs
• Spear Phishing – targeting specific companies for information, then using that information to steal data
• Exploiting corporate systems, networks and laptops through system and software vulnerabilities
• Using telephone conference PIN numbers

Page 10: Why Have A Digital Investigative Infrastructure

Challenges facing Companies

• Confusing regulatory environment – EU Data Protection Directive 95/46/EC, Internet Banking Code MCTI, International Banking Regulation, SOX, PCI compliance, etc
• Ensuring sensitive data is not located in unauthorised areas of the network
• Not being able to remediate instances of confidential information residing where it shouldn't be
• Not being able to remediate instances of unauthorised applications, software and files on systems
• Not having a procedural and technical infrastructure in place to respond to security breaches

Page 11: Why Have A Digital Investigative Infrastructure

My Data is gone! – “what do I do?”

Page 12: Why Have A Digital Investigative Infrastructure

Incident Response

• Don’t panic
• Follow your incident response plan and procedures
• Investigate completely using a forensically sound investigation platform
• Disclose information only on a need-to-know basis
• Clean up & Remediate

Page 13: Why Have A Digital Investigative Infrastructure

Inadequate Incident Response

You can’t FIX or STOP what you can’t FIND… quickly

[Diagram: RISK! spanning the OPERATING SYSTEM and the HARD DISK & MEMORY]

Page 14: Why Have A Digital Investigative Infrastructure

Case Study: Global 100 Technology Firm – EnCase Data Audit & Policy Enforcement

Situation
• Global 100 computer entertainment company suspected IP leakage across the network
• Need to search a global network spanning 91 countries
• Goal was to identify the source, all instances of leaked IP, identify the trail to external sites, preserve evidence, and remediate
• Process required significant stealth so as to not alert employees

Solution
• EnCase Data Audit & Policy Enforcement implemented in 24 hours at a central site
• EnCase identified that the suspect had access to numerous other workstations & servers across the network
• Audit performed overnight on all endpoints, including a 4 terabyte server, to find files
• Targeted audit of over 50 devices in one day, including laptops, desktops, servers, email accounts, USBs and internet histories

Results
• Zero disruption to the business
• Entire investigation took 2 weeks from start to finish with significant cost savings vs. outsource options
• EnCase Data Audit deployed as part of a standard IP & HR audit process company-wide

“The non-disruptive element of EnCase minimized the financial, commercial and operational impact of the leaked IP and accelerated the successful resolution of this incident.”
CEO & President - European Operations, Global 100 Technology Firm

Page 15: Why Have A Digital Investigative Infrastructure

EnCase Enterprise

EnCase Enterprise is a powerful, network-enabled, multi-platform enterprise investigation solution.

EnCase enables immediate response to computer-related incidents of any kind and provides a thorough forensics platform and framework that allows organisations to respond immediately to enterprise information incidents and threats.

Page 16: Why Have A Digital Investigative Infrastructure

Benefits of EnCase Enterprise

• Contain and reduce corporate fraud
• Conduct network-enabled forensic investigations for anything, anywhere, anytime
• Perform complete compromise assessments after a security intrusion
• Reduce business disruption and losses due to security breaches
• Respond to more security incidents with less manpower
• Conduct network-enabled HR investigations

Page 17: Why Have A Digital Investigative Infrastructure

The “Data Iceberg”

Data found by common tools (such as Windows Explorer)

• Additional data uncovered by EnCase Enterprise
  • Purposely deleted files
  • Renamed to disguise content
  • Concealed files
  • Misplaced / Difficult to locate files
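Two of the audit checks these slides rely on, the challenges slide's "confidential information residing where it shouldn't be" and the iceberg's files "renamed to disguise content", as an added example that is not part of the original presentation and not EnCase code: file-signature analysis against a small constructed magic-byte table, and a Luhn-filtered card-number scan, run over a constructed in-memory set of collected files.

```python
import re
# Constructed magic-byte table (header bytes -> extensions that legitimately carry them).
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"MZ": {".exe", ".dll"},
}
# 13-19 digit runs, optionally space/dash separated, not embedded in a longer digit run.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
def luhn_ok(digits):
    # Luhn mod-10 check; weeds out order numbers and other random digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def signature_mismatch(name, data):
    # (actual extension, expected extensions) when header and file name disagree, else None.
    ext = name[name.rfind("."):].lower() if "." in name else ""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return None if ext in exts else (ext, sorted(exts))
    return None

def card_numbers(data):
    # Luhn-valid card-like numbers in the raw bytes, separators removed.
    hits = [re.sub(rb"[ -]", b"", m.group()).decode() for m in CARD_RE.finditer(data)]
    return [h for h in hits if luhn_ok(h)]

def audit(files):
    # files: {path: raw bytes} as collected from an endpoint; returns (path, type, detail).
    findings = []
    for path, data in sorted(files.items()):
        mismatch = signature_mismatch(path, data)
        if mismatch:
            findings.append((path, "signature-mismatch", mismatch))
        for number in card_numbers(data):
            findings.append((path, "card-number", number))
    return findings

# Constructed sample: a PDF renamed to look like a photo, a genuine PNG, and a stray export.
SAMPLE = {
    "users/bob/holiday.jpg": b"%PDF-1.4 confidential design document",
    "users/bob/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "shared/export.txt": b"order 1234567890123456\ncard 4111 1111 1111 1111 exp 12/25\n",
}
```

Running `audit(SAMPLE)` flags the disguised PDF and the Luhn-valid card number while ignoring the genuine PNG and the order number; the card value is the standard Visa test number.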

Page 18: Why Have A Digital Investigative Infrastructure

Examples of where EnCase helps

Threat / challenge | Examples
Leavers | Possible unfair dismissal claims; Corporate espionage – taking out confidential data
Employee Integrity | Harassing co-workers; Pornography (civil action can be brought by an employee affected by porn)
HR Policy Breaches | E-mail misconduct; Internet misconduct; PC / Desktop misuse (Personal Software)
Audits | Software audits; SOX audits
Regulatory Compliance | EU Data Directive 95/46
Fraud | Investigating various forms of fraud
IP Theft | Investigating IP theft within your organisation
Legal Cases | Helping legal with various requests for legal cases
Malware & Rootkits | Investigating and finding various forms of Malware and Rootkits
Unauthorised software | Finding and detecting unauthorised software, i.e. MP3, Video etc
Investigating Incidents | Helping the security team to investigate incidents

Page 19: Why Have A Digital Investigative Infrastructure


EnCase Customers

Page 20: Why Have A Digital Investigative Infrastructure


Thank you! (Multumesc!)

[email protected]