The following case study illustrates the organizational benefits of a planned forensic response:
Scenario One: An IT manager reviews a detection tool report that indicates a company employee is accessing restricted Internet sites and downloading objectionable material. After discovering the activity, the IT manager remotely accesses the employee’s personal computer to obtain evidence. The employee is then dismissed, based on the evidence located and obtained.
Scenario Two: An IT manager reviews a detection tool report indicating a company employee is accessing restricted Internet sites and downloading objectionable material. After discovering this activity, the IT manager follows procedures, reporting his suspicions to the nominated computer incident response contact, in this case the Chief Information Officer (CIO).
The CIO then invokes the company’s incident response plan by contacting the Incident Response Team, which includes computer forensic experts. This team isolates the offending machine; conducts a forensic examination of the computer system following methodologies known to be acceptable to criminal, civil, and arbitration courts or tribunals; and establishes where the material came from, how often, and who else knew about it. By following its effective policies and procedures, the organization (via the CIO) is in an excellent position to take immediate legal and decisive action based on all the available facts and evidence.
Only one of these scenarios illustrates a planned forensic response. In Scenario One, the evidence was obtained remotely. This fact alone may put the obtained evidence in doubt.
Any court of law would want to know whether there were policies and IT infrastructure ensuring that the IT staff member accessed the correct PC. Other issues surround the need for evidence to prove that a particular employee’s PC was responsible for downloading the objectionable material. Can it be proved that the objectionable material was viewed on a particular PC? Who else had access to that PC? It is likely that there is not adequate evidence in this scenario to answer these questions.
The IT manager detecting the activity is only the first step in forming grounds for suspicion. If action is taken without proper policies, procedures, and processes in place, it is nothing more than an unplanned knee-jerk reaction.
Unplanned reactions potentially expose an organization to risk. Clearly, any investigation must not only be thorough and methodical, but staff also need procedures for reporting the activity, conducting the investigation, and appointing investigators.
In Scenario Two, the established policies let the organization clearly identify the incident and carry out appropriate immediate action. This places the organization in a comfortable position to resolve the situation, contain the potential damage, and effectively seek compensation or prosecution. The bottom line here is that without the appropriate procedures in place to counter detected attacks, an organization is exposed to the risks of lost data, financial loss, network damage, and loss of reputation.