To effectively fight cybercrime, everyone who deals with it must be educated. This includes the criminal justice and IT communities, as well as the everyday user. Imagine what would happen to evidence if a law enforcement officer wasn't properly trained and, as a result of his actions, a good portion of the evidence was destroyed. Many times, the judge or jury does not understand the topics discussed or lacks the technical expertise to interpret the law. What would happen in a complex case if the jury, prosecutor, and judge had little experience with computers? More likely than not, the defendant would end up getting away with the crime. We are faced with many scenarios where this is true, but probably none more so than that of child pornography. Child pornography cases present circumstances in which the prosecution might have to prove that a photograph depicts a real child, because of rulings on virtual pornography. However, not all cases go to court, and the role of a forensic investigator can vary.
Before deciding what type of specific training you need, evaluate the role that you want to fill so that you get the most benefit. Here are some common roles that could involve the process of computer forensics:
Law enforcement officials
Corporate human resources professionals
Security consultants providing incident response services
System administrators performing incident response
The next sections discuss the types of employers for both the corporate and law enforcement worlds and the type of training available for them.
Civil litigators can use personal and business computer records in cases involving fraud, divorce, and harassment. Insurance companies might be able to reduce costs by using computer evidence of possible fraud in accident, arson, and workers' compensation cases. Corporations hire computer forensics specialists to obtain evidence relating to embezzlement, theft, and misappropriation of trade secrets. Individuals sometimes hire computer forensics specialists in support of claims for wrongful termination, sexual harassment, and age discrimination.
Law enforcement officials sometimes require assistance in pre-search-warrant preparations and post-seizure handling of computer equipment. Criminal and civil proceedings often use evidence revealed by computer forensics specialists. Criminal prosecutors use computer evidence in cases such as financial fraud, drug and embezzlement record-keeping, and child pornography.
All these various types of industries rely on properly trained computer forensics investigators. The following sections describe some of the training available to both the corporate and law enforcement worlds. The role that you will play as a computer forensic investigator will ultimately decide which type of training is right for you.
The position an individual holds in the criminal justice community dictates the type of training required. In other words, legislators need to understand the laws that are proposed and that they are passing, whereas prosecuting attorneys should have training on electronic discovery and digital data, and on how to properly present computer evidence in a court of law. Detectives should have hands-on training in data discovery of all types and on various operating systems. They should know how to recover data, read log files, and decrypt data. When law enforcement professionals are originally trained at the academy, they should receive some type of basic training on computer crime and how to investigate such crimes. Ideally, all criminal justice professionals would receive training in computer crimes, investigations, computer network technologies, and forensic investigations. Here are some ideas on getting the training needed to pursue a career in computer forensics:
Intense School's CCE Applied Computer Forensics Boot Camp: http://www.intenseschool.com/bootcamps/default.asp
NTI's computer forensics and security training: http://www.forensics-intl.com/training.html
WorldWide Learn's Computer Forensic Training Center Online: http://www.worldwidelearn.com/keycomputer/forensic-training.htm
Mares and Company, LLC's basic and advanced computer forensic training: http://www.dmares.com/maresware/training.htm
AccessData's computer forensic courses: http://www.accessdata.com/training/viewclasses.php
DIBS computer forensic training courses: http://www.dibsusa.com/training/training.html
Many local community colleges offer classes in computer forensics. Law enforcement professionals can take advantage of them without having to pay the high cost of classes offered by private firms. An excellent resource for law enforcement is the International Association of Computer Investigative Specialists (IACIS), which is online at http://www.cops.org/.
New Technologies Inc. (NTI) also makes training films concerning computer evidence processing and computer security topics available to government agencies, law enforcement agencies, and businesses. The selection of training films is listed on NTI's Computer Forensics Information and Reference Page.
Frequently, security and disaster recovery projects aren't funded because they don't produce revenue. An Ernst & Young annual security survey of 1,400 organizations states that only 13 percent think that spending money on IT training is a priority. This shows that training is needed not only for IT professionals but for management as well. In the corporate world, just as in the criminal justice world, the position an individual holds in an organization dictates the type of training they need. In order for end users to buy into security, management must buy in first. Managers have a legal responsibility to police what is happening within their own computer systems, as the Sarbanes-Oxley Act demonstrates. Management training is usually geared more toward compliance issues and the cost of putting preventive measures in place. IT professionals, on the other hand, need training on expressing security projects in terms of return on investment (ROI) so that they can obtain funding, and on computer crime awareness, including new vulnerabilities. They should also be trained on how laws are made, how crimes are investigated, and how crimes are prosecuted. This training could help eliminate the reluctance that organizations have about contacting law enforcement when security breaches occur or when crimes are committed.
Education for every level of practitioner can be found on the SANS (SysAdmin, Audit, Network, Security) website at http://www.sans.org. The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs are designed to educate security professionals, auditors, system administrators, network administrators, chief information security officers, and chief information officers. The graphic on the following page shows the SANS Information and Computer Security Resources webpage.
Legislation such as Sarbanes-Oxley will not change behaviors simply because it is law. This is similar to speeding. Laws against driving over a certain speed do not stop some people from speeding. In fact, many speeders are repeat offenders. Why? It's because certain behaviors are difficult to change. A person's behavior is based on their principles and values. People adopt new patterns of behavior only when their old ones are no longer effective. The goal of training is to change behavior. An effective training program helps the workforce adopt the organization's principles and values. As mentioned previously, management must be trained and become an integral part of the education and training process in order for the users to buy into it.
The hardest environment to control is that of the end user. Training and education are vital parts of any organization that has computer users or Internet access.
A network is only as strong as its weakest link. We hear this phrase time and time again. Humans are considered to be the weakest link. No matter how secure the hardware and software are, the network can be jeopardized by one phone call or one click of a button if users aren't taught the dangers of social engineering, e-mail scams, and malware.
Malware: Another name for malicious code. This includes viruses, logic bombs, and worms.
Social engineering plays on human nature to carry out an attack. Which is easier, getting an employee to give you a password or running password-cracking software? Obviously, getting an employee to give you the password eliminates a lot of effort on your part. Social engineering is hard to detect because you have very little influence over a lack of common sense or ignorance on the part of employees, but education should help eliminate ignorance. Most business environments are fast paced and service oriented. Human nature is trusting and often naïve.
Social engineering: A method of obtaining sensitive information about a company through exploitation of human nature.
Take this scenario for example. A vice president calls the help desk and states that he's in real trouble. He's trying to present a slideshow to an important client and has forgotten his password; therefore, he can't log onto the company website to run the presentation. He changed the password yesterday and can't remember what the new one is. He needs it right away because a room full of people are waiting, and he's starting to look incompetent. The client is extremely important and could bring millions of dollars in revenue to the company. However, if the help desk staff member supplies the password as requested, he could be giving it to an intruder. The only defense is a verification procedure that the help desk follows regardless of the caller's apparent rank or urgency, such as calling the requester back on a number listed in the company directory before any credential is reset or disclosed; pressure and authority are exactly the levers a social engineer relies on.
When creating a security-awareness program, organizations should have these goals in mind:
Evaluate compelling issues.
Know laws and policies for protecting data.
Look at values and organizational culture.
Set baseline knowledge requirements.
Define best practices.
Make lasting cultural and behavioral changes.
Create positive approaches and methods.
If you need help putting together these policies, the National Institute of Standards and Technology (NIST) has some great information in its Computer Security Resource Center (CSRC), as shown in the following graphic.
If you can't educate your employees yourself, make sure you set up training for them either in-house or with outside vendors. Not having the time to train them yourself is no excuse for not training employees at all.
Security experts have the capability to monitor vast amounts of data. They can track Internet access, read employee e-mail messages, record phone calls, and monitor network access. All this monitoring creates a large amount of data. How much you should monitor depends on how much information you are prepared to store and actually review. Keep in mind that your monitoring plan should be clear-cut and built around specific goals and policies. Without proper planning and policies, you can quickly fill your log files and hard drives with useless or unused information. The following are some items to consider when you are ready to implement a monitoring policy:
Identify potential resources at risk within your environment (for example, sensitive files, financial applications, and personnel files).
After the resources are identified, set up the policy. If the policy requires auditing large amounts of data, make sure that the hardware has the additional space needed, as well as processing power and memory.
Make time to view the logs. The information in the log files won't help protect against a system compromise if you don't read it for six months.
You can monitor as much or as little as you want, but if you don't read the logs, they are not serving their purpose.
Monitoring can be as simple or complex as you want to make it. Be consistent regardless of the plan you create. Many organizations monitor an extensive amount of information, while others, especially small ones, may monitor little or nothing. Just remember that it will be quite difficult to catch an intruder if you don't monitor anything.
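The following is an added example, not part of the original text, of what a policy-driven log review looks like in practice: the at-risk resources and thresholds are written down first, then a script applies them to the logs so that a human only has to read the findings rather than every line. The log lines, host name, file paths, and policy values are all constructed for illustration; the syslog-style line shapes are assumed and the year is assumed because that log format does not record one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like shape (not captured from any real system).
SAMPLE_LOG = """\
Mar 10 09:14:02 fileserv sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 09:14:05 fileserv sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:14:09 fileserv sshd[2211]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 09:14:13 fileserv sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51027 ssh2
Mar 10 09:14:20 fileserv sshd[2211]: Failed password for backup from 203.0.113.7 port 51030 ssh2
Mar 10 09:15:01 fileserv sshd[2299]: Accepted password for backup from 203.0.113.7 port 51031 ssh2
Mar 10 09:20:44 fileserv sshd[2301]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Mar 10 09:21:00 fileserv sshd[2302]: Accepted publickey for jsmith from 198.51.100.4 port 40002 ssh2
Mar 10 09:22:17 fileserv audit[77]: user=backup action=read path=/srv/finance/payroll.xlsx
Mar 10 09:23:40 fileserv audit[77]: user=jsmith action=read path=/srv/public/readme.txt
"""

# Hypothetical monitoring policy: the resources identified as at risk, and the
# thresholds that decide what is worth a person's time to look at.
POLICY = {
    "sensitive_paths": ("/srv/finance/", "/srv/hr/"),
    "failed_login_threshold": 5,   # failures from one source within the window
    "window_seconds": 120,
}

# "invalid user" is how sshd reports a login attempt against a nonexistent account.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ audit\[\d+\]: "
    r"user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def review(log_text: str, policy: dict = POLICY) -> dict:
    """Apply the policy to the log text and return only the findings a human should read."""
    failures = defaultdict(list)    # source ip -> timestamps of failed logins
    successes = defaultdict(list)   # source ip -> (timestamp, user) of accepted logins
    sensitive_access = []

    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            if m["result"] == "Failed":
                failures[m["ip"]].append(ts)
            else:
                successes[m["ip"]].append((ts, m["user"]))
            continue
        m = AUDIT_RE.match(line)
        if m and m["path"].startswith(policy["sensitive_paths"]):
            sensitive_access.append((m["user"], m["path"]))

    # A source is flagged when `threshold` failures fall inside one sliding window.
    brute_force = []
    n = policy["failed_login_threshold"]
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - n + 1):
            if (times[i + n - 1] - times[i]).total_seconds() <= policy["window_seconds"]:
                brute_force.append(ip)
                break

    # A successful login from a source that was just brute-forcing is the finding
    # that matters most: it points at a likely compromised account.
    success_after_brute_force = [
        (ip, user)
        for ip in brute_force
        for ts, user in successes[ip]
        if ts > min(failures[ip])
    ]
    return {
        "brute_force_sources": brute_force,
        "success_after_brute_force": success_after_brute_force,
        "sensitive_access": sensitive_access,
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

The single failed login from 198.51.100.4 is not reported, because the policy says five failures within two minutes is the line worth crossing; raising or lowering that number is a policy decision, not a scripting one, and should be written down before the script is. The point of the example is the one the text makes: collecting these lines costs nothing, but without a scheduled review that reduces them to a handful of findings, the successful login by "backup" after five failures from the same address would sit unread.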