The 2011 (ISC)2 Security Congress

More documents

Recommendations

Info

Selecting the Right RecoveRy tool Selecting the best tool is often the result of conducting sufficient research and asking the appropriate questions. With this in mind, ThreatGRID’s CEO Dov Yoran suggests the following list of questions: 3 What type of data does the organization need to recover? 3 What types of hardware are involved? 3 Will we be recovering virtual machines? 3 How often will we be recovering data? 3 What is the average size of datasets we will be recovering? 3 How do we incorporate the recovery solution into a unified incident response process? 10 InfoSecurIty ProfeSSIonal ISSUE NUMBER 16 Legal must-dos There are also legal concerns of key consideration as organizations embark on a data forensics project, explains Peter laberee of laberee law Pc. “When confidential information is kept on the cloud, it is crucial to know, where are the servers? This matters because the laws of the locality where the servers are located may control your right to access the data, even to recover lost information,” he says. laberee notes that people ask where their data is partly because of the inherent diffuseness of the cloud, plus the fact that legal and marketplace remedies vary from country to country. “Despite the global feel of the cloud, some countries’ laws will be involved when it’s time to sue to get back data or to demonstrate compliance with privacy rules.” The obligation to provide secure data goes beyond just good business. “enterprises have express legal duties relating to data security financial information and protected health information under HIPaa [the Health Insurance Portability and accountability act of 1996], for example. and, we hear much about Sarbanes-oxley [the Sarbanes-oxley act of 2002, or SoX] in the corporate finance world,” laberee says. “under
Section 404 [of SoX], reporting companies are required to assess their internal process and controls, and data security and recovery are part of this. Privacy laws are also implicated in data security concerns including Gramm-leach-Bliley [the financial Services Modernization act of 1999, or GlB], the fair and accurate credit transactions act [facta], and eu [european union] rules.” If the primary goal is to use the results in court, yoran stresses the significance of forensically sound data recovery software, including sandboxing solutions. “understanding the fundamentals of the attack and how it affected one’s system is at the core of every investigation,” he says. “Having the Is the Data Gone? Is the data really gone? In most instances, the answer is a resounding no. When a user drags and drops a file or directory into the recycle bin, or right-clicks and selects “Move to Trash” or “Delete,” that data is usually recoverable, explains Forensic Risk Alliance’s Boisclair. “Even if the user empties the trash, it may still be possible to access and view that deleted data. However, data can be securely deleted without having to physically destroy the device or media so as to render it unusable,” he says. “There are a number of software-based solutions that feature the ability to sanitize or wipe media by erasing the data based on recognized government and industry standards.” Many data-wiping software applications developed in the U.S. adhere to the standard outlined in Department of Defense (DoD) 5220.22-M. At a high level, secure erasure involves overwriting the location on the disk where the data resided a number of times by filling the media with zeros, random bytes, or a known overwrite pattern. It is then possible to verify that the data has been permanently erased by viewing the data location on the media in an application that enables the user to access and view the ones and zeros on the physical disk—ensuring that the overwrite pattern exists and the original data does not. A primary factor in meeting industry standards is the number of times the data is overwritten. It’s important to note when using data wiping tools, care must also be taken that any such actions are performed in accordance with a company’s documented data retention/destruction policies and schedule, explains Integreon’s Fehrman. “Failure to do so could pose issues during litigation, even if performed prior to a lawsuit being filed. Enforcing data destruction policies is particularly important if a legal hold has been put in place at the start of an investigation or lawsuit,” he says. “The deliberate destruction of potential evidence can lead to serious legal sanctions.” right tools on hand to do a deep analysis can not only aid in this effort, but it’s also a requirement when considering the myriad of potential attacks and large volumes of data each organization owns. clearly these tools are most effective when used by a skilled resource on the project, so in the end a successful investigation is really the marriage between people and technology.” Seeking professional help In some instances, it makes more sense for organizations to turn to specialized partners capable of providing an array of professional services including litigation consulting, compliance and risk management, e-discovery, forensic data collection as well as forensic examination and recovery exist to assist with eSI. one reason to do so is that for digital evidence to be valid— and defensible in court—it must be preserved in either its original form or a forensically defensible representation thereof, explains Gerard Boisclair, senior manager at Providence, rI (u.S.)-based forensic risk alliance. “In accordance with the national Institute of Justice, examination is best conducted on a copy of the original evidence,” he says. “Proper forensic collection involves highly trained and certified professionals using specialized tools such as hardware and software writeblockers and forensic imaging tools. They also provide documentation to prove data integrity and security via chain of custody, media acquisition and access control, and a series of detailed collection logs.” according to fehrman, data forensic and recovery services often vary based on the type of media or environment involved, including hard drives, backup tapes, uSB pen drives, network file shares, e-mail servers, mobile phones, Web sites, social media networks, and cloud-based environments. “related services include recovery of passwordprotected, encrypted, corrupted, or deleted information,” he says. “expert analysis or witness services are also available to ensure the defensibility of the methods used, should they ever be challenged during legal proceedings. This is why training and certification through reputable providers is so important, and when there is doubt, there is always the option to utilize forensic experts that can provide strategic advice and provide recommended best practices and methods.” regardless of the preferred route, it’s crucial to select a reputable company that practices and promotes industry standards, explains Boisclair. “Whether recovering data at a logical or physical level, it is likely that the data may be private, sensitive or confidential and may even be subject to jurisdictional requirements governing data protection,” he says. “using a reputable tool or provider may prevent the media from further, irreparable damage, and may also prevent the data from being exposed to identity theft, unauthorized download or use of confidential files as well as improper storage or disposal of media.” Peter Fretty is a freelance business and technology journalist based in Michigan. ISSUE NUMBER 16 InfoSecurIty ProfeSSIonal 11
Page 1 and 2: ISSUE NUMBER 16 An (ISC) 2 Digital
Page 3 and 4: COVER PHOTO BY CHRISTOPHER J. MORRI
Page 5 and 6: executive letter from the deSk of (
Page 7 and 8: cloud security. can you see beyond
Page 9 and 10: eighth annual GISla recipients (ISC
Page 11: ISSUE NUMBER 16 INFOSECURITY PROFES
Page 15 and 16: When was the last time your organiz
Page 17 and 18: Get recognized — our members do.
Page 19 and 20: she explains, ranging “from lack
Page 21 and 22: How to Set up Safe and Secure Onlin
Page 23 and 24: chapter passport MEMBERS CONNECT AN
Page 25 and 26: Korean Linux Documentation Project
Page 27 and 28: Department of Defense www.defenseli
Page 29 and 30: Communications and Networking www.i
Page 31 and 32: Slam the door on would-be attackers

The 2011 (ISC)2 Security Congress

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?