Crime Scene Investigation for the CIO

By Jodi Mardesich

The use of forensics isn't just for detectives. As digital crimes perpetuate, CIOs may need to investigate crimes, preserve evidence, and reconstruct such events as security breaches perpetrated by outside hackers, or the theft of customer or company data by employees on the inside.

CIOs have been advocates for improving security to fight cyber crime. They have stressed the importance of educating employees to follow security policy, including not divulging personal information about customers. They have likely instituted acceptable use policies for email to ensure that sensitive company information doesn't end up in the wrong hands.

But CIOs are increasingly being asked to take on a new role when a cyber crime has been committed. They need to become digital detectives, using computer forensics to crack down on the culprits, both to prevent similar attacks in the future, and to show accountability in the face of new legislation.

Some laws require companies to respond to attacks. For instance, the state of California requires the disclosure of certain breaches of private customer data. When a company discloses a breach, customers naturally ask questions, and want to know how they will be protected in the future, says Forrester Research analyst Michael Gavin.

"You'll need a digital investigation to answer," Gavin says. While existing laws don't require investigations, Gavin says, performing an investigation helps document the steps taken and the evidence found, two things the company will need if the incident develops into a court case.

"And you may limit your liability by conducting a timely investigation and acting on the results," he says. "The possibility that corporate officers will be held accountable, facing fines and/or prison for not complying with future regulations, will drive new investigative capabilities."

Computer forensics and digital investigations involve the search of computers and other electronic devices for evidence. There are five types of digital investigations that organizations can undertake, according to Gavin:

  • Incident Response -- Investigating attacks on computers and networks.
  • Internal Investigation -- Employees are investigated for inappropriate behavior.
  • Criminal Investigations -- These involve searching for evidence pertaining to a crime.
  • Electronic Discovery -- An organization needs to search its electronic records, files, and systems for court-ordered evidence.
  • Data Recovery -- This involves searching for and recovering lost data.

Most CIOs should assume that they will have to do the first three types of investigations because they are the most common, Gavin says. By familiarizing themselves with the types of investigations that might be necessary, CIOs can prepare for them and improve the quality of the investigations they conduct.

Learning how to perform digital forensics is not easy, partially due to today's corporate culture of secrecy and fear of disclosure. In the 2005 Computer Security Institute/FBI Computer Crime and Security Survey, only 20% of those surveyed who admitted their organization had experienced one or more security breaches actually took the step of reporting any of those breaches to law enforcement. Still fewer -- only 12% -- reported those breaches to their own attorneys. Most organizations tend to keep breaches and crime to themselves; however, experts say owning up to being the victim of computer crime by reporting crimes to law enforcement officials is essential.

As computer crimes become more common, organizations can take steps to prepare themselves for digital sleuthing in the following ways:

  • Create policies specifically for investigations
  • Identify a team to participate in investigations
  • Invest in computer forensics products
  • Share information about computer crime
  • Form partnerships with law enforcement officials

Create policies. When an attack or crime occurs, how should IT staff respond? Create specific policies for investigations, and train IT staff what to look for, who to report the incident to, and how to respond, especially how to preserve and collect evidence.
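One concrete piece of "how to preserve evidence" that can be written into such a policy and rehearsed by IT staff is to hash everything at the moment of collection and record who collected it and when, so that any later change to the evidence is detectable. The following Python script is an added example, not code from the article or from any product it mentions; the case ID, collector name and the files it creates are constructed sample values.

```python
"""
Added example (not from the article): a minimal evidence-preservation
routine of the kind an IT team might be trained to run as soon as files
are collected from a suspect system. It hashes each collected file,
records who collected it and when, and can later re-verify that nothing
changed. Case ID, collector name and file contents are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record size and hash for every file under evidence_dir plus who/when collected it."""
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            entries.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_of_file(p),
            })
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return a list of problems (missing or modified files). An empty list means intact."""
    problems = []
    for entry in manifest["files"]:
        p = evidence_dir / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
            continue
        if sha256_of_file(p) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def demo() -> tuple:
    """Create constructed sample evidence, hash it, alter one file, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("constructed log line 1\nconstructed log line 2\n")
        (root / "notes.txt").write_text("constructed sample evidence\n")

        manifest = build_manifest(root, collector="J. Doe (IT on-call)", case_id="CASE-EXAMPLE-001")
        before = verify_manifest(root, manifest)   # intact right after collection

        # Simulate a file being edited after collection; the manifest exposes it.
        (root / "notes.txt").write_text("changed after collection\n")
        after = verify_manifest(root, manifest)
        return len(manifest["files"]), before, after


if __name__ == "__main__":
    count, before, after = demo()
    print(json.dumps({"files": count, "before": before, "after": after}, indent=2))
```

In practice the manifest would be written to separate, write-once storage alongside the evidence and re-verified by whoever next handles it, which is what gives the record its value if the incident ends up in court.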

Identify a team. Determine who should be involved in digital investigations: security experts? members of the legal staff? IT staff capable of preserving evidence? By creating a team and a plan beforehand, a company will be poised to immediately launch an investigation should the need arise. The first 24 hours of an attack are the most critical, says Amrit Williams, a Gartner analyst.

"The most important step takes place before an incident occurs," Williams says. "Put the proper mix of technologies and processes in place so that the necessary people know exactly what to do, and they have the tools they need and the pre-approved support of their management."

Invest in computer forensics products. There are a growing number of products designed for digital investigations. Products can't take the place of experienced forensics experts, but business tools have been developed recently to help in routine cases, Gavin says.

"People adequately trained on existing tools can successfully perform many routine investigations without needing to call in those specialists," he says.

Some tools are focused on incident response, while others focus on forensic acquisition and analysis and security monitoring. Forensic tools work to gather evidence, but no one tool addresses all investigative needs.

Share information. Rather than keeping crimes secret, share information with other groups to help prevent similar attacks from happening or spreading. Groups exist for networking and sharing information. In the U.S., several Information Sharing and Analysis Centers focus on specific industries. For instance, the IT-ISAC Web site shares information for IT professionals. Another group, Infragard, is a good place to develop contacts with law enforcement.

Form partnerships with law enforcement officials. In the course of an investigation, IT departments may need to interact with law enforcement officials, so familiarize yourself with your rights and responsibilities beforehand.

"Establish a relationship before the fact, learn what each other will need in different circumstances, and identify ways to work together that will minimize disruption to your business," Gavin says.

Not every organization is going to have a digital investigations team on staff. But IT executives need to know what to do in the event an offense is committed so they can prevent it from occurring again.

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, The Advocate, Salon, Slate, and Yoga Journal.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
