Despite new security threats, such as smarter malware, compliance and proof of best endeavour requirements, the desire for a holistic security strategy that covers everything from policy to prevention is currently not being met by the security industry.

Computer forensics – a definition

Digital forensics is the process of using the scientific method to examine digital media in order to establish facts for legal purposes, especially judicial review. It involves the systematic inspection of IT systems, especially data-storage devices, for evidence of a civil wrongdoing or criminal act. Because of its focus on facts and scientific method, computer forensics processes must adhere to courtroom standards of admissible evidence, which severely complicates some of the otherwise simple data analysis tasks such as looking at logs to determine who connected to the system.

Source: Dr Anton Chuvakin, security expert and author of Security Warrior

What someone who sells IT security products can offer in terms of a comprehensive computer security strategy is a list of reasons their feature-rich products are better than those of their rivals.

Whether secure sockets layer (SSL), virtual private network (VPN) appliances; the latest audio-visual software or intelligent networks, point solutions are the only things available in the marketplace. If you ask about computer forensics, the usual answer is “we don’t do that”.

The reason is that forensics is not yet a mainstream field and descriptions and definitions vary. Yet how do organisations integrate incident response, breach handling and forensic examination into a security strategy? That security strategy should be defined by policies and procedures to minimise security risk at the lowest cost and least disruption. It is a major challenge facing many CIOs.

The response strategy could increasingly dictate the success or failure of the entire security approach. Examples are diverse. Recent cases where computer forensics have played a major part have included breaking a fake pharmaceuticals ring in which the UK’s Medicines and Healthcare products Regulatory Agency (MHRA) used computer forensics to prove that individuals had set up an entire manufacturing and distribution business for fake Viagra, Cialis and baldness cure Propecia.

Another case led to the discovery and successful prosecution of an NHS manager who paid himself over £600,000 through phantom employees. Similar scams could be happening in your organisation.

The big sleep

So has the industry been sleeping on the job? Have the security firms had it their own way for too long? The House of Lords science and technology select committee slammed the IT security industry last year for having failed in its duty to protect businesses by putting the burden of blame onto the user. In a damning report it declared that: “a lack of vendor liability for security breaches has created a commercial environment in which software providers have no incentive to produce high quality, robust products.” Those in the security product game were quick to point out that users are often complicit in the shortcomings of the products bought as they are happy to think in the short term.

Tim Hyman, IT director at legal firm Taylor Wessing, says: “There are some excellent solutions. There is not a single area not catered for but you pay a premium for the good solutions. What you don’t get is one solution for everything you want to do. You are forced to go best of breed. With each you tend to get a diluted solution. What doesn’t exist is one contract, one set of supports, one system to work with and update regularly.

Email forensics

Tim Hyman, IT Director for Taylor Wessing describes why his firm invested in an email storage system which stores everything ever sent and keeps permanent copies of all his companies correspondence.

“Keeping track of every email ever sent or received is more than a case of storing it on an exchange server and is fast becoming standard practice in the legal world.

"Where email is the medium for transmitting legal advice every email needs to be captured forensically. This is done primarily because if a member of staff from a client has been communicating with us – their lawyers – then clients need confidence that if any people leave, or for whatever reason they lose an employee, they need to see every communication ever sent. So we invested in such a system to stop situations arising like emails being deleted prior to back-up.

"This has many advantages for internal use, for client data management and in the event that email needs to be presented before a court. A printed email is useless and a CD can be faked. It is impossible to say yes, it will definitely be admissible, as that depends on the case, the judge and its importance as evidence. [But] having a full audit trail with full traffic information, showing that you’ve gone out of your way to invest in a system which will tell you when it arrived at an ISP and the time it bounced around servers, there’s a higher chance of it being accepted.”

You have a different firewall for the VPN, to the one for web access, to forensic back-up – all from different vendors. This adds hugely to the support effort and costs. Vendors are doing a pretty good job but they are always playing catch-up.”

Double indemnity

But in reality not all blame can be laid at the feet of the vendors. How complicated can it be to conceive and deploy a complete security strategy? Very, as it turns out. A fragmented industry meets a complicated corporate structure with many stakeholders leading to potentially calamitous consequences. This best of breed point solution market means that by some reports the average enterprise has 36 different security vendors and spends a huge amount of resources managing, patching and updating.

What happens at a corporate level? Sheila Upton, director of risk management at Ernst & Young, says the gap between desire and action remains. “If you are responsible for security how you do it holistically is first to work closely with the business and that means educating senior managers,” she says.

“You are going to have challenging conversations. How worried are they about the value of corporate data? How can you implement appropriate security without disabling the business? Even with senior managers. the conversations will be about personal digital assistants and solid state memory sticks, all enabling unchecked data flow around the organisation which is dangerous. But as soon as you say ban them they are declared key to the business. Which moves onto using the technology, but putting controls on it. Then what are the sanctions to put in place?

Finally it is a case of going shopping among the security vendors and getting what you want. Then when you explain what it all means they will understand that you have something tangible with lots of risk registers, lots of firewalls and lots of investigative activity, which is difficult to manage. People and processes, they are the weakest link.”

Despite its provenance in legal cases, increasingly, forensic examination of data is not just needed for the courtroom, but also in areas such as staff management and protection of intellectual property. It is fast becoming standard practice for firms to image staff computers immediately after they resign or have their contract terminated.

This protects company secrets, and stores evidence in the case of disputes arising in staff treatment or accusations of wrongful dismissal. Claims often do not surface until long after staff are replaced. And these skills are increasingly being sought by large corporates, says Professor Andrew Blyth of the University of Glamorgan advanced technology faculty. “The people who take our MSC and BCS in computer forensics are being offered jobs before they finish the course,” he says.

Future forensics

A measure of difficulty in finding a proper model for computer forensics can be found in the history of the Cyber Tools Online Search for Evidence project (CTOSE). In 2003 the European Commission completed CTOSE; a research project funded by the European Commission’s Information Society Technologies (IST), which it claimed was “the first end-to-end methodology to guide investigators through the difficult task of computer forensics”. The project took two years and involved experts from such firms as QinetiQ, Alcatel and three research Institutes: the CRID at the University of Namur (Belgium), the University of St Andrews (UK), and the Fraunhofer Institute (IAO)/University of Stuttgart (Germany).

Robin Urry, who now works for the CPNI (Centre for the Protection of National Infrastructure) was involved.

Criminal activity incident response

What to do if your company is implicated in criminal activity:

Lock down data to ensure it is preserved. This is equally true for hard and soft copy information.

Image scan PCs of relevant people and other team members.

Secure back-up tapes for file/email and application server and put in a safe. Start with new back-up tapes. Test previous back-ups to ensure they have no errors.

Consider imaging servers at the earliest convenience.

Issue instructions to all staff not to delete or remove data from the office.

Consider temporarily removing remote access to systems to prevent unauthorised access to systems.

Source: Andrew Durant, Navigant Consulting Investigations and Disputes practice

He says: “We had lots of police support and input developing CTOSE, yet it never flew. We managed to get some money from Scottish Enterprise and Clydesdale Bank to set up an office in Edinburgh and built membership. However, sponsorship from big corporate supporters like Microsoft and Symantec did not materialise, so we closed it all down. It was the right thing, just ahead of its time.”

So for now forensics policies are being driven by activities the US. Several US states have passed legislation restricting the practice of computer forensics to private investigators. However, there is no sign that that will happen here. But what is clear is that knowing what to do after you‘ve been hit and knowing that you can isolate and locate vital data is the key to the safety of your systems.

When the head of M15 addressed a group of UK newspaper editors late last year this is what he had to say: "So despite the Cold War ending nearly two decades ago, my service is still expending resources to defend the UK against unreconstructed attempts by Russia, China and others, to spy on us. A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense. They do not only use traditional methods to collect intelligence, but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks.”

All security is a journey not a destination and bad things will always happen either maliciously or by accident. It appears that because security encompasses so many different disciplines (policy, technical, HR, communications), the only way to identify culprits and apportion proper blame, whether it is a foreign government or someone from accounts, will be through computer forensics.