tema meseca VAROVANJE KONČNIH TOČK (ENDPOINT SECURITY)

Saša Aksentijević spent his entire educational

and professional life in ICT area. First he
worked several years as an independent ICT
consultant, an owner of a start-up company
and a specialist for mass storage
technologies.
During the past seven years he has been
working in one the world’s biggest
multinational companies in the oil and gas
sector which performs off shore and
onshore turnkey projects. Holds B.Sc title
in business informatics, Master title in
ICT Management and ICT Security and
ISO 27001:2005 Lead Auditor
certificate. On top of that, he works as
business strategy consultant
specialized in safety at work and
human resource management and
he is certified ICT forensics court
expert at Commercial and
Municipal Courts. Recently, he
started his ph.d. studies in
Business economy.

WHAT TO DO IN CASE OF SECURITY BREACH AND

HOW TO PREVENT THEM?
SAŠA AKSENTIJEVIĆ 1. Approach the issue calmly and without
panic and avoid any form of written and
electronic communication including
phone calls. In most cases, the damage is
already done when the information about
the security breach or incident has be-
come apparent. Even though quick re-

T
here are several typical cases when cor-
porate clients ask for services of foren-
sic analysis of computer systems and
analysis of front-end perimeter breaches,
the most common ones being litigations
and proceedings towards current or ex-em-
ployees. In this article I will try to give some
advice to those responsible for responding
to security breaches and what to do in order
to resolve the situation. It is important to
underline what to do, and even more im-
portantly, what NOT TO DO when re-
sponsding to security incidents. In most
cases, doing nothing is better than doing
just anything, so I will start with a list of ac-
tions not to be done, and that are usually
prevalent in most organizations that do not
have well established incident response pro-
cedures, or when they are entrusted ran-
domly, either by hierarchy or by placement
of the incident within organization, thus
“avoiding hot potato in their own lap“.
< VI/MAREC 2010 >
sponse is of high importance, it is even
5 more important to approach the issue
calmly and in analytical manner avoid-
4 ing an „emotional“ response. If there is a
reasonable doubt that there has been
3 damage incurred to the company’s re-
sources, computer and network systems,
company’s image and reputation, or the
2
computer systems and information have
been used in a way that is contrary to the
business policy and strategy or that the
1 local laws have been violated, it is impor-
tant to discuss the hard facts in complete
confidentiality with the highest decision
levels within organization while mini-
1 – Avoid emotional response mizing the number of involved people.
2 – Do not confront suspects and avoid
evidence contamination
The reasoning is simple: security and in-
3 – Do not avoid authorities formation breaches are often initiated by
4 – Ensure consistent state of hardware people who are either highly positioned
5 – Do not conduct internal investigation with- within organizations or have direct
out professionals hands-on knowledge of the information
Fig 1: five petals of ICT forensic investigation system maintenance, therefore widening
“don’ts” the number of people involved in inci-
11
 dent response might easily backfire and
render such attempts unsuccessful. At
this stage it is important to avoid doubts
in those who are subject of the investiga-
tion, as it could result in further compro-
mising the integrity of the information
systems or data deletion.
2. A common error made by most manag-
ers is immediately confronting the sus-
pects personally after suspicion of a se-
curity breach, even before the forensic
investigator has securely analyzed the
available data, ensured the chain of evi-
dence and secured the evidence data
avoiding contamination. This step is very
important because at this stage, evidence
is secured for possible future proceed-
ings in court processes
3. Contact with the police should not be
avoided. This is true for information se-
curity breaches. Being honest and
straightforward towards public and
stakeholders is a staple in successful cri-
sis and PR management. If the law has
been violated in any way, after consensus
with responsible within organization,
police and other authorities have to be
involved.
4. Never turn off computers and computer
systems that could be compromised. This
is also one of the most common mistakes
– managers usually want to turn off com-
puters in order to preserve evidence,
however, sometimes it can be deleted by
powering down systems. On the contra-
ry, if possible, try to ensure uninterrupt-
ed power supply until the forensic inves-
tigators arrive, but do not use those sys-
tems, to ensure that no changes are made
to data and file systems.
5. Reversal of the previous point is also val-
id – do not turn on the computer systems
that are turned off, if they could have
been tools used in computer crime or
system breaches, and it could also com-
promise and delete traces needed for in-
vestigation.
6. The biggest damage that can be done by
„do-gooders“ from ICT departments is
usually done when trying to do an inter-
nal investigation. Area of computer fo-
rensics is very complex and people who
have high levels of computer education
are not necessarily people who can run
computer crime and information securi-
ty breaches investigations. Unless the
personnel is authorized, has all the ade-
quate forensic tools, and understands le-
gal implications of collected evidence
contained within computers and compu-
ter systems, it is quite possible that evi-
dence could be corrupted, destroyed, or
rendered not accepted in possible future
legal proceedings.
Once that we have established what not
to do, let us put some emphasis on what to
12
Create reponse plan Widen the scope
Create list of hardware Secure the equipment
resources to be analyzed and service from changes
Create list of services Segregate identified
to be analyzed hardware
Prepare for it, but do not Change access
execute data restore credentials
Identify and secure logs Ensure chain of evidence
Fig 2: Two pillars of ICT forensic investigation
“do’s”
do in case there is a suspicion that organiza-
tion’s computer and network systems were
abused, or that there is external security pe-
rimeter breach. The same applies for possi-
ble misuse of computers, notebooks, palm-
tops, external memories and ports, mobile
telephones and other computer and tele-
communication equipment. Let us outline
what should be done in order to ensure ad-
equate response and analysis to forensic in-
vestigators and court experts once they are
involved in the process.
“IT IS IMPORTANT TO UNDERLINE
WHAT TO DO, AND EVEN MORE
IMPORTANTLY, WHAT NOT TO DO
WHEN RESPONSDING TO SECURITY
INCIDENTS. IN MOST CASES, DOING
NOTHING IS BETTER THAN DOING
JUST ANYTHING.”
1. In most cases, there should be a fine bal-
ance between sense of urgency and pre-
serving the evidence. Computer systems
usually preserve evidence on them for a
longer period of time, at least long
enough to create an action plan. Key
questions are the following:
a) who should be informed within organi-
zation about the information security
breaches
b) is the law broken
c) is it necessary to contact the police
d) is it necessary to contact the lawyers
e) is it possible to conduct internal investi-
gation
2. It is advisable to make a list of used soft-
ware and hardware and all compromised
computer and other assets. This will
speed up the forensic process as such list
can be readily submitted to those in
charge of investigation. This refers to all
media like floppy disks, CD and DVD
media, hard drives, USB hard drives, pen
drives, memory cards and digital photo
cameras.
3. The list from previous item should be
widened by further answering to the fol-
lowing questions – is it possible that oth-
er computers other than those immedi-
ately identified have been misused, for
example, common terminals or worksta-
tions, computers of coworkers from the
office or company, mobile phones, palm-
top computer, electronic organizers?
Then the list should be updated while
evaluating not only affected hardware
but also the informational infrastructure
of the organization. Which services and
databases are maybe compromised and
where are they located, are they internal
or external (distributed)?
4. In the case that part of the security breach
is also data loss due to corruption and
deletion, tapes and other media contain-
ing last functional backup should not be
immediately restored. Instead, forensic
investigator should first look for evi-
dence, and only after evidence has been
secured, the service should be restored.
5. All access and activity logs stored on
computers, network equipment, server
systems, telephone exchange systems and
fax systems should be identified and se-
cured. They can be of great interest to the
breach investigation and help forensic in-
vestigators to reach certain conclusions.
“IF THERE IS A REASONABLE DOUBT
THAT THERE HAS BEEN DAMAGE
INCURRED TO THE COMPANY’S
RESOURCES, COMPUTER AND
NETWORK SYSTEMS, COMPANY’S
IMAGE AND REPUTATION, OR THE
COMPUTER SYSTEMS AND
INFORMATION HAVE BEEN USED IN
A WAY THAT IS CONTRARY TO THE
BUSINESS POLICY AND STRATEGY
OR THAT THE LOCAL LAWS HAVE
BEEN VIOLATED, IT IS IMPORTANT
TO DISCUSS THE HARD FACTS IN
COMPLETE CONFIDENTIALITY WITH
THE HIGHEST DECISION LEVELS
WITHIN ORGANIZATION WHILE
MINIMIZING THE NUMBER OF
INVOLVED PEOPLE.”
6. The scope of investigation should be wid-
ened outside of the organization’s perim-
eter, in case it is so indicated. Is it possi-
ble that certain parts of misuse were done
to remote computers outside of the com-
pany’s perimeter, for example, using
notebook or home personal computer?
What is the current location of such
equipment and is their investigation go-
ing to be of interest for the forensic inves-
tigator? What should be done in order to
gain access to that remote information
processing equipment?
7. In any case, the most important thing in
initial investigation of any perimeter breach
VARNOSTNI FORUM

is to preserve the computer systems
from any kind of change. If the compu-
ter system is turned off, leave it in such
state because turning it back on might
erase important evidence. If the compu-
ter system is turned on, leave it turned
on but do not use it until it is accessed
by the forensic investigator, and ensure
constant power supply. In case of pe-
ripheral equipment powered by batter-
ies like notebooks, mobile phones, land-
line phones or palmtops, they should
not be used, but should be connected to
external power source to ensure that in
the case of deep battery drainage the
contained data does not get erased.
8. In most cases, it is safe and advisable to
disconnect the affected computer or
computer system from the computer
and telephone network by physical re-
moval of network and telephone cables,
in order to preserve the evidence and
prevent remote access to computers and
distributed removal of evidence by the
perpetrator.
9. Only after joint decision of decision
makers in the organization, those re-
sponsible for information systems, law
enforcement and forensic investigators,
the passwords and logins for system uti-
lization should be changed, and e-mail
rights and other privileges should be re-
voked from those that are suspects in
the investigation in case of internal em-
ployee or internal third-party security
breaches. This decision could signal
them that they are under investigation
so it should be carefully made after
broad consensus.
10. All identified evidence should be ade-
quately stored under lock and key or in
a safe, the list of taken steps should be
detailed with signatures of those re-
sponsible for different steps. It is possi-
ble to include also external authorities
in this process to ensure evidence valid-
ity and integrity, like public notaries,
lawyers, forensic investigators, police
officers and other various trustworthy
witnesses.
11. Finally, the best advice to all corporate
organizations and even mid-sized or-
ganizations is to have either umbrella
frame agreements, or at least established
contacts with computer forensics ex-
perts or consultants, in order to ensure
right perimeter breach and incident re-
sponse.
Technical and organizational measures
that can be undertaken in order to prevent
or mitigate the risk of perimeter breaches to
any part of ISMS can either be proactive or
reactive. Forensic response described above
is a part of the reactive process that not only
establishes back endangered services, but
also manages the incurred damage and con-
< VI/MAREC 2010 >
sequentially discloses the perpetrator. How-
ever, in most cases, the key is in the preven-
tion or the proactive behavior. There are
five basic groups of measures that can be
implemented in advance, in order to miti-
gate these risks:
1. Procedures of purchase and procurement
of hardware equipment should be aligned
with basic policies of internal and exter-
nal perimeter security to ensure both
service availability and data and systems
confidentiality and integrity.
“SOCIAL ENGINEERING AWARENESS
IS USUALLY IMPORTANT FOR THE
ORGANIZATION, BECAUSE ALONG
WITH THE TECHNICAL,
ORGANIZATIONAL AND FORENSIC
RESPONSE, IT SOMETIMES NEEDED
TO ADDRESS THE ISSUES OF SOCIAL
ENGINEERING WITHIN THE
ORGANIZATION THAT MIGHT HAVE
GRANTED UNAUTHORIZED ACCESS
TO THOSE ENTERING THE SECURITY
PERIMETER.”
2. Hardware and software systems that pre-
vent misuse of peripheral, exposed
equipment should be in place and aligned
with real business needs. These systems
should be implemented in order to en-
sure encryption, rights management on
certain services and document classes,
impose service denial or limitation to
certain groups of users, set priorities and
use heuristics to identify possible breach-
es and none granted attempts of access.
These systems in fact heavily rely on or-
ganizational component of ISMS and
they are only as effective as is internally
established ISMS. Therefore, investing
in intrusion prevention software and
hardware without investment in proce-
dures and human resources can be some-
times expenditure that is not justified by
obtained results, and that should be
higher level of integral security of the
system or organization as a whole.
3. As already described, clear policies of
ISMS implementation, detailed analysis
of procedures and contingency proce-
dures, communication channels and
hardware resources, disaster recovery
and business continuity and clear SLA
with consultants that are specialists for
security incident response are both basic
and clear prerequisites for effective man-
agement of security breaches in the or-
ganization. These consultants typically
offer services of incident management
on a technical level and they are special-
ized to stop any attack or mitigate already
done damage.
4. Social engineering awareness is usually
VAROVANJE KONČNIH TOČK (ENDPOINT SECURITY)
important for the organization, because
along with the technical, organizational
and forensic response, it sometimes
needed to address the issues of social en-
gineering within the organization that
might have granted unauthorized access
to those entering the security perimeter.
Sometimes, the organizations want to
identify a “single culprit” for certain se-
curity incident, yet it is clear that multi-
ple points-of-failure are often the cause
of a security breach. Therefore, the goal
of every organization should be in pre-
vention and not reactive behavior. The
only way to mitigate social engineering
risk is to educate those that are in charge
of technical maintenance of information
system components, and also to educate
their users.
“THE BEST ADVICE TO ALL
CORPORATE ORGANIZATIONS AND
EVEN MID-SIZED ORGANIZATIONS IS
TO HAVE EITHER UMBRELLA FRAME
AGREEMENTS, OR AT LEAST
ESTABLISHED CONTACTS WITH
COMPUTER FORENSICS EXPERTS OR
CONSULTANTS, IN ORDER TO
ENSURE RIGHT PERIMETER BREACH
AND INCIDENT RESPONSE.”
5. Alignment of incident response with
goals of the organization. Very often the
risk of information security or secure pe-
rimeter breach is simply accepted, even
when it is very high, because the organi-
zations silently accept their exposure by
trying to minimize the costs related to
contracts, services, hardware and soft-
ware that should be purchased or ob-
tained to mitigate the real risk. It is up to
every organization to carefully leverage
the cost of possible data theft, corrup-
tion, deletion or security breach against
yearly investments and costs related to
mitigation measures and possible con-
tracts with third parties related to foren-
sic and incident response and even pre-
vention. Most corporations still have rel-
atively modest numbers of in-house au-
thorized forensic staff, so they should be
very careful not to fall in the trap of cost-
cutting where it is not exactly advisable.
Proven fact is that return of investment
on ICT forensics is clearly qualitative and
not quantitative – this is something that
stakeholders usually do not value highly.
It is even worse when ICT systems are
not a part of overall business strategy but
merely support functions. In such sce-
narios, it is clear that there will be more
security breaches and also the forensic
and incident response will be difficult,
delayed and maybe inadequate.
13