The Malicious Exploitation of Information Systems:
Preventing the Rise of the Insider Threat
6-7 November 2008, UCL
Issues in the Technologies of
Digital Investigation
Peter Sommer
London School of Economics, Open University
peter@pmsommer.com
p.m.sommer@lse.ac.uk
Incidents
• Frauds by employees and 3rd parties
• Contractual disputes
• Allegations of failure of duty of care
• E-mail and Internet abuse
• Breach of confidentiality
• Online defamation
• Employee / HR disputes
• Sexual harassment
• Acquisition and storage of child abuse images
• Data theft / Industrial Espionage
• Software piracy
• Theft of source code
© Peter Sommer, 2008
Incidents
• Unauthorised access by employees
• Unauthorised access by 3rd parties – “hacking”
• Unauthorised data modification – incl viruses and trojans
• Abuse of corporate IT resources for private gain
• Use of corporate IT resources as one stage in a complex criminal act in which a 3rd party is victimised
• Use of corporate IT resources for illegal file-sharing
• DoS and DDoS attacks
• “Phishing” and “Pharming” attempts
• Etc etc
• Requirements of disclosure in civil litigation
Incidents
• Rare, Spectacular Events
• Events that occur everywhere to everyone… but still cause panic, distress, loss
• High Impact / Low Frequency
• High Frequency / Individually, Medium-to-Low Impact
Something suspicious is happening in and around your computer systems…
• What do you do?
• Where do you find help?
• How do you assess the investigator market?
• Is the person you want available?
• What are you really asking them to do?
• Is it going to be enough?
The Insider Threat:
The Investigator’s Perspective
• What are the suspicions?
• How likely is it that the client has mis-interpreted the situation?
• What powers do I have?
I start out with no powers; I need to acquire them from the client
• Now to try and locate evidence …
The Investigator’s Perspective
• Now to try and locate evidence …
• How does the client’s organisation work?
What functions does it perform?
How do I relate business functions to bits of hardware, software, computer records?
• Given the suspicions, what should I go for?
Transaction records
Emails
Web usage
Contents of PC, laptop, mobile phone, PDA, memory sticks, etc
The Investigator’s Perspective
• Are there any restrictions on my access?
Client authorisation as employer
Limits on employer’s powers
• Human Rights Act 1998
• Data Protection Act,
• Protection from Harassment Act, 1997
• Regulation of Investigatory Powers Act 2000
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Computer Misuse Act 1990 (as amended)
The Investigator’s Perspective
• Are there any restrictions on my access?
• Penalties for breach of powers:
Criminal
Abuse of Process
Admissibility
Harassment
Etc etc
The Investigator’s Perspective:
Technologies
• PCs
Make reliable complete copy (“forensic image”) and analyse
• Obvious, visible records, emails, Internet activity
• Recovery of deleted data
• Chronologies of activities
Now standard procedures, products, training
Imaging can be done covertly overnight
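A “reliable complete copy” rests on one check: the digests computed while the source is read must equal the digests of the finished image, and the sizes must agree. The Python below is an added example written for this page, not code from the slides or from any forensic product. The “device” is a constructed byte string in a temporary file opened read-only, which stands in for a drive behind a write blocker (an assumption; real acquisition reads through a hardware or software write blocker). MD5 and SHA-256 are both recorded for the same bytes.

```python
"""Acquire a forensic image and verify it (added example, not from the slides).

The device below is a constructed byte string in a temp file, opened read-only
as a stand-in for a write-blocked drive. acquire_image() copies it block by
block while hashing the bytes as read; verify_image() re-hashes the finished
image and compares size and every digest. Only a verified image is relied on.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096
ALGORITHMS = ("md5", "sha256")    # two digests recorded for the same bytes

# Constructed stand-in for the contents of a small drive (not a real image).
DEVICE_CONTENT = bytes(range(256)) * 40 + b"last partial block"


def _new_hashes():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def _digests(hashes):
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_file(path):
    """Hash a file in fixed-size blocks so a large image never has to fit in memory."""
    hashes = _new_hashes()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashes.values():
                h.update(chunk)
    return _digests(hashes)


def acquire_image(device_path, image_path):
    """Copy device -> image; return an acquisition record holding the digests of what was read."""
    hashes = _new_hashes()
    total = 0
    with open(device_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            for h in hashes.values():
                h.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return {"source": device_path, "image": image_path, "bytes": total,
            "acquisition": _digests(hashes)}


def verify_image(record):
    """Re-hash the written image; trust it only if the size and every digest match."""
    record["verification"] = hash_file(record["image"])
    record["size_ok"] = os.path.getsize(record["image"]) == record["bytes"]
    record["verified"] = record["size_ok"] and record["verification"] == record["acquisition"]
    return record["verified"]


def run_demo():
    """Acquire and verify, then corrupt one byte of the image and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        with open(device, "wb") as f:
            f.write(DEVICE_CONTENT)
        record = acquire_image(device, image)
        before = verify_image(record)
        # Simulate a damaged or tampered image: flip one byte in the middle of it.
        mid = len(DEVICE_CONTENT) // 2
        with open(image, "r+b") as f:
            f.seek(mid)
            original = f.read(1)[0]
            f.seek(mid)
            f.write(bytes([original ^ 0xFF]))
        after = verify_image(record)
        return {"bytes": record["bytes"], "sha256": record["acquisition"]["sha256"],
                "verified_before": before, "verified_after_tamper": after}


if __name__ == "__main__":
    print(run_demo())
```

Run directly, it acquires the constructed device, verifies the copy, flips one byte of the image and verifies again; the second verification fails, which is the result that should stop anyone relying on that copy. On a real drive the acquisition record (source, size, digests, time, examiner) is what goes into the contemporaneous notes, and the verification is repeated whenever the image is copied to another medium.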
The Investigator’s Perspective
• Main systems
Full imaging likely to be technically difficult
Imaging is easier on a system taken off-line
• But then the business is no longer functioning
Partial copying runs the risk that it shows an incomplete picture of events
How far do existing back-up/archiving systems assist?
How do I limit my examination so as not to compromise the rights of third parties?
• Employees, customers, clients
The Investigator’s Perspective
• Subsidiary systems
Eg small specialist sub-systems
PDAs, laptops, cellphones, memory sticks, media players etc
Can we identify them?
May be disputes over ownership, expectations of privacy
Some devices may be technically difficult to examine
The Investigator’s Perspective
• On-going suspicions: “live” investigations:
Keyloggers
Servlets
Network monitoring
CCTV
Human surveillance
Background investigations
Physical searches
Technical Support
• Keyloggers
hardware
software
Technical Support
• Servlets
Eg EnCase Enterprise
Applied on all, or selected, PCs: remote forensic examination
Network Surveillance
External Logs
• System Logs
• Web Logs
• Intrusion Detection System Logs
• Anti-Virus Logs
• ISP Logs
RADIUS
Web-Logs
Squid Logs
Subject to DPA/RIPA authorisation and/or consent!
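The logs listed above only become evidence once they are put on one clock and tied to a person. The Python below is an added example written for this page, not code from the slides. It merges constructed sample entries (a syslog file, a Squid access.log in native format and a FreeRADIUS accounting “detail” file) into one UTC chronology, attributes proxy entries that carry no user name to whoever held that address under RADIUS at the time, and then restricts the output to the one account under investigation, which is one practical way of keeping third parties’ records out of the examination. Two assumptions are stated in the code: every syslog entry is from 2008, because syslog lines record no year, and all hosts logged in UTC.

```python
"""Merge external logs into one chronology (added example, not from the slides).
All sample entries below are constructed; they stand in for real log files."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SYSLOG_YEAR = 2008      # assumption: syslog lines carry no year, the investigator supplies it
LOG_TZ = timezone.utc   # assumption: every source logged in UTC

# Constructed syslog lines (sshd logins on the gateway host "gw")
SYSLOG = """\
Nov  6 09:14:55 gw sshd[2211]: Accepted password for jsmith from 10.0.0.5 port 51022 ssh2
Nov  6 09:20:10 gw sshd[2240]: Accepted password for acarter from 10.0.0.9 port 51100 ssh2
"""

# Constructed Squid access.log, native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SQUID = """\
1225962930.412    120 10.0.0.5 TCP_MISS/200 51234 GET http://pastebin.example/upload - DIRECT/203.0.113.7 text/html
1225962990.101     80 10.0.0.9 TCP_HIT/200 2048 GET http://intranet.example/news - NONE/- text/html
1225963100.000     50 10.0.0.77 TCP_MISS/404 300 GET http://example.net/x - DIRECT/198.51.100.4 text/html
1225963200.555    200 10.0.0.5 TCP_MISS/200 734221 POST http://files.example/put - DIRECT/203.0.113.9 application/zip
"""

# Constructed FreeRADIUS accounting "detail" records: date line, indented attributes, blank line
RADIUS = """\
Thu Nov  6 09:14:02 2008
\tAcct-Status-Type = Start
\tUser-Name = "jsmith"
\tFramed-IP-Address = 10.0.0.5

Thu Nov  6 09:16:00 2008
\tAcct-Status-Type = Start
\tUser-Name = "acarter"
\tFramed-IP-Address = 10.0.0.9
"""


@dataclass
class Event:
    ts: datetime            # timezone-aware, normalised to UTC
    source: str
    user: Optional[str]
    ip: Optional[str]
    detail: str


SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^\[: ]+)(?:\[\d+\])?: (.*)$")


def parse_syslog(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOG_TZ)
        who = re.search(r"\bfor (\S+) from (\S+)", msg)
        user, ip = who.groups() if who else (None, None)
        events.append(Event(ts, "syslog", user, ip, f"{host} {prog}: {msg}"))
    return events


def parse_squid(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)   # Squid logs epoch seconds
        user = None if f[7] == "-" else f[7]                          # "-" when no proxy authentication
        events.append(Event(ts, "squid", user, f[2], f"{f[5]} {f[6]} {f[3]} {f[4]} bytes"))
    return events


def parse_radius(text: str) -> Tuple[list, List[Event]]:
    """Return address leases as (start, user, ip) plus one Event per accounting Start."""
    leases, events = [], []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        ts = datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=LOG_TZ)
        attrs = dict(l.strip().split(" = ", 1) for l in lines[1:])
        if attrs.get("Acct-Status-Type") == "Start":
            user, ip = attrs["User-Name"].strip('"'), attrs["Framed-IP-Address"]
            leases.append((ts, user, ip))
            events.append(Event(ts, "radius", user, ip, f"Acct-Start {user} -> {ip}"))
    return leases, events


def attribute(events: List[Event], leases) -> None:
    """Give a user-less entry the user who most recently took that address before it."""
    for ev in events:
        if ev.user is None and ev.ip:
            held = [l for l in leases if l[2] == ev.ip and l[0] <= ev.ts]
            if held:
                ev.user = max(held, key=lambda l: l[0])[1]


def build_chronology(subject: Optional[str] = None) -> List[Event]:
    """One UTC-ordered timeline; with a subject, only that account's entries are returned."""
    leases, radius_events = parse_radius(RADIUS)
    events = parse_syslog(SYSLOG) + parse_squid(SQUID) + radius_events
    attribute(events, leases)
    if subject is not None:
        events = [e for e in events if e.user == subject]
    return sorted(events, key=lambda e: e.ts)


if __name__ == "__main__":
    for e in build_chronology("jsmith"):
        print(e.ts.isoformat(), e.source, e.user, e.detail)
```

Run directly, it prints the four entries that concern jsmith (RADIUS start, ssh login, the two proxy transfers) and nothing about acarter or the unattributed address 10.0.0.77. Entries that cannot be tied to a lease stay unattributed rather than being guessed; on real data the year and timezone assumptions, and the accuracy of each host's clock, are the first things a lawyer will ask about, so record them with the chronology.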
Forensic Readiness Plan
Why have plan?
• To reduce costs and panic
• External consultants will have to “learn” the business
• Lawyers will have to identify admissibility and privilege issues on the spot
• Can also be used for other legal situations, eg internal disciplinary disputes, routine transaction disputes, to aid law enforcement
Forensic Readiness Programs
Essentially:
Based on threat analysis / scenario development
Requires identification of potential evidence / disclosure requirements – and a plan for their formal production
Results in a proper Contingency Plan – which is tested and kept up-to-date
7-step Forensic Readiness Plan
Identify:
1. the main likely threats / legal challenges faced by your organisation
2. what sorts of evidence / disclosure you are likely to need if you have to proceed to civil or criminal litigation
3. what you will need to do to meet various regulatory and compliance requirements
4. how far you may have that material already
5. what you will need to do to secure additional essential material
6. the management, skills and resources implications for your organisation
7. turn the results into an action plan – which will need regular revision as the organisation and its ICT infrastructure develops.
7-step Forensic Readiness Plan
The Good News:
quite a bit of the work may already have been carried out elsewhere in the organisation…
…Disaster Recovery / Business Contingency Plans
Business Contingency Plans
• Preparation against disaster:
Fire
Flood
Terrorism
Denial of access
Computer failure
Etc etc
Business Contingency Plans
• Tells organisation what to do:
Emergency Priorities
Team that will act / Reporting Responsibilities
Migrated offices, locations
Migrated people
Migrated ICT
PR for customers, clients, investors,
bankers, public-at-large etc
Business Contingency Plans
Research, Design
• Business Analysis to determine priorities (it’s too expensive to restore everything instantly)
• Relation of business processes to specific ICT resources, hardware, software, communications links; availability of back-up
• Detailed plan for who does what when
• Emergency Response Team
• Internally published Plan
• Frequent Testing and Revision
Forensic Readiness Plan:
Additional Requirements
• Legal / Regulatory requirements
• Analysis of back-up plans
Incremental / complete
• Specific Data Retention / Destruction requirements
• Decisions about mode of disclosure
Electronic, print-out, extents, etc
• Witness to explain systems, material produced, testify to reliability and completeness
Guide to Digital Investigations and Evidence
First published 2005; new edition due
www.iaac.org
Life-cycle of incidents
[Diagram: Computer Incident Management Life Cycle, stages plotted against Time: Detection; Reporting; Diagnosis - Initial; Initial Management Actions; Evidence Collection; Diagnosis - Mature; Mature Management Actions; then Business Recovery Activity, Legal Activity and Remedial Activity]
Remedial Activity
• The final “prize” from having a FRP:
• Closing the Loop / Learning the Lessons
• Although the FRP is aimed at legal outcomes, after any event you will have a detailed explanation of what went wrong
• Should lead to precise remedial actions