Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)



This chapter introduced numerous solutions for those of you who are conducting advanced computer forensics, using encryption for protection and hacking back with advanced hacker trackers. As previously explained, hackers and crackers are everywhere, but you may think your company’s system is too minor for them to notice. Not true. Hackers don’t always target specific machines—they scan hundreds with special programs to find any that might be vulnerable to attack. The intruder could be a teen hoping to use your system to launch an attack on a Web site, or a bitter ex-employee looking for payback.

The Internet today is like a walk through a vineyard, with the attackers stopping here and there to pick a grape at their leisure. The feast is seemingly never-ending.

Even a secure company network can be riddled with holes such as badly configured routers that expose data in transit to snoops. Think your firewall will protect you? Not always. Attacks at Microsoft and eBay prove otherwise.

Furthermore, protecting your network against hackers need not be a full-time job. By including a few best practices as part of your organization’s daily routine, you can prevent leaks from developing—or at the very least, plug them before the dams break altogether.

Computer forensics provides the methodology for investigating and documenting cyber crimes, so they may be later tried in court. Hiring an expert is costly but necessary to preserve evidence during the legal process.

Also, tools for sifting digital media and detecting network intrusion have become easier to implement, but they still demand a sizeable time commitment and cross-discipline knowledge in most situations. Training is required both to secure a crime scene and to follow the procedures that litigation demands.

Conclusions Drawn from Advanced Computer Forensics

An Agenda for Action in Advanced Computer Forensics

The following is a provisional list of actions for advanced computer forensics. The order is not significant; however, these are the activities for which research should provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these advanced computer forensics topics have already been mentioned in passing:

  1. Install patches: Microsoft’s Critical Update Notification tells you when new patches are available. Be sure to install them on all your PCs.

  2. Secure old computers: Inventory your systems, and unplug from the network any that no one uses anymore.

  3. If a networked computer is shared, make sure it receives the same security updates as other systems.

  4. Encrypt data every place it’s stored, including PC hard drives.

  5. Do frequent security audits, including trying to gain access using easily available hacking tools.

  6. Ensure that you only run the services you need and only open the ports needed by your network.

  7. Your gateway to the Internet should be a system without any important company data, or a hardware solution backed up by a firewall.

  8. Set up Windows Update notification for the server and have a back-up server ready when you need to run the update.

  9. Always check security bulletins and consider joining ‘hacking’ mailing groups to find out what’s happening on ‘the other side’ of computer security.

  10. Regularly test the security yourself, so that you know what needs fixing.

  11. Make sure no one person is controlling the system front to back.

  12. Require every person logging on to use a password.

  13. Assign supervisory rights to as few people as possible.

  14. Back-up all systems weekly.

  15. Have a strict sign-in/sign-out system for back-up tapes.

  16. Always have a current copy of the back-up tape stored remotely.

  17. Do back-ups of desktops and laptops as well as servers.

  18. Rotate back-up tapes—don’t use the same one over and over again.

  19. Change passwords every three months.

  20. Keep servers in a secured area.

  21. Stay up-to-date on software patches.

  22. Use intrusion-detection software that alerts you when you are being hit.

  23. Make sure two pairs of eyes have checked code before it is entered into the system.

  24. Have an information security department (at least one person and then one other for every 1,000 users) that is separate from the IT department and reports directly to the chief information officer.

  25. Spend at least 3 to 5% of the IS budget on information security.

  26. Train information security personnel to be aware of any employee who shows signs of being troubled or disgruntled, particularly if that employee holds an information-critical position.

  27. Beef up security during certain events, such as mergers or downsizings, that could upset workers and cause them to lash out at the company.

  28. Monitor the network—set up software that will alert you if the person is working in a different part of the network or at a different time than usual.

  29. Scan e-mail to see what’s going out of the company, double-check back-up tapes and have someone else do the back-ups if that person is the one in question.

  30. Make sure the person in charge of the system is not the same person in charge of the back-up.

  31. Have specific policies and punishments built into employee contracts.

  32. Make sure critical IS workers are bonded.

  33. Change everyone’s passwords so the person in question can’t use them to break into the system.

  34. Verify that your back-up tapes are where they should be; make sure the information has been saved correctly and the tape is functioning properly.

  35. Do a new back-up.

  36. Lock down every system that a terminated employee had access to on the day of termination.

  37. Have a new network administrator ready to step into the open position immediately.

  38. Go into the system and check user names and passwords, looking for anything unusual.

  39. Make sure every log-on has a password for it.

  40. Lock down all the inside doors, such as the file servers, application servers, and mail servers.

  41. Look for back-doors on the system, such as Back Orifice on Windows NT.

  42. Make sure there aren’t any known vulnerabilities that haven’t been patched—the administrator could have left those holes behind so he could get back in.

  43. Strengthen your intrusion-detection system.

  44. Set a trip wire—software that alerts the administrator to system anomalies, such as the size of a file changing.
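As an added illustration of the trip wire in item 44 (example code written for these notes, not from the book or from any product), the Python below records a baseline of file size and SHA-256 for a monitored tree and reports what was added, removed or modified; the directory contents, the tampering steps and the names fingerprint, baseline, compare and demo are all constructed here. It also shows why size alone, as the item suggests, is not enough: a same-size edit is only caught by the hash.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Attributes whose change should raise an alert: size (as item 44 suggests) plus SHA-256."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}

def baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by its relative POSIX path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(old: dict, new: dict) -> dict:
    """Diff two baselines: added and removed paths, and which attributes changed per file."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": {}}
    for path in sorted(set(old) & set(new)):
        changed = [k for k in ("size", "sha256") if old[path][k] != new[path][k]]
        if changed:
            report["modified"][path] = changed
    return report

def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, then re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("Authorised users only.\n")
        snapshot = json.dumps(baseline(root))  # in practice keep this off-box or on read-only media
        # Constructed changes: an extra UID-0 account appended, a same-size edit to hosts,
        # a deleted file, and an unexpected new binary under bin/
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("svc:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("10.0.0.99 localhost\n")  # still 20 bytes
        (root / "etc" / "motd").unlink()
        (root / "bin").mkdir()
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF...")
        return compare(json.loads(snapshot), baseline(root))
```

Running demo() returns the report as a dict; a real deployment would take the baseline from known-good media and run compare on a schedule, alerting on any non-empty field.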

