Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)

 < Day Day Up > 


The rate of technological change, the spread of computer literacy, and the growth of e-commerce[ii ]collaboration, such as alliances and marketplaces, make the challenge of restricting cyber crime damage daunting. With legislation lagging behind technology, businesses have had no choice but to absorb the responsibility for the security of their most valuable asset—their information. Risks range from expensive downtime; sales and productivity losses to corrupted data; damage to reputation and consumer confidence and loyalty; and hefty compensation payments or lawsuits for breaches of client information.

The best approach for organizations wanting to counter cyber crime is to apply risk-management techniques. The basic steps for minimizing cyber crime damage are creating well-communicated IT and staff policies; applying effective detection tools; ensuring procedures are in place to deal with incidents; and having a forensic response capability.

Effective IT and Staff Policies

Well-communicated and ‘plain English’ information technology policies educate staff about their rights and obligations in the workplace. The goal of these policies is to create a security solution that is owned by all staff, not only by those in the IT division.

To be effective, IT policies should make plain what an individual employee can and cannot do on the organization’s systems, and the legal implications of misuse. It is also vital to make a continuing investment in policies, which must keep evolving and be supported by ongoing training initiatives.

Effective policies diminish the risk of internal attack, particularly unintentional attack. In addition, where attack does occur, these policies clearly define what constitutes a breach of security, making it easier to prosecute or seek compensation from the perpetrator.

Vendor Tools of The Trade

Although internal policies will not dissuade external cyber criminals, the right vendor tools will detect an external attack and alert the organization to the threat. These tools are programs that either analyze a computer system to detect anomalies, which may form the basis of an attack, or locate data that can be used as evidence supporting a crime or network intrusion.

Choosing the right cyber crime detection tools is essential for risk management in all organizations, but like most applications associated with an organization, the question is—what is the right tool? The right tools are those that deliver appropriate information that the forensic expert can interpret to achieve the best outcome. Ultimately, the evidence must withstand the rigors of legal proceedings. To deliver the information needed, software tools should be probing (without compromising the target of interrogation), concise, able to report findings fully, supported, and easy to use. Such tools will save forensic experts valuable time and allow them to concentrate on data interpretation.

The 2000 CSI/FBI Computer Crime and Security Survey shows a significant increase in companies using intrusion detection systems from 50% in 2000 to 58% in 2001 (see sidebar, “The Difficulties Of High-Speed Intrusion Detection”). Although some attacks will not be prevented, damage such as financial loss or negative publicity can be contained with early warning.

The Difficulties Of High-Speed Intrusion Detection

There’s a persistent problem with today’s new breed of gigabit-speed intrusion-detection systems (IDS): They simply cannot plow through IP traffic fast enough to provide blanket protection on networks running at gigabit speed, according to industry experts and at least three vendors who make such products.

When an IDS reaches its maximum processing capacity, it begins to drop large numbers of packets, thereby increasing the possibility of missing attacks. The newer gigabit-speed IDS products, delivered as an appliance or software customers load onto their own boxes, fall down on the job, according to lab tests conducted by Miercom, a network consultancy. Although IDS equipment can achieve near-gigabit throughput, in lab tests, they missed half the attacks thrown at them.

Miercom tested Intrusion’s SecureNet Gig™ appliance to see how it stands up to a blitz of Web exploits, buffer overflows, port scanners, and the like. The test found the box could detect only 44% of the attacks when incoming traffic reached near-gigabit speed of 986.94M bit/sec.

Was it missing 60%? Yes! Like other IDS tools, SecureNet Gig recognizes suspicious activity based on attack signatures, and the challenge is finding a way to perform rigorous signature-based analysis at high speeds.

It’s like sitting on a highway overpass trying to find autos with expired decals. It’s much harder to do on a 10-lane highway than a country road. And gigabit speed is 10 lanes wide.

There is also a limit to the number of simultaneous connections an IDS can tolerate: 50,000 connections for HTTP, e-mail, or file transfer traffic—a number that should be higher. Intrusion benchmarked this 50,000 limit by beta-testing Secure-Net Gig at a large hosting facility for Web pornography sites in Colorado, chosen because of the large files, lengthy HTTP connections, and a lot of attempted hacker exploits.

In Miercom’s lab tests, Secure-Net Gig recognized 88% of attacks thrown its way at 789.6M bit/sec and 98% at rates up to 690.86M bit/sec. According to Intrusion, it will release an upgrade of its gigabit IDS designed to overcome the first version’s shortcomings.

IDS equipment from other vendors hasn’t fared much better in lab tests. The higher the bandwidth, the more the IDS starts dumping packets.

However, two other Gigabit IDS vendors (Internet Security Systems [ISS] and Enterasys Networks), indicate their products have similar shortcomings. Although most vendors don’t like to highlight the limitations of gigabit IDS in their marketing materials, they’re straightforward about it if you ask.

According to Enterasys Networks, the company’s gigabit IDS product, Dragon Sensor™, will not achieve optimum performance over 250M bit/sec. Enterasys added support for gigabit speed to Dragon so it could accept traffic over 100M bit/sec.

IDS works by copying IP traffic to analyze packet and packet flows in depth, so the more packets it needs to look at, the harder it is to perform that job. When an IDS pushes the limit, it just cannot look at the packets.

ISS, who sells BlackIce Sentry Gigabit™, indicates its IDS can perform attack monitoring at speeds up to 600M bit/sec. High performance has been a challenge to IDS for some time. The challenge is the packets per second. On a gigabit link, we could easily cover up to the full pipe. But if the packets are on the small side, ISS tends to drop packets because there are too many packets per second—1500-byte packets are easy, but 64-byte packets are hard. ISS is also working on a new high-speed sensor for release next year that is aimed at overcoming these limitations.

The lower-speed IDS product from ISS, RealSecure Network Sensor™, is designed to monitor 100M bit/sec segments. Some organizations, such as Johns Hopkins University, are harnessing multiple RealSecure sensors using load-balancing equipment (Top Layer Networks’ AppSafe™) to achieve gigabit bandwidth coverage as their nets get faster. If you’re dropping 50% or 60% of the packets in a full-gigabit network, you have to add more probes.

Load balancing is certainly a decent idea. It’s a technique you can throw at the problem. Historically, you normally cannot handle more than 600M bit/sec with an IDS. Although Top Layer pushes its load-balancing equipment as specialized for IDS, balancing the load of IDS can be performed with switches from Arrow-Point Communications (now Cisco), F5 Networks, and other vendors. However, costs rise when multiple IDS have to be used with load-balancing gear in lieu of gigabit IDS that cannot reliably handle the traffic stress. Load balancing is a crutch.

Gigabit ManHunt™ does not falter at high speeds, a claim backed by a Miercom lab test. But the product is designed differently from the signature-based offerings from ISS, Enterasys, and Intrusion. ManHunt spots anomalies or unusual traffic, but it doesn’t provide nearly the level of detail about applications under attack as its competitor’s products do.

Faster networks aren’t the only challenge IDS vendors face. Their biggest fear may be new hacker tools with names such as Stick, Snot, and Whisker that generate bogus TCP traffic with the goal of interfering with routers and IDSs.

If you can plug tools such as these into the same hub as the IDS, you can deceive any network IDS. These hacker tools generate so many suspicious events that they can overwhelm any IDS sensor and let hackers sneak through in the process, or they can even cause an IDS to buckle completely.

These hacker tools work over T-3 or DSL connections to overwhelm IDS, although less effectively. For network managers who want to test how well their IDS is performing, professional engineering tools can generate a variety of attacks that might occur during Web sessions.

As with all of today’s technology, detection tools date quickly as new threats emerge. Effective detection tools need to constantly evolve to counter these threats and must be engineered around best-practice risk management associated with vulnerabilities, system configurations, and viruses. Some on-line products and services currently in the market provide efficient, cost effective solutions by accessing computer vulnerabilities, specific to an organization’s IT environment.

Effective Procedures

Even in an organization that has implemented the hardware, installed the software, produced the policies, and employed competent staff to run an effective IT environment, it is not possible to prevent an incident from occurring. However, the attack itself does not have the greatest impact on a company. How the business responds to that attack does have the greatest impact on a company. Without the appropriate procedures in place to counter detected attacks, an organization is exposed to the risks of lost data, financial loss, network damage, and loss of reputation.

Although many different types of attacks may occur, the majority requires the same basic steps of response. For example, the simple process of ensuring that the right people know about the incident when it happens enhances an organization’s response, both in time and effective handling procedures.

Forensic Response Capability

When an incident occurs, an organization needs an appropriate forensic response in place. By appointing a forensic expert to manage the response to an incident, organizations ensure all avenues are canvassed, all evidence located and handled correctly, and all those involved are treated impartially (see sidebar, “Computer Forensic Incident Response Procedures [CFIRP]”).

Computer Forensic Incident Response Procedures (CFIRP)

Let’s look at an incident that occurred at a well-known technical university that clearly shows the need to have an enforceable and workable CFIRP:

Picture this; it is 1 a.m. and e-mail comes into the security mailing list from an outside source informing you that this sites server has been compromised and from the logs two of the machines in your domain look to also have been compromised. The only people on the mailing list that are up and awake and reading their mail are the Operations staff, but, they know that sometimes in the wee hour, one of the more nocturnal network staff come in. They take a chance and call his office. To their delight he is in his office, so they forward him the security e-mail and consider their part of this incident finished.

The nocturnal network person reads the e-mail, looks at the time, and decides to block those two hosts at the router from the Internet. He then sends an e-mail to security stating that the hosts are blocked and considers his part in this incident finished.

The next morning the rest of the security team trickles in and reads the security mail along with about 500 other e-mails of various severities. One-hundred percent (100%) of the team makes the assumption that the nocturnal network person notified the owner of the machines of the problem and action has been taken. You all get on with other business and of course the nocturnal network person being nocturnal is not around in the daylight hours to correct your assumptions.

Outcome

The two servers that were blocked were two major servers for the math department. They both had off-site collaborative projects going on of a high-profile nature. The math department has their own system administrators who were not on the security mailing list.

The SYS administrators spent all of that day and part of the next troubleshooting their server and network trying to figure out why they could not get to the Internet. No one informed the owners of the alleged compromised hosts of the network block or the alleged compromise until the problem was elevated to the Director of Networking and the Chair of the Math Department!

Where to start is the first question that comes to mind. You should first start with an outline of the key elements for a successful CFIRP, but also include forms that can be used to identify the Incident Contact Personnel as well as forms for Incident Handling, Containment, and Eradication.

Not having an incident response policy in place can lead to serious liabilities for your company or university, as well as for the system administrator who is working on the incident. There may be times when local law enforcement will pay you a visit. And it is a very good idea to know what information can be given out without a search warrant; and, in the case of a warrant, who in your organization should receive the warrant. Knowing someone in your local computer crimes lab is a good idea. Having good communications with them before you are responding to a critical incident will make life much easier.

The FBI has developed a collaborative effort, named InfraGuard. This a description of the organization taken from their Web page: “InfraGard is a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants, that is dedicated to increasing the security of the critical infrastructures of the United States of America.”

It is also critical to have someone assigned to notifying and reporting incidences to CERT. This can be called out in your CFIRP clearly so everyone knows what they are responsible for and you can cut down on redundant reporting.

And last but certainly not least, let’s not forget that an ounce of prevention is worth a pound of cure. Educating your user community will help decrease the amount of security incidents you will have. It’s been proven time and time again that most security problems originate from inside your organization.

Having a clear and concise Conditions of Use policy as well as a policy for departmental computers on your network will prove invaluable resolving internal security violations. When developing your policy, a lot will depend on what type of organization you work at. Government policies differ drastically from private sector policies[iii] and university policies are also in their own category, being even more specific, depending on whether they are public or private institutions.

If you don’t think you need a CFIR policy, try the following exercise: Do a mock incident (with the permission of your management), but don’t let your security people know it is an exercise.

The difficult part of creating a CFIRP is that it has to be tailored for your site. You will need to take into consideration all the nuances of your particular site and get support and buy-in from upper management. Best of luck to you, it will be well worth the work.[iv]

Now, let’s take a quick look at computer forensics investigative services. There are some underlying problems.

[ii ]John R. Vacca, Electronic Commerce: Online Ordering and Digital Money with Cdrom, Charles River Media, 2001.

[iii]John R. Vacca, Net Privacy: A Guide to Developing and Implementing an Ironclad ebusiness Privacy Plan, McGraw-Hill Professional, 2001.

[iv]Katherine Bursese, “Computer Security Incident Response Procedures: Do You Need One? You Bet You Do!” Global Computer Operations, General Electric Company, 2690 Balltown Road, Bldg. 610, Schenectady, NY 12345 (SANS Institute, 5401 Westbard Ave. Suite 1501, Bethesda, MD 20816), 2002.


 < Day Day Up > 

Категории