Emerging Technologies Committee - 6/17/02 1 EMERGING TECHNOLOGIES COMMITTEE JUNE 17, 2002 EMERGING TECHNOLOGIES COMMITTEE JUNE 17, 2002 Frank DeCandido, CPA, Vice President Prudential Financial Thomas Doughty, First Vice President, Manager – Information Security Prudential Financial
Emerging Technologies Committee - 6/17/02 2 Table of Contents Content Page # Evolution of Fraud 3-5 2002 FBI/Computer Security Institute Annual Survey 6-8 Incident Response 9-42 Congressional Statutes43-45 What’s Next 46 Computer Crime Organizations 47 Other Websites 48 Website of the Month for June 2002 49 Presenters 50 Bibliography51-52
Emerging Technologies Committee - 6/17/02 3 Evolution of Fraud CPE Classes used to concentrate on Corporate Fraud Check Kiting Check Fraud Credit Card Fraud Advise: do not write checks with Felt Pen
Emerging Technologies Committee - 6/17/02 4 Evolution of Fraud Over the years Computer Fraud became more prevalent Hackers Viruses Firewalls
Emerging Technologies Committee - 6/17/02 5 Evolution of Fraud Evolution of the Internet has opened up the flood gates in the way of access to personal and business information.
Emerging Technologies Committee - 6/17/02 6 2002 FBI/Computer Security Institute Annual Survey 7 Computer Security Institute--Computer Security Institute (CSI) http://www.gocsi.com/ is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional. –Started Survey in 1995 –On April 7, 2002 issued the results of its Seventh Annual “Computer Crime and Security Survey” –Heaviest concentration in High Tech (19%) and Financial Services (19%)
Emerging Technologies Committee - 6/17/02 7 2002 FBI/Computer Security Institute Annual Survey 7 Results: –90% of respondents detected computer security breaches with the last 12 months; –80% acknowledged financial losses due to computer breaches; –44% were willing to and/or able to quantify their losses ($445 million); –Most serious financial losses occurred through the theft of proprietary information and financial fraud; –For the 5 th year in a row, more respondents cited their Internet connection as a frequent point of attack than cited their internet systems as a frequent point of attack; –34% - reported the intrusions to law enforcement (1996-16%); –44% - systems penetration from the outside; –44% - denial of service attacks; –78% - employee abuse of Internet access privileges (downloading); –85% - detected computer viruses
Emerging Technologies Committee - 6/17/02 8 2002 FBI/Computer Security Institute Annual Survey 7 If your Organization Has Experienced Computer Intrusion(s) Within the Last Twelve Months, Which of the Following Actions Did You Take: 77%Patched Holes 40%Did Not Report 34%Reported to Law Enforcement 19%Reported to Legal Counsel
Emerging Technologies Committee - 6/17/02 10 Computer Forensics fo·ren·sics 6 Pronunciation Key (f -r n s ks, -z ks) n. (used with a sing. verb) Pronunciation Key 1.The art or study of formal debate; argumentation. 2.The use of science and technology to investigate and establish facts in criminal or civil courts of law. _____________________________________________________________________ Computer Forensic Service deals with preservation, identification, extraction and documentation of computer related evidence on computer storage media. 5 Process of unearthing data of probative value from computer and information systems. 1 Computer Forensics is the collection, preservation, analysis and court presentation of computer related evidence. 12
Emerging Technologies Committee - 6/17/02 11 Incident Response Pre-Incident Preparation 1- Why is it important?-Common Themes –Preparation of a computer related incident will help create an infrastructure that provides quick resolutions after an incident occurs; (Computer Data is easily altered, erased) help in the preservation of the evidence; provide thorough, complete documentation needed to verify integrity of files; help provide technical and procedural measures that need to be in place so some of the basic but vital questions can be answered quickly to expedite the collection of evidence; Preserve Chain of Custody; prevent poor performance; –University studies have found that more than 90% of all information is now created in digital form (University of Berkley – 93%)
Emerging Technologies Committee - 6/17/02 12 Incident Response Pre-Incident Preparation 1 (con’t): –Establish Computer Incident Response Team : Point of Contact? –During business hours, after business hours, holidays and weekends –24/7 Availability Establish Team’s Mission Members of the Team: –Systems –Human Resources –Corporate Security –Legal (Internal) –Accounting (Financial Fraud) –Outside Consultants (Incident by Incident) –Law Enforcement (Incident by Incident) –Senior Management (Incident by Incident)
Emerging Technologies Committee - 6/17/02 13 Incident Response Pre-Incident Preparation 1 (con’t): –Preparation steps to take to verify integrity of files: Response Tool Kit: –Hardware (see page 14) –Software (Safeback, EnCase, or other Forensic software packages)(see page 15) –Network Monitoring Platform Create a “known-good” copy of the system on a regular basis. Allows the comparability of the known-good files to the corrupted files. Cryptographic Checksums/Fingerprint –Created by applying an algorithm to a file; –Unique to that file; –Create Checksums for critical files BEFORE an incident occurs and compare to the file after the incident occurs –Most commonly used is the MD5 Algorithm (SAVE OFFLINE)
Emerging Technologies Committee - 6/17/02 14 Incident Response Pre-Incident Preparation 1 (con’t): –Hardware Needed: High-end Processor A minimum of 256MB of RAM Large-capacity IDE Drives Large-capacity SCSI drives SCSI card and controller A fast CD-RW drive 8mm extabyte tape drive (20GB native, 40GB compressed), or a drive for DDS3 tapes (4mm) if you have less funding Portable Memory Devices Other Items: Extra power extenders for peripherals such as drives and any gear that goes in your forensic tower Extra power-extension cords Numerous SCSI cables and active terminators Parallel-to-SCSI adapters Plenty of Category 5 cabling and hubs Power Strips CDs, 100 or more Jaz or zip media A digital camera
Emerging Technologies Committee - 6/17/02 15 Incident Response Pre-Incident Preparation 1 (con’t): –Software Needed Two to three native operating systems on the machine, such Windows 98, Windows NT, Windows 2000 and Linux, all bootable via LILO (the Linux Operating system loder that can load Linux and other operating systems) Safeback, EnCase, DiskPro, or another forensics software package, used to re-create exact images of computer media for forensic-processing purposes All the drivers for all of the hardware on your forensic machine Quickview Plus, HandyVue, or some other software that allows you to view all types of files. Disk-write blocking utilities
Emerging Technologies Committee - 6/17/02 16 Incident Response Pre-Incident Preparation 1 (con’t): –Preparation steps to take to verify integrity of files: Increase or Enable Secure Audit Logging-Configuring log files can make them more complete and less likely to be corrupted. –UNIX: Controlling Logging, Remote Logging and Process Accounting –WINDOWS: Security Auditing, Auditing File and Directory Actions, Remote Logging Topology/Architecture Maps –The arrangement in which the nodes of a LAN are connected to each other Enhance Host and Network Logging to make sure that backups are performed on a regular basis.
Emerging Technologies Committee - 6/17/02 17 Incident Response Pre-Incident Preparation 1 (con’t): –What are the threats to your organization? Types of Damage: Loss of Business? Reputation? Concerned about loss of Intellectual Property? Destruction of Databases? Who poses a threat? Do you fear an outside intrusion?
Emerging Technologies Committee - 6/17/02 18 Incident Response Pre-Incident Preparation 1 (con’t): –Preparation steps to take to verify integrity of files: Others (Security): –Firewalls/Intrusion Detection »Ford Levy, CPA from Maxwell, Shmerler & Company will be presenting a session on Firewalls on Tuesday, July 9, 2002 @ 9am. –Perform a Trap and Trace (check legal requirements) –Monitoring at the User Level –Violation Logs –Improperly Configured Devices –Exception Processes –Monitor Internet Activity –Monitor Employee Modems
Emerging Technologies Committee - 6/17/02 19 Incident Response Pre-Incident Preparation 1 (con’t): –Preparation steps to take to verify integrity of files: Others (Security): –Scanning Network; –Back up critical data; –Access Control Lists on Routers; –Encrypt Network Traffic; –Build Up Your Hosts Defense-Use the latest release and make sure that all patches, hot fixes and updates are installed; –Educate Users »No external software
Emerging Technologies Committee - 6/17/02 20 Incident Response Detection 1 : –Alerts about suspicious activities should be made through Firewall/Intrusion Detection Systems(IDS) –Alert should be immediate; –Black Ice at the Individual level
Emerging Technologies Committee - 6/17/02 21 Incident Response Initial Response 1 : –Use of Notification Checklist to list all pertinent details: Point of Contact Assemble Response Team Which hardware/software? What time/place? Nature? Record all pertinent facts (Platform, Ports/IP Address, etc) –Immediate Actions to be taken from the standpoint of who is monitoring –Network Mapping confirming an incident has or is occurring; –Evaluation of incident (use of Cryptographic Checksums/Fingerprint); –Type of Incident and Business Impact is determined.
Emerging Technologies Committee - 6/17/02 22 Incident Response Strategies 1 : –Denial of Service: Reconfigure Routers; –Virus Outbreak: Isolate machine as soon as possible; –If a workstation in a development population is affected, segregate the network(turn off choke points); –Awareness/Communication/Documentation of Policies; –Factors: Critical Systems Affected? Sensitivity of the compromised information? Who are the perpetrators and what is their skill level? Is the incident known to the public? Dollar lose involved? Tolerance of user and system downtime?
Emerging Technologies Committee - 6/17/02 23 Incident Response Strategies 1 ( Con’t): –Host Based Intrusion Detection: Response Focused/Overhead Maintenance Intensive –Perimeter Based Intrusion Detection Easier to administer –Review Risk Assessment Policies.
Emerging Technologies Committee - 6/17/02 24 Incident Response Forensics Process 1 : –Also known as Digital Evidence Analysis or Computer Media Analysis; –Common Themes Preservation of Evidence is key; Thorough documentation; Look at the Judicial Process ; Common Mistakes in Handling Evidence Failure to Maintain Proper Documentation Failure to Control Access to Digital Evidence Failure to Report Incident on a timely basis No Incident Response Plan-Digital Evidence is altered, damaged, or hidden more easily than any other type of evidence Altering time and date stamps before recording them Writing over potential evidence by installing software on the evidence media Patching the system before investigators respond Avoid Live reviews : only if ongoing network based crime
Emerging Technologies Committee - 6/17/02 25 Incident Response Forensics Process 1 (Con’t): –Maintain Chain of Custody of evidence Create evidence tags: –Time and Date of the action –Number assigned to the case –Evidence Tag # –Was consent required? –Who the evidence belonged to? –Description of the evidence –Who received the evidence and signature? –Track any transfers of evidence »E.g. hard drives to CD-Rom
Emerging Technologies Committee - 6/17/02 26 Incident Response Forensics Process 1 (Con’t): –Maintain Chain of Custody of evidence Document Information about the Item(s): –E.g. duplication of mail servers: »Occupants of the office; »Names of employees who have access to the office; »Location of computer systems in the room; »State of systems(powered on or not); »People present in the room at the time of the forensic duplication; »Serial numbers, models and makes of the hard drives; »Peripherals attached to the systems.
Emerging Technologies Committee - 6/17/02 27 Incident Response Forensics Process 1 (Con’t): –Maintain Chain of Custody of evidence Initial Response: –Steps before Forensic Duplication 3 : »If the Computer is OFF, DO NOT TURN ON; »If the Computer is ON, (1) DO NOT POWER DOWN-items will be lost such as memory contents, state of network connections, state of running processes, contents of the storage media and contents of removable and backup media 1 (2) Photograph screen and disconnect all power sources; unplug from the back of the computer; (3) Interrupting power from the back of the computer will defeat an uninterruptible power supply;
Emerging Technologies Committee - 6/17/02 28 Incident Response Forensics Process 1 (Con’t): –Maintain Chain of Custody of evidence Initial Response: –Steps before Forensic Duplication (con’t): »For Laptops, locate and remove the battery pack if the laptop does not shutdown when the power cord is removed; »Place evidence tape over each drive slot; »Photograph/diagram and label back to computer components with existing connections; »Label all connector/cable ends to allow reassembly as needed; »If transporting is required, package components and transport/store components as fragile cargo; »Keep away from magnets, radio transmitters and other potentially damaging elements;
Emerging Technologies Committee - 6/17/02 29 Incident Response Forensics Process 1 (Con’t): –Maintain Chain of Custody of evidence Initial Response: –Steps before Forensic Duplication (con’t): »Collect all peripheral devices, cables, keyboards and monitors; »Collect all instructional manuals, documentation and notes (user notes may contain passwords) »On Networked or Business Computers – Secure the scene. Do not let anyone touch except Network trained personnel; »Pulling the plug could severely damage the system, disrupt legitimate business and create officer and department liability
Emerging Technologies Committee - 6/17/02 30 Incident Response Forensics Process 1 (Con’t): –Performing Forensic Duplication 1 : Perform all analysis on a copy restored from the duplicate image; When is Forensic duplication necessary? –Likely to be judicial action –High Profile Incident –Significant dollar loss –Will you need to undelete data or search free or slack space to unearth evidence If you said yes to any of these questions, then you would need to perform a forensic backup
Emerging Technologies Committee - 6/17/02 31 Incident Response Forensics Process 1 (Con’t): –Performing Forensic Duplication 1 : Approaches: –Remove from the suspect computer and attaching it to a forensics workstation; »Traditional; »Safeback, UNIX dd command, EnCase; –Attaching a hard drive to the suspect computer; »Just as common as the first; »Same methodology as first; »Forensics experts typically carry a forensics workstation- minimizes hardware and software problems; –Sending the disk image over a closed network to the forensics workstation as it is created. »Usually done when a UNIX system is used as the imaging platform.
Emerging Technologies Committee - 6/17/02 32 Incident Response Forensics Process 1 (Con’t): –Performing Forensic Duplication 1 : Requirements for Forensic Duplication Tools: –Must image every byte of data on the storage medium from beginning of the drive to the maintenance track; –Handle read errors in a robust manner; –Must not make changes to the original evidence; –Must be able to be held up to scientific testing and analysis; –Results must be repeatable and verifiable by a third party; –File created using a checksum or hashing algorithm; –This functionality may be performed concurrent to the creation of a the file or at the end of the imaging process
Emerging Technologies Committee - 6/17/02 33 Incident Response Forensics Process 1 (Con’t): –Performing Forensic Analysis 1 : Divided into two layers: –Physical Analysis »String Searches »Search and Extract »Extracting File Slack and Free Space –Logical Analysis Understanding Where Evidence Resides: –The Physical Layer –Data Classification Layer –Blocking Format Layer –Storage Space Allocation Layer –Information Classification and Application Storage Layers
Emerging Technologies Committee - 6/17/02 34 Incident Response Investigation: –Conducted on a forensic duplication of a relevant system; –Collecting information stage; –What was harmed? –How was if damaged? –Who was to blame? Establishing identity behind the people on a network is increasingly difficult; –How to fix the compromise. –The proper collection and analysis of computer evidence through accepted computer science protocol is a critical component to any internal investigation or audit where the results have potential to be presented in legal proceedings 12
Emerging Technologies Committee - 6/17/02 35 Incident Response Investigation: –Windows NT/2000 1 Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts of groups; Identify rogue processes; Look for unusual or hidden files; Check for unauthorized access points; Examine jobs run by the scheduler service; Analyze trust relationships; Review security identifiers.
Emerging Technologies Committee - 6/17/02 36 Incident Response Investigation: –UNIX 1 Review all pertinent logs; Perform keyword searches; Review relevant files; Identify unauthorized user accounts of groups; Identify rogue processes; Check for unauthorized access points; Analyze trust relationships.
Emerging Technologies Committee - 6/17/02 37 Incident Response Security Measure Implementation 1 : –If you are accumulating evidence for potential civil, criminal, or administrative action, obtain that evidence BEFORE you implement any security measures. –Isolation and Containment; –Prevent attackers from continuing their activities; –Could be as simple as disconnecting compromised computer from the network; Problem here is that you may have to still monitor the attacker’s activities to gather evidence for criminal prosecution –Electronically isolate the computer, removing other computers from the same broadcast domain will limit the exposure of other systems; –Network filtering (“fishbowling”) will allow you to continue monitoring malicious activity while limiting further activity;
Emerging Technologies Committee - 6/17/02 38 Incident Response Network Monitoring 1 : –Should start during the initial response and continue until the recovery is complete; –It allows you to track the attacker, gaining crucial evidence; –It provides assurance that there are no recurrences of similar incidents during recovery. –Comprehensive monitoring should be used on the subnet hosting the target computer (laptop configured with a sniffer that flags packet attributes as well as record content is most appropriate); –Less comprehensive monitoring should be considered at the network boundaries; –Decide what to monitor. Log all traffic to and from the victim machine Traffic originating at the victim system
Emerging Technologies Committee - 6/17/02 39 Incident Response Recovery 1 : –Hot Backup on Critical Platforms; –Restoration of relevant systems to a secure, operational state; –Take into consideration both the level of compromise and the type and location of system compromised; If the system compromised is part of a large trust environment, an attacker is likely to have cracked passwords for accounts that are valid across the domain. In that case every system that shares that account must be investigated and recovered; –Choosing a Recovery Strategy: Rebuilding from “Known-good” media is essential;
Emerging Technologies Committee - 6/17/02 40 Incident Response Recovery 1 : –Choosing a Recovery Strategy (con’t) Securing (“hardening”) the system involves: –Turning off unused services; –Applying operating system and application patches; –Enabling strong passwords; –Continuing competent administration; –Backups can be used during recovery but only if you are sure that the incident occurred after a backup was made; Security Countermeasures: –Host based controls, packet filters, firewalls, ISD, user education, and policy and procedures.
Emerging Technologies Committee - 6/17/02 41 Incident Response Reporting 1 : –Goals: Document –Reporting should be performed at every stage of Incident Response; –Tedious, Methodical Process; –Failure to do so will lead to faulty conclusions and inadequate response; –Reports may be subject to the eyes of a judge, jury and attorneys; –Reporting activities include supporting criminal or civil prosecutions, producing final reports and suggesting process development.
Emerging Technologies Committee - 6/17/02 42 Incident Response Follow-up 1 : –Analyze the process conducted; –Record lessons learned; –Fix any problems; –Steps after an employee leaves: An employee’s hard drive is imaged to CD-ROM disks upon resignation, termination or internal transfer should an examination need to take place at a later date –Recheck Policies Training www.sans.org
Emerging Technologies Committee - 6/17/02 43 Congressional Statutes Computer Fraud and Abuse Act (CFAA) 4 –CFAA was first passed in 1984 –At its inception, the Act was directed at the protection of classified information that was maintained on federal government computers, as well as the protection of financial records and credit information on government and financial institution computers. –Broadened in 1986 when certain amendments extended protection to “federal interest computer”. –Amended in 1996, with the phrase “protected computer” replacing the previous concept of “federal interest computer”. Protection now covered all computers involved in interstate and foreign commerce, whether or not any federal government proprietary interest is implicated.
Emerging Technologies Committee - 6/17/02 44 Congressional Statutes Computer Fraud and Abuse Act (CFAA) 4 –Effects of the Shurgard Storage Centers vs. Safeguard Self Storage Case: The judge agreed: “Unless otherwise agreed, the authority of any agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.” The court found that “the authority of the plaintiff’s former employees ended when they allegedly became agents of the defendant.” The employee could be subject to federal criminal sanction. Employers can now defend themselves in proprietary rights agreements. As a result, the disloyal employee was in effect treated as a hacker, from and after the time he started acting as an agent for Safeguard.
Emerging Technologies Committee - 6/17/02 45 Congressional Statutes State Computer Crime Laws can be found at: –http://nsi.org/Library/Compsec/computerlaw/statelaws.html Another general site for State Laws: –www.lawsource.com “Incident Response”, by Kevin Mandia and Chris Prosise
Emerging Technologies Committee - 6/17/02 46 What’s Next Smart Cards VPNs (Virtual Private Networks) Biometrics Business To Customer Digital Certificates
Emerging Technologies Committee - 6/17/02 47 Computer Crime Organizations 1 Forum of Incident Response and Security Teams (FIRST) –www.first.org Incident Response – Investigating Computer Crime –www.incidentresponsebook.com Carnegie Mellon’s CERT Coordination Center –www.cert.org Security Focus –www.securityfocus.com National Infrastructure Protection Center –www.nipc.gov Federal Computer Incident Response Center (FEDCIRC) –www.fedcirc.gov Department of Defense Computer Emergency Response Team (DOD-CERT) –www.cert.mil
Emerging Technologies Committee - 6/17/02 48 Other Web Sites Cisco Computer Security (www.ciscoisecurity.com.sg) Search Security.com (www.searchsecurity.com) Defaced Web Sites (www.attrition.org/mirror/attrition) The Information Systems Audit and Control Association Foundation (www.isaca.org) Association of Federal Fraud Examiners (www.cfenet.com) Safeback (New Technologies) (www.forensics-intl.com) EnCase (www.guidancesoftware.com) Center for Computer Forensics (www.computer-forensics.net) Computer Forensics Inc. (www.forensics.com) SANS Institute (www.sans.org) Computer Security Institute (www.gocsi.com) Infragard (www.infragard.net) Cyber Crime (www.cybercrime.gov)
Emerging Technologies Committee - 6/17/02 49 Web Site of the Month of June 2002 Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (http://www.usdoj.gov/criminal/cybercrime/searching.html) The Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations site is a part of the Department of Justice site under the Computer Crime and Intellectual Property Section (CCIPS). The mission of the Department of Justice is to enforce the law and defend the interests of the United States according to the law, to provide Federal leadership in preventing and controlling crime, to seek just punishment for those guilty of unlawful behavior, to administer and enforce the Nation's immigration laws fairly and effectively, and to ensure fair and impartial administration of justice for all Americans. CCIPS has five main sections: Federal Criminal Code Related To Searching and Seizing Computers; The Fourth Amendment and the Internet; Communications Assistance For Law Enforcement Act Implementation Section; Recognizing and Meeting Title III Concern in Computer Investigations; Computer Records and the Federal Rules of Evidence. The site is a comprehensive listing of the statutes that are in the Law pertaining to obtaining electronic evidence including links to current versions of Federal Statutes governing computer search and seizure and electronic evidence gathering as well as searchable databases of the U.S Code.
Emerging Technologies Committee - 6/17/02 50 Presenters Frank J. DeCandido, CPA, Vice President, Prudential Financial Email: firstname.lastname@example.org Phone 212-214-2037 Thomas Doughty, First Vice President, Prudential Financial email: email@example.com Phone 212-778-4610
Emerging Technologies Committee - 6/17/02 51 Bibliography 1.“Incident Response”, by Kevin Mandia and Chris Prosise 2.Cybercrime Prevention and Response: Best Practices – PWC March 22, 2002 3.Best Practices for Seizing Electronic Evidence Version 2.0 – PWC 4.www.Gigalaw.com: The Expanding Importance of the Computer Fraud and Abuse Act. 5.www.ciscoisecurity.com.sg: What is Computer Forensics? 6.www.Dictionary.com 7.www.gocsi.com: Computer Security Institute 8.www.nysscpa.org/committees/emergingtech/firewalls.htm: Emerging Technologies Committee 9.http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci802800,00.html 10.Biometrics Research (http://biometrics.cse.msu.edu/info.html) 11.BusinessWeek Article – June 10, 2002
Emerging Technologies Committee - 6/17/02 52 Bibliography 12. Article titled “Computer Forensics Emerges As An Integral Component of an Enterprise Information Assurance Program”, by Douglas Barbin, CISSP, CPA, CFE, and John Patzakis.