


Question

Write a 6–8-page recommendation for the changes that are necessary to prepare the organization for an effective incident response and computer forensics investigation. Recommend the following:

Physical security changes necessary to support forensics investigations.

An appropriate internal incident response team.

An appropriate external forensics partner. Justify your choice.

Technical and procedural changes necessary to ensure that proper controls are in place that support a forensics investigation.

Explanation / Answer

A Computer Forensic Investigation generally investigates the data which could be taken from computer hard disks or any other storage devices with adherence to standard policies and procedures to determine if those devices have been compromised by unauthorised access or not. Computer Forensics Investigators work as a team to investigate the incident and conduct the forensic analysis by using various methodologies and tools to ensure the computer network system is secure in an organization. A successful Computer Forensic Investigator must be familiar with various laws and regulations related to computer crimes in their country and various computer operating systems (e.g. Windows, Linux, Solaris, HP-UX) and network operating systems (e.g. Win NT). According to Nelson, B., et al., (2008), Public Investigations and Private or Corporate Investigations are the two distinctive categories that fall under Computer Forensics Investigations. Public investigations will be conducted by government agencies, and private investigations will be conducted by a private computer forensic team.

As there is increased competition in the hi-tech domain, the company should be anxious to ensure that their systems are not being compromised, and they have employed a digital forensic investigator to determine whether any malicious activity has taken place, and to ensure that there is no malware within their systems.

Your task is to investigate the team’s suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware, and to ensure that no other machines in their premises or across the network have been infected. The team also wants you to carry out a digital forensics investigation to see whether you can trace the cause of the problems, and if necessary, to prepare a case against the perpetrators.

This involves the following principles:

Principle 1: Data stored in a computer or storage media must not be altered or changed, as those data may be later presented in the court.

Principle 2: A person must be competent enough in handling the original data held on a computer or storage media if it is necessary, and he/she shall also be able to give evidence explaining the relevance and course of their actions.

Principle 3: An audit trail or other documentation of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: A person who is responsible for the investigation must have overall responsibility for ensuring that the law and the principles are adhered to.

Incident response:

At its core, an IR team should consist of:

Incident Response Manager: The incident response manager oversees and prioritizes actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the company.

Security Analysts: The manager is supported by a team of security analysts who work directly with the affected network to research the time, location, and details of an incident. There are two types of analysts:

Triage Analysts: Filter out false positives and watch for potential intrusions.

Forensic Analysts: Recover key artifacts and maintain integrity of evidence to ensure a forensically sound investigation.

Threat Researchers: Threat researchers complement security analysts by providing threat intelligence and context for an incident. They are constantly combing the internet and identifying intelligence that may have been reported externally. Combining this information with company records of previous incidents, they build and maintain a database of internal intelligence.

The incident response team should not be exclusively responsible for addressing security threats. All business representatives and employees must fully understand and advocate for the incident response plan in order to ensure that emergency procedures run smoothly. Each area of the company has unique responsibilities during an incident:

Management: Management buy-in is necessary for provision of resources, funding, staff, and time commitment for incident response planning and execution.

Human Resources: HR is called upon when an employee is discovered to be involved with an incident.

Audit and Risk Management Specialists: These specialists help to develop threat metrics and vulnerability assessments while encouraging best practices across the organization.

General Counsel: An attorney ensures that any evidence collected maintains its forensic value in the event that the company chooses to take legal action. They can also provide advice regarding liability issues when an incident affects customers, vendors, and/or the general public.

Public Relations: PR will communicate with team leaders, ensuring an accurate account of any issues is communicated to stockholders and the press.

Communication within the cross-functional team is important.

PLANNING AN INCIDENT RESPONSE PROCESS

This step can seem daunting if you’ve never been involved with Incident Response or you’re trying to decide where a process like this might fit in to your particular environment. How can we go about organizing all the related business groups and technical areas, and how can we find out if we’re missing anything? The good news is that in the majority of cases, there is already some type of set process that is followed whenever incidents occur. Some problems that come up, however, could be that the process may not be documented and, since it’s an informal process, there is a great chance that core response components are missing or have been overlooked. The benefit to identifying any existing process that your organization may have is that it is much easier to train employees using a foundation with which they are already familiar. It may also be much easier to gain upper management’s support and buy-in for a process that is actively being followed, albeit informally. This support is necessary because management’s support will be needed for any funding that is required and for the allocation of time for the individuals that will be forming part of the official team. Without this support, it’s possible that your project will never get off the ground, or that after all the hard work the process could be scrapped or drastically changed, and then it’s back to the proverbial drawing board. This can be extremely frustrating, so be sure to do your homework, identify any area that may already be built and, if appropriate, incorporate this into your draft IR process. This way you’ll have a deep understanding of how the process should flow when having discussions with upper management and be able to defend any modifications, enhancements or complete overhauls.

Keep in mind that when speaking with management, your initial draft is just that – a draft. Be prepared to have a detailed conversation so you can understand what their expectations are and that you properly define what your incident process is providing. It’s possible that in these initial conversations you will identify areas that need to be modified or added. If this step is not accomplished correctly, it’s possible that the functions of your future IR team will not be understood or properly recognized. This could result in your process not being properly advertised to the enterprise, in which case it simply becomes just another “informal process”. Be sure to gain management’s approval, and communicate and advertise your new structure so that when an incident does occur, your new framework will be used. This will eliminate any overlap and ensure that the authority of the members of your future IR team remains fully recognized.

Some other questions that you may ponder along the way:

The first question relating to the reach of the IR process speaks to cases where critical services and applications are provided by external third parties. In these cases, you will have to decide on how far the IR process will flow and if a “hand-off” needs to occur. This needs to be explored at length since this will make your resolution process dependent on the efforts of an outside entity.

Questions like these are highly important because in the case of many enterprise environments, there are multiple areas that are critical to business operations. This brings us to the second question regarding the IR client base. This refers to subsidiaries or operating companies that, although separate, may fall under the auspices of the parent organization. You need to understand the relationship to these companies and if they provide critical applications, services and other related business functions. More than likely, these entities will also have to fall under the scope of your IR process and it will be necessary to identify key stakeholders at those locations to support your IR
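
The four evidence-handling principles in the answer above (do not alter the original data; keep an audit trail that an independent third party can re-run and get the same result) are the part of the recommendation that can be exercised in code. The following is an added example, not part of the original answer: it hashes an evidence image at acquisition, keeps a hash-chained chain-of-custody log, and shows how an external forensics partner re-verifies both the evidence and the log. `SAMPLE_IMAGE`, the `CustodyLog` record format, and the actor names (`examiner-A`, `lab-B`) are all constructed for the example; on real cases `hash_file` would be run against the acquired image file produced by the imaging tool.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (just bytes, not real evidence).
SAMPLE_IMAGE = b"BOOT" + bytes(range(256)) * 8 + b"END"


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory evidence buffer."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of an on-disk image, read in chunks so multi-GB files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record (hypothetical format for this example).

    Each entry carries the SHA-256 of the previous entry, so inserting, deleting
    or editing an entry after the fact breaks the chain and is detectable.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, evidence_id: str,
               evidence_hash: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_id": evidence_id,
            "evidence_hash": evidence_hash,
            "note": note,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(data: bytes, recorded_hash: str) -> bool:
    """Independent re-hash of the evidence: True only if it matches the acquisition record."""
    return hash_bytes(data) == recorded_hash


def demo() -> dict:
    """Acquisition, hand-off to the external partner, re-verification, and two tampering checks."""
    log = CustodyLog()
    acquisition_hash = hash_bytes(SAMPLE_IMAGE)
    log.record("examiner-A", "acquire", "EV-001", acquisition_hash, "imaged from seized drive")
    log.record("examiner-A", "transfer", "EV-001", acquisition_hash, "handed to external lab")
    log.record("lab-B", "verify", "EV-001", hash_bytes(SAMPLE_IMAGE), "re-hashed on receipt")

    # Third party re-verifies both the evidence and the audit trail (Principle 3).
    results = {
        "evidence_intact": verify_evidence(SAMPLE_IMAGE, acquisition_hash),
        "chain_intact": log.verify_chain(),
    }

    # A single flipped byte in the image (Principle 1 violated) is caught.
    altered = bytearray(SAMPLE_IMAGE)
    altered[10] ^= 0x01
    results["altered_evidence_detected"] = not verify_evidence(bytes(altered), acquisition_hash)

    # Editing an old log entry's note is caught when the chain is recomputed.
    log.entries[0]["note"] = "imaged from a different drive"
    results["log_tampering_detected"] = not log.verify_chain()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash-chained log is what lets the "independent third party" of Principle 3 check the process rather than trust it: the partner recomputes every entry hash from the recorded fields and compares the evidence digest against its own re-hash of the image, so both a changed image and a retroactively edited record show up as a verification failure rather than going unnoticed.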
