Sunday, August 2, 2009

An Introduction to Digital Forensic Investigations

What is Digital Forensics?
Digital forensics as a discipline is not particularly new; however, in the past it was usually associated with law enforcement investigations of computer-related crimes. More recently, it is becoming increasingly common for high-profile corporations, especially financial services companies, to have full-time resources dedicated to battling the onslaught of cybercrime and malware targeting these profitable institutions. In today’s changed landscape, digital forensics is considered a subset of the incident response discipline and an important aspect of a company’s overall security initiative.

Often the distinction between forensic investigation and incident response is blurred, but in principle not every security incident will require a forensic response. For instance, a virus outbreak among several user workstations may require an incident response team to engage in order to contain the spread of the virus and clean the infected systems. In this case, it may be evident that the source of the outbreak was an infected email sent to a user and not caught by perimeter email scanning, perhaps because it was a brand new variant with no existing signatures. Typically, this type of incident would not require further investigation. However, a digital forensics investigation would be necessary if the source of the virus was unknown, if efforts to eradicate it were continually unsuccessful, if the impact on the infected systems was unclear, or if the scope of the infected systems was unknown. This scenario would require specialized personnel skilled at system compromise analysis and malware reverse engineering. While this is just one potential incident that would require a forensic investigation, there are a number of others that would necessitate a similar investigation, including financial fraud, internal security policy violations, system vulnerability exploits, e-discovery, and sensitive data leakage investigations.

As high-profile security breaches continue to make headlines, companies can no longer afford to be in the dark regarding incident response and investigative capabilities. It is important for all organizations to be proactive about possible incidents. Organizations should develop a strategy for approaching a forensic investigation, identify the appropriate partners to leverage during an incident, and ensure a thorough understanding of the total security framework and how it would stand up to a digital investigation. Forward-thinking risk managers and security professionals are focusing not just on implementing specific compensating controls to mitigate traditional technical weaknesses, but are also spending time and resources planning for various incident handling scenarios, similar to a disaster recovery exercise. This planning inevitably involves strong incident response policies, procedures, training, and communication, but will also require digital forensics.
