Dealing with security incidents requires special measures. Without a policy in place or sufficient expertise available, employees will be stuck in a bad situation.
Hackers are inside your system and your data traffic is showing signs of suspicious anomalies. Many people’s first thought is to pull the plug, although this is rarely a good idea because it makes it harder to search for evidence. The first task is to work out whether to engage IT forensic experts. Managers generally reserve the right to make this decision, meaning that the alarm bell needs to be sounded first. All of these steps should have been put in place ahead of time to ensure a swift response to an emergency. Any business that has not taken precautions will now find itself having to improvise. This is not so easy to do, because many details have to be considered. The situation can ultimately end up in court where conclusive proof is essential. Managers can also quickly find themselves out of their depth.
IT managers need to get involved
IT forensics involves complex investigations so managers’ immediate question is: how much it will cost? Forensics expert Holger Morgenstern recommends, “considering how expensive it will be if you don’t resolve an incident.” These costs are frequently underestimated, he believes. “That’s why CIOs are well advised to act at an early stage,” says Morgenstern who teaches digital forensics as part of his professorship at Albstadt-Sigmaringen University. Developing a policy – in other words, identifying strategies and methods to deal with an emergency – is key, he believes.
The policy should also detail what the company plans to do in the event of security incidents, which cases must involve forensic investigation and which cases should be reported to authorities. Criteria might include a certain level of damage or the sensitivity of the affected data. The policy should also set out the reporting chain so it is clear who has to be informed, Morgenstern advises.
Drawing on external expertise
A policy should also address who should carry out forensic investigations. The network admin is not automatically in a position to do so. “Trained employees are needed,” says Morgenstern. Yet not every company has specialists in-house. Alternatively, the company can also bring in the police. However, there is also a chance that an incident could become public knowledge if the police are called.
External experts are an option for any business looking for a different route. However, ‘expert’ is not a protected term in Germany. Morgenstern therefore recommends working with court approved and sworn experts. These people know the legal requirements as forensic investors must also avoid flouting the law. “It is important to respect employment law and data protection rules, for instance, when checking an employee’s computer,” he warns. These experts also offer advantages in the event of a subsequent court case as they have already been approved by the courts. Drawn-out discussions about suitable or unsuitable methods of preserving evidence would thus be unlikely. After all, “from a forensic perspective, it is key that data is preserved in a legally admissible manner as early as possible,” Morgenstern stresses.
You can find more information about the technical details of IT forensics here.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.