Digital Forensics CS4398 Guest Lecture, Jan Kallberg, PhD, 11/28/2011
Page 1
DIGITAL FORENSICS CS4398
GUEST LECTURE
Jan Kallberg, PhD
11/28/2011
Page 2
Topics
• A perspective on security
• Systems and today's challenges
• Digital forensics' role in security
• Humans as security risks
• New risks: reputation, business risks, regulatory risks
Page 3
A perspective on security
• Ensure implementation of decisions
• Accountability
• Functionality
• Institutional control
• Maintain trust, authority, and confidence
• In government: legitimacy
Page 4
The Ladder of Abstraction
Page 5
Four Steps
• Theory
• Methodology
• Tools
• Implementation
Page 6
SECURITY CHARACTERISTICS: INTANGIBLE, NOTION, PERCEPTION
Page 7
HOW DO YOU MEASURE SECURITY?
Page 8
GENERAL MISTAKES IN IT-SECURITY
Page 9
CITY WALL
Weakness:
1. Once access is granted, there is no effective control of the actual activity inside.
2. All security processing occurs at the point of entry.
Page 10
CAPTURE ALL (STASI)
Weakness:
1. Too much data is captured; no one has the resources or time to analyze it.
2. Security management is overwhelmed by indicators and suffers from information overload.
Example: pilots in an emergency
Page 11
REFUSAL TO IDENTIFY CRITICAL ASSETS
Weakness:
1. All information assets are protected equally, so what really matters does not get the attention it needs.
2. Under time pressure, and with the risk that the crime is still being perpetrated, it is essential to know what is important to protect and respond to.
Remedy: Business Impact Analysis (BIA).
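The "capture all" and "refusal to identify critical assets" failure modes above, next to the BIA remedy, as an added example that is not part of the lecture: a first-come, first-served alert queue is compared with one weighted by a Business Impact Analysis table, so that a fixed analyst capacity goes to the events on the assets that matter. The hostnames, event types, severity values, BIA table and log lines are constructed for illustration, not taken from the slides.

```python
"""Added example (not from the lecture): BIA-driven alert triage.

Models the two failure modes on the slides, "capture all" (every event
lands in one first-come, first-served queue) and "refusal to identify
critical assets" (all assets weighted equally), next to the remedy: a
Business Impact Analysis table that ranks assets so a finite analyst
capacity goes to what matters. Hostnames, event types, the BIA table and
the log lines are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed BIA table: asset -> business impact (1 = low, 5 = critical).
BIA: Dict[str, int] = {
    "erp-db01": 5,     # customer and financial records
    "hr-files01": 4,   # personnel data
    "web-proxy01": 2,
    "kiosk-lobby": 1,
}
DEFAULT_IMPACT = 2     # unknown asset: assume moderate impact, never zero

# Constructed base severity per event type; unknown types count as 1.
SEVERITY: Dict[str, int] = {
    "auth_failure": 1,
    "new_admin_account": 4,
    "bulk_export": 5,
    "malware_detected": 4,
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?: user=(?P<user>\S+))?$"
)


@dataclass
class Alert:
    ts: str
    host: str
    event: str
    user: Optional[str] = None
    score: int = 0


def parse_event(line: str) -> Optional[Alert]:
    """Parse one constructed log line; unparseable lines are dropped, not scored."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Alert(ts=m["ts"], host=m["host"], event=m["event"], user=m["user"])


def score(alert: Alert, bia: Dict[str, int] = BIA) -> int:
    """Impact x severity: a critical asset lifts even a low-severity event."""
    return bia.get(alert.host, DEFAULT_IMPACT) * SEVERITY.get(alert.event, 1)


def capture_all(lines: List[str], capacity: int) -> List[Alert]:
    """The 'capture all' queue: whatever arrived first fills the analyst's slots."""
    alerts = [a for a in map(parse_event, lines) if a is not None]
    return alerts[:capacity]


def triage(lines: List[str], capacity: int, bia: Dict[str, int] = BIA) -> List[Alert]:
    """BIA-weighted queue: the `capacity` alerts to look at first."""
    alerts = [a for a in map(parse_event, lines) if a is not None]
    for a in alerts:
        a.score = score(a, bia)
    alerts.sort(key=lambda a: (-a.score, a.ts))  # highest impact first, then oldest
    return alerts[:capacity]


# Constructed sample log: twenty lobby-kiosk login failures arrive before a
# bulk export from the ERP database and a new admin account on the HR share.
SAMPLE_LOG: List[str] = [
    f"2011-11-28T08:00:{i:02d}Z host=kiosk-lobby event=auth_failure" for i in range(20)
] + [
    "2011-11-28T08:01:00Z host=web-proxy01 event=malware_detected",
    "2011-11-28T08:01:05Z host=erp-db01 event=bulk_export user=sales_mgr",
    "2011-11-28T08:01:10Z host=hr-files01 event=new_admin_account user=svc_tmp",
    "this line is corrupt and will be skipped",
]

if __name__ == "__main__":
    print("capture-all, 3 slots:", [(a.host, a.event) for a in capture_all(SAMPLE_LOG, 3)])
    print("BIA triage,  3 slots:", [(a.host, a.event, a.score) for a in triage(SAMPLE_LOG, 3)])
```

With three analyst slots, the capture-all queue is filled entirely by kiosk login failures while the ERP export waits; the BIA-weighted queue puts the export, the new HR admin account and the proxy malware hit first. The multiplicative score is the design choice to notice: an unknown asset gets a moderate default rather than zero, so a gap in the BIA table degrades to "review later" instead of "never see it".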
Page 12
Systems and today’s challenges
Page 13
ISO 27000
Page 14
The Basic Model
Page 15
The Challenges to ISMS 1(2)
• Where does the system begin and end?
• Shared resources: whose responsibility?
• Identify resources: cloud, servers, back locations, devices?
• Flat organizations / independent work groups
• Remote work: working from home
Page 16
The Challenges to ISMS 2(2)
• People
• Big plans, mediocre implementation, entropy over time (Bob retired…)
• Stamina in upholding IT-sec policies (hospital)
• Unsafe behavior among executives and management (laptop DEA)
Page 17
Digital forensics' role in IT-security
• Accountability
• Regulatory compliance
• Audit trail
• Monitoring
• Policy enforcement
• Deterrent
Page 18
Regulatory and Policy Enforcement
• SEC (Securities and Exchange Commission)
• SOX audit trail
• Internal and external audits
• Federal and state law compliance
• Agency, corporate or university policies
Page 19
Routine Security Check
• Captures all staff and management
• You don't need an excuse to do it
• Doesn't trigger any concerns
• Intermittent pattern
Page 20
Deterrence
• Perpetrators are more focused on the risk of being caught than on the repercussions
• Insider information theft is premeditated (example: a sales manager leaving the company steals a copy of the customer database)
• Deterrence only works on rational actors
• Visible forensic and monitoring capabilities deter
• Forensic capability or monitoring structure cannot be shared in detail: risk of anti-forensics
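The audit-trail and accountability role of forensics (pages 17 and 18) and the anti-forensics risk on this page, as an added example that is not part of the lecture: a hash-chained audit log in which each record commits to the previous one, with three insider tampering moves (edit in place, delete the tail, edit and recompute the chain) run against it. The record contents, the "sales_mgr" scenario and the idea of an off-host anchored head hash are assumptions made for the example, not details from the slides.

```python
"""Added example (not from the lecture): a hash-chained audit trail.

Each record stores the SHA-256 of the previous record, so editing or
deleting an entry after the fact breaks every later link. Comparing the
last hash with a copy anchored outside the host (a separate log server,
WORM storage, a printed daily digest) also catches the two things a
chain alone cannot: truncation of the tail and a full rewrite of the
chain. Record contents are constructed for illustration.
"""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(prev_hash: str, payload: Dict[str, Any]) -> str:
    # Canonical JSON so that key order cannot change the hash.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(chain: List[Dict[str, Any]], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Append one audit record, linking it to the current head, and return it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev_hash, "payload": payload,
              "hash": _digest(prev_hash, payload)}
    chain.append(record)
    return record


def verify(chain: List[Dict[str, Any]], anchored_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad record, or None if the chain is intact.

    A mismatch against `anchored_head` (the head hash stored off-host) is
    reported as index len(chain): the tail was cut or the chain rewritten.
    """
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev_hash:
            return i
        if _digest(prev_hash, rec["payload"]) != rec["hash"]:
            return i
        prev_hash = rec["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return len(chain)
    return None


def build_sample_chain() -> List[Dict[str, Any]]:
    """Constructed events: the departing sales manager copying the customer database."""
    chain: List[Dict[str, Any]] = []
    append(chain, {"ts": "2011-11-28T17:02:11Z", "user": "sales_mgr", "action": "login"})
    append(chain, {"ts": "2011-11-28T17:05:40Z", "user": "sales_mgr", "action": "export",
                   "object": "customers.db"})
    append(chain, {"ts": "2011-11-28T17:06:02Z", "user": "sales_mgr", "action": "usb_write",
                   "bytes": 48000000})
    return chain


def tamper_edit(chain: List[Dict[str, Any]], index: int, **changes: Any) -> List[Dict[str, Any]]:
    """Anti-forensics, naive: edit one record in place (e.g. blame someone else)."""
    chain[index]["payload"].update(changes)
    return chain


def tamper_truncate(chain: List[Dict[str, Any]], keep: int) -> List[Dict[str, Any]]:
    """Anti-forensics: delete the trailing records."""
    del chain[keep:]
    return chain


def tamper_rechain(chain: List[Dict[str, Any]], index: int, **changes: Any) -> List[Dict[str, Any]]:
    """Anti-forensics, careful: edit a record and recompute every later hash.
    The result is internally consistent; only the off-host anchor reveals it."""
    payloads = [dict(r["payload"]) for r in chain]
    payloads[index].update(changes)
    rebuilt: List[Dict[str, Any]] = []
    for p in payloads:
        append(rebuilt, p)
    return rebuilt


if __name__ == "__main__":
    head = build_sample_chain()[-1]["hash"]       # copy kept off-host
    print("intact:   ", verify(build_sample_chain(), head))
    print("edited:   ", verify(tamper_edit(build_sample_chain(), 1, user="intern"), head))
    print("truncated:", verify(tamper_truncate(build_sample_chain(), 2), head))
    print("rechained:", verify(tamper_rechain(build_sample_chain(), 1, user="intern"), head))
```

The point for the deterrence discussion is the last two cases: an insider with write access to the log can delete the tail or rebuild the whole chain without tripping the internal check, so the chain is only as strong as the anchor the insider cannot reach. That is also why the slide says the monitoring structure should not be described in detail: knowing where the anchor lives is what an anti-forensics effort needs.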
Page 21
Digital Forensics as a Part of Risk Analysis
Page 22
Monitoring – Forensics – Incident Reports (feedback loop)
Adaptive “healing” systems
Page 23
Presenting Complex Technical Evidence
Page 24
Humans as risks
• Greed
• Jealousy
• Vanity
• Revanchism
• Ideological risks
• Addiction (all flavors)
Page 25
Humans vs. Machines
A person works approx. 2,000 hrs/year; the Google report equals ≈144 years.
Page 26
SECURITY – WORK FLOW
Security rules, processes, and policies that obstruct the work flow tend to be circumvented or ignored.
Office culture prevails.
Page 27
Collegial bonds are strong
• Don't disclose to management that something is not right
• Often the signs are clearly visible
• Protecting each other
• A + B + C = the complete story
Page 28
Other considerations
• Reputational risks / leaks
• Enterprise cloud computing
• Facebook
• Social media
• Google Docs
• Unauthorized information sharing
Page 29
Topics
• A perspective on security
• Systems and today's challenges
• Digital forensics' role in security
• Humans as security risks
• New risks: reputation, online clout, business risks, regulatory risks
Page 30
Discussion
How would you handle the following?
Page 31
1. HOW DO YOU CONVINCE A BUSINESS LEADER THAT THEIR COMPANY NEEDS IN-HOUSE DIGITAL FORENSIC CAPABILITY?
Page 32
2. HOW CAN WE LIMIT THE DAMAGE OF CHARACTER FAILURE (UNAUTHORIZED ACTIONS) IN AN ORGANIZATION?
Page 33
3. HOW CAN A SECURITY AWARENESS CAMPAIGN IN A COMPANY PRESENT FORENSICS AS AN INDIVIDUAL DETERRENT?
Page 34
4. TAKING INTO ACCOUNT THE ADVANCES IN FORENSICS AND MONITORING, DO YOU THINK IT-SECURITY IS BECOMING EASIER OR HARDER TO EXECUTE?