Archive for November, 2008

Sign Up for My SANS Forensics Course in Boston

Sunday, November 30th, 2008

I hope you will all consider signing up for the SANS Computer Forensics, Investigation, and Response course starting in Boston on January 13th, which I will be mentoring. This is a great opportunity for those who are interested in conducting security investigations to learn the necessary skills on a well-paced schedule and in a low-pressure environment. The mentor format allows every student the time to really absorb the material, interact with other professionals, and work on the hands-on labs at their own pace. SANS offers the best coverage of the digital forensics field, and the GCFA certification provides the industry-leading evaluation of your skill level.

For a limited time SANS is offering a $200 Apple gift card for registering and paying for this class prior to December 31. Looking to try the new iPhone? Here is your chance! Simply enter the word “Apple” in the comments box on the second registration screen and make payment by December 31 to receive a $200 Apple gift card.

Extending the CIA Triad

Thursday, November 20th, 2008

Everyone in the security field has had the concept of the CIA triad drilled into them. These basic assurance objectives can easily be mapped to forensics, but you soon discover that an important element is missing: Accountability. In my risk management, security architecture, and digital forensics work, I have always asserted that the triad should include another ‘A’. I have heard other security professionals suggest that other security concepts, such as Access Control, should be added to the triad. To me, Access Control just isn’t an assurance goal; it is a means. Accountability, by contrast, is the goal or purpose of the controls, not just an action for a control to perform.

This is easily illustrated by mapping the C-I-A-A to the area of digital forensics. The most obvious mapping is that of Integrity. So much of the process, procedure, and documentation during a forensic investigation is to demonstrate that the evidence has not been modified in any way during acquisition, analysis, or storage. Hashing or digital signing is the obvious example.

Going back to Confidentiality, this aspect of an investigation doesn’t get the same level of attention as the integrity concerns, but it is certainly important. During any incident response, a trusted and secure communication method is necessary to keep the details private: an attacker or the subject of the investigation could be monitoring communication channels such as email or instant messenger. For the same reason, data acquisition for many investigations is performed during evenings and weekends, when the subject is unlikely to notice. Discretion is an essential skill for any investigator.

Availability is the need to keep data and evidence accessible to investigators. Only copies of the original data captures should be used during analysis, and all instances, originals and copies alike, should be stored securely. The duration of most investigations is short enough that media degradation shouldn’t be a concern, but an e-discovery case may call on information from old media. Older tapes and even DVD media can degrade over time, so if your retention policy requires keeping data that old, you should consider migrating it to fresh media periodically. Availability considerations may also include giving investigators around the world access to the data under analysis in high-profile cases that require around-the-clock work.

Finally, Accountability applies not only to maintaining an audit trail of how evidence was handled during the investigation, but also to how data is captured before and during an incident. If proper logging and auditing aren’t in place proactively, there may not be enough information to prove or disprove anything. Non-repudiation is just one specific case of accountability. In a wider sense, you need to be able to prove who performed an activity, what the scope of the action was, and when it was done. A simple example is a log that identifies the actor only by IP address. This is a weak control because addresses can easily be spoofed, can’t always be tied back to a single individual, and address-to-host mappings aren’t always retained in dynamic environments such as those using DHCP. A better control ties each log entry back to a strongly authenticated user.
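The two points above, integrity of the evidence itself (hashing at acquisition, as discussed under Integrity) and an accountable record of who did what to it and when (as discussed under Accountability), can be combined in a single chain-of-custody ledger. The following is an added example and is not code from the original post: each entry names an authenticated principal rather than an IP address, records the action, its scope, a timestamp and the SHA-256 of the evidence it concerns, and is linked to the previous entry and keyed with an HMAC so that editing, dropping or reordering entries is detected on verification. The ledger key, the user names and the evidence bytes are constructed for illustration.

```python
"""Hash-chained, keyed chain-of-custody ledger (added example, not from the post).

Each entry records who (a strongly authenticated principal, not an IP),
what (action and scope), when, and the SHA-256 of the evidence it refers to.
Entries are linked by the previous entry's MAC and each carries an HMAC under
a ledger key, so editing, dropping or reordering an entry fails verification.
"""
import hashlib
import hmac
import json

# Assumed ledger key for the example only; a real deployment would keep it in an
# HSM or at least somewhere the analysis workstation cannot read it.
LEDGER_KEY = b"example-ledger-key-not-for-production"
GENESIS = "0" * 64  # prev_mac value for the first entry


def sha256_hex(data: bytes) -> str:
    """Acquisition-time hash of an evidence object (image, file, capture)."""
    return hashlib.sha256(data).hexdigest()


def _entry_mac(key: bytes, entry: dict) -> str:
    """HMAC over a canonical JSON encoding of every field except the MAC itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def append_entry(ledger: list, key: bytes, actor: str, auth_method: str,
                 action: str, scope: str, when: str, evidence_sha256: str) -> dict:
    """Append a custody event; the entry is bound to its predecessor and to the key."""
    entry = {
        "seq": len(ledger),
        "actor": actor,              # authenticated identity, never just an address
        "auth_method": auth_method,  # how that identity was established
        "action": action,
        "scope": scope,
        "when": when,                # ISO 8601 UTC timestamp
        "evidence_sha256": evidence_sha256,
        "prev_mac": ledger[-1]["mac"] if ledger else GENESIS,
    }
    entry["mac"] = _entry_mac(key, entry)
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, key: bytes) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev_mac = GENESIS
    for i, entry in enumerate(ledger):
        if entry.get("seq") != i or entry.get("prev_mac") != prev_mac:
            return False, i   # an entry was dropped, inserted or reordered
        if not hmac.compare_digest(_entry_mac(key, entry), entry.get("mac", "")):
            return False, i   # a field was edited after the fact
        prev_mac = entry["mac"]
    return True, -1


def verify_evidence(data: bytes, ledger: list, seq: int) -> bool:
    """Check a working copy against the hash recorded at acquisition."""
    return hmac.compare_digest(sha256_hex(data), ledger[seq]["evidence_sha256"])


def demo() -> dict:
    original = b"constructed disk image bytes"   # stands in for a real acquisition
    ledger: list = []
    h = sha256_hex(original)
    append_entry(ledger, LEDGER_KEY, "alice@example.org", "smartcard+PIN",
                 "acquired", "laptop SN 1234, full disk", "2008-11-20T09:00:00Z", h)
    append_entry(ledger, LEDGER_KEY, "bob@example.org", "smartcard+PIN",
                 "analyzed", "working copy 1", "2008-11-21T14:30:00Z", h)
    # After-the-fact edit of who performed the analysis must be caught.
    tampered = json.loads(json.dumps(ledger))
    tampered[1]["actor"] = "mallory@example.org"
    # Silently dropping the acquisition record must be caught too.
    truncated = ledger[1:]
    return {
        "intact": verify_ledger(ledger, LEDGER_KEY),
        "copy_ok": verify_evidence(original, ledger, 0),
        "copy_bad": verify_evidence(original + b"\x00", ledger, 0),
        "tampered": verify_ledger(tampered, LEDGER_KEY),
        "truncated": verify_ledger(truncated, LEDGER_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The chaining makes the ledger an integrity control over the custody record, and the `actor`/`auth_method` fields make it an accountability control; note that neither helps if the key is reachable by the same people who can edit the log, which is why the lead-in assumes it lives elsewhere.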

Digital forensics is just one example of how the extended C-I-A-A concept can be applied to any aspect of Information Assurance. Each of the four is an independent requirement, and how much weight each carries will vary from one application to the next.