Slide 1: Introduction: CIS8630 Business Computer Forensics and Incident Response
Richard Baskerville, Georgia State University

Slide 2: Motivation: Why this topic matters
• Policy Enforcement
• Information Security
• Legal Protection and Preparedness
• Privacy Protection
• Performance Assurance

Slide 3: Interaction of Left & Right Paradigms
[Diagram: a Threat acts on an Information System Resource. Left of Incident: Deter, Prevent, Indications & Warnings. Incident. Right of Incident: Detect, Respond (Contain, Recover, Harden; Legislate & Policy Setting; Investigate, Notify, Sue, Prosecute, Retaliate); Refine.]
Adapted from Denning, D. E. (1999). Information Warfare and Security. Reading, Mass.: Addison-Wesley.

Slide 4: Left of incident
• Prevention
• Indications and Warnings
• Deterrence
• Crime or Policy Violation

Slide 5: Right of incident
• Detection
• Response
  - Contain/recover/harden
  - Legislate/Policy
  - Investigate, Notify, Sue, Prosecute, Retaliate

Slide 6: Left vs. Right Paradigms: Assumptions
Adapted from Baskerville, R. (2005). Information Warfare: A Comparative Framework for Business Information Security. Journal of Information Systems Security, 1(1), 23-50.

Slide 7: Left vs. Right Paradigms: Logical Structure
Adapted from Baskerville, R. (2005). Information Warfare: A Comparative Framework for Business Information Security. Journal of Information Systems Security, 1(1), 23-50.

Slide 8: Left vs. Right Paradigms: Organizing Principles
[Table with columns Left of Incident and Right of Incident]
Adapted from Baskerville, R. (2005). Information Warfare: A Comparative Framework for Business Information Security. Journal of Information Systems Security, 1(1), 23-50.

Slide 9: Information Security Incident
• Any information-related activity with negative security implications.
  - Usually means that the activity violates an explicit or implicit information security policy.
Adapted from Mitropoulos, S., Patsos, D., & Douligeris, C. (2006). On Incident Handling and Response: A state-of-the-art approach. Computers & Security, 25(5), 351-370.

Slide 10: Information Security Incident
• A security incident is a change of state in a bounded information system from the desired state to an undesired state, where the state change is caused by the application of a stimulus external to the system.
Adapted from Stephenson, P. (2004). Managing digital incidents - a background. Computer Fraud & Security, 2004(12), 17-19.

Slide 11: Basic types of Information Security Incident
• Penetration
• Fraud
• Denial-of-service
• Virus/worm infection
Adapted from Stephenson, P. (2004). Managing digital incidents - a background. Computer Fraud & Security, 2004(12), 17-19.

Slide 12: Business Computer Incident Response
• Incident response: procedures that mitigate the immediate impact of the threat, eliminate any possible consequential loss and prevent any possible future recurrence
From Abimbola, A. (2007). Information security incident response. Network Security, 2007(12), 10-13.

Slide 13: Incident Response Methodology
• Interdiction: Stopping or interrupting the incident
• Containment: Isolating damage and preventing it from spreading
• Recovery: Returning the business to the pre-incident state
• Analysis: Post-incident root cause analysis (post-mortem)
e.g. Stephenson, P. (2004). Managing digital incidents - a background. Computer Fraud & Security, 2004(12), 17-19.

Slide 14: Computer Security Incident Response Team (CSIRT)
• Analysis of security vulnerabilities and new threat research, and dissemination of countermeasures information
• Coordination of response to all information security incidents, such as malicious code (worms, viruses, trojan horses, etc.)
• Investigation of security incidents involving company computing resources (including abuse, harassment, blackmail, sabotage, and theft)
• Resolution (both hands-on and on a coordination level) of general threats to confidentiality, availability and integrity of the company's data and systems
• Education of the users and the engineering and support organization about security issues and trends
e.g. Salomon, J. M., & Elsa, P. (2004). Computer security incident response grows up. Computer Fraud & Security, 2004(11), 5-7.

Slide 15: Business Computer Forensics
The application of forensic science techniques to computer-based material, the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is acceptable to legal proceedings.
Solomon, M. G., Barrett, D., & Broom, N. (2005). Computer Forensics Jump Start. San Francisco: Sybex. p. 2

Slide 16: Business Computer Forensics
Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. Computer forensics is also referred to as computer forensic analysis, electronic discovery, electronic evidence discovery, digital discovery, data recovery, data discovery, computer analysis, and computer examination.
Vacca, J. R. (2002). Computer Forensics: Computer Crime Scene Investigation. Hingham, Massachusetts: Charles River Media. p. 4

Slide 17: Business Computer Forensics
Digital forensics is the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.
Digital Forensics Research Workshop (2001). A Road Map for Digital Forensics Research. www.dfrws.org
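
The DFRWS definition above puts preservation, validation and documentation ahead of analysis and presentation. The following Python is an added illustration of those three steps for a single item of evidence; it is not code from the lecture slides or from any forensic tool. Everything in it is constructed for the example: the `EvidenceRecord` and `CustodyEvent` classes, the evidence ID, the examiner names, and the byte string standing in for an acquired disk image. The point it makes is that the digest fixed at acquisition is the reference for every later handling step, and that a failed check is logged as part of the record rather than silently dropped.

```python
"""Preservation and validation of one item of digital evidence.

Added example for the DFRWS definition; not code from the lecture slides or
from any forensic tool. The evidence ID, examiner names and the sample image
bytes are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired media image (in practice the output of a
# bit-for-bit acquisition of a disk). The content is irrelevant; what matters
# is that its digest is fixed at acquisition time.
SAMPLE_IMAGE = (
    b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xaa"   # 512-byte boot sector
    + b"report.txt: Q3 figures, do not distribute\n"
)


def sha256_hex(data: bytes) -> str:
    """Digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEvent:
    action: str        # "acquired", "transferred" or "verified"
    actor: str         # who handled the evidence at this step
    sha256: str        # digest observed at this step
    ok: bool           # True if it matched the acquisition digest
    timestamp: str = field(default_factory=utc_now)


class EvidenceRecord:
    """Chain-of-custody record: every handling step re-hashes the image and
    logs the outcome, so the record documents both integrity and any break."""

    def __init__(self, evidence_id: str, description: str,
                 image: bytes, examiner: str) -> None:
        self.evidence_id = evidence_id
        self.description = description
        # Set once at acquisition; all later validation compares against it.
        self.acquisition_sha256 = sha256_hex(image)
        self.chain: list[CustodyEvent] = [
            CustodyEvent("acquired", examiner, self.acquisition_sha256, True)
        ]

    def verify(self, image: bytes, actor: str, action: str = "verified") -> bool:
        """Re-hash and log. A mismatch is recorded, not discarded: it is
        itself a finding (bad copy or tampering) that must be documented."""
        digest = sha256_hex(image)
        ok = digest == self.acquisition_sha256
        self.chain.append(CustodyEvent(action, actor, digest, ok))
        return ok

    def transfer(self, image: bytes, to_actor: str) -> bool:
        """Hand-off to another custodian, who validates on receipt."""
        return self.verify(image, to_actor, action="transferred")

    def intact(self) -> bool:
        """True only if no custody event ever saw a digest mismatch."""
        return all(ev.ok for ev in self.chain)

    def to_json(self) -> str:
        """Presentable form of the record (e.g. for an evidence appendix)."""
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "acquisition_sha256": self.acquisition_sha256,
            "chain": [asdict(ev) for ev in self.chain],
        }, indent=2)


def walk_through() -> tuple[bool, bool, bool]:
    """Acquire, transfer intact, then validate a copy altered by one bit.
    Returns (transfer_ok, altered_copy_ok, record_intact)."""
    rec = EvidenceRecord("E-0001", "workstation disk image (constructed)",
                         SAMPLE_IMAGE, "examiner A")
    transfer_ok = rec.transfer(SAMPLE_IMAGE, "examiner B")
    altered = bytearray(SAMPLE_IMAGE)
    altered[-2] ^= 0x01                      # one-bit change, e.g. a stray write
    altered_ok = rec.verify(bytes(altered), "examiner B")
    return transfer_ok, altered_ok, rec.intact()


if __name__ == "__main__":
    print(walk_through())   # (True, False, False)
```

Run as a script it prints `(True, False, False)`: the hand-off validates, the altered working copy does not, and because the mismatch is now part of the chain the record as a whole is no longer intact. In real acquisitions the reference digest is produced by the imaging tool against the original media behind a write blocker, and analysis is done only on validated copies, so that the original's digest never has a reason to change.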

Slide 18: Computer Forensics Stakeholders
[Diagram of stakeholder groups]
• Crime & law enforcement
• Forensic product marketplace
• Certifications and education
• Business
• Investigations
• Civil lawsuit / E-discovery
• Incident Response

Slide 19: Forensics Community of Practice
• Frequent visiting experts
  - Business forensics experts
  - Legal technical experts
  - Law enforcement

Slide 20: Introduction: CIS8630 Business Computer Forensics and Incident Response
Richard Baskerville, Georgia State University
