5.1 Incident Response and Attack

Reusing Flash Drives: After the Trojan horse incident in Section 4.4.3, Bob decided to store working files on small, removable USB flash drives. At first he used the first drives he could find, and gave one copy to Tina. A few days later, he purchased two distinctive-looking drives. He carefully marked them to avoid confusing the confidential USB drives with others in the office.

After he copied all files to the new drives, he deleted the files from the old drives and “emptied the trash.”

A few days later, Eve visited Bob’s office. She asked Tina to lend her a spare USB drive. Should Tina give Eve one of the erased drives?

When we write information to a file, the file system copies that information onto blocks of storage on our hard drive or flash drive. The system then saves information about the blocks’ locations in the file’s folder.

When we delete a file, most operating systems move it to a special folder called “trash” or “recycle.” If we want to recover the file, we simply move it back to a permanent folder. After emptying the trash, the file system removes the file’s entry from its folder and frees its data blocks to be reused the next time we write to the drive. Once new data has been written over the old file’s data blocks, it becomes almost impossible to recover the file.

However, drives often have a lot of free space. Recently freed blocks might not be reused for hours or even weeks. An undelete program tries to reconstruct a file by locating the freed data blocks before they are reused. This is also called file scavenging. Even though Bob and Tina “emptied the trash” each time they deleted a file, they didn’t really remove the information from the old drives.

Incidents and Damage Although security problems might feel like “attacks” personally, many don’t actually cause damage. Without a loss, some might argue that there really hasn’t been an “attack,” per se. For that reason, it’s often better to refer to these events as incidents, not attacks. For example, a “bicycle incident” might unhook a bicycle lock from a fence. The bicycle itself isn’t damaged nor is the lock, but now it’s vulnerable to theft. We can still ride, but we now have a security problem.

Is it a “security incident” if Tina lends a USB drive to Eve? Yes: We make it a security incident when we ask the question. Bob is the proprietor of Bob’s Bookkeeping, and ultimately it’s his responsibility if a client’s data leaks. He decides whether deleting a file is sufficient security for his customers. If the leak occurs and an investigator traces it back to Bob, he could argue that he made a reasonable effort to protect the data. Most people assume that deletion is as much as they need to do.

If Bob wants to prevent this potential leak, he should never lend, share, or throw away a drive, whether a hard drive or a USB drive. Some people try to erase a drive by “formatting” it (see Section 5.3), but this does not necessarily erase the data, either. Overwriting the data is probably effective on hard drives, especially modern, high-density models, and makes recovery impractical in most cases. Overwriting does not work on modern flash drives: a flash drive generally writes data to new, unused segments even when rewriting previously written storage locations, so the old copy remains on the device. Section 7.4 examines the process of overwriting data further. A very few high-security applications demand that drives be physically destroyed to protect their contents from leaking.
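The following is an added illustration, not code from the text, of the two points made above: that “emptying the trash” only frees blocks without touching their contents, and that an in-place overwrite clears a hard-disk-like device but not a flash-like device whose controller writes every update to fresh storage. The block size, the FIFO free-list allocator, the file names, and the sample record are all constructed here; the FlashModel is a deliberately simplified stand-in for the out-of-place write behaviour described in the paragraph, not a model of any real controller.

```python
# Added example (not from the text): a toy block store that models why
# "emptying the trash" leaves data on a drive, why in-place overwriting
# clears it on a hard-disk-like device, and why it does not on a
# flash-like device that writes every update to a fresh block.
# Block size, free-list policy, file names and the sample secret are made up.

BLOCK_SIZE = 16


class DiskModel:
    """Hard-disk behaviour: writing logical block n replaces block n's bytes."""

    def __init__(self, nblocks=8):
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(nblocks)]
        self.free = list(range(nblocks))  # allocator's free list, used FIFO
        self.directory = {}               # file name -> list of block numbers

    def _allocate(self, count):
        chosen, self.free = self.free[:count], self.free[count:]
        if len(chosen) < count:
            raise OSError("device full")
        return chosen

    def _chunks(self, data):
        return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]

    def write(self, name, data):
        chunks = self._chunks(data)
        old = self.directory.get(name)
        if old is not None and len(old) == len(chunks):
            blocks = old                   # same size: rewrite the blocks in place
        else:
            blocks = self._allocate(len(chunks))
            if old is not None:
                self.free.extend(old)      # old blocks freed, contents untouched
            self.directory[name] = blocks
        for blkno, chunk in zip(blocks, chunks):
            self.blocks[blkno] = chunk.ljust(BLOCK_SIZE, b"\x00")

    def delete(self, name):
        """'Empty the trash': drop the directory entry and free its blocks.
        Nothing is written to the blocks themselves."""
        self.free.extend(self.directory.pop(name))

    def scavenge(self, marker):
        """Undelete-style search: scan every block, free or not, for a marker."""
        return [n for n, blk in enumerate(self.blocks) if marker in blk]


class FlashModel(DiskModel):
    """Flash behaviour (simplified): a live block is never rewritten; the update
    goes to a fresh block and the stale one is merely returned to the free list."""

    def write(self, name, data):
        chunks = self._chunks(data)
        new = self._allocate(len(chunks))      # always fresh blocks
        old = self.directory.get(name)
        self.directory[name] = new
        if old is not None:
            self.free.extend(old)              # stale copy stays readable
        for blkno, chunk in zip(new, chunks):
            self.blocks[blkno] = chunk.ljust(BLOCK_SIZE, b"\x00")


SECRET = b"CLIENT-TAXID-0042"   # constructed sample record
MARKER = b"TAXID"               # what a scavenger would search for


def recoverable_after_delete(model_cls):
    """Write a file, delete it, then do one small unrelated write.
    With plenty of free space the freed blocks are not reused yet."""
    dev = model_cls()
    dev.write("ledger.txt", SECRET)
    dev.delete("ledger.txt")
    dev.write("memo.txt", b"lunch order")
    return bool(dev.scavenge(MARKER))


def recoverable_after_overwrite(model_cls):
    """Overwrite the file with zeros of the same length, then delete it."""
    dev = model_cls()
    dev.write("ledger.txt", SECRET)
    dev.write("ledger.txt", b"\x00" * len(SECRET))
    dev.delete("ledger.txt")
    return bool(dev.scavenge(MARKER))


if __name__ == "__main__":
    for cls in (DiskModel, FlashModel):
        print(cls.__name__,
              "recoverable after delete:", recoverable_after_delete(cls),
              "after overwrite:", recoverable_after_overwrite(cls))
```

Running the script shows the secret recoverable after a plain delete on both models, gone after an in-place overwrite on the disk model, and still present after the “overwrite” on the flash model, because the zeros landed in fresh blocks while the original blocks kept their contents.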

Compromised Systems Just as a bicycle incident may render a bike vulnerable without damaging it, an incident might render Bob’s computer more vulnerable to attack. For example, a suitemate might disable access permissions on system files. Bob’s computer now has been compromised. In Victorian times, people spoke of “compromising one’s reputation.” This indicated that an incident had rendered the reputation suspect, even without proof of misbehavior. The “compromise” indicates that the computer is no longer trustworthy, because it may have been subverted.

We recover from attacks, incidents, and compromises by taking steps to repair the damage and close the weakness that allowed them. The recovery process is often called remediation.

5.1.1 The Aftermath of an Incident

Different incidents demand different forms of recovery. The aftermath may include one or more of the following tasks:

  ■   Identify shortcomings in our risk assessment, security requirements, or implementation to reduce the impact of future incidents.

  ■   Fix software and system components to block the attack vectors used.

  ■   Repair any problems caused by the attack. If a Trojan program infects your computer, the repair includes removal of the Trojan.

  ■   If the incident is caused by someone’s malicious act and we can hold that person accountable, then we need to collect evidence that clearly ties the person to the incident.

  ■   If someone is using our computer to violate laws, then we need to preserve the evidence so that a prosecutor may use it in a trial.

Digital Forensics

We apply digital forensics when we need to collect evidence from computers and other digital storage devices. Forensic techniques recover, preserve, and analyze information from a computer system to show what its users were doing.

When we take a serious action, like firing an employee or pursuing legal measures against an attacker, we must take special care in collecting evidence. If the evidence must support legal action, then it must be admissible in court.

Questions of gathering evidence are fundamental to forensics:

  ■   What data should we try to collect before a security incident that we can use as evidence after one occurs?

  ■   What data are we allowed to collect and use as evidence from an individual’s computer?

  ■   What data can we retrieve from persistent computer memories, like hard drives and USB flash drives?

The answers depend heavily on the legal system that applies to the computers, their owners, and the perpetrators of the attack.

Fault and Due Diligence

If harm comes from an incident, there is often a legal or moral obligation to hold someone responsible. The attacker obviously should be held responsible and, if appropriate, should repair the damage or provide restitution. However, if the attack took advantage of carelessness, then the careless parties also may be responsible. This is an established legal concept in many communities.

If someone retrieved their files despite the protections they used, are Bob and Tina somehow responsible? The question revolves around whether they exercised due diligence; in other words, whether they took reasonable steps to protect the files. If they could have used stronger measures and failed to, then perhaps they bear responsibility for the failure. If, on the other hand, they used the customary security measures and the community accepts those measures as adequate, then they showed due diligence. A court could justifiably hold them responsible if they failed to use the same security measures as others in their position.

5.1.2 Legal Disputes

A security incident may become part of a legal dispute, and then it is subject to the local legal system. If the dispute is being resolved in the United States or under a similar legal system, then we may need evidence to show what happened and, ideally, identify the people responsible.

When we present the matter to an official, whether a police officer, prosecutor, or judge, our evidence must meet local legal requirements. First, the evidence must be relevant and convincing. Second, those who review the evidence must be confident that it actually illustrates the incident under investigation. The evidence must be unchanged since the incident occurred.

Finally, we may only use information that we have legally obtained. The specific requirements vary under different legal theories and traditions. Here, we will focus on U.S. legal requirements. However, even the U.S. rules are subject to change, because this is a new area of law.

Legal Systems

Worldwide, legal experts classify legal systems into three categories:

  1. Civil law—based on legislative enactments. Roman and Napoleonic laws are examples of this.

  2. Common law—based on judicial decisions. English Common Law and the U.S. legal system follow this tradition.

  3. Religious law—based on religious systems or documents. Jewish, Islamic, and Christian canon law systems are examples of this.

In practice, legal systems often reflect a blend of these systems. Traditionally, people speak of the U.S. and English legal systems as arising from common law, but today both are heavily influenced by new laws passed by legislatures.

Resolving a Legal Dispute

Not all incidents rise to the level of legal dispute. In the United States and in countries with similar systems, problems arising from an incident may be resolved in several ways:

  ■   Private action, in which one party acts against another, based on a shared relationship. For example, an employer might discipline an employee, or a school might discipline a student, based on informal evidence that might not be admissible in court.

  ■   Mediation, in which the parties rely on a third party, a mediator, to help negotiate a settlement. The mediator is not bound by particular rules of evidence and may consider evidence that is not admissible in court.

  ■   Civil complaint, in which one party files a lawsuit against another. Such matters still may be resolved privately, possibly through negotiation. If the parties go to court, then legal requirements for digital evidence must be followed precisely.

  ■   Criminal complaint, in which a person is charged with breaking particular laws. The complaint sets out the facts of the matter and presents probable cause for accusing a particular person of the crime. A criminal complaint may be made by the police, a district attorney, or any interested party. If there is no plea bargain, the case goes to trial, at which point the digital evidence must fulfill all legal requirements.

Although a dispute may begin as a private action, it could escalate to mediation or to a civil case. In some cases, the incident could become a criminal complaint. The safest strategy, if legal action seems likely, is to collect evidence in a manner that preserves its admissibility in a civil or criminal court action.

A typical forensics investigator does not focus on computer or information evidence alone. The investigator will look for all kinds of evidence related to the incident under investigation: related equipment, papers, articles of clothing, latent fingerprints, and DNA, that may associate suspects with the incident. A typical investigator will follow rules outlined later to collect and secure computer data for later analysis. Investigators do not usually try to perform detailed investigations on site. Such an investigation poses the real risk of disturbing the evidence and making it impossible to distinguish between the suspect’s actions and the investigator’s actions.
