
Armed Geeks: Incident Response Policy
Author: Jerry Benton

Ordeal by Fire

Crime is obviously nothing new to society. Throughout history, civilizations have approached the problem with numerous methods and techniques, and the further back we look, the more brutal the remedy seems. The illustration accompanying this article shows a medieval gibbet. People were hanged and left to rot in them just outside of towns to serve as warnings against criminal activity, but this scare tactic obviously did not work, since crime was rampant throughout most of the Dark Ages. The idea of a trial was equally crude by today's standards. For example, the Ordeal by Fire required the accused to walk three paces holding a red-hot iron bar. If the wound appeared to be healing three days later, the accused was innocent; if not, the accused was guilty. The punishments were just as brutal: those who hunted in royal parks had their ears removed, and women found guilty of murder were burned, right after they were strangled.

Fortunately, we have adopted a better system for both trial and punishment, but we still share a problem with the Dark Ages. We catch criminals and punish them, yet others continue to commit crimes regardless of the examples we set. There are numerous reasons why criminals commit crimes, but common sense dictates that the lower the chance of getting caught, the higher the probability that a crime will be committed. More or less, it is a simple risk versus reward calculation.

With this in mind, a crime like murder ought to occur at a lower rate than something like computer crime if all other factors were equal. The reality is that they are not equal. Murder has been around as long as mankind, and the methods for proving murder in today's society are far more mature than those for proving computer crime, which has existed as a viable crime for less than a century. Another factor is that computer crime is a detached act in which the criminal and the victim have no physical contact. Add the complexity of understanding the technology involved, and law enforcement officials find themselves crippled from the beginning and are even less likely to solve the crime.

Meet-a-Geek
Being thrown into a complex situation outside of one's normal environment is a recipe for failure. For example, if we were to hand an average homicide detective a computer that has been hacked and ask him to tell us who did it, we would more than likely end up with an unsolved crime. Granted, larger police organizations will have the capability and personnel trained to solve such crimes, but this is not the norm for the average police department. Most law enforcement officials will need help from a professional in the field of information technology. This is where a relationship established before a criminal act occurs benefits not only the police department but also the information technology organization. And establishing this relationship is easy.

The first thing an organization should do is send one of its professionals to training in criminal incident handling. Courses are available from organizations such as SANS and often come with the option to test for a certification such as the GIAC Certified Incident Handler. Two things are gained from this course and certification. The first is knowledge of the legal background and procedures for investigating a cyber crime. The second, and the most important to law enforcement officials, is credibility. A certification of this type from a recognized organization makes its holder valuable not only to the individual's own organization but also to law enforcement.

The next step is simply to make contact with a local law enforcement agency and meet with the representative charged with handling computer crime. Whether or not there is such a representative, rest assured that the police will more than likely be happy to know a local professional certified in the technical investigation of computer crime. When I took the course mentioned above there was a representative from our local law enforcement in the class. This was extremely fortunate because I was able to get trained and meet a representative at the same time. This paid off because the next time there was an incident that involved law enforcement, we already had an established rapport. We still see each other regularly in passing and are on a first-name basis with one another. And each time an incident arises it's no different than working with any other coworker in the office.

Drawing the Line
Computer crime is crime. That may sound silly, but computer professionals need to keep it in mind. The moral is simple: know your boundaries. As a computer professional you may have the skill set required to investigate what happened, but you are not law enforcement. To prosecute a computer crime, a traditional investigative approach, with its rules of evidence handling, has to be maintained by law enforcement officials. If that approach is ignored, prosecuting the criminal becomes impossible. So, if you ever find yourself the victim of a computer crime, decide immediately whether or not your organization will want to prosecute (ideally that decision is already written into your incident response policy). If so, stop and call the police. Any attempt to "look and see" will most likely alter the evidence, and tampered evidence is likely to be inadmissible in a US court.

Mailborder Systems © 2005 - 2006