'Dust for prints' after a security crisis, warn experts

Forensics a 'must'...

Tags: computer forensics

By Will Sturgeon

Published: 19 September 2006 11:55 BST

Businesses have been told they must gain an understanding of computer forensics if they are to keep pace with the growing level of threat from within the enterprise.

Bruce Nikkel, head of the IT investigation and forensics department at UBS, said areas such as the military or law enforcement have been using forensics for some time but he urged big business to get up to speed and understand the challenges.

And Nikkel's advice, offered at Gartner's London security summit this week, coincides with a strong warning from the analyst house about the growing threat from within organisations.

Tom Scholtz, research VP at Gartner, said: "We are going to see a dramatic increase in the number of information security breaches where insider collaboration or involvement was a major factor, whether intentional or accidental."

Scholtz said a relative increase may in part be down to successful efforts to keep the "bad guys" from getting through a company's security perimeter of their own accord. But he said an increase will also be due in part to those self-same bad guys using social engineering techniques to dupe insiders into betraying information or breaching security.

Earlier this year the FBI reported that 44 per cent of all computer-related crimes are carried out by people within organisations.

One of the most common mistakes made by companies in the wake of an incident is to get affected systems up and running again without giving thought to the forensic work required, said Nikkel. In layman's terms it's the equivalent of cleaning up a crime scene before evidence has been taken.

Nikkel said it's very easy to destroy digital evidence, especially on live systems. "All the information may be stored in memory so even if you power down that machine you may lose that information," he added.

Similarly, any number of activities, such as plugging in a suspect USB key or rebooting a PC, can destroy the timeline of events and should be left to experienced investigators.

Other challenges faced in establishing forensics best practice include understanding the scale of the task. It isn't just collecting evidence but also preserving it, analysing it and being able to present it in a format that is admissible in court, if necessary. That means a thorough understanding of regional regulatory requirements as well as local data protection laws.

Nikkel said board level buy-in is also essential and the message that forensics doesn't just represent a cost centre should go some way to convincing those holding the purse strings.

Password recovery, data recovery and even the proving of corporate disk-wiping policies are all tasks that could be performed by a forensics team and can all deliver a non-cashable return on investment.

Similarly HR and legal departments could benefit greatly from working closely with forensics teams if digital evidence needs to be gathered and analysed. The same is also true of companies bound by tightening regulation.

Nikkel added: "Preventing even one high cost court case could justify the costs of that forensics team."
