As the stakes rise in data breach litigation, more and more information security professionals will be called upon to testify on behalf of their organization. This boot camp will teach participants the basics of providing solid, credible testimony, and point out traps for the unwary first time witness.
(Source: RSA Conference USA 2017)
Framing the Discussion: Key Concepts
Testimony
Oral or written evidence given by a competent witness, under oath, at trial or in an Affidavit or Deposition
Affidavit
A witness’ voluntary sworn written declaration of facts
Deposition
Witness’ sworn out-of-court testimony (oral or written)
Used to gather information as part of the discovery process
May be used in trial, but usually hearsay
Stages of a Civil Trial
1) Opening statements by both sides
2) Plaintiff (P) calls witnesses and produces evidence
3) Defendant (D) may call witnesses and produce evidence to disprove P’s case or prove D’s claims
4) P may call rebuttal witnesses
5) Closing arguments by both sides
6) Judge instructs Jury
7) Jury deliberates
8) Jury reaches its verdict
Direct v. Cross
Direct Examination
The questioning of a witness by the party who called him/her at trial; asks for the witness’ account
Cross-Examination
The questioning of a witness by the opposing party; tests the witness’ account and the witness’ credibility
Lay Witness vs. Expert Witness
Lay Witness Testimony
More often than not you will be a lay (or fact) witness, even in forensic cases.
Lay witness opinions are generally inadmissible, except when the opinion is:
— Rationally based on the witness’ perception,
— Helpful to a clear understanding of his/her testimony or to the determination of a fact in issue, and
— Not based on scientific, technical, or other specialized knowledge.
In practice this means testifying to what you observed (the log entry, the file recovered from disk) rather than to what it means.
Expert Witness Testimony
An expert may state an opinion or conclusion if the:
— Subject matter is one where scientific, technical, or other specialized knowledge would assist the trier of fact;
— Witness is qualified as an expert (i.e., by special knowledge, skill, experience, training, or education);
— Expert holds the opinion to a reasonable degree of probability; and
— Opinion is supported by a proper factual basis. The expert’s opinion may be based on one or more of three sources of information: (i) personal observation, (ii) facts made known to the expert at trial, or (iii) facts not personally known but supplied to the expert outside the courtroom and of a type reasonably relied upon by experts in the particular field.
Evidentiary Issues in Digital Cases
Authentication
— The proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is
— Several methods to authenticate (e.g., authentication by reply or by content)
— Chain-of-custody issues: who collected and handled the evidence, when, and how its integrity was preserved
Hearsay
— An out-of-court statement (oral, written, or conduct) offered in evidence to prove the truth of the matter asserted; generally inadmissible unless an exception applies
— Ex. Business Records Exception: such records are presumed reliable because they are made in the ordinary course of running a business rather than for litigation (routine system logs typically qualify; a report written after the breach for the lawsuit does not)
Purpose of Testimony
Trial Style
Preparation
Scope
Relevance
Forensic Findings
Traps
Speculation
Technical Limitations
Remember: the underlying technology is NOT on trial!
DO…
Look Nice
Be Polite
Speak Up and Clearly
Prepare
Make Eye Contact
Be Truthful
Answer the Questions (only the question asked)
DO NOT…
Volunteer Information
Take the Bait
Try to Win the Case
Fill Silences
Get Mad or Combative
Open the Door (raise a topic that lets opposing counsel explore it)
Use Tech Jargon
Simulation: Data Breach Trial
BuyMore Industries (“BMI”) is a company of 2,000 employees which manufactures artisanal snooze alarm back scratchers, sold primarily online through its homegrown ecommerce site.
Last year, an intrepid reporter on the cybersecurity beat contacted your CIO to let them know that your data was available on the black market; shortly thereafter the story broke.
BMI customers filed a class-action lawsuit against BMI alleging its failure to safeguard their data.
You are BMI’s Network Engineer, reporting directly to the CIO. You are responsible for network security as well as keeping the lights on.
You have been asked to testify regarding the facts of the data breach.
In conducting your investigation, you have prepared a report covering:
— A forensic examination of BMI’s CEO’s computer, which received a spear phishing email with a malicious file attachment (the email was found in unallocated space)
— How the malware attacked BMI’s network and led to the exfiltration of 10 million customer records
The report is shared with BMI and the plaintiffs’ attorney.
Trial commences and BMI calls you to take the stand.
Witness’ Testimony: Key Points
I. BMI’s network security was in accordance with industry best practices and norms
II. BMI’s main database of customer information was compromised
III. The database contained 10 million customer records
IV. The breach originated with a phishing attack on the CEO’s personal email account
Witness’ Testimony: Key Points cont.
1) Spear phishing email sent to BMI CEO
2) CEO downloads an attachment laden with malware
3) The malware accesses a malicious C&C server and delivers a decoy .doc file
4) Attacker gains access to customer database containing sensitive PII of 10M users
Exhibit 1: Phishing email recovered from unallocated space on CEO’s computer
From: HR Manager <HR-Manager@BMI-HR.com>
To: BMI.CEO@gmail.com
Subject: BMI HR Department: Annual Benefits Elections
Dear CEO,
BMI’s Human Resources Department asks that you review your annual executive benefits elections for FY2016 in the attached document.
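The recovered-email finding behind Exhibit 1 rests on two routine forensic steps a fact witness should be able to describe in plain words: locating an RFC 5322 message in unallocated space and reading its headers. The Python below is an added example, not part of the RSA presentation and not a BMI artifact. The bytes standing in for unallocated space are constructed here; the Date header, the MIME boundary and the attachment name Benefits_FY2016.doc are assumptions, and the carver is a deliberately simple heuristic (a From: header line followed by a header block, ending at the MIME closing boundary or at the next NUL run), not a production carving tool.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample of "unallocated space": filler bytes around one
# RFC 5322 message modelled on Exhibit 1. The Date, MIME boundary and
# attachment name are assumptions made for this example.
_MESSAGE = (
    b"From: HR Manager <HR-Manager@BMI-HR.com>\r\n"
    b"To: BMI.CEO@gmail.com\r\n"
    b"Subject: BMI HR Department: Annual Benefits Elections\r\n"
    b"Date: Mon, 11 Jan 2016 09:14:02 -0500\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Dear CEO,\r\n"
    b"BMI's Human Resources Department asks that you review\r\n"
    b"your annual executive benefits elections for FY2016 in the\r\n"
    b"attached document.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/msword; name="Benefits_FY2016.doc"\r\n'
    b'Content-Disposition: attachment; filename="Benefits_FY2016.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"0M8R4KGxGuEA\r\n"
    b"--b1--\r\n"
)
UNALLOCATED = b"\x00" * 512 + b"\xff" * 300 + _MESSAGE + b"\x00" * 1024

_FROM_LINE = re.compile(rb"From: [^\r\n]+\r\n")
_BOUNDARY = re.compile(rb'boundary="([^"\r\n]+)"')


def carve_messages(blob: bytes) -> list:
    """Return (offset, raw_bytes) for each candidate message in raw disk bytes.

    Heuristic: a candidate starts at a 'From: ' header line and runs to the
    MIME closing boundary named in its headers, or, for a non-MIME message,
    to the first NUL byte after the blank line that ends the header block.
    """
    found = []
    for m in _FROM_LINE.finditer(blob):
        start = m.start()
        hdr_end = blob.find(b"\r\n\r\n", start)
        if hdr_end == -1:
            continue  # no complete header block: not a usable message
        headers = blob[start:hdr_end]
        bm = _BOUNDARY.search(headers)
        if bm:
            closing = b"--" + bm.group(1) + b"--"
            end = blob.find(closing, hdr_end)
            if end == -1:
                continue  # truncated MIME message: do not report a partial carve
            end += len(closing)
        else:
            end = blob.find(b"\x00", hdr_end)
            if end == -1:
                end = len(blob)
        found.append((start, blob[start:end]))
    return found


def summarize(offset: int, raw: bytes) -> dict:
    """Extract the facts a report would cite: where the message sat on disk,
    who sent it, to which mailbox, the subject, and what was attached."""
    msg = message_from_bytes(raw, policy=default)
    sender = msg["From"].addresses[0]
    recipient = msg["To"].addresses[0]
    return {
        "offset": offset,
        "from": str(msg["From"]),
        "sender_domain": sender.domain.lower(),
        "to": str(msg["To"]),
        "recipient_domain": recipient.domain.lower(),
        "subject": str(msg["Subject"]),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


def analyze(blob: bytes) -> list:
    """Carve every candidate message from the bytes and summarize each one."""
    return [summarize(off, raw) for off, raw in carve_messages(blob)]


if __name__ == "__main__":
    for finding in analyze(UNALLOCATED):
        print(finding)
```

Each field in the summary is an observation (byte offset, header values, attachment name) rather than an interpretation, which is the line a lay witness has to stay on; whether BMI-HR.com is a lookalike of the company's real domain, or whether the .doc was the malware dropper, is a conclusion for the expert or for counsel to draw.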