Unit VI Case Study
Headnote
In addition to knowing how to follow the bits of evidence,
forensic detectives must know how to work with law
enforcement.
IN SPRING OF 2003, several credit card associations and major
credit card issuers began to notice increasing instances of fraud
over a three-or four-month stretch. By looking at the patterns
and types of fraud and tying that information back to common
points, they believed they had identified one company (we'll
call them Company A) as the source of the fraud. While the
patterns of evidence pointed to Company A, it was still too
circumstantial to call in law enforcement. Hard evidence was
needed. So the associations and credit card issuers joined forces
and contacted Ubizen (the author's company), which conducts
cybercrime investigations. They also contacted Company A and
asked them to cooperate with forensic examiners from Ubizen
who would be sent to their site to investigate the possibility that
a security breach had occurred within their production network
environment. Company A officials said that they were not aware
of any security breach, but they agreed to work with the
investigators.
Company A is a software company that provides electronic
payment software to numerous retail outlets, including
restaurants, retail stores, and Internet companies. Company A's
core business is its payment gateway service that processes
credit card and check transactions. While the majority of
Company A's transactions come from the Internet, wireless
transactions are also common. The two different types of
transactions are routed through two separate payment gateways,
and together they often account for more than 200,000
electronic payment transactions daily.
The primary objective of the forensic investigations was to
determine the source and full extent of the breach. If sufficient
evidence was found to prove that a crime had been committed,
another objective would be to assist law enforcement in
gathering additional evidence for prosecution.
Discovery. Before arriving at the company's site, the forensic
team conducted an exhaustive discovery process. This advance
work would enable the forensic team to hit the ground running
when they went on to the company site.
Stolen data. The team conducted an in-depth analysis of the
fraud patterns and found that the fraud resulted from duplicated
credit cards used in "card-present transactions." These are
scenarios where legitimate account numbers are fraudulently
reproduced on unauthorized duplicate cards and used by
criminals to purchase goods or services in person, often using
matching falsified information.
For a criminal to duplicate a credit card with account
information that will pass muster, he or she must have gotten
access to the data contained in the magnetic stripe on the back
of a card. A credit card magnetic stripe contains two separate
tracks of information. Track 1 data contains information printed
on the card, such as the cardholder's name, but this data is not a
component of the transaction authorization; it merely verifies
that the name on the card has not been changed. Track 2
contains more sensitive information, including the CVV code
(the card verification value, a number string that is printed, not
embossed, on a card), which helps verify that a transaction is
authorized.
Sophisticated fraud could be perpetrated by skimming this
information from individual cards. But the fraud pattern in this
case made it likely that theft of data in large batches had
occurred. In fact, the investigation revealed that full mag-stripe
information had been taken from Company A's network.
Because mag-stripe information allows criminals to duplicate a
credit card, the payment service industry stipulates that this
type of information not be stored subsequent to authorization.
The finding of theft at Company A raised questions about
whether the mag-stripe information was being handled properly,
according to the payment service industry's commonly accepted
security standards. The fact that mag-stripe information was
involved in this breach meant that the information was likely
stored despite the standard against doing so.
Investigators needed to locate where on the customer's network
this type of information resided. They could then identify the
most likely avenues of intrusion through the network.
Lay of the land. To accomplish this, the forensic experts studied
diagrams to learn the layout of Company A's computer network
and determine whether it was vulnerable and which parts of the
network were most likely to be exposed if a hacker had been
able to penetrate the system. Frequently, the most likely targets
are Internet-visible systems, such as Web servers and FTP
servers, or weakly configured wireless network access points.
The team found that, indeed, Company A's network was not
sufficiently hardened against an attack, making it likely that
hackers could have penetrated the system and stolen the account
information.
FBI assistance. Given these findings, the forensic team
recognized that it was time for law enforcement to be brought
into the process. This was a point sometimes overlooked by
private firms: It was vital that the appropriate government
agents be on the scene to help in the assembling of evidence
that could lead to the capture and eventual prosecution of the
attacker. In this case, because of the nature of the crime and the
magnitude of the fraud, FBI agents were contacted.
In early June, FBI agents from the Atlanta field office were the
first to visit the site, although they were soon replaced by
agents from the Chicago field office, who had much more
extensive experience investigating cybercrimes. These agents
had in fact worked with Ubizen investigators on previous
investigations. Ubizen's forensic experts also visited the FBI
field office to hold discussions over the specifics of the
investigation, such as what forensic tools would be used to
ensure the integrity of any data taken and how chain of custody
would be maintained.
At the scene with the FBI agents, Ubizen's investigators began
data collection; they first collected mirror images of Company
A's payment gateway, which they shared with the FBI
investigators. Together the two teams then interviewed
Company A's staff for additional information on how the breach
could have occurred, determining, for example, who in the
organization had access to particular servers. Track 2
information had been compromised, so it was important to
understand where in the network such data sat, which would
indicate to the team what systems must have been touched by
the attacker. This information could also help answer other
questions, such as whether it could have been an inside job or
whether the Internet was the avenue of attack.
After interviewing the staff and examining the organization's
network diagram, several systems were identified that seemed
likely avenues of attack based on their proximity to the Internet
and lack of suitable security controls. The team investigated
several servers where they suspected a significant point of
exposure and found on one of the systems a number of files that
had not been installed by Company A's administrators. These
files included keystroke loggers and a common backdoor
program called HackerDefender. This made it clear that the
system had indeed been compromised, leading the team to rule
out an inside job.
Footprints. FBI agents and the Ubizen team looked at files and
audit logs to find the hacker's footprint and attack signature, that
is, how the hacker broke in and what the hacker did once he or
she had access. Without more in-depth analysis it would be
impossible to determine how the intruder was first able to gain
access to the systems.
However, based on the immediately visible footprint left behind
by the intruder, it became clear that the server had become the
staging point through which the intruder could continually gain
access into other components of Company A's production
network environment. Once the intruder had gained a foothold
into the environment from the outside, he or she placed hacking
tools and utilities within the systems, effectively exploiting the
breach.
Live prey. When tracing the hacker's steps, the investigators
looked closely at dates and time stamps to determine when the
hacker last penetrated the company's network. They found files
created by the hacker the day before the investigation began,
proving that there was an ongoing breach, an important
development since it could help the investigators to catch the
attacker in the act.
Sewing up the breaches. The team first needed to repair the
breach. Since the incidents of fraud associated with Company A
were rapidly escalating (as many as hundreds per day), it was
imperative to immediately lock out the hacker's access to
private information.
The team began by purging from the organization's systems
sensitive cardholder data that, under industry standards, should
never have been stored on the systems. With that data removed,
the exposure created by any future unauthorized access would
be much less severe.
The team also took several of Company A's servers offline,
replacing many of the compromised systems. They then enabled
and configured logging and auditing functions to ensure that if
unauthorized access were attempted again, the organization
would be able to detect and respond to the unwanted activity.
All of the information collected on site was preserved,
including hard drives from the compromised systems and logs
from the intrusion detection system, the firewall, and the
routers. The information was shipped back to Ubizen's labs for
in-depth analysis and preservation for evidentiary purposes.
A number of different open-source tools were used to identify
and salvage any other traces left behind by the intruder that
might shed more light on the timeline of the attack or other
systems that might be involved. The tools used included both
Ubizen-proprietary and over-the-counter forensic tools such as
EnCase. Because these tools had been tested extensively in
court, the FBI team could be sure that any evidence (such as
copies of drives) provided by Ubizen would be admissible.
Setting the trap. With the loss of data stanched, investigators
were ready to catch the hacker in the act. To accomplish this,
the Ubizen team and the FBI set a trap with three components.
The first part was a packet sniffer, a laptop with a software
program called EtherPeek that would watch traffic in and out of
the affected servers. It allowed investigators to monitor any
data the hacker was sending, such as individual keystrokes, the
machines the intruder was attempting to access, and how he or
she was attempting to do so. Also, the sniffer would capture
firsthand evidence of files removed from the network that
would, under normal circumstances, contain sensitive
information or data that could be used for fraud.
Next, the files on those servers were loaded with dummy credit-
card information to prevent additional fraud from occurring and
to keep the hacker unaware that he or she had been noticed. The
third part of the trap was the use of Tripwire, a program that
monitors the integrity of files, which was configured to set off
an alarm the moment any of the date and time-stamps of the
files under observation were changed. That would allow the
investigators to know exactly when the attacker hit so that they
could catch the intruder in the act.
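The Tripwire-style integrity check described above, as an added example that is not the article's or Ubizen's code: it baselines a directory of watched files and raises an alarm on content changes, timestamp-only changes, and added or removed files. The directory layout, file names and placeholder "dummy record" content are constructed for the demo, and the function names are assumptions.

```python
"""Tripwire-style file-integrity check: baseline a directory, then detect changes."""
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash file contents in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Record size, modification time and SHA-256 for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,
            "sha256": _sha256(path),
        }
    return baseline


def check_integrity(root, baseline: dict) -> list:
    """Compare the directory against a stored baseline; return sorted (reason, path) alarms.

    A hash mismatch means the bytes changed. A timestamp change with identical
    content is still reported, because in the case study any change to the
    time stamps of the watched files was the signal that the intruder was back.
    """
    current = build_baseline(root)
    alarms = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            alarms.append(("removed", rel))
        elif new["sha256"] != old["sha256"]:
            alarms.append(("modified", rel))
        elif new["mtime_ns"] != old["mtime_ns"]:
            alarms.append(("timestamp", rel))
    for rel in current:
        if rel not in baseline:
            alarms.append(("added", rel))
    return sorted(alarms)


def demo() -> list:
    """Constructed scenario: baseline a decoy directory, then disturb it four ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cards").mkdir()
        # Constructed placeholder content standing in for the dummy card data.
        (root / "cards" / "batch1.txt").write_text("DUMMY-RECORD-0001\n")
        (root / "cards" / "batch2.txt").write_text("DUMMY-RECORD-0002\n")
        (root / "config.ini").write_text("[gateway]\nmode=test\n")

        baseline = build_baseline(root)
        assert check_integrity(root, baseline) == []  # quiet until something changes

        # 1. content change on a watched file
        (root / "cards" / "batch1.txt").write_text("DUMMY-RECORD-0001-CHANGED\n")
        # 2. timestamp-only change: same bytes, mtime bumped by one second
        p2 = root / "cards" / "batch2.txt"
        t = p2.stat().st_mtime_ns + 10**9
        os.utime(p2, ns=(t, t))
        # 3. a file that was not in the baseline appears
        (root / "new.dat").write_bytes(b"\x00\x01")
        # 4. a watched file disappears
        (root / "config.ini").unlink()

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"ALARM {reason:<9} {path}")
```

In production the baseline would be written to read-only or off-host storage, since an intruder who can edit the watched files can also edit a baseline kept beside them.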
Underlying the trap was the fact that the investigators had
determined precisely how the hacker would attack. The
investigation had shown the particular backdoor the attacker
was using and what port would be used in the compromise. But
with a huge amount of traffic flowing back and forth across the
network (this company also conducts e-commerce business),
waiting for a Tripwire alarm was not necessarily going to allow
the investigators to see the compromise as it happened. So, a
Ubizen technician worked with the FBI's Quantico-based Data
Analysis Team to create a signature that they could look for on
the sniffer to see exactly when and where the hacker was
attacking.
Hooked. The trap worked perfectly. When the hacker snuck in
to begin copying what looked like credit-card information that
Company A had backed up, he fell right into the ambush and
was caught red handed. From this point, FBI agents took the
evidence collected by the Ubizen and FBI teams and began the
hunt for the suspect.
They contacted a law enforcement computer-crime liaison group
in the Eastern European country where it was determined that
the hacker was located. Ultimately, the hacker, a college-age
male, was arrested and extradited, and the evidence gathered
against him will be used when the case comes to trial.
Aftermath. While Company A breathed a sigh of relief when the
hacker was caught, the work of the Ubizen investigative team
wasn't over yet. Their mission was not only to help identify the
hacker but also to determine the full extent of the breach and
figure out precisely how many credit cards had been
compromised, and when.
Targets. The complete analysis showed that there were in fact
several intruders who took advantage of the backdoor the
original hacker left, and they seemed to be unaware of each
other's presence. Altogether these attackers maintained some
level of access into Company A for more than six months, two
months longer than the previously recognized fraud dates. The
team was also able to identify other machines on the network
that had been compromised. These included the organization's
two database servers, the mail server, two file and print servers,
and each of the Internet-visible systems.
Recommendations. The final step was to provide
recommendations to Company A on how to bolster its security
against future attacks. These included the obvious suggestion of
adopting industry best practices.
MasterCard and VISA have led the industry in establishing
guidelines to secure customer credit card data. MasterCard's
Site Data Protection Service (SDP) and Visa's Cardholder
Information Security Program (CISP) are industry mandates
with serious financial penalties for noncompliance. These
programs define a standard of due care for deploying security
compliance programs, ensuring that online merchants and
payment service providers are adequately protected against
hacker intrusions and account data compromises. The
investigative team determined that Company A was far from
fulfilling these requirements and outlined exactly what
measures the company needed to take to be fully compliant.
A key suggestion was for Company A to conduct regular
vulnerability scanning internally or to outsource the scans to an
expert. This inexpensive, automated process proactively
identifies if and where a computer system can be exploited.
Finally, the team provided a set of recommendations above and
beyond the established credit card industry standards. The team
advised Company A to either add an internal IT team dedicated
solely to security or to consider outsourcing key elements of its
security program to a managed security services provider. The
amount of data generated by security devices is overwhelming,
and it can only be properly monitored by a dedicated team
whose sole function is to oversee the network data.
Since the attackers had access to stored credit card data, the
team also urged Company A not to retain credit card data longer
than needed. As this case made clear, storing this type of
sensitive information opens up a high risk of exposure.
This case illustrates how private cybercrime investigators and
law enforcement can collaborate to both protect the bottom line
and stem crime. That's good news for long-beleaguered online
businesses, and bad news for online fraudsters.
Sidebar
Forensic detectives can often quickly identify the most likely
targets of a hacker attack on a given network.
Sidebar
Two Teams are Better Than One
Cybercrime investigations are often initiated by the victimized
company not through a call to the police, but through a call to a
private firm that specializes in computer forensics
examinations. These private-sector teams will then call law
enforcement into the process as soon as they confirm that illegal
activity is occurring.
Cooperation between law enforcement and private-sector
investigators is still a fairly new idea, however. Several years
ago, when the author's company first started conducting
forensics investigations, it was often met with distrust by both
their private sector clients, who feared bad publicity or losing
control of company data, and law enforcement agents, who were
reluctant to share information with third-party vendors.
However, this reluctance is diminishing as law enforcement
becomes more accustomed to working with third-party
cyberforensics experts and as clients see that the process can
work. Companies like Ubizen work under strict conditions and
with detailed nondisclosure agreements, which protect clients
and helps allay fears.
Although they need to work together, it is important to
understand that ultimately the two groups of investigators have
different goals. The private-sector team has the ultimate goal of
understanding the full extent of the compromise and helping the
client find and close the vulnerability that led to the breach, in
other words, to protect its reputation and profits. Law
enforcement is focused on the illegal activity and in collecting
any evidence that will lead to the attacker and help in a
prosecution.
The two groups also work differently due to the nature of their
responsibilities. A private forensic firm is doing paid work for a
client and will devote a team to getting the work done in a short
time frame. For example, this case took Ubizen two days on site
and another two weeks to complete the analysis and write a
report. By contrast, law enforcement agents typically are
juggling multiple cases or responsibilities and may take longer
to complete an investigation or may have difficulty devoting
sufficient resources to a specific case.
While the goals are different, the groundwork serves both
objectives. For that reason, the analysis completed by the
private-sector team is often useful to law enforcement, saving
them time and giving them a head start in understanding all the
technical details of an investigation so that they can make a
case for protection.
Author Affiliation
Bryan Sartin is director of technology for Ubizen, where he is
responsible for all customer-facing issues regarding the
technology of its managed security solution offerings.
Unit VI Case Study
What problem was identified? What steps were taken to solve
the problem?
d on different
goals. Briefly list and describe what these were as the
investigation progressed and what strategies were employed.
purpose for this investigation—what else needed to be done, and
how was it to be accomplished?
Does the identified offender fit the characteristics for this type
of cybercrime?

Copyright © 2016, 2013, 2010 Pearson Education, Inc. All Right.docxCopyright © 2016, 2013, 2010 Pearson Education, Inc. All Right.docx
Copyright © 2016, 2013, 2010 Pearson Education, Inc. All Right.docx
 
Copyright © 2017 by University of Phoenix. All rights rese.docx
Copyright © 2017 by University of Phoenix. All rights rese.docxCopyright © 2017 by University of Phoenix. All rights rese.docx
Copyright © 2017 by University of Phoenix. All rights rese.docx
 
Copyright © 2016 John Wiley & Sons, Inc.Copyright © 20.docx
Copyright © 2016 John Wiley & Sons, Inc.Copyright © 20.docxCopyright © 2016 John Wiley & Sons, Inc.Copyright © 20.docx
Copyright © 2016 John Wiley & Sons, Inc.Copyright © 20.docx
 
Copyright © 2016 Pearson Education, Inc. .docx
Copyright © 2016 Pearson Education, Inc.                    .docxCopyright © 2016 Pearson Education, Inc.                    .docx
Copyright © 2016 Pearson Education, Inc. .docx
 

Recently uploaded

Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSSpellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
AnaAcapella
 
Orientation Canvas Course Presentation.pdf
Orientation Canvas Course Presentation.pdfOrientation Canvas Course Presentation.pdf
Orientation Canvas Course Presentation.pdf
Elizabeth Walsh
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
EADTU
 

Recently uploaded (20)

Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPSSpellings Wk 4 and Wk 5 for Grade 4 at CAPS
Spellings Wk 4 and Wk 5 for Grade 4 at CAPS
 
Including Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdfIncluding Mental Health Support in Project Delivery, 14 May.pdf
Including Mental Health Support in Project Delivery, 14 May.pdf
 
Orientation Canvas Course Presentation.pdf
Orientation Canvas Course Presentation.pdfOrientation Canvas Course Presentation.pdf
Orientation Canvas Course Presentation.pdf
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptx
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
dusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learningdusjagr & nano talk on open tools for agriculture research and learning
dusjagr & nano talk on open tools for agriculture research and learning
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Play hard learn harder: The Serious Business of Play
Play hard learn harder:  The Serious Business of PlayPlay hard learn harder:  The Serious Business of Play
Play hard learn harder: The Serious Business of Play
 
OSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & SystemsOSCM Unit 2_Operations Processes & Systems
OSCM Unit 2_Operations Processes & Systems
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...Andreas Schleicher presents at the launch of What does child empowerment mean...
Andreas Schleicher presents at the launch of What does child empowerment mean...
 
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptxMichaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
Michaelis Menten Equation and Estimation Of Vmax and Tmax.pptx
 
Diuretic, Hypoglycemic and Limit test of Heavy metals and Arsenic.-1.pdf
Diuretic, Hypoglycemic and Limit test of Heavy metals and Arsenic.-1.pdfDiuretic, Hypoglycemic and Limit test of Heavy metals and Arsenic.-1.pdf
Diuretic, Hypoglycemic and Limit test of Heavy metals and Arsenic.-1.pdf
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx21st_Century_Skills_Framework_Final_Presentation_2.pptx
21st_Century_Skills_Framework_Final_Presentation_2.pptx
 

Unit VI Case StudyHeadnoteIn addition to knowing how to fo.docx

  • 1. Unit VI Case Study Headnote In addition to knowing how to follow the bits of evidence, forensic detectives must know how to work with law enforcement. IN SPRING OF 2003, several credit card associations and major credit card issuers began to notice increasing instances of fraud over a three-or four-month stretch. By looking at the patterns and types of fraud and tying that information back to common points, they believed they had identified one company (we'll call them Company A) as the source of the fraud. While the patterns of evidence pointed to Company A, it was still too circumstantial to call in law enforcement. Hard evidence was needed. So the associations and credit card issuers joined forces and contacted Ubizen (the author's company), which conducts cybercrime investigations. They also contacted Company A and asked them to cooperate with forensic examiners from Ubizen who would be sent to their site to investigate the possibility that a security breach had occurred within their production network environment. Company A officials said that they were not aware of any security breach, but they agreed to work with the investigators. Company A is a software company that provides electronic payment software to numerous retail outlets, including restaurants, retail stores, and Internet companies. Company A's core business is its payment gateway service that processes credit card and check transactions. While the majority of Company A's transactions come from the Internet, wireless transactions are also common. The two different types of transactions are routed through two separate payment gateways, and together they often account for more than 200,000 electronic payment transactions daily.
gathering additional evidence for prosecution.

Discovery. Before arriving at the company's site, the forensic team conducted an exhaustive discovery process. This advance work would enable the team to hit the ground running once on site.

Stolen data. The team conducted an in-depth analysis of the fraud patterns and found that the fraud resulted from duplicated credit cards used in "card-present transactions." These are scenarios in which legitimate account numbers are fraudulently reproduced on unauthorized duplicate cards and used by criminals to purchase goods or services in person, often using matching falsified information. For a criminal to duplicate a credit card with account information that will pass muster, he or she must have obtained the data encoded in the magnetic stripe on the back of the card.

A credit card magnetic stripe contains two separate tracks of information. Track 1 contains information that is also printed on the card, such as the cardholder's name; it is not a component of the transaction authorization and merely verifies that the name on the card has not been changed. Track 2 contains the more sensitive data, including the card verification value (CVV1, also called CVC1), a check value encoded in the stripe's discretionary data that the issuer uses to verify that a transaction came from a genuine card. This is not the three-digit CVV2 that is printed, not embossed, on the signature panel; that code protects card-not-present transactions and is not on the stripe at all. Sophisticated fraud can be perpetrated by skimming this information from individual cards. But the fraud pattern in this case made it likely that the data had been stolen in large batches. In fact, the investigation revealed that full mag-stripe information had been taken from Company A's network.

Because mag-stripe information allows criminals to duplicate a credit card, the payment card industry stipulates that this type of information never be stored after authorization.
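The track layout described above, as an added example that is not Ubizen's tooling or anything from the article: a parser for Track 1 and Track 2 data in the ISO 7813 layout with a Luhn check on the account number, and a scan that locates Luhn-valid Track 2 records stored in a file image. This is the kind of check an investigator runs to find where prohibited data sits on a network before tracing how it was reached. The gateway log lines and the account numbers are constructed test values, not real cards, and the report masks the PAN so that the finding list is not itself a copy of the data.

```python
"""Parse ISO 7813 magnetic-stripe track data and locate stored Track 2 data.
Added example for this case study; it is not Ubizen's tooling, and the
account numbers below are constructed test values, not real cards."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})"
    r"(?P<svc>\d{3})(?P<disc>[^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# The issuer's CVV1 (the stripe's check value, never printed on the card)
# sits inside the discretionary field, so any copy of Track 2 is enough
# to encode a working clone.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters random digit runs out of scan hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class TrackData:
    track: int
    pan: str
    expiry: str          # YYMM
    service_code: str
    name: Optional[str]  # Track 1 only
    discretionary: str   # issuer-specific; carries CVV1 on Track 2


def parse_track(raw: str) -> Optional[TrackData]:
    """Parse one track string; None if malformed or the PAN fails Luhn."""
    m = TRACK1_RE.fullmatch(raw)
    if m and luhn_ok(m["pan"]):
        return TrackData(1, m["pan"], m["exp"], m["svc"], m["name"], m["disc"])
    m = TRACK2_RE.fullmatch(raw)
    if m and luhn_ok(m["pan"]):
        return TrackData(2, m["pan"], m["exp"], m["svc"], None, m["disc"])
    return None


@dataclass(frozen=True)
class Finding:
    offset: int
    pan_masked: str
    expiry: str


def scan_for_track2(data: bytes) -> List[Finding]:
    """Find Luhn-valid Track 2 records stored in a file or memory image.
    Only a masked PAN is reported, so the finding list is not itself a
    copy of the prohibited data."""
    text = data.decode("latin-1")     # one byte per char keeps offsets exact
    out = []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m["pan"]):
            out.append(Finding(m.start(), mask_pan(m["pan"]), m["exp"]))
    return out


# Constructed sample: a gateway debug log that kept full track data after
# authorization. The third record's PAN fails Luhn and is skipped.
SAMPLE_LOG = (
    b"2003-05-14 02:11:07 AUTH ok txn=1 ;4111111111111111=25121011234567890?\n"
    b"2003-05-14 02:11:09 AUTH ok txn=2 ;5500000000000004=26031014455667788?\n"
    b"2003-05-14 02:11:12 AUTH fail txn=3 ;4111111111111112=25121011234567890?\n"
)

if __name__ == "__main__":
    print(parse_track("%B4111111111111111^DOE/JANE^25121011234567890?"))
    for f in scan_for_track2(SAMPLE_LOG):
        print(f"offset {f.offset}: PAN {f.pan_masked} expiry {f.expiry}")
```

Run against a disk image or a directory of log files, the offsets tell the team which systems and which files held Track 2 data, which in turn narrows the list of hosts the intruder must have reached. The Luhn filter keeps random digit runs (timestamps, transaction ids) from flooding the report.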
The finding of theft at Company A raised questions about whether the mag-stripe information had been handled according to the payment card industry's commonly accepted security standards. The fact that mag-stripe information was involved in this breach meant that it had likely been stored despite the standard against doing so. Investigators needed to locate where on the customer's network this type of information resided. They could then identify the most likely avenues of intrusion through the network.

Lay of the land. To accomplish this, the forensic experts studied diagrams to learn the layout of Company A's computer network, determine whether it was vulnerable, and identify which parts of the network were most likely to be exposed if a hacker had penetrated the system. Frequently, the most likely targets are Internet-visible systems, such as Web servers and FTP servers, or weakly configured wireless network access points. The team found that Company A's network was indeed not sufficiently hardened against attack, making it likely that hackers could have penetrated the system and stolen the account information.

FBI assistance. Given these findings, the forensic team recognized that it was time to bring law enforcement into the process. This is a point private firms sometimes overlook: it is vital that the appropriate government agents be on the scene to help assemble evidence that can lead to the capture and eventual prosecution of the attacker. In this case, because of the nature of the crime and the magnitude of the fraud, FBI agents were contacted. In early June, agents from the FBI's Atlanta field office were the first to visit the site, although they were soon replaced by agents from the Chicago field office, who had much more extensive experience investigating cybercrime. These agents had in fact worked with Ubizen investigators on previous investigations.

Ubizen's forensic experts also visited the FBI field office to discuss the specifics of the investigation, such as what forensic tools would be used to
ensure the integrity of any data taken and how chain of custody would be maintained.

At the scene with the FBI agents, Ubizen's investigators began data collection; they first took mirror images of Company A's payment gateway, which they shared with the FBI investigators. Together the two teams then interviewed Company A's staff for additional information on how the breach could have occurred, determining, for example, who in the organization had access to particular servers. Track 2 information had been compromised, so it was important to understand where in the network such data sat; that would indicate which systems the attacker must have touched. This information could also help answer other questions, such as whether it could have been an inside job or whether the Internet was the avenue of attack.

After interviewing the staff and examining the organization's network diagram, the team identified several systems that seemed likely avenues of attack, based on their proximity to the Internet and their lack of suitable security controls. The team investigated several servers where they suspected a significant point of exposure and found on one of the systems a number of files that had not been installed by Company A's administrators. These files included keystroke loggers and a common backdoor program called HackerDefender. This made it clear that the system had indeed been compromised, and it led the team to rule out an inside job.

Footprints. FBI agents and the Ubizen team looked at files and audit logs to find the hacker's footprint and attack signature, that is, how the hacker broke in and what the hacker did once he or she had access. Without more in-depth analysis it would be impossible to determine how the intruder had first gained access to the systems.

However, based on the immediately visible footprint left behind by the intruder, it became clear that the server had become the staging point through which the intruder could repeatedly gain access to other components of Company A's production
network environment. Once the intruder had gained a foothold in the environment from the outside, he or she placed hacking tools and utilities on the systems, effectively exploiting the breach.

Live prey. When tracing the hacker's steps, the investigators looked closely at dates and time stamps to determine when the hacker had last penetrated the company's network. They found files created by the hacker the day before the investigation began, proving that the breach was ongoing. This was an important development, since it could help the investigators catch the attacker in the act.

Sewing up the breaches. The team first needed to repair the breach. Since the incidents of fraud associated with Company A were rapidly escalating, to as many as hundreds per day, it was imperative to immediately lock the hacker out of private information. The team began by purging from the organization's systems the sensitive cardholder data that, under industry standards, should never have been stored there; because mirror images had already been taken, the purge did not cost any evidence. With that data removed, the exposure created by any future unauthorized access would be much less severe. The team also took several of Company A's servers offline, replacing many of the compromised systems. They then enabled and configured logging and auditing functions to ensure that if unauthorized access were attempted again, the organization would be able to detect and respond to it.

All of the information collected on site was preserved, including hard drives from the compromised systems and logs from the intrusion detection system, the firewall, and the routers. The information was shipped back to Ubizen's labs for in-depth analysis and preservation for evidentiary purposes. A number of different open-source tools were used to identify and salvage any other traces left behind by the intruder that might shed more light on the timeline of the attack or on other systems that might be involved.

The tools used included both Ubizen-proprietary and over-the-counter forensic tools such as
EnCase. Because these tools had been tested extensively in court, the FBI team could be sure that any evidence (such as copies of drives) provided by Ubizen would be admissible.

Setting the trap. With the loss of data stanched, investigators were ready to catch the hacker in the act. To accomplish this, the Ubizen team and the FBI set a trap with three components. The first was a packet sniffer: a laptop running a program called EtherPeek that watched traffic in and out of the affected servers. It allowed investigators to monitor whatever the hacker sent, such as individual keystrokes, the machines the intruder was attempting to access, and how he or she was attempting to do so. The sniffer would also capture firsthand evidence of files removed from the network that would, under normal circumstances, contain sensitive information usable for fraud. Second, the files on those servers were loaded with dummy credit card information, both to prevent additional fraud and to keep the hacker unaware that he or she had been noticed. The third component was Tripwire, a program that monitors the integrity of files, configured to raise an alarm the moment the date and time stamps of any file under observation changed. That would tell the investigators exactly when the attacker hit so that they could catch the intruder in the act. A timestamp can be reset by an intruder who knows it is watched, so an integrity monitor should compare file hashes as well, which Tripwire also does. Underlying the trap was the fact that the investigators had determined precisely how the hacker would attack: the investigation had shown the particular backdoor the attacker was using and the port that would be used in the compromise. But with a huge amount of traffic flowing back and forth across the network (the company also conducts e-commerce business), waiting for a Tripwire alarm alone was not necessarily going to let the investigators see the compromise as it happened.
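A baseline-and-compare integrity check of the kind the trap's third component performs, and of the kind that also surfaces files the administrators never installed, as an added example in Python rather than Tripwire itself. It keys on a SHA-256 of each file's content rather than on timestamps alone, so a rewritten file whose timestamp the intruder put back still shows as modified, and is flagged separately as timestomped. The directory tree, file names and the intruder's actions in demo() are constructed for the demonstration and are not from the article.

```python
"""Baseline a directory tree and report additions, deletions and content
changes. Added example for this case study; not Tripwire itself. The
tree, file names and intruder actions in demo() are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

Record = Dict[str, object]   # {"sha256": str, "size": int, "mtime_ns": int}


def fingerprint(path: Path) -> Record:
    """Hash the content in chunks; keep size and mtime for the report."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def baseline(root: Path) -> Dict[str, Record]:
    """Fingerprint every regular file under root, keyed by POSIX relative path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, base: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify drift since the baseline. 'modified' is decided on the hash,
    so a rewritten file whose mtime was reset is still caught; 'timestomped'
    lists the modified files whose mtime still matches the baseline."""
    now = baseline(root)
    added = sorted(set(now) - set(base))
    removed = sorted(set(base) - set(now))
    modified = sorted(p for p in now.keys() & base.keys()
                      if now[p]["sha256"] != base[p]["sha256"])
    timestomped = [p for p in modified if now[p]["mtime_ns"] == base[p]["mtime_ns"]]
    return {"added": added, "removed": removed,
            "modified": modified, "timestomped": timestomped}


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree, baseline it, simulate an intrusion, report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "gateway.exe").write_bytes(b"legitimate binary v1")
        (root / "gateway.conf").write_text("audit=on\n")
        (root / "audit.log").write_text("2003-06-01 service started\n")
        base = baseline(root)

        # Constructed intruder activity: drop a tool the admins never
        # installed, switch auditing off but put the old timestamp back,
        # and delete a log.
        (root / "bin" / "dropped_tool.exe").write_bytes(b"not installed by admins")
        conf = root / "gateway.conf"
        old_ns = base["gateway.conf"]["mtime_ns"]
        conf.write_text("audit=off\n")
        os.utime(conf, ns=(old_ns, old_ns))
        (root / "audit.log").unlink()

        return compare(root, base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

In practice the baseline is stored off the monitored host (or signed), since an intruder with administrative access can otherwise rebuild it around the files he has changed.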
To see exactly when and where the hacker was attacking, a Ubizen technician worked with the FBI's Quantico-based Data Analysis Team to create a traffic signature that the team could watch for on the sniffer.
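The signature idea, as an added example: decoding raw IPv4/TCP frames and matching on a destination port plus a payload marker, as an analyst would filter a sniffer capture for a known backdoor. The article does not give the backdoor's port or protocol, so the port, the payload marker and the sample frames here are assumptions for the demonstration, not HackerDefender's actual traffic; the frame builder and capture are constructed inline so the block runs offline.

```python
"""Decode raw IPv4/TCP frames and match a traffic signature, as an analyst
would filter a sniffer capture for a known backdoor. Added example for this
case study; the port, payload marker and frames are assumptions for the
demo, not values from the article."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int       # TCP flag bits (0x10 ACK, 0x08 PSH, 0x02 SYN, ...)
    payload: bytes


def parse_ipv4_tcp(frame: bytes) -> Optional[Packet]:
    """Decode IPv4 (honouring IHL) then TCP (honouring data offset).
    Returns None for truncated, non-IPv4 or non-TCP frames."""
    if len(frame) < 20:
        return None
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(frame) < ihl + 20 or total_len > len(frame):
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    payload = frame[ihl + doff:total_len]
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)),
                  sport, dport, flags, payload)


@dataclass(frozen=True)
class Signature:
    dport: int
    payload_prefix: bytes


# Assumed for the example; the article names neither the port nor the
# backdoor's command framing.
BACKDOOR_SIG = Signature(dport=31337, payload_prefix=b"CMD:")


def matches(pkt: Packet, sig: Signature) -> bool:
    """Port alone would fire on any scanner probing it; require the
    backdoor's own command marker in the payload as well."""
    return pkt.dport == sig.dport and pkt.payload.startswith(sig.payload_prefix)


def build_frame(src: str, dst: str, sport: int, dport: int,
                payload: bytes, flags: int = 0x018) -> bytes:
    """Assemble a minimal IPv4/TCP frame (checksums left zero; constructed)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                      8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed capture: ordinary TLS to the gateway, a backdoor command,
# and a plain HTTP probe to the same port that must not match.
SAMPLE_FRAMES = [
    build_frame("203.0.113.7", "192.0.2.10", 51000, 443, b"\x16\x03\x01"),
    build_frame("198.51.100.9", "192.0.2.10", 40123, 31337, b"CMD:dir C:\\batch\n"),
    build_frame("198.51.100.9", "192.0.2.10", 40124, 31337, b"GET / HTTP/1.0\r\n"),
]


def find_hits(frames: List[bytes], sig: Signature = BACKDOOR_SIG) -> List[Packet]:
    """Return decoded packets that match the signature, in capture order."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is not None and matches(pkt, sig):
            hits.append(pkt)
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_FRAMES):
        print(f"{h.src}:{h.sport} -> {h.dst}:{h.dport} {h.payload!r}")
```

The hit gives the source address and the moment of the intrusion, which is what the investigators needed the sniffer to surface from the gateway's ordinary traffic; an encrypted backdoor channel would force the signature down to connection metadata (port, timing, byte counts) instead.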
Hooked. The trap worked perfectly. When the hacker sneaked in to begin copying what looked like credit card information that Company A had backed up, he fell right into the ambush and was caught red-handed. From this point, FBI agents took the evidence collected by the Ubizen and FBI teams and began the hunt for the suspect. They contacted a law enforcement computer-crime liaison group in the Eastern European country where the hacker was determined to be located. Ultimately the hacker, a college-age male, was arrested and extradited, and the evidence gathered against him will be used when the case comes to trial.

Aftermath. While Company A breathed a sigh of relief when the hacker was caught, the work of the Ubizen investigative team was not over. Its mission was not only to help identify the hacker but also to determine the full extent of the breach and figure out precisely how many credit cards had been compromised, and when.

Targets. The complete analysis showed that there were in fact several intruders who took advantage of the backdoor the original hacker had left, and they seemed to be unaware of each other's presence. Altogether these attackers maintained some level of access into Company A for more than six months, two months longer than the previously recognized fraud dates. The team was also able to identify other machines on the network that had been compromised. These included the organization's two database servers, the mail server, two file and print servers, and each of the Internet-visible systems.

Recommendations. The final step was to provide recommendations to Company A on how to bolster its security against future attacks. These included the obvious suggestion of adopting industry best practices. MasterCard and Visa have led the industry in establishing guidelines to secure customer credit card data.

MasterCard's Site Data Protection (SDP) program and Visa's Cardholder Information Security Program (CISP) are industry mandates with serious financial penalties for noncompliance. These
programs define a standard of due care for deploying security compliance programs, ensuring that online merchants and payment service providers are adequately protected against hacker intrusions and account data compromises. (The card brands later consolidated them into the PCI Data Security Standard.) The investigative team determined that Company A was far from fulfilling these requirements and outlined exactly what measures the company needed to take to be fully compliant. A key suggestion was for Company A to conduct regular vulnerability scanning internally or to outsource the scans to an expert. This inexpensive automated process proactively identifies vulnerabilities, revealing whether and where a computer system can be exploited.

Finally, the team provided a set of recommendations above and beyond the established credit card industry standards. The team advised Company A either to add an internal IT team dedicated solely to security or to consider outsourcing key elements of its security program to a managed security services provider. The amount of data generated by security devices is overwhelming, and it can only be properly monitored by a dedicated team whose sole function is to oversee the network data. Since the attackers had access to stored credit card data, the team also urged Company A not to retain credit card data longer than needed. As this case made clear, storing this type of sensitive information creates a high risk of exposure.

This case illustrates how private cybercrime investigators and law enforcement can collaborate to both protect the bottom line and stem crime. That's good news for long-beleaguered online businesses, and bad news for online fraudsters.

Sidebar: Forensic detectives can often quickly identify the most likely targets of a hacker attack on a given network.

Sidebar: Two Teams Are Better Than One

Cybercrime investigations are often initiated by the victimized company not through a call to the police, but through a call to a private firm that specializes in computer forensics examinations. These private-sector teams will then call law enforcement into the process as soon as they confirm that illegal activity is occurring. Cooperation between law enforcement and private-sector investigators is still a fairly new idea, however. Several years ago, when the author's company first started conducting forensic investigations, it was often met with distrust by both its private-sector clients, who feared bad publicity or losing control of company data, and law enforcement agents, who were reluctant to share information with third-party vendors. This reluctance is diminishing, however, as law enforcement becomes more accustomed to working with third-party cyberforensics experts and as clients see that the process can work. Companies like Ubizen work under strict conditions and with detailed nondisclosure agreements, which protects clients and helps allay fears.

Although they need to work together, it is important to understand that the two groups of investigators ultimately have different goals. The private-sector team's ultimate goal is to understand the full extent of the compromise and help the client find and close the vulnerability that led to the breach, in other words, to protect the client's reputation and profits. Law enforcement is focused on the illegal activity and on collecting any evidence that will lead to the attacker and help in a prosecution.

The two groups also work differently because of the nature of their responsibilities. A private forensic firm is doing paid work for a client and will devote a team to getting the work done in a short time frame. For example, this case took Ubizen two days on site and another two weeks to complete the analysis and write a report. By contrast, law enforcement agents typically juggle multiple cases or responsibilities and may take longer to complete an investigation or have difficulty devoting sufficient resources to a specific case.
While the goals differ, the groundwork serves both objectives. For that reason, the analysis completed by the private-sector team is often useful to law enforcement, saving them time and giving them a head start in understanding all the technical details of an investigation so that they can make a case for prosecution.

Author affiliation: Bryan Sartin is director of technology for Ubizen, where he is responsible for all customer-facing issues regarding the technology of its managed security solution offerings.

Unit VI Case Study questions

What problem was identified?
What steps were taken to solve the problem?
d on different goals. Briefly list and describe what these were as the investigation progressed and what strategies were employed.
purpose for this investigation—what else needed to be done, and how was it to be accomplished?
Does the identified offender fit the characteristics for this type of cybercrime?