The document summarizes the presentation "Creating cyber forensic readiness within your organisation" given at the 2nd African Mine Security Summit. The presentation covered defining cyber crime, the current state of cyber crime in South Africa, why organizations are vulnerable, and what cyber forensic readiness planning entails. It discussed why organizations need to be prepared for cyber incidents, how to approach digital evidence, and provided steps to implement cyber forensic readiness plans, including defining scenarios requiring evidence, identifying evidence sources, and training staff on evidence handling procedures.
Creating cyber forensic readiness in your organisation
1. Creating cyber forensic
readiness within your
organisation
2nd African Mine Security Summit
Hilton Hotel, Sandton
16 April 2015
Adv Jacqueline Fick
Executive: Cell C Forensic Services
2. 2 2ND AFRICAN MINE SECURITY SUMMIT 2015
AGENDA
• Cyber crime defined
• Current state of cyber crime in South Africa
• Why are we vulnerable?
• What is cyber forensic readiness planning
Why do organisations need to be ‘cyber incident ready’?
What happens to the potential evidence prior to the decision to undertake an
investigation?
Approach to digital evidence
Business approach
Managing the risks: Why digital evidence and related disputes are important
Implementing cyber forensic readiness planning
• Closing remarks
3. 3 2ND AFRICAN MINE SECURITY SUMMIT 2015
CYBER CRIME DEFINED
• Cyber crime does not have a precise or universal definition and varies
between jurisdictions based on the perceptions of those involved:
- Norton Symantec: Any crime that is committed using a computer or
network, or hardware device. The computer or device may be the agent of
the crime, the facilitator of the crime, or the target of the crime
- Oxford Dictionaries: Crime conducted via the Internet or some other
computer network
- Wikipedia: Computer crime, or cybercrime, refers to any crime that
involves a computer and a network. The computer may have been used in
the commission of a crime, or it may be the target
- Electronic Communications and Transactions (ECT) Act, No. 25 of 2002
contains no definition
- ECT Amendment Bill: "cyber crime" means any criminal or other offence
that is facilitated by or involves the use of electronic communications or
information systems, including any device or the Internet or any one or
more of them..”
4. 4 2ND AFRICAN MINE SECURITY SUMMIT 2015
CURRENT STATE OF CYBER
CRIME IN
SOUTH AFRICA
5. 5 2ND AFRICAN MINE SECURITY SUMMIT 2015
CURRENT STATE OF CYBER CRIME IN SOUTH
AFRICA
• According to Symantec’s 2013 Norton Report, cyber crime in South Africa
has collectively cost victims over R3.42 billion rand over the past 12 months.
It was also found that South Africa has the third-highest number of cyber
crime victims after Russia and China
• Areas of concern are mobile data and handling private information online. It
has been noted that cyber crime activity has made a large move towards
mobile platforms, but security and mobile security "IQ" has been left behind
and consumers are more vulnerable in these areas
• The US Federal Bureau of Investigations has flagged South Africa as the
sixth-most active cyber crime country
• Traditionally leaders have pigeonholed cyber security as an IT problem. But
that is a risk approach that could leave them open to attack
6. 6 2ND AFRICAN MINE SECURITY SUMMIT 2015
CURRENT STATE OF CYBER CRIME IN SOUTH
AFRICA
• South Africa is the second most targeted country globally when it comes to
phishing attacks (Drew van Vuuren, CEO of information security and privacy
practice, 4Di Privaca)
• Compare this statement to:
- How many law enforcement officials have received basic cyber training?
- How many cyber specialists are there in law enforcement?
• Honeynet Project
- Research shows that the average time spent in a cyber investigation was
approximately 34 hours per person to investigate an incident that took an
intruder about half an hour to complete. That's about a 60:1 ratio!
(http://www.honeynet.org/challenge/results/)
7. 7 2ND AFRICAN MINE SECURITY SUMMIT 2015
WHY ARE WE VULNERABLE?
The common top cyber vulnerabilities are:
• Inadequate maintenance, monitoring and analysis of
security audit logs
• Weak application software security
• Poor control of administrator privileges
• Inadequate account monitoring and control
• Inadequate hardware/software configurations
• The internal monitoring of suspicious transactions
and the general use of internal and 3rd party fraud
detection mechanisms are still the most effective
means of detecting cyber crime
(2012/2013 The South African Cyber Threat Barometer)
• This applies to computers and handheld devices
The cybercrime world
is like an arms race:
cybercriminals pursue
a course of action until
the defenders work
out how to combat it,
at which point the
cybercriminals change
tack.
(The current state of
cybercrime 2014: Global
Malware Outlook April
2014)
8. 8 2ND AFRICAN MINE SECURITY SUMMIT 2015
WHAT IS CYBER FORENSIC
READINESS PLANNING?
9. 9 2ND AFRICAN MINE SECURITY SUMMIT 2015
CYBER FORENSIC READINESS PLANNING
• Cyber forensic readiness is the
organisations’ potential to maximise
the use of digital evidence to aid in
an investigation, with the intent of:
• Reducing the time taken to
respond to an incident.
• Maximising the ability to collect
credible and meaningful evidence.
• Minimising the length/cost of a
cyber incident investigation.
• Reducing the incident recovery
time.
• Preventing further losses.
Its not just about IT. Its about HR
making sure employees understand
the security policies, and recruiting
people with the specialist skills to
protect the organisation from cyber
attacks. Its about legal and
compliance making sure laws and
regulations are respected. It is about
physical security protecting sites and
IT equipment. Its about marketing
thinking about cyber security when
they launch new products. If
organisations don’t look at cyber
security from all angles they are
missing a trick.”
(William Beer, Director, Cyber
Security Services, PwC UK)
10. 10 2ND AFRICAN MINE SECURITY SUMMIT 2015
• A reactive or tactical approach to Information Security may introduce
significant costs and opportunity loss
11. 11 2ND AFRICAN MINE SECURITY SUMMIT 2015
WHY DO ORGANISATIONS NEED TO BE ‘CYBER
INCIDENT READY’?
• Digital forensic investigations (DFIs) are commonly employed as a post-
event response to a serious information security or criminal incident.
• The examination is conducted in a systematic, formalised and legal manner
to ensure the admissibility of the evidence and subject to considerable
scrutiny of both the integrity of the evidence and that of the investigation
process.
• There is a broad organisational role in the forensic readiness process. This
role can be equated to a business continuity process.
12. 12 2ND AFRICAN MINE SECURITY SUMMIT 2015
WHAT HAPPENS TO THE POTENTIAL EVIDENCE
PRIOR TO THE DECISION TO UNDERTAKE AN
INVESTIGATION?
• The scenario of a DFI tends to ignore what happens to potential
evidence prior to the decision to undertake an investigation.
• The necessary evidence either exists, and hopefully is found by the
DFI, or it does not exist and a suspect cannot be charged and
prosecuted.
• When a digital incident occurs there are generally three courses of
action that can be taken, generally dependant on the type of
organisation within which the incident occurs, or which is responding
the event:
13. 13 2ND AFRICAN MINE SECURITY SUMMIT 2015
APPROACH TO DIGITAL EVIDENCE
Law Enforcement
• Secure the crime scene, identify evidentiary sources
and dispatch to a specialist laboratory for analysis.
Military Infrastructure
• Primary goal is one of risk identification and
elimination, followed by recovery and possible
offensive measures.
Commercial Organisations
• Where financial impact is caused by an incident, and
revenue earning potential is adversely affected, root
cause analysis and system remediation is of primary
concern, with in-depth analysis of the how and why
left until systems have been restored.
14. 14 2ND AFRICAN MINE SECURITY SUMMIT 2015
BUSINESS APPROACH
• The business environment lends itself to an approach similar to that of the
military, namely to be able to identify the incident, patch the necessary
system(s) and continue earning revenue.
• In the generic (law enforcement) investigative model, there is little leeway
for a business’s incident responders to satisfy the need to return the
systems to operational status as quickly as possible whilst preserving the
necessary evidence and being able to mount a successful prosecution.
• These two goals can be mutually exclusive as a thorough investigation
needs time and during this time the business will lose revenue by not
having its system(s) live
• Being prepared to gather and use evidence can also act as a deterrent.
Staff will know what the organisation’s attitude is toward the policing of
corporate systems – how incidents are dealt with and how the
organisation deals with offenders.
• This also highlights the need for internal policies and procedures that are
communicated via effective awareness and training programmes
throughout the organisation.
15. 15 2ND AFRICAN MINE SECURITY SUMMIT 2015
BUSINESS APPROACH
• Staff need to know:
Who the perpetrator could be and what to look out for?
What can be done?
Who to call?
• For most organisations the foremost objective is not to secure evidence. It
is more important to find the offender, locate the intruder, and more
importantly secure the infrastructure by minimising, or if possible,
eliminating vulnerabilities.
• To ensure that the organisation maintains a pro-active approach it is of
great value to conduct simulated cyber incident exercises. This would also
facilitate a process of continuous learning and awareness.
16. 16 2ND AFRICAN MINE SECURITY SUMMIT 2015
MANAGING THE RISKS: WHY DIGITAL EVIDENCE
AND RELATED DISPUTES ARE IMPORTANT
Recourse to litigation is generally a last resort for most organisations, but digital
evidence could help manage the impact of some important business risks:
Lend
support to
internal
disciplinary
actions
Support a
legal
defence
Support
good IT
governance
practices
and
reporting
Show
that due
care (or
due
diligence)
was
taken in a
particular
process
Support a
claim to
intellectual
property
rights
Verify the
terms of a
commercial
transaction
18. 18 2ND AFRICAN MINE SECURITY SUMMIT 2015
IMPLEMENTING CYBER FORENSIC READINESS
PLANNING
Define the business
scenarios that will
require digital evidence.
When it will be
appropriate to gather
evidence and when is it
not?
Identify sources of
evidence and what
type of evidence it is,
and ensure that you
have the resources
available to look for it.
Establish a clear
view of what
circumstances
need to be in
place to trigger a
full investigation.
Provide training for
key staff to ensure
that evidence
handling procedures
are adhered to.
Provide guidance in the
preparation of an example that
everyone can run through in
advance. Ensure that all
parties, including legal, are
confident that the correct
processes are in place.
Develop
policies and
procedures to
ensure
compliance.
Create learning organisations. Assess the
adequacy of the investigation and the utility
of the evidence gathered to support it.
Incorporate in cross-departmental training
initiatives to create and maintain staff
awareness across the organisation.
20. 20 2ND AFRICAN MINE SECURITY SUMMIT 2015
CLOSING REMARKS
• Being ready for a forensic investigation should form part of any information
security strategy.
• It is also closely related to incident response and business continuity,
ensuring that evidence found in an investigation is preserved and the
continuity of evidence is maintained.
• Get in the experts: take a detailed look at the organisation's readiness to
undertake or support a digital forensics investigation, be this as part of an
internal investigation, criminal investigation or as the result of a compliance
requirement.
• Cyber forensic readiness plans should take cognisance of people,
processes, technology and governance aspects.