This document discusses internal investigations and how to effectively conduct them. It covers:
1. The definition of an internal investigation and why companies conduct them.
2. The risks of flawed investigations, such as obstruction of justice charges or damage to reputation.
3. Factors to consider in determining if an investigation is appropriate, like the nature and scope of wrongdoing.
4. How traditional investigation techniques may focus only on known issues and new technologies are needed to address evolving threats, both internal and external.
The Base Rate Fallacy - Source Boston 2013 (Patrick Florer)
A base rate is the prevalence of an item of interest in a population. In medicine, it would be the prevalence of a disease in a group of people. In information security, it might be the prevalence of SQL injection flaws in web applications or the prevalence of malware in the population of downloaded *.exe files. Without an estimate of the base rate, it isn’t possible to talk meaningfully about detection rates (true positives) or false positives. Those who do so commit the “base rate fallacy”. If the base rate is known, then a fourfold table, also called a 2 x 2 table or matrix, is a mechanism that helps us understand the correct probabilities of True Positive, False Positive, True Negative, and False Negative events and avoid the base rate fallacy. Understanding these probabilities enables us to evaluate the claims of many types of security technologies, including the effectiveness of antivirus software, web application scanners, and IDS/IPS systems.
• The base rate fallacy will be explained and demonstrated.
• Gigerenzer’s Natural Frequencies Technique for Avoiding the Base Rate Fallacy
• Examples of why base rates apply to information risk management:
Common Vulnerability Scoring System (CVSS)
The Distinction between Inherent Risk vs. Residual Risk
Intrusion Detection Systems
Vendor Management, Hosting Providers, and SOC 2 (formerly SAS70) Audit Reports
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm (Shawn Tuma)
The #CyberAvengers' Paul Ferrillo (a/k/a Director Fury) and Shawn Tuma (a/k/a Hulk) presented at the Practical Cybersecurity Risk Management Strategies program of the New Jersey State Bar Association (NJSBA) Cybersecurity Institute on November 17, 2017. In this presentation, Fury and Hulk focused on the core #CyberAvengers message of the real-life cybersecurity issues facing most companies -- the basics of good cyber hygiene -- and explained how artificial intelligence and machine learning will help companies do a better job at getting these right, along with how and why AI/ML play a critical role in the future of cybersecurity.
Technology can help attorneys do much more than just review and produce documents. It helps attorneys understand their case, test theories and develop litigation strategies—as soon as data is collected. By utilizing technology to its best advantage, attorneys zero in on the information they need early on, even before a review has begun.
Jerod Brennen - What You Need to Know About OSINT (centralohioissa)
Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even know they are there. This presentation provides an introduction to many OSINT tools and techniques, as well as methods you can use to minimize your exposure.
Managing a security program (when you are not a security expert) (jikbal)
If you do not have an IT or information security background but are tasked with running an information security program, or you are responsible for a critical piece of information security or audit in your organization, then this will provide you with an introduction and roadmap.
Building an Effective Supply Chain Security Program (Priyanka Aash)
We’ve realized that the supply chain in most organizations is a potential weak spot for security controls and awareness. The time has come to shore up our approaches to supply chain management, incorporating security best practices at all stages. This talk will break down exactly how to get started, what to look for, and how to better secure your supply chain across the board.
(Source: RSA USA 2016-San Francisco)
How to minimize threats in your information system using network segregation? (PECB)
We will discuss the importance of network infrastructure and how we can minimize the risk of attacks on our IT by segregating and segmenting our network infrastructure.
Main points covered:
• Why is it always a primary target for attacks?
• What are segmented networks?
• How can they be used?
Presenter:
Our presenter for this webinar is Mohamed Tawfik, who is a qualified Technocrat, and a seasoned IT/Telecom Professional having over 20 years of solid experience with multi-national corporate organizations planning, deployment, governance, audit and enforcing policy on Information Security Practice, while having in-depth knowledge of IT/Telecom Infrastructure and with a proven record of customer satisfaction.
Link to the recorded session published on YouTube: https://youtu.be/sKhihzgElH8
Security Risk Management: or, how to mitigate and manage data risks through managed services (festival ICT 2016)
Security Risk Management: or, how to mitigate and manage data risks through managed services - by Hitachi Systems - festival ICT 2015
Speaker: Denis Cassinerio
Security Business Unit Director at Hitachi Systems CBT
How to deal with the media after a failure. Guidelines for development of a crisis management program with details for everyone in the company to understand the importance and value of the plan.
Artificial Intelligence – Time Bomb or The Promised Land? (Raffael Marty)
Companies have AI projects. Security products use AI to keep attackers out and insiders at bay. But what is this "AI" that everyone talks about? In this talk we will explore what artificial intelligence in cyber security is, where the limitations and dangers are, and in what areas we should invest more in AI. We will talk about some of the recent failures of AI in security and invite a conversation about how we verify artificially intelligent systems to understand how much trust we can place in them.
Alongside the AI conversation, we will discover that we need to make a shift in our traditional approach to cyber security. We need to augment our reactive approaches of studying adversary behaviors to understanding behaviors of users and machines to inform a risk-driven approach to security that prevents even zero day attacks.
Ethical Hacking And Computer Forensics (ShanaAneevan)
Data recovery is the process in which highly trained engineers evaluate and extract data from damaged media and return it in an intact format. Many people, even computer experts, fail to recognize data recovery as an option during a data crisis, yet it is possible to retrieve files that have been deleted and passwords that have been forgotten or to recover entire hard drives that have been physically damaged.
Digital Forensics for Artificial Intelligence (AI) Systems (Mahdi_Fahmideh)
AI systems make decisions impacting our daily life. Their actions might cause accidents, harm or, more generally, violate regulations, either intentionally or not, and consequently might be considered suspects for various events. In this lecture we explore how digital forensics can be performed for AI-based systems.
Data Breach Response: Before and After the BreachFinancial Poise
You’ve received the dreaded call that your company has just suffered a data breach – what do you do next? Who do you call for help? What notification obligations do you have?
With proper preparation, you can mitigate the damage caused by this unfortunate event and put your business in a position to recover. Your company may have already implemented its information security program and identified the responsible parties, including applicable outside experts, to be contacted in the event of a breach. However, now you must call up your incident response team to investigate the extent of the breach, evaluate the possible damage to your company, and determine whether you must notify your clients, customers, or the public of the breach. This webinar will help prepare you to take action when the worst happens.
Part of the webinar series: Cybersecurity & Data Privacy 2021
See more at https://www.financialpoise.com/webinars/
The NIST Cybersecurity Framework is a good starting point for many enterprises to harden their security posture against advanced threats. In this webinar, we will share the major take-aways from the framework. More importantly, we will explain the 5 critical factors in implementing cybersecurity defense, and how to handle them with best practices.
ZyLAB White Paper - Bringing e-Discovery In-house (ZyLAB)
This report provides a straightforward, pragmatic overview of how legal professionals and organizations confronted with e-discovery must be able to interpret e-discovery within the context of actual expected processes, inherent risks, and the available technical solutions that can support relevant activities. Many people may have some idea about what e-discovery is, at least thematically, but many do not have a full appreciation of how to effectively engage the setup and execution of the process. Even for those who have gone through an e-discovery process in the past, some of the acknowledged approaches to e-discovery are outdated, particularly when viewed against the current economic backdrop and the rapidly expanding technical challenges found in most organizations and legal firms.
1. Internal Investigations: A Look at Proactive and Reactive Responses Using Technology and Process
Albert Barsocchini
barsocchini@gmail.com
415.456.8318
2. Definition of an Internal Investigation
An internal investigation is launched by a corporation to understand and diagnose problems within the corporation.
Frequently used to help a corporation avoid or limit possible criminal or civil liability exposure and to correct significant problems.
Fact driven.
The old adage applies: sometimes the best defense is a good offense.
3. Flawed Investigation Risks
Allegations of obstruction of justice
Damage to the corporation’s reputation
Damage to employee morale
Creation of negative evidence that may be used in future criminal or civil proceedings
Destruction of evidence that could be helpful in the company’s defense
4. Is an Internal Investigation Appropriate?
The titles, roles and responsibilities of the people alleged to have engaged in the wrongdoing;
Whether the company was a victim or the perpetrator of the alleged wrongdoing;
If the company was a victim of the wrongdoing, is it likely to recur, and will the company likely recover much, if anything, in pursuing the wrongdoers?
The nature, length, and scope of the alleged conduct in question;
The dollar value of any loss to the company if it was a victim of any wrongdoing;
Does the wrongdoing involve ongoing business conduct or existing business relationships, or is it historical and unlikely to recur due to changed business practices or other circumstances?
The likely—not merely the possible—potential economic exposure to the company;
Whether the alleged wrongdoing, if true, is placing any third party at risk;
Whether the allegations are susceptible to verification;
The cost and effort of the investigation as compared with any results it may yield;
The nature and source of the allegations, including the motivation and the potential gain to those making the allegation, if that party is known.
5. Reality Check
There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.
Donald Rumsfeld
Query: Traditional investigation techniques focus on known knowns and sometimes known unknowns.
6. Know Yourself
Sun Tzu:
“If you know your opponent's strengths and limitations and know your own strengths and limitations, you can win one hundred battles without a single loss.”
“If you know neither yourself nor your opponent, you will always endanger yourself and the mission.”
7. United States Approach To Data Protection & Privacy
The United States has an ad hoc approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation, rather than overarching governmental regulations.
The private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology:
Corporate codes of conduct
Alternative dispute resolution mechanisms
The United States has no single, overarching privacy law comparable to the EU Directive.
Privacy legislation in the United States tends to be adopted on an “as needed” basis, with legislation arising when certain sectors and circumstances require. For example:
Video Privacy Protection Act of 1988;
Cable Television Consumer Protection and Competition Act of 1992;
Electronic Communications Privacy Act; and
Fair Credit Reporting Act.
9. Today’s Corporate Risks & New Litigation Rules Require Consistent Digital Investigations
eDiscovery Compliance
Data Audit & Internal Security Investigations
The common need: to search, collect and preserve electronic evidence in a timely, efficient and defensible process that preserves court admissibility
11. Trends
Board Members Will Demand Investigations
Less Pressure to Waive Attorney-Client Privilege
More written reports instead of oral
More Executives Will Have Their Legal Fees Paid by Their Employer
More Employees Will Be Prosecuted For Lying to Outside Counsel
Increased difficulty conducting investigations because of complex enterprise environments
12. Invest in Leap Ahead Technology
We still use a lot of homegrown tools.
Not enough innovation.
Can we prevent wrongdoing by watching the data?
Can we make the data police itself?
13. Know the Triggers
Search Warrant, Government Subpoena or Voluntary Request for Information
Whistleblower
HR matters
Media Reports
Financial Restatements
Shareholder Demand Letter or Civil Complaint
Auditor concerns
Part 205 Report (attorney “up-the-ladder” report under the SEC rules at 17 CFR Part 205)
Board or Audit Committee Concern
FCPA
14. Understand Data Location
What are your “Crown Jewels”?
Do you know where all the Crown Jewels are?
Processes and procedures should be in place to ensure the Crown Jewels remain in authorized locations.
15. Evolving Corporate Threats
Traditional reactive investigations not enough
New technologies bring new exploits
Threats can be internal, external and/or inadvertent
A determined wrongdoer will find a way
16. Proactive Considerations
How do you…
Identify unknown or covert corporate threats?
Limit the risk exposure presented by sensitive information?
Respond to a suspected incident?
Limit the scope of an incident?
Ensure corporate endpoints remain secure?
Address and scale technology and processes to include file servers, email servers, and semi-structured data repositories?
17. Find your Heading
Directional orientation determines your focus: coming at you, going away, or circling you
Perception is what you observe
Peripheral vision is for detection (perimeter)
Central vision is for identification (endpoint)
Could you drive with only peripheral vision?
Bottom line: you will conclude what you perceive
Learn to use innovative procedures and technology to increase your vision.
18. Technology Obsolescence
Traditional investigative technologies are obsolete and are not keeping pace with the number of corporate threats being created.
Traditional investigative techniques place you in a perpetual catch-up mode and provide a false sense of security and plausible deniability.
20. Your New Adversaries
1. “Bear” - firmly nestled where users are most exposed: the data stream…
2. “Raccoon” - masked bandit who sneaks in at night and takes our valuable loot.
3. “Wolf” - constantly probing and looking for signs of weakness.
4. “RAT” - burrowing his way through your foundation, weakening your structure.
21. Flawed Internal Investigation Personalities
1. “Turtle” - both for having a hard outer shell and soft meaty middle, and for being characteristically slow in every endeavor
2. “Lemming” - because we like to follow others' lead, often to our own demise
3. “Guinea Pig” - using untested new ideas and procedures
4. “Beaver” - who after getting his dam breached will work feverishly to patch and repair, even when conditions aren’t favorable
5. “Sheep” - they may make great T-shirts, but terrible investigators
6. “Ostrich” - who believes that there is a peaceful bliss in ignorance and that if you bury your head long enough, maybe the threat will go away…
22. Desired Qualities of an investigator
Objective
Impartial
Subject matter expertise
Credible
Fair
Respectful
Compassionate
Professional
Innovative
Flexible
Open to new ideas and techniques
23. Undesirable Qualities of an Investigator
Biased
Judgmental
Accusatory
Inconsiderate
Angry or “put out”
Incompetent
Inflexible
Not thinking outside the box
Unwilling to accept new ideas and technology
24. Challenges
Complexity - Internal investigations are inherently complicated given regulatory considerations, disclosure implications and overall liability exposure.
Timing - A critical aspect of any internal investigation.
Risk - The disclosure of investigative findings can subject a corporation and its employees to potential criminal and/or civil liability.
Ethical issues - Effectively conducting an internal investigation often requires keen attention to a myriad of ethical issues (e.g., privilege).
Adverse impact - The investigation and its findings can adversely impact the company by generating low employee morale, hampering employee recruitment and depressing the stock price.
Conflicts of interest - Can affect investigation effectiveness.
25. Investigative Challenges
Detecting covert, advanced and unknown threats and keeping pace with the evolving nature of attacks
Identifying and analyzing suspected threats
Quickly triaging and containing an identified threat
Locating and rapidly responding to data leakage (PII, IP, etc.)
26. Be Proactive and Understand Potential Corporate Threat Vectors
Network
Unusual employee behavior
Email
Open ports
VPN
Insider threat
Software vulnerabilities
27. Ten Red Flags for the Enterprise
Account information on an unauthorized workstation
Account information on a web or email server
Unencrypted account information
Unscheduled bulk data transfers after hours
File sharing software (e.g., BitTorrent)
Unknown process running on a workstation
Account privilege escalation / out-of-band activity
Encrypted/compressed file repositories
Large number of removable drives on a single computer
Unpatched applications
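Most of the red flags above are signals that can be screened for automatically rather than waited for. The Python script below is an added example, not code from the deck or its author: it runs six of the flags as rules over a constructed batch of endpoint and network events and then orders hosts for triage by how many distinct flags they raised. The event schema, the host and user names, the approved-process and P2P-client lists, and the thresholds (business hours, bulk-transfer size, removable-drive count) are all assumptions chosen for illustration; a real deployment would take them from EDR, proxy or DLP telemetry and from the site's own policy.

```python
"""Screen endpoint/network events for several of the "Ten Red Flags".

Added example, not from the original deck. The event schema, host names,
policy lists and thresholds below are assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed site policy (illustrative values, not from the deck).
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local counts as "in hours"
BULK_BYTES = 2 * 1024 ** 3               # a single transfer of >= 2 GiB is "bulk"
MAX_REMOVABLE_PER_HOST = 3               # distinct USB serials seen on one host
APPROVED_PROCESSES = {"explorer.exe", "outlook.exe", "chrome.exe", "svchost.exe"}
P2P_CLIENTS = {"utorrent.exe", "qbittorrent.exe", "transmission-qt.exe"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
ACCOUNT_DATA_HOSTS = {"fin-db-01"}       # only hosts allowed to hold account data


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _hour(ts: str) -> int:
    """Local hour from an ISO-8601 timestamp string."""
    return datetime.fromisoformat(ts).hour


def scan(events):
    """Return one Finding per red flag observed in the event batch."""
    findings = []
    usb_serials = defaultdict(set)       # host -> distinct removable-device serials
    for e in events:
        kind, host = e["kind"], e["host"]
        if kind == "transfer":
            # Red flag: unscheduled bulk data transfer after hours.
            if e["bytes"] >= BULK_BYTES and _hour(e["ts"]) not in BUSINESS_HOURS:
                findings.append(Finding("after_hours_bulk_transfer", host,
                    f"{e['user']} sent {e['bytes'] // 1024 ** 2} MiB to {e['dst']} at {e['ts']}"))
        elif kind == "process":
            # Red flags: file-sharing software; unknown process on a workstation.
            image = e["image"].lower()
            if image in P2P_CLIENTS:
                findings.append(Finding("file_sharing_software", host, image))
            elif image not in APPROVED_PROCESSES:
                findings.append(Finding("unknown_process", host, image))
        elif kind == "usb_mount":
            usb_serials[host].add(e["serial"])
        elif kind == "group_add":
            # Red flag: privilege escalation with no change ticket (out of band).
            if e["group"] in PRIVILEGED_GROUPS and not e.get("ticket"):
                findings.append(Finding("privilege_escalation_out_of_band", host,
                    f"{e['user']} added to {e['group']} without a change ticket"))
        elif kind == "file_classified":
            # Red flag: account information on an unauthorized workstation.
            if e["label"] == "account_data" and host not in ACCOUNT_DATA_HOSTS:
                findings.append(Finding("account_data_on_unauthorized_host", host, e["path"]))
    # Red flag: large number of removable drives on a single computer.
    for host, serials in usb_serials.items():
        if len(serials) >= MAX_REMOVABLE_PER_HOST:
            findings.append(Finding("many_removable_drives", host,
                                    f"{len(serials)} distinct devices"))
    return findings


def hosts_by_finding_count(findings):
    """Triage order: hosts with the most red flags first, ties broken by name."""
    counts = Counter(f.host for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample batch (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "transfer", "host": "ws-017", "user": "jdoe", "ts": "2013-04-02T23:41:00",
     "bytes": 9 * 1024 ** 3, "dst": "203.0.113.9"},
    {"kind": "transfer", "host": "ws-021", "user": "asmith", "ts": "2013-04-02T14:05:00",
     "bytes": 5 * 1024 ** 3, "dst": "192.0.2.50"},          # bulk, but in hours
    {"kind": "transfer", "host": "ws-017", "user": "jdoe", "ts": "2013-04-02T22:10:00",
     "bytes": 300 * 1024 ** 2, "dst": "203.0.113.9"},       # after hours, but small
    {"kind": "process", "host": "ws-017", "image": "svchost.exe"},
    {"kind": "process", "host": "ws-017", "image": "uTorrent.exe"},
    {"kind": "process", "host": "ws-033", "image": "rundl32x.exe"},
    {"kind": "usb_mount", "host": "ws-017", "serial": "A1"},
    {"kind": "usb_mount", "host": "ws-017", "serial": "B2"},
    {"kind": "usb_mount", "host": "ws-017", "serial": "C3"},
    {"kind": "usb_mount", "host": "ws-021", "serial": "D4"},
    {"kind": "group_add", "host": "dc-01", "user": "jdoe", "group": "Domain Admins", "ticket": None},
    {"kind": "group_add", "host": "dc-01", "user": "ops-bot", "group": "Domain Admins", "ticket": "CHG-4411"},
    {"kind": "file_classified", "host": "ws-017", "label": "account_data",
     "path": r"C:\Users\jdoe\Desktop\accounts.xlsx"},
    {"kind": "file_classified", "host": "fin-db-01", "label": "account_data",
     "path": "/srv/ledger/accounts.db"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:36} {f.host:10} {f.detail}")
    print("triage order:", hosts_by_finding_count(found))
```

The two in-hours and small-after-hours transfers in the sample are there on purpose: a rule keyed on a single attribute (time alone, or size alone) would fire on normal backups or on trivial late-night traffic, so the flag is the conjunction. The allowlist-based "unknown process" rule is the simplest form of the baseline the slide implies; in practice it is seeded from a known-good image and reviewed as software changes.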
28. Recommendations
Assess your risk
Assess your readiness
Prevention, detection, response
Implement effective compliance program
People
Process
Technologies
29. Getting Started
Have a corporate investigation and document retention policy
Develop a process to identify and retain evidence
Develop a response strategy for both inside and outside counsel
Identify event triggers and a decision tree:
Who in the enterprise controls the investigation?
Who should conduct the investigation? Credibility is key.
How should the investigation be conducted?
What should the scope of the investigation be?
What will be done with the results of the investigation?
30. Investigative Objectives
Find the truth
Stop the conduct
Identify the evidence
Get control of the evidence
Preserve the evidence
Find out what happened and why
Report (oral or written, as the purpose requires)
Implement remedial measures
Maintain confidentiality
31. Best Practices
Document the process
Establish credibility
Don’t make it worse
Always re-evaluate strategy
Have a clear communication channel
Have consistent procedures
Use the latest technologies
Have an efficient and cost effective response
Properly preserve evidence
Provide effective expert testimony
Review and de-brief
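Several of the investigative objectives and best practices above ("Get control of the evidence", "Preserve the evidence", "Document the process", "Properly preserve evidence") come down to one mechanical step: fixing what was collected, by whom and when, so that any later change can be shown. The Python script below is an added example, not the deck's or its author's material: it hashes every file in a collection, records the collection details in a manifest with a single hash over the item list, and re-verifies the collection to report what was altered, added or removed after preservation. The matter number, custodian, examiner and the files it creates are invented; a real collection would also write-block the source media and log the manifest hash in a custody record.

```python
"""Preserve a collection of evidence files so it can be defended later.

Added example, not from the original deck. Matter number, custodian, examiner
and the sample files below are invented for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _hash_tree(root):
    """Map of relative path -> SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(path)
    return hashes


def build_manifest(root, matter, custodian, examiner):
    """Hash every file under root and record who collected it, and when."""
    items = [{"path": rel, "size": os.path.getsize(os.path.join(root, rel)), "sha256": h}
             for rel, h in _hash_tree(root).items()]
    items.sort(key=lambda item: item["path"])      # deterministic order
    manifest = {
        "matter": matter,
        "custodian": custodian,
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    # One hash over the canonical item list; signing or logging this single
    # value makes the manifest itself tamper-evident.
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify(root, manifest):
    """Re-hash the collection; report files missing, added or altered since preservation."""
    expected = {item["path"]: item["sha256"] for item in manifest["items"]}
    actual = _hash_tree(root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "added": sorted(set(actual) - set(expected)),
        "altered": sorted(p for p in expected.keys() & actual.keys()
                          if expected[p] != actual[p]),
    }


def demo():
    """Constructed collection: preserve two files, then alter one, add one, and re-verify."""
    root = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(root, "mail.pst"), "wb") as fh:
        fh.write(b"constructed mailbox bytes")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("meeting notes\n")
    manifest = build_manifest(root, matter="INV-0001",
                              custodian="J. Doe", examiner="A. Examiner")
    before = verify(root, manifest)
    with open(os.path.join(root, "notes.txt"), "a") as fh:
        fh.write("edited after collection\n")
    with open(os.path.join(root, "stray.log"), "w") as fh:
        fh.write("dropped in later\n")
    after = verify(root, manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("verify right after collection:", before)
    print("verify after tampering:", after)
```

The verification step is the part that earns its keep in a dispute: a clean result right after collection and a named list of altered or added files later is what lets the examiner say precisely what changed and when, rather than assert that nothing did.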
32. Rewards
Using the latest investigative approaches and technology will help a company identify potential liability and develop a plan to limit such liability, while allowing the company to control the process before governmental or other third-party intervention.
Gives a corporation more time to develop responses or defenses, which may ultimately minimize overall criminal and civil exposure and reduce the likelihood of lawsuits.
Makes a corporation look more responsible to government regulators, shareholders, and auditors, thus minimizing the effect of any negative publicity that has arisen from allegations of wrongdoing.
Satisfies the board’s fiduciary obligations.