Cloud computing and bring-your-own-device (BYOD) workplace policies are expanding the endpoints in IT infrastructures and adding complexity to the investigation of cyber attacks. The SANS 2013 Report on Digital Forensics and Incident Response Survey reveals some of the major difficulties that security professionals face in this new environment and how to better prepare for future investigations. Collecting responses from more than 450 security professionals across a range of industries and company sizes, the survey found that nearly 90 percent of respondents had conducted at least one forensics investigation within the last two years. But just 54 percent called their digital forensics capabilities “reasonably effective.” For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness ... - FireEye, Inc.
The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
With malware attacks growing more sophisticated, swift, and dangerous by the day — and billions of dollars spent to combat them — surprisingly few organizations have a grip on the problem. Only 20 percent of security professionals surveyed by Information Security Media Group (ISMG) rated their incident response program “very effective.” Nearly two-thirds struggle to detect APTs, limiting their ability to defend today’s most pernicious threats. In addition, more than 60 percent struggle with the speed of detection, and more than 40 percent struggle with the accuracy of detection. Those shortcomings give attackers more time to steal data and embed their malware deeper into targeted systems. For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
M-Trends® 2010: The Advanced Persistent Threat - FireEye, Inc.
The inaugural M-Trends report details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations. This report focuses on the Advanced Persistent Threat (APT), and outlines trends, techniques, and real details of how the APT successfully compromises any target it desires. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
M-Trends® 2013: Attack the Security Gap - FireEye, Inc.
Mandiant’s annual threat report reveals evolving trends, case studies and best practices gained from Mandiant’s observations of targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, visit https://www.fireeye.com/mtrends.
Mandiant’s annual threat report reveals key insights, statistics and case studies illustrating how the tools and tactics of advanced targeted attackers, including the Advanced Persistent Threat (APT), have evolved over the last year. The report, based on hundreds of advanced threat investigations, also shares approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, visit https://www.fireeye.com/mtrends.
In 2010, Mandiant's first M-Trends report detailed how the Advanced Persistent Threat (APT) successfully compromised its victims. In 2011, the attackers continued to expand their targets and innovated their techniques. In this report, those attack techniques are explored further and key steps you can take are identified so you can address the threat in your enterprise. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.
How close is your organization to being breached | Safe Security - Rahul Tyagi
Traditional methods are certainly limited in their capabilities, and this is easily proven by the multitude of breaches businesses across the globe have fallen victim to. The 2020 Q3 Data Breach QuickView Report revealed that the number of records exposed in 2020 has increased to 36 billion globally. The report stated that there were 2,953 publicly reported breaches in the first three quarters of 2020 alone! 2020 was already named the “worst year on record” by the end of Q2 in terms of the total number of records exposed. With the growing sophistication of cyber-attacks and global damages related to cybercrime reaching $6 trillion by 2021, we need a solution that simplifies cybersecurity.
To know more about breach probability, visit www.safe.security
Talk from the event "Cybersecurity: a nova era em resposta a incidentes e auditoria de dados" (Cybersecurity: the new era in incident response and data auditing)
Sam Maccherola - VP and General Manager Public Sector, Guidance Software Inc.
Brasília, August 4, 2010
Executive Summary of the 2016 Scalar Security Study - Scalar Decisions
Executive Summary of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016/
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020 - Proofpoint
Insider threats come in all shapes and sizes and affect organizations across all industries and geographies. Understanding the motives behind them is key to defense.
One of the best ways to do this is to study some of the bold, headline-generating insider threats that have taken place recently, like the big Twitter debacle of July 2020. This is just one example of what has become a very common problem.
DDoS Attacks Advancing and Enduring: a SANS & Corero Survey - Stephanie Weagle
Distributed denial of service (DDoS) attacks continue to grow in frequency, sophistication and bandwidth. There are numerous reasons for this. These trends are supported by a new SANS survey on the state of DDoS readiness. In the survey, 378 security and network managers reveal that they are experiencing more frequent and sophisticated DDoS attacks. The survey also reveals that many organizations are indeed not prepared to deal with the problem.
Before the Breach: Using threat intelligence to stop attackers in their tracks - Mark Fullbright
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
WhiteHat Security, the Web security company, today released the twelfth installment of the WhiteHat Security Website Security Statistics Report. The report reviewed serious vulnerabilities* in websites during the 2011 calendar year, examining the severity and duration of the most critical vulnerabilities from 7,000 websites across major vertical markets. Among the findings in the report, WhiteHat research suggests that the average number of serious vulnerabilities found per website per year in 2011 was 79, a substantial reduction from 230 in 2010 and down from 1,111 in 2007. Despite the significant improvement in the state of website security, organizational challenges in creating security programs that balance breadth of coverage and depth of testing leave large-scale attack surfaces or small, but very high-risk vulnerabilities open to attackers.
The report examined data from more than 7,000 websites across over 500 organizations that are continually assessed for vulnerabilities by WhiteHat Security’s family of Sentinel Services. This process provides a real-world look at website security across a range of vertical markets, including findings from the energy and non-profit verticals for the first time this year. The metrics provided serve as a foundation for improving enterprise application security online.
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise - 21CT Inc.
In this security insight brief, 21CT researchers look at the malicious network behaviors that concern organizations the most, and how to use security analytics to find them before damage is done. Understanding these 12 indicators of compromise is critical to identifying a network breach.
Learn about key trends facing the mobile forensics industry this year, including growing device and data backlogs, cloud-based data, and how to manage large quantities of data from multiple disparate sources.
2016 Scalar Security Study Executive Summary - patmisasi
Executive Summary of the 2016 Scalar Security Study. The study examines the cyber security readiness of Canadian organizations and the trends in dealing with growing cyber threats.
We surveyed 650+ IT and IT security practitioners in Canada, and found that organizations are experiencing an average of 40 cyber attacks per year and only 37% of organizations believe they are winning the cyber security war. We looked at average spend, cost of attacks, and technologies that are yielding the highest ROI. We also provide recommendations on how you can benchmark your own security posture and what you can do to improve.
An Improved Method for Preventing Data Leakage in an Organization - IJERA Editor
Data is one of the most important assets an organisation has, since it defines each organisation's uniqueness. It includes data on members and prospects, their interests and purchases, your events, speakers, your content, social media, press, your staff, budget, strategic plan, and much more. As organizations open their doors to employees, partners, customers and suppliers to provide deeper access to sensitive information, the risks associated with business increase. Now, more than ever, with increasing threats of cyber terrorism, corporate governance issues, fraud, and identity theft, the need for securing corporate information has become paramount. Information theft is not just about external hackers and unauthorized external users stealing your data; it is also about managing internal employees and even contractors who may be working within your organization for short periods of time. Adding to the challenge of securing information is the increasing push for corporate governance and adherence to legislative or regulatory requirements. Failure to comply and provide privacy, audit and internal controls could result in penalties ranging from large fines to jail terms. Non-compliance can result not only in potential implications for executives, but also in possible threats to the viability of a corporation. Insiders too represent a significant risk to data security. The task of detecting malicious insiders is very challenging as the methods of deception become more and more sophisticated. There are various solutions available to avoid data leakage. Data leakage detection, prevention and monitoring (DLPM) solutions have become an inherent component of the organization's security suite. DLP solutions monitor sensitive data at rest, in motion, or in use and enforce the organizational data protection policy. These solutions focus mainly on the data and its sensitivity level, and on preventing it from reaching an unauthorized person. They ignore the fact that an insider is gradually exposed to more and more sensitive data to which she is authorized to have access. Such data may cause great damage to the organization when leaked or misused. Data can be leaked via email, instant messaging, file transfer, etc. This research focuses on email data leakage monitoring, detection and prevention. It is proposed to be carried out in two phases: leakage detection through mining and prevention through encryption of email content.
The SANS 2013 Help Desk Security and Privacy Survey - EMC
This white paper discusses the results of a survey designed to serve as a starting point to promote awareness and help bridge the educational gap between what a help desk is and what a secure help desk should be.
Supporting material: A massive rethinking of security (Un replanteamiento masivo de la seguridad) - Universidad Cenfotec
Supporting material for the presentation: A massive rethinking of security.
Best practices for identity assurance
Talk by Centrify, given by Eng. Alvaro Ucrós at a breakfast organized by UCenfotec
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Asia Pacific & The Security Gap: Don't Stand Still - FireEye, Inc.
During a breach, attackers will infect a machine and any connected systems with malicious software. Once in, persistence is established by forcing this software to run every time you boot up your computer. This leads to the theft of sensitive data. Find out about the unique challenges faced in the Asia Pacific region, so you can take the necessary actions to step up your security.
EMEA & The Security Gap: Don't Stand Still - FireEye, Inc.
During a breach, attackers will infect a machine and any connected systems with malicious software. Once in, persistence is established by forcing this software to run every time you boot up your computer. This leads to the theft of sensitive data. Find out about the unique challenges faced in the EMEA region, so you can take the necessary actions to step up your security.
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser... - FireEye, Inc.
Get an overview of the threat groups targeting the legal and professional services industries, as well as the top 5 malware and crimeware families detected.
[Infographic] Healthcare Cyber Security: Threat Prognosis - FireEye, Inc.
Data breaches cost the healthcare industry $6 billion a year. Learn how you can justify the cost for better healthcare cyber security in this infographic. For more information, visit https://www.fireeye.com/solutions/healthcare.html
[Infographic] Email: The First Security Gap Targeted by Attackers - FireEye, Inc.
When two-thirds of all email is spam, it's easy to miss dangerous email attacks that evade spam filters. FireEye Email Security offers 6 unmatched advantages to help save millions in income and reputation. Visit www.fireeye.com/go/email for more information.
Analyses, insights, statistics and case studies: this annual threat report looks back at the evolution of the tools and tactics used by APT threat actors.
5 Reasons Cyber Attackers Target Small and Medium Businesses - FireEye, Inc.
High-profile data breaches of corporate giants make the headlines. But 77% of cyber crime actually targets small and midsize enterprises (SMEs). Here's why SMEs are targets, and what you can do about it.
Connected Cars: The Open Road For Hackers - FireEye, Inc.
As vehicles become both increasingly complex and better connected to the Internet, their increased connectivity makes them even more vulnerable to advanced cyber attacks. This report looks at the five most concerning potential threats created by vehicle software vulnerabilities — including various threat scenarios, their likelihood of occurring and their potential impact — and offers suggestions on how to address this growing cyber security challenge.
Do you know the internal signs of a compromise? This deck takes you through the process our Mandiant services teams go through to help discover if an organization has been compromised. You can also view the full webinar here: https://www.brighttalk.com/webcast/10703/187133?utm_source=SS
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW
BEFORE, DURING AND AFTER AN ATTACK
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
Proactively Engaged: Questions Executives Should Ask Their Security Teams - FireEye, Inc.
Jim Aldridge from FireEye discusses what executives should ask their security teams. This is available on the FireEye Blog www.fireeye.com/blog/executive-perspective/2015/11/proactively_engaged.html
FireEye Advanced Threat Protection - What You Need to Know - FireEye, Inc.
Like water, cybercrime moves effortlessly around obstacles. Today, security-conscious enterprises and federal governments choose FireEye™ for industry-leading protection against advanced cybercrime and targeted attacks. FireEye stops advanced malware, zero-day and targeted APT attacks. FireEye’s appliances supplement traditional and next-generation firewalls, IPS, AV, and gateways, adding integrated multi-stage protection against today’s multi-vectored Web, email, and file-based threats.
The FireEye Advanced Threat Report is based on research and trend analysis conducted by the FireEye Malware Intelligence Labs providing insights to the most current threat landscapes.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
- Create a campaign using Mailchimp with merge tags/fields
- Send an interactive Slack channel message (using buttons)
- Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
- Your campaign sent to target colleagues for approval
- If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
- But if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
PHP Frameworks: I want to break free (IPC Berlin 2024) - Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Executive Summary
More than 450 participants completed the SANS 2013 Digital Forensics Survey, conducted online during April and May 2013. A primary goal of this survey was to identify the nontraditional areas where digital forensics techniques are used.
In the survey, 54% of respondents indicated their digital forensics capabilities are reasonably effective. Although the majority of their investigations still take place on company-issued computers and laptops and internal networks and systems, participants also conduct forensic investigations on virtual and cloud-based systems and other unconventional endpoints. When it comes to investigating these new media types, participants are nearly equally divided among several challenges inherent to such investigations, including a lack of specialized tools, standards and training, and visibility into potential incidents.
A chief finding of the survey was that participants identified deficiencies in standards, tools and training as the fundamental challenges to investigating incidents involving the cloud, mobile devices and other unconventional endpoints. Figure 1 shows the other challenges identified by respondents.
Figure 1. Primary Challenges of New Devices and Technologies (survey question: What are your primary challenges with investigations involving new media such as virtual, cloud, BYOD or atypical embedded devices?)
SANS Analyst Program 1 The SANS Survey of Digital Forensics and Incident Response
As organizations adopt bring-your-own-device (BYOD) policies and cloud (particularly “public cloud”) technologies, they should ensure that the policies cover digital forensics and incident response (DFIR) in these and other emerging technologies. IT professionals should also engage the advice of their legal teams or consultants so that the policies actually achieve the desired outcomes and protections, while avoiding undesired ones. For instance, some incident response (IR) teams routinely reload compromised workstations without obtaining forensic disk images or memory captures. Although this method accomplishes the IR goals of containment and eradication, it undermines the value of evidence that may be required for subsequent legal action.
Forensic investigations of so-called “new” computing devices and media are increasing, affecting enterprise governance (and society in general) more than ever before. Increasingly, these investigations involve technologies such as cloud computing and mobile devices.
To assess the current state of forensic investigations and emerging trends, the SANS Institute conducted this online survey of digital forensics practitioners. The results, summarized in this whitepaper, will help forensic professionals and their clients better prepare for future investigations and allocate resources, while helping guide educators and forensic tool vendors.
Survey Respondents
The respondents for this survey were numerous and diverse, with more than half representing organizations of 2,000 employees or more. Smaller operations were also well represented; organizations with fewer than 500 employees comprised almost one-third of all responses, as shown in Figure 2.
Figure 2. Size of Respondents’ Organization (survey question: How large is your organization?)
The results of the survey are representative of a cross-section of organization sizes, not merely those with large budgets for DFIR.
Respondents also came from a range of industries; the largest group (almost one-quarter of survey respondents) was government professionals. Financial, IT services, consultants in forensics and incident response, and education were the next most represented industries, ranging from 9–13% of responses. Figure 3 shows the distribution of respondents’ industries.
Figure 3. Respondents by Industry (survey question: What is your organization’s primary industry?)
This cross-section of respondents demonstrates the broad interest (and investment) in forensic investigations. It also speaks to the different roles and perceptions they may have regarding digital forensics.
The survey did not break out “Government” respondents by branch, so it is difficult to distinguish law enforcement professionals from other forensic or investigative personnel in public service. Nevertheless, we assume that a substantial share of the 25% of respondents who identified themselves as “Government” (twice as many as any other industry classification) belong to the law enforcement community. We base this in part on the high number of “Government” respondents who selected “Investigator” as their primary role.
Figure 4 shows the breakdown of consultants and staff in the various roles and job titles listed by respondents.
Figure 4. Roles or Job Titles of Respondents (survey question: What is (are) your role(s) in the organization, whether as staff or consultant? Please check all that apply.)
Just as law enforcement professionals have certain definitions and perceptions of digital forensics and related tools, personnel in staff positions will have concerns and goals that differ from those of outside consultants. Consultants can provide value through up-to-date skills and access to specialized equipment and tools that are unavailable to inside staff, who may lack the resources and time to research the latest tools and techniques. Clearly, the majority of respondents are treated as staff by the organizations they support.
The best represented work roles identified by respondents were, in descending order: digital forensics specialist, incident responder, security analyst and investigator.
Figure 5 shows the breakdown among the various types of in-house and outside resources most used for digital investigations, based on how often they are called in; the scale ranges from least used (0) to most used (4).
Figure 5. Use of Professionals for Digital Investigations
The close alignment of these numbers may also indicate that many part-time incident responders are borrowed from the IT staff ranks, particularly at small and medium-sized businesses with fewer resources. Regardless, it is clear that in-house staff are less likely to have forensic training, as most have incident response assignments. (See the sidebar “Forensic Investigations Defined” for how we distinguish between forensics and incident response.)
The lower incidence of specially trained forensic and legal professionals (in-house or consultants) indicates that more IT groups are using “forensics” capabilities to respond to incidents than to preserve digital evidence that would stand up in court. This suggests that many respondents do not expect to have the results of these investigations challenged in external reviews such as legal or regulatory hearings.
Forensic Investigations Defined
For the purposes of our survey, and because the survey base includes professionals from both private and public sectors, with consultants as well as in-house experts, we distinguish between “forensics” and “investigations”:
• We use “forensics” in the sense of searching computer networks and systems for evidence of breach, data loss or other activities.
• In similar fashion, we use “investigations” when referring to the cases our respondents support, such as employee abuse of resources, espionage or financially motivated attacks.
• We define “incident response” (IR) as the identification of a compromise, the containment of the compromise and the eradication of the threat actor from the environment.
Because detection often relies on intelligence derived from forensics and eradication can destroy forensic evidence, optimal outcomes are achieved when IR and digital forensics teams work closely together.
Figure 5 chart (survey question: Please rank the professionals you use for digital investigations, based on frequency of use, starting with the highest frequency of use. Categories: in-house dedicated incident responders; in-house part-time incident responders; in-house dedicated IT specialists; in-house part-time IT specialists; specialty-trained in-house forensics; in-house legal staff; outside forensics specialists/consultants; outside specialty law firm; other.)
How and Why They Investigate
The next section of the survey focused on the investigations that survey participants and their organizations conduct.
Number of Investigations
Slightly more than 25% of respondents told us they conducted more than 50 investigations in the last two years, with 11% of that 25% conducting more than 100 investigations and 4% conducting more than 500 investigations. A disproportionately large number of those conducting more than 50 investigations identified their industry as “Government.” In fact, those respondents accounted for more than half of those reporting 500 or more cases, possibly working in law enforcement-related forensic labs.
Others conducting large numbers of investigations may be from large forensic/IT consulting services that conduct multiple investigations for their clients. Nevertheless, such responses certainly do not represent the norm; the majority of respondents said they conducted up to 25 investigations in the last two years, as shown in Figure 6.
Figure 6. Number of Investigations Conducted in Previous Years (survey question: Over the past two years, how many forensics investigations have you (or people working under you) conducted?)
Types of Investigations
Respondents were asked to select the reasons their organizations conduct forensic investigations. The responses to this question were telling: Three-quarters of respondents (75%) said they conduct forensic investigations to “find and investigate incidents after the fact.” This follows the pattern of traditional forensic investigations, particularly for law enforcement or legal professionals whose work may be used in court or regulatory proceedings.
However, digital forensics is also useful for investigations in real time. The survey found 57% of respondents reporting that they conduct investigations to “find and investigate incidents as they are occurring.” Real-time digital forensics is increasingly important to IT security professionals grappling with advanced persistent threats (APTs) in their networks, as APTs are multifaceted both in the harm they can do and in the techniques they use to persist. In the survey, nearly 50% of respondents are also using forensics to track and remediate APTs, for example.
The range of reasons behind investigations and the relative share of each appear in Figure 7.
Figure 7. Reasons to Investigate (survey question: For what purposes does your organization conduct forensics investigations? Please check all that apply.)
This was a multiple-choice answer set, ranked by the number of responses to each option. HR issues, such as investigating employee misuse of resources, were the second most frequently reported reason for conducting forensic investigations. Collecting evidence for legal or regulatory investigations was also frequently cited, which may be related to the large representation of respondents from government, a group that includes law enforcement along with other public sector forensic experts.
Prepared for Legalities?
Considering that 62% of respondents have used digital forensics to investigate “HR issues/employee misuse or abuse” and 57% indicate that they were looking for legal evidence that could hold up in court, organizations would be wise to treat such cases as if they may end up in arbitration or even legal proceedings. This means applying an appropriate degree of rigor in the collection and management of evidence so that the trustworthiness of the evidence can be defended.
The substantial number of respondents who specified evidence collection as an investigative goal also emphasizes the need for sound processes that can withstand challenge under outside scrutiny. Law enforcement has, for years, led the private sector in the use of digital forensics, whether investigating computer-related crimes or more prosaic ones. The evolution of practices and tools in the areas of chain of custody, evidence control, forensic imaging and similar fields is, as a rule, driven by the requirements of police, prosecutors and related investigators.
The need for rigor also applies when conducting forensics to measure legal or regulatory compliance. In the survey, only 40% of respondents reported that they use forensic investigations to support regulatory or compliance processes. Regulatory issues are also likely to be reviewed by an outside authority, such as a court, an auditor or a government agency.
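The rigor described above in a form an engineer can run, as an added example that is not part of the SANS report: each acquired artifact (a disk image and a memory capture, here constructed sample files) is hashed at acquisition, custody transfers are logged, and a sealed manifest lets a later reviewer show that neither the evidence nor the record of who handled it has changed. Case id, file names and person names are placeholders.

```python
"""Evidence acquisition manifest: hash at acquisition, log custody, seal the record.

Added example, not from the SANS report. Sample artifacts (a "disk image"
and a "memory capture") are constructed in a temporary directory; case id,
file names and person names are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so a large image never sits in RAM


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path: str, kind: str, collector: str, case_id: str) -> dict:
    """Record one acquired artifact (what, where, size, hash) and open its custody log."""
    return {
        "case_id": case_id,
        "kind": kind,  # e.g. "disk-image" or "memory-capture"
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "custody": [{"action": "acquired", "by": collector, "at": _now()}],
    }


def hand_over(record: dict, from_person: str, to_person: str) -> None:
    """Append a custody transfer; entries are only ever appended, never edited."""
    record["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": _now()}
    )


def verify_artifact(record: dict) -> bool:
    """Re-hash the artifact on disk and compare with the hash taken at acquisition."""
    path = record["path"]
    return os.path.isfile(path) and sha256_file(path) == record["sha256"]


def seal_manifest(records: list) -> dict:
    """Hash the serialized entries so later edits to the manifest itself are detectable."""
    body = json.dumps(records, sort_keys=True).encode()
    return {"entries": records, "manifest_sha256": hashlib.sha256(body).hexdigest()}


def verify_manifest(manifest: dict) -> bool:
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest() == manifest["manifest_sha256"]


def demo() -> dict:
    """Constructed scenario: acquire two artifacts, then tamper with one and with the log."""
    with tempfile.TemporaryDirectory() as workdir:
        disk = os.path.join(workdir, "ws42.img")  # placeholder names, constructed contents
        mem = os.path.join(workdir, "ws42.mem")
        with open(disk, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed stand-in for disk image bytes")
        with open(mem, "wb") as f:
            f.write(b"constructed stand-in for memory capture bytes")

        records = [
            acquire(disk, "disk-image", "analyst.a", "CASE-PLACEHOLDER-1"),
            acquire(mem, "memory-capture", "analyst.a", "CASE-PLACEHOLDER-1"),
        ]
        hand_over(records[0], "analyst.a", "evidence.custodian")
        manifest = seal_manifest(records)
        verified_at_acquisition = all(verify_artifact(r) for r in records)

        # A single byte of the image changes after acquisition (e.g. an accidental write).
        with open(disk, "r+b") as f:
            f.write(b"\xff")
        disk_ok = verify_artifact(records[0])
        mem_ok = verify_artifact(records[1])

        # Rewriting who collected the evidence breaks the seal over the manifest.
        manifest_intact = verify_manifest(manifest)
        manifest["entries"][0]["custody"][0]["by"] = "someone.else"
        manifest_after_edit = verify_manifest(manifest)

    return {
        "verified_at_acquisition": verified_at_acquisition,
        "disk_verifies_after_tamper": disk_ok,
        "memory_verifies_after_tamper": mem_ok,
        "manifest_intact": manifest_intact,
        "manifest_after_edit": manifest_after_edit,
        "custody_entries": len(records[0]["custody"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```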
Forensics-Derived Intelligence
The survey results also indicate a substantial amount of threat intelligence being derived from forensic data, as more than half of respondents reported that they use forensic investigations to collect intelligence for ongoing and future incidents. Similarly, almost half of respondents use investigations to track and remediate APTs. Because of difficulties in detecting APTs inside corporate networks (in most cases these are reported to victims by an outside source), the ability to proactively use intelligence gathered through forensics and other means is increasingly valuable for incident detection and follow-up, especially where it may provide specific indicators of compromise. This can help identify other assets within the organization (or elsewhere) that may be at risk.
Intelligence and digital forensics have a close-knit, nearly circular relationship. Artifacts discovered with forensic techniques can be used to identify attacks, especially those perpetrated by stealthy APT actors, much earlier and with a higher degree of accuracy than without such techniques. Detecting attacks earlier reduces the scope (and cost) of the subsequent incident response and forensic investigation.
Level of Effectiveness
The good news is that the majority of respondents (74%) feel their overall forensics and incident response capabilities are reasonably (54%) or very (20%) effective. Of the remaining 26%, the overwhelming majority have some sort of DFIR capability, while only 3% of respondents have no such capability. Figure 8 shows the distribution of respondents’ self-evaluation of their DFIR efforts.
Figure 8. Effectiveness of Digital Forensics and Incident Response (survey question: How would you rate the overall effectiveness of your digital forensics and incident response capability?)
For those 26% of respondents reporting marginal or zero DFIR effectiveness, we recommend reaching out to their particular industry or trade association for technical guidance and other assistance with investigations that rely on digital forensics. Otherwise, they risk incurring greater liability if mistakes are made during the investigative process.
Extensiveness of Policies
Survey respondents indicated overwhelmingly that their forensics policies and tools are neither up to date nor ready to respond, even in those investigations involving mature forensics processes and tools. Only 29% of the respondents indicated that they have detailed policies and are ready to respond to an incident. The remaining participants indicated that either their policies need to be updated (“partially mission-capable”) or they have none at all, as shown in Figure 9.
Figure 9. Policies for Investigations on Conventional Systems (survey question: How extensive is your policy regarding your investigations on traditional network devices (servers, routers/switches, security devices), endpoints and company applications?)
The low number of respondents with a “detailed policy” is especially significant because this question specifically addressed forensic capabilities in traditional environments. This brings up the question: If so many respondents feel their policies for traditional environments are deficient, how are they conducting investigations that involve new technologies or unconventional deployments? In the next sections, we discuss new technologies professionals are using in their investigations and how the innovations complement the tried-and-true.
What They’re Investigating
The landscape of digital forensics is rapidly changing, increasingly involving nontraditional devices, platforms and systems. Survey respondents are obviously scrambling to adapt their efforts to these new environments, given the diversity of device types on which they report conducting investigations.
Cloud on the Horizon
When asked about the types of environments they typically investigate, nearly 60% of respondents stated that they investigate virtual systems and networks; however, only 15% of respondents indicated that they investigate server infrastructure in the cloud, such as Amazon EC2, and only 17% investigate shared collaborative cloud apps, such as DropBox, as shown in Figure 10.
Figure 10. Devices and Systems Subjected to Investigation
The disparity between these numbers suggests that assets deployed to the cloud are generally not included in forensic investigations, or that respondents may be conflating their virtualized systems with cloud-based ones or focusing on the nature of a system rather than where it is deployed.
Although “the cloud” implicitly relies on virtualized systems, the concepts are not necessarily interchangeable; the virtualized systems can be in a “private” cloud, where the organization owns the hardware supporting the virtualized systems, or in a “public” cloud, where the service provider owns the hardware and rents access in a fashion reminiscent of mainframe time-sharing.
The responses to this question indicating a lower frequency for cloud-related investigations may reflect the relative novelty of such deployments; alternatively, the owner of the hardware in public cloud environments such as Amazon EC2 (typically the provider, rather than the user of the service) may be able to block or simply disregard such inquiries. Organizations whose policies assume physical access to systems in the course of internal investigations should keep this in mind when contracting with cloud and similar service providers.
Nevertheless, the responses show that cloud, mobile and virtual systems are a part of forensic investigations at many organizations and will be a growing part of future investigations.
Figure 10 chart (survey question: What type of media, devices, and/or infrastructure do you conduct investigations on? Check all that apply. Categories: company-owned laptops and other mobile devices; internal network systems and applications; USB devices; virtual systems and networks; other mobile digital storage media; web applications; employee-owned computers and mobile devices (e.g., BYOD); business applications in the cloud; atypical devices (e.g., embedded, game, printers); corporate-owned social media accounts; third-party social media; cloud-based data sharing (e.g., DropBox); cloud-based infrastructure (e.g., Amazon EC2); other.)
Nontraditional Platforms
Respondents were asked what percentage of investigations involves nontraditional platforms, specifically virtual or cloud-based resources, mobile devices (with or without BYOD policies) or atypical systems (including embedded systems, game systems, printers and similar devices). The results show that such investigations still represent a small share of the total number (generally, in the 1–5% range), regardless of which technology is involved.
However, 40% of respondents investigated employee-owned mobile devices, while 20% investigated virtualized, cloud-based or other unconventional systems.
For this reason, organizations looking to increase forensic investigation capabilities in nontraditional areas should address mobile platforms first. Policies should account for the routine backup of mobile device data to the cloud, potentially through employee-owned accounts. Due to the complications inherent in BYOD environments, organizations should also align policy and training with the adoption of new practices and technologies when creating or reviewing their DFIR strategies.
The tools and techniques used in forensic investigations of traditional platforms are in some ways similar to those used in virtualized and cloud-based environments, but in other ways may not be suited at all to these newer technologies. Similarly, mobile devices and embedded systems present their own challenges.
Tools for the Cloud
When asked about the tools forensic investigators employ in virtualized and cloud environments, only 16% of respondents indicated they use tools designed specifically for such platforms. Additionally, more than one-third of organizations (36%) use low-tech image captures and screen recordings for investigating virtualized and cloud-based systems, while one-quarter reported that they create their own tools as the need arises. The opportunity cost that comes with creating and maintaining specialty tools in-house can be significant. Figure 11 shows the usage of various tools and techniques among the survey respondents.
Figure 11. Tools and Resources in Common Use
These responses suggest that a capability or usability gap exists for custom tools in cloud environments. Almost one-third of respondents (31%) rely on cloud service providers to collect evidence for them. This practice relieves organizations of the requirement to train on specialized forensics, but it raises concerns about the quality and accessibility of evidence, including:
• How well is the service provider’s staff trained?
• What tools and procedures do staff use?
• What assurance is there that the service provider will respond in a timely fashion when an investigation is required?
• What is the chain of custody?
Organizations should carefully vet cloud service providers that offer evidence collection, to ensure those providers meet expectations. They should ask service providers for assurances about controls, capabilities and obligations in regard to forensic investigations.
Figure 11 chart (survey question: What types of tools and resources are you using to conduct investigations in virtual and cloud environments? Please choose all that apply.)
Nevertheless, only 16% of respondents reported that they have a service agreement allowing them to conduct forensic investigations in the provider’s environment if the need arises. Organizations that previously overlooked this consideration during their migration to the cloud should evaluate their current requirements and negotiate specific terms with their providers.
Tools for Mobile/BYOD
We also wanted to understand the tools and techniques used to investigate mobile/BYOD environments, assuming that these would vary from those used on traditional platforms. Therefore, respondents were asked about the tools and techniques used in their mobile/BYOD device investigations. The most common tools and techniques are acquiring the device filesystem and physical data extraction (62%), followed by interviewing the device owner/user (59%) and forensic acquisition of logical data (55%). Figure 12 shows the tools and resources used to investigate mobile devices, with or without BYOD policies.
Figure 12. Tools and Resources in Common Use (survey question: What tools and techniques are you using to conduct investigations involving mobile/BYOD? Check all that apply.)
The reliance on acquiring the actual device and recovering physical data from it (a basic digital forensics technique) and on user interviews (an inherently nontechnical solution) may indicate an immaturity of tools (or of investigator access to and experience with tools) for mobile/BYOD situations. Alternatively, it may indicate that old-school “gumshoe” work is still fundamental to law enforcement and regulatory investigations.
Only 30% of respondents indicated they retrieve data from a mobile device management (MDM) platform during forensic investigations. This number is probably close to, if not exactly congruent with, the number of respondents whose organization uses MDM, on the assumption that it is employed in investigations whenever it is available.
Comparing this number to the survey demographics indicates that about one-half of responding organizations with more than 2,000 employees do not employ MDM systems in their investigations. This may indicate that many of the respondents simply don’t encounter mobile devices that are provisioned by (or otherwise in contact with) an MDM platform. For example, investigators reporting themselves as “Government” are far less likely to use MDM logs in investigations involving mobile devices than their peers, employing MDM data in 18% of investigations. Nevertheless, such data can be invaluable during a forensic investigation that involves mobile devices, whether these are company provided or supported through BYOD policies.
Interestingly, more than one-half of respondents use data from network access control (NAC) platforms or network records, such as logs, for analysis. This indicates that these organizations have NAC, egress/exfiltration logs or other network monitoring assets at their disposal for investigators’ use, or that organizations performing investigations are more likely to use NAC or related tools in their endpoint monitoring. Nevertheless, mobile devices could be entirely bypassing corporate networks by using cellular or “rogue” Wi-Fi connections, and investigations focusing on a corporate network may miss this traffic.
Government investigators are much more likely to perform forensic investigations on mobile devices than the other types of respondents. Participants were asked to approximate the share of investigations involving mobile devices. The number of respondents reporting that mobile devices were involved in more than 10% of cases was much higher among government investigators than it is for the general population (47% vs. 25%). This seems to indicate that law enforcement personnel, presumably a large portion of the responding investigators who are employed by government, are as likely to encounter mobile devices in their investigations as not. Also, government investigators (whether employed in law enforcement or not) were much more likely than the other respondents to acquire physical or filesystem data, by margins of up to 25%.
SANS Analyst Program 16 The SANS Survey of Digital Forensics and Incident Response
18. Challenges with “New” Technologies
In order to determine what tools and techniques are working for investigations on unconventional platforms
and how best to deploy those means of inquiry, the next set of questions asked about respondents’ level of
satisfaction with these tools and processes, and the challenges posed by these rapidly evolving technologies.
Much Room for Improvement
Respondents were first asked about their satisfaction with the tools and processes used in forensic
investigations of traditional devices and systems, and the dominant answer across all categories (except
for “Other”) was “Somewhat satisfied.” This response indicates that forensic tool development has room
for improvement in the eyes of the survey respondents, even in well-documented and conventional
environments, as shown in Figure 13.
Figure 13. Tools Used to Investigate Conventional Systems (survey question: What tools do you use for investigations on traditional network devices, endpoints and company applications? Check your level of satisfaction with the tools you do use.)
Log collection dominates the ranking of processes and tools used for investigations, although respondents
indicate that logs do not completely satisfy their requirements. In a similar vein, respondents frequently use
browsers and screen captures in their investigations, but few respondents (15%) find these sufficient.
Interestingly, two-thirds of survey respondents use homegrown tools tailored to their environment when
investigating conventional systems. This was surprising, given the maturity of the tools commonly used
in such investigations. However, nearly as many respondents also use third-party tools, and the overall
satisfaction with homemade tools is not noticeably different from that for commercial ones.
Another telling observation from this data is that only two-thirds of respondents use a security information
and event management (SIEM) product in their work. Of respondents using SIEM tools, 80% are either very
or somewhat satisfied with SIEM data for investigations, indicating that SIEM products provide worthwhile
evidence for forensic investigations.
Investigations on Unconventional Systems
When asked to cite the primary challenges in responding to incidents involving virtualized, mobile and
atypical systems, respondents indicated multiple challenges for each of these technologies and identified five
fundamental challenges:
• Legal issues of ownership and privacy
• Lack of standards and tools
• Lack of skills, training and certification
• Lack of established policy
• Lack of visibility
The majority of challenges selected in this survey relate to virtual (including cloud) systems and mobile
devices. Respondents reported only about 70% as many challenges for atypical systems as they did for
mobile or virtualized systems. This correlates with Figure 10, in which one-fifth of respondents indicated they
conducted investigations on atypical systems.
Meanwhile, the type of challenges reported for virtual (including cloud) and mobile systems is nearly identical,
as shown in Figure 14.
Figure 14. Challenges of New Technologies
Normalized responses for “virtual or cloud” hovered near 20%, indicating that all of these challenges are
commonly faced by organizations and that the challenges are of equal significance.
Challenges of Mobile Devices
Legal issues of ownership and privacy were the main challenge for mobile devices, with 27% of the normalized
responses indicating this to be their biggest challenge. “Skills and training” for mobile appears less
problematic, being listed in only 17% of the normalized responses. This may indicate that forensic training
addresses at least some of the needs related to mobile devices. Keeping in mind the responses illustrated in
Figure 12 (more than three-fifths of respondents use a device’s filesystem or physical data in their
investigations), it may be that “dump and image” of mobile devices isn’t a technical challenge for our
respondents.
Nevertheless, if use of data recovered by such means is a priority for an organization, it should ensure that the
policies surrounding the use of such tools keep pace with their technical advancement.
In the case of atypical platforms such as embedded systems and game consoles, the two top challenges
were the lack of standards and tools and lack of skills, training or certification (each receiving about 25% of
normalized responses). Not surprisingly, legal issues of ownership and privacy were not rated a significant
concern for such devices.
(Figure 14 survey question: What are your primary challenges with investigations involving new technologies such as virtual, cloud, BYOD or atypical embedded devices?)
Challenges of Virtualized Systems, With or Without the Cloud
When respondents were asked which activities were the most difficult to complete in virtual and cloud
environments, the most frequent response (56%) was “imaging the environment.” Respondents reported that disk
acquisition (52%) and memory acquisition (40%) are also difficult in cloud environments, as shown in Figure 15.
Figure 15. Forensics Complicated by New Platforms
Most “infrastructure as a service” (IaaS) providers offer some ability to image disks through volume snapshots,
although imaging of memory is rarely available. This suggests that many forensic professionals do not
consider memory imaging important when compromises occur in IaaS environments. It may also indicate that
the difficulty of obtaining memory images in such cases outweighs their perceived usefulness.
Legal processes (40%), live response (36%) and monitoring for events (30%) are also identified as difficult
activities in IaaS-based cloud environments. Some of the respondents who selected “Other” reported that
they “only copy content.” The difficulty of obtaining both data access and timely response from third-party
providers was a common theme.
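Because a snapshot-derived image is produced by the provider rather than under the examiner's write-blocker, the integrity record around it matters more than usual. The following is an added example, not code from the survey or its authors: it hashes an exported image in chunks, writes an acquisition manifest that also records the fact that no memory image was obtained, and re-verifies the image later. The provider name, snapshot identifier, region and examiner address are constructed placeholders, and the "image" is a few kilobytes of constructed bytes written to a temporary file.

```python
"""Integrity manifest for a disk image acquired from an IaaS volume snapshot.

Added example, not part of the SANS survey report. Assumes the image has already
been exported from a provider snapshot to a local raw file; provider, snapshot id,
region and examiner below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so multi-GB images never have to fit in RAM


def hash_image(path: str) -> dict:
    """Return size, SHA-256 and MD5 of the file at *path*, read in chunks."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
            size += len(block)
    return {"bytes": size, "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def build_manifest(image_path: str, source: dict, examiner: str) -> dict:
    """Record where the image came from and what it hashed to at acquisition time."""
    return {
        "image": os.path.basename(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "source": source,          # provider / snapshot id / region (placeholders in demo())
        "hashes": hash_image(image_path),
        "memory_acquired": False,  # volume snapshots capture disk only; state the gap explicitly
    }


def verify_manifest(image_path: str, manifest: dict) -> bool:
    """Re-hash the image and compare size and SHA-256 against the recorded manifest."""
    current = hash_image(image_path)
    return (current["bytes"] == manifest["hashes"]["bytes"]
            and current["sha256"] == manifest["hashes"]["sha256"])


def demo() -> tuple:
    """Build a manifest for a constructed image, verify it intact, then after a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "vol-PLACEHOLDER.raw")
        with open(image, "wb") as fh:  # constructed sample "image", not real evidence
            fh.write(b"\x00" * 4096 + b"constructed sector data" + b"\xff" * 1024)
        manifest = build_manifest(
            image,
            source={"provider": "EXAMPLE-IAAS",          # placeholder
                    "snapshot_id": "snap-PLACEHOLDER",   # placeholder
                    "region": "example-region-1"},       # placeholder
            examiner="examiner@example.invalid",
        )
        intact = verify_manifest(image, manifest)
        # Flip one byte inside the image to simulate post-acquisition modification.
        with open(image, "r+b") as fh:
            fh.seek(4100)
            fh.write(b"X")
        after_tamper = verify_manifest(image, manifest)
        return intact, after_tamper


if __name__ == "__main__":
    ok, tampered = demo()
    print(json.dumps({"verified_intact": ok, "verified_after_tamper": tampered}, indent=2))
```

In practice the manifest would be written alongside the image and signed or stored separately; the point here is that the hashes are taken at the moment the exported image enters the examiner's custody, since the snapshot itself is created on provider infrastructure outside the examiner's control.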
(Figure 15 survey question: What forensics activities are most difficult to complete in virtual and cloud environments today?)
Investigative Costs
The scope of an investigation largely controls its cost, and the scope is largely based on the goals of the
investigation. Scope isn’t the only factor that affects cost; complexity is another driving factor.
When asked about the scope and cost of their investigations, the majority of respondents (55%) reported
that most of their investigations are small, costing less than $50,000. These likely represent investigations
that are conducted almost completely in-house, without any need for outside consultants or a substantial
commitment from in-house legal teams.
This may also represent investigations that do not involve regulatory oversight and are not intended for use
in legal proceedings, such as a find-it-and-fix-it repair. Alternatively, in the case of law enforcement it may
indicate investigations where evidence never appears in court, but is used to encourage acceptance of a plea
bargain. Figure 16 shows the distribution of reported average costs of investigations.
Figure 16. Scope and Cost of an Investigation
In the other large group of answers, 37% of respondents reported that the scope of their investigations varied
too widely to assign an average cost.
With nearly 8% of the respondents who were able to assign a cost to investigations saying that most cost more
than $50,000, it’s clear that the expenses associated with a digital forensics investigation can be varied and
complex.
Understanding all of these complexities, particularly at the high end of the scale, is difficult. However, smaller
organizations (particularly those with limited budgets) could benefit substantially by considering the costs
before they dive into an investigation that relies on digital forensics.
(Figure 16 survey question: What is your average scope and cost of an investigation?)
23. Recommendations
To complement the advice presented in the preceding discussion, we offer a baker’s dozen set of
recommendations to the readers of this paper.
1. Respondents indicated that training and certification are challenging for investigations in virtual and
cloud environments. As your organization increases its cloud and virtual footprint, ensure that the
skills of your forensic investigators keep pace with current technologies.
2. Take inventory of the tools used by your digital forensics staff. Find out which tools are developed
in-house and what problems they solve. Leverage existing vendor relationships to close capability
gaps in tools, leaving your forensic staff to do what they do best—namely, forensics. The tools at your
disposal must provide timely, accurate and insightful analysis to forensic specialists.
3. If your organization uses cloud services, review your SLA for assistance with forensic investigations.
If your organization is planning a move to the cloud, ensure that you negotiate an acceptable SLA,
establish relevant policies and train team members before the migration. It is important to understand
which tools the provider uses in forensic investigations, and the tools’ limitations as well as strengths.
4. Increase the involvement of legal team members in forensic investigations. Many organizations involve
the legal team only in investigations they feel are likely to involve law enforcement or be resolved in
court. However, every investigation has the potential to end in court proceedings, so legal staff should
be consulted in most if not all investigations. The improved working relationships between forensic
investigators and legal staff will be an even greater asset when complicated cases arise.
5. Use forensic investigations to identify potential issues before they rise to the level of incidents.
Involvement of incident response professionals in daily operations can help detect problems before
they are incidents, lowering the overall cost of your forensic staff.
6. Update policies and procedures regarding forensic investigations to account for new policies and
technologies. More than half of respondents reported that their policies needed revision.
7. Ensure that your forensic team has input into the creation of the policies they’ll have to implement.
Staff will be less likely to correctly implement policies that don’t align with industry best practices.
8. Budget appropriately for forensic investigations. These are understandably expensive, but their true
costs are often underestimated, resulting in sticker shock when upper management sees the bills.
Educating management now on the factors that affect the cost of forensic investigations will save
pain later.
9. Improve visibility into IT security operations. Several survey responses suggest that this is still a
problem for many organizations. Enhanced visibility improves the chances of discovering an incident
early, neutralizing it and lowering the cost of the investigation.
10. Seek out cross-disciplinary training for personnel who may be involved with investigations. Forensic
professionals need to understand law in order to better engage with legal advisors. Lawyers need
education about technology and forensic techniques so they can better advise forensic professionals.
11. Vendors must develop tools that are easier to use and that better serve the diverse and changing
environments in which investigations now occur. Early and accurate detection is vital to incident
response.
12. Vendors also need to develop tools that are more cost-effective than current offerings so that the
community does not need to rely so much on custom tools that may be used only once or twice. These
tools must support emerging and unconventional platforms such as cloud, embedded, mobile and
virtualized systems.
13. New investigative practices will develop as forensic professionals and legal authorities gain more
experience with new and unconventional platforms. Everyone in the community should be abreast of
the latest cases and practices.
25. Conclusion
The computing landscape continues to diversify, moving away from PC-derived hardware to include new
technologies; mobile devices, BYOD policies and embedded systems complicate many investigations. Cloud
and virtualized environments are increasingly part of the picture and present their own challenges.
The survey results indicate that many challenges to digital forensics come with the deployment of these
“new” platforms. However, survey participants report that they are already engaging these environments
and embracing their challenges with the help of a variety of tools and processes available today. A large
percentage of respondents are also relying on home-developed tools and processes, and organizations
indicate an equal need for improvement in their own tools as well as the commercial tools available today.
To keep pace, forensic professionals, and the educators and vendors who support them, must redouble
their efforts in training and educating their investigators in the legal and technical processes of conducting
investigations that involve modern computing technologies.
26. About the Authors
Paul Henry is one of the world’s foremost global information security and computer forensic experts with
more than 20 years’ experience managing security initiatives for Global 2000 enterprises and government
organizations worldwide, and is a principal at vNet Security, LLC. Paul also advises and consults on some of the
world’s most challenging and high-risk information security projects, including the National Banking System
in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense’s Satellite Data Project (USA), and
government and telecommunications projects throughout Southeast Asia.
Jacob Williams, a principal consultant at CSRgroup Computer Security Consultants, has more than a decade
of experience in secure network design, penetration testing, incident response, forensics and malware reverse
engineering. Before joining CSRgroup, he worked with various government agencies in information security
roles. Jake is a two-time victor at the annual DC3 Digital Forensics Challenge.
Benjamin Wright is the author of several technology law books, including Business Law and Computer
Security, published by the SANS Institute. With more than 25 years in private law practice, he has advised
many organizations—large and small, private sector and public sector—on privacy, computer security, email
discovery and records management, and he has been quoted in publications around the globe, from the Wall
Street Journal to the Sydney Morning Herald. He teaches the law of data security and investigations at the SANS
Institute and is a graduate of Georgetown University Law Center.
SANS would like to thank its sponsor: