Litigation Holds

Information subject to discovery can hide in unsuspected places; do you know where all the data you want to find is located?

There’s a lot of information about the scope of a litigation hold, but most of it seems to miss a key issue: you need to involve a technical expert consultant.  Not necessarily as an expert witness, but someone with the technical know-how to look at an organization as the black box it seems during discovery, and peel back the layers to get at the really important bits that usually get missed.  Business networks are complicated beasts, and there’s more to retaining data than the email backup tapes and a primary application or two.

For instance, what feeds the system in question?  What does it in turn feed?  The interconnections provide a means of validating an otherwise opaque operation.  For example, say they've held the backup tapes for email; very reasonable, but what if someone created, sent and deleted a message within a single day, between backups?  Did the system back that up, or is it gone?  Is there an email gateway in addition to the server, or some other intermediary system that logs simple in/out email transactions?  By comparing the logs from the gateway to the preserved email (using programs, so it's fast) it's possible to locate transient messages, and those are exactly the messages that might be interesting.  This is not an onerous extension.  It's just a log file, or set of logs, from a server; it only takes the time necessary to copy the log files and burn a CD.
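The gateway-versus-archive comparison described above, as an added example (this is not code from the original post or from Digital Trust): it assumes a relay that writes one log line per message carrying the Message-ID and envelope addresses, and a preserved mail store that can be read back as RFC 822 messages. The log lines, the messages and the field names (msgid, from, to, direction) are constructed for the example and are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample gateway log, loosely modelled on the one-line-per-message
# records a mail relay writes. These are not records from any real system.
GATEWAY_LOG = """\
2010-02-10 14:02:11 relay: msgid=<a1@corp.example> from=jdoe@corp.example to=buyer@partner.example direction=out
2010-02-10 14:05:40 relay: msgid=<b2@partner.example> from=buyer@partner.example to=jdoe@corp.example direction=in
2010-02-10 16:20:05 relay: msgid=<c3@corp.example> from=jdoe@corp.example to=buyer@partner.example direction=out
2010-02-11 09:01:13 relay: msgid=<d4@corp.example> from=rsmith@corp.example to=jdoe@corp.example direction=internal
2010-02-11 09:01:14 relay: queue flush complete
"""

# Constructed stand-in for the preserved mail store: raw RFC 822 messages as a
# restore from the backup tape would yield them. <c3@corp.example> is absent,
# which is the "created, sent and deleted the same day" case from the text.
PRESERVED_RAW = [
    "From: jdoe@corp.example\nTo: buyer@partner.example\nMessage-ID: <a1@corp.example>\nSubject: quote\n\nSee attached.\n",
    "From: buyer@partner.example\nTo: jdoe@corp.example\nMessage-ID: <b2@partner.example>\nSubject: Re: quote\n\nThanks.\n",
    "From: rsmith@corp.example\nTo: jdoe@corp.example\nMessage-ID: <d4@corp.example>\nSubject: lunch\n\nNoon?\n",
]

# Hypothetical relay line format; adjust the pattern to the gateway actually in use.
GATEWAY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) relay: msgid=(?P<msgid><[^>]+>) "
    r"from=(?P<sender>\S+) to=(?P<rcpt>\S+) direction=(?P<direction>\S+)$"
)


def parse_gateway_log(text):
    """Keep only the per-message lines; other relay chatter is skipped."""
    records = []
    for line in text.splitlines():
        m = GATEWAY_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def preserved_message_ids(raw_messages):
    """Pull the Message-ID header out of each preserved message."""
    ids = set()
    for raw in raw_messages:
        mid = message_from_string(raw).get("Message-ID")
        if mid:
            ids.add(mid.strip())
    return ids


def find_transient_messages(gateway_records, preserved_ids, custodians=None):
    """Messages the gateway relayed that are absent from the preserved store.
    If custodians is given, keep only messages a custodian sent or received."""
    missing = []
    for r in gateway_records:
        if r["msgid"] in preserved_ids:
            continue
        if custodians and not ({r["sender"], r["rcpt"]} & set(custodians)):
            continue
        missing.append(r)
    return missing


if __name__ == "__main__":
    gone = find_transient_messages(parse_gateway_log(GATEWAY_LOG),
                                   preserved_message_ids(PRESERVED_RAW))
    for r in gone:
        print(f"{r['ts']} {r['msgid']} {r['sender']} -> {r['rcpt']} "
              f"({r['direction']}) relayed but not in preserved store")
```

Two caveats for anyone running this for real. Message-ID is set by the sending client and can be missing, duplicated or rewritten by a gateway, so a production version should fall back to matching on timestamp plus sender and recipient when the ID does not line up. And the gateway's own logs are usually on a short rotation schedule, so they need to be copied off as early as the mail store itself.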

This principle extends to every system in a complex network.  It is far rarer to find an isolated system than one that interfaces to at least one other system.  And that second system can validate claims of preservation, or invalidate them.  That's why you need a technical expert for preservation, and why the judge, magistrate or arbitrator needs one as well.

The other thing that's currently missed is the hard disks and other storage devices from the personal computers and devices of any interesting parties.  They can preserve what they have on hand, but what if it's already gone?  A recovery specialist (a.k.a. forensic computer expert) can go through a hard drive rapidly and see if there's any interesting material that's been deleted.  So long as you are paying the expert to do the looking, this isn't onerous to the producing party; it's just a couple of hours of tech time to image the original drive so they can keep working from the copy and hand you the original.  But they'll object that there are other materials on that drive that aren't relevant and may be proprietary or protected.  Which brings us back to the expert.  If the material in question is important enough, an agreement can be made regarding what the expert can look for and how.  By limiting the scope, and including a non-disclosure agreement, it may be possible to produce material that was deleted.  This is a simplification, but it mostly comes down to how important the possibly deleted materials may be.  In most major cases, it is probably an easy stretch to include these materials, and they can be invaluable to proving a point.

So, attorneys, please include qualified expert assistance in cases where the additional outlay is worthwhile.  It probably isn't going to cost more than you can handle, and it can be very worthwhile.

And for more possible sources, don't forget employees' personally owned computers, smart phones, and memory sticks.  There are a lot of places for valuable data to hide, and all of it is potentially viable material.  If the company permits personnel to store work materials on personal data storage devices, those devices should be within scope.  Which is why every company today should have a policy and controls in place to protect employees by restricting what company material can be copied to non-company devices.

Contact Digital Trust regarding assistance with developing a complete scope for your discovery efforts, but, attorneys, please do not list us as an expert without a contract.  Always contact a lawyer for legal advice, and do not construe this technical advice as legal advice.  Digital Trust assumes no liability for use of this free advice.

This post is copyright 2010 Digital Trust, LLC.  Replication for internal company use is permitted provided this notice remains attached.  No other private or public re-use is permitted without consent.

There is no shortage of Infosec professionals.

There is no shortage of Infosec professionals, as recently bandied about in various news circles and blogs.  But there is a shortage of companies willing to pay for the talent.

Number-wise, how many people attend Black Hat?  5,000?  How many people attend the two big US SANS events?  10,000?  And a lot of folks can't make it every year, so the real number is a lot larger.  Admittedly, most of them have jobs, or limited talents, but that's the glory of a free market.  Pay them enough and they'll come work for you.  It's a good system, because the talent gets drawn to where the most demand is, and then lower positions come open for personnel with lower skill sets.

The problem is, some people want the talent they get in a 10 year veteran, in a middle to low salary range.  Not going to happen.  It takes years to train people up in security.  There’s no magic certificate.  Security talent is less numerous than some professions because it’s *hard*.  Infosec folks never stop going to school.  Worse, school’s expensive.  It takes a lot of personal time to pick up the general skillset.  You can make a firewall technician fairly easily, but they won’t know how to spot a lot of attacks; you’ll be on the growth curve.

But there is no shortage of talent, just a shortage of cheap talent.

The Kato Method

Clouseau and Kato. Red Team and Blue Team. Building kaizen into corporate security practices.

There's a rule in operations that during an event, you are only going to be (at best) 50% as good as you were when practicing.  Which makes practice and critical evaluation very important to anyone in an incident response field.  Whether we're talking law enforcement, fire response, or computer security, the same rule of thumb applies.  Most computer security response teams train informally, if at all, on an annual basis.  That's not nearly good enough; otherwise your company wouldn't fail that annual penetration test every year.

In the classic films about the Pink Panther, Inspector Clouseau’s butler Kato tries to keep his boss on his toes by constantly plotting surprise attacks.  The ongoing potential for conflict is Clouseau’s unorthodox training regimen.

While the Pink Panther was just a movie, there’s potential in the idea of having a Kato.  Because real computer security incidents happen infrequently, there is opportunity for practice by internal team members.  Most companies get their practice annually in the form of a penetration test, which isn’t nearly enough.  These tests usually involve external agencies, and transfer of knowledge is questionable at best.  There simply is not time during an engagement to provide the service and educate the client’s personnel.  Likewise, there may be annual training, but it’s limited, and thin, and not integrated into an ongoing practice, which means it atrophies.

But what if Kato was on your payroll?  If your internal security personnel were encouraged to test the defenses, they could learn a great deal.  What if they were given bonuses for gaining access?  Sure, they know the layout; that's half the point, because one day you may face attackers who know it just as well.  By having your internal people test on an ongoing basis, under agreed rules of engagement, naturally, you get into the habit of constant vigilance.  By trading off roles in the process, you ensure no one person becomes a bottleneck in the security profile.  Your company becomes much, much more capable.

And it’s great management.  You get a real opportunity to establish some team spirit, and boost individual pride.

Take a tip from an old movie, and get a Kato process going in your company.  Clouseau considered it a best practice.

This blog and its contents copyright 2010 Digital Trust, LLC.  All referenced trademark and copyrighted materials are the property of their respective owners.  Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing.  Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.

UN Courier Scam

A new twist on some old material has surfaced.  This scam involves a person phoning you and asking you to transfer some funds so that they can release some international packages that have come in for you from overseas.  They may claim to be a UN courier, or some other person.  Don't fall for it, not even if they claim to be something sensible, like USPS or UPS.  Customs duties are collected by the carrier or at your local main post office or shipping center, where you deal with them in person; wiring money to someone who phoned you isn't how it works.

This notice may be freely copied and redistributed.

Digital Trust, LLC

Password Change Frequency

Holding users to a standard frequency of password changes is an expensive legacy security requirement. Make it longer and cut support costs without decreasing security or increasing risk.

Password change frequency rose out of a government and industrial complex need (in other words, people concerned with spies) to protect information assets from internal threats. Back in the day, computers weren't networked, so outsiders weren't really an issue. It was the insider that was the threat, and the only people with computers were big companies and governments. Limitations in security technology and sophistication at the time meant an idea like forced password changes every 90 days was the best solution. At the time.

And for governments, defense contractors, or anyone genuinely worried about industrial espionage or trade secret theft, password aging may still make sense.

But for the rest of the business world, the interval between forced password changes can be much more liberal. Like yearly. Established dogma may say otherwise, but you will never, ever hear a penetration tester (white hat hacker) or a criminal say: "I wish they didn't change their passwords so often." It's not an issue when breaking into accounts.

The fact is, periodic password changes have never by themselves kept someone out of a system. Worse, forcing users to change frequently leads to poor password choices (Mother1, Mother2, and so on), making it easier for attackers to break in.

With modern security techniques and options, the time has come to treat change frequency as one choice among a broad range of possibilities, not as a mandatory security setting.

First, rotation won't reveal a compromise unless that compromise is very simplistic, i.e., an internal user fooling around. Which is a risk, but any damage they do is very likely to occur within the frequency window regardless.

A better option is to watch for login failures. Even if someone picks "mother" for a password, unless it's among the attacker's first few guesses, if you're watching for failures you're going to spot the attempt. Alerting on attempts is much, much better than discovering an account is compromised 90 days after the fact.

And once a bad guy from outside gets inside, rotation isn't going to stop anything they do. You need detection.

Password complexity is what buys time for detection. Each extra character class multiplies the guesses an attacker has to make, and security is about delaying the attacker until alarms go off and personnel can respond. But if other settings like lockout and alerting are set up correctly, complexity doesn't have to mean passwords so shockingly hard that users have no choice but to write them down. Mixed case, letters, and numbers are plenty strong enough to provide a window for detection.

But educating users to pick something other than Mother1 is an additional effort. The users have to be part of the solution, and the security operation needs to periodically audit passwords as part of an overall effort.

Detection of failed attempts is the key. It lets you pick up internal and external access attempts and deal with them before they become a compromise. And complexity helps.
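Failed-login detection of the kind the post argues for, as an added example (this is not code from the original post or from Digital Trust): a sliding-window detector run over constructed OpenSSH-style auth log lines. It flags a burst of failures against one account, a success that follows such a burst, and one source trying a few passwords against many accounts, which a per-account lockout threshold never trips. The thresholds, the window and the sample lines are assumptions for the example and would be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (not a real capture).
# alice: five failures then a success within ten seconds (guessing that worked).
# 10.0.0.9: one failure each against four accounts (password spraying).
# bob from 10.0.0.7: two failures an hour apart (noise; must not alert).
SAMPLE_LOG = """\
Mar  3 09:00:01 host sshd[101]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Mar  3 09:00:03 host sshd[101]: Failed password for alice from 10.0.0.5 port 51002 ssh2
Mar  3 09:00:04 host sshd[101]: Failed password for alice from 10.0.0.5 port 51003 ssh2
Mar  3 09:00:06 host sshd[101]: Failed password for alice from 10.0.0.5 port 51004 ssh2
Mar  3 09:00:07 host sshd[101]: Failed password for alice from 10.0.0.5 port 51005 ssh2
Mar  3 09:00:09 host sshd[101]: Accepted password for alice from 10.0.0.5 port 51006 ssh2
Mar  3 09:10:00 host sshd[102]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar  3 09:10:01 host sshd[102]: Failed password for carol from 10.0.0.9 port 51011 ssh2
Mar  3 09:10:02 host sshd[102]: Failed password for invalid user dave from 10.0.0.9 port 51012 ssh2
Mar  3 09:10:03 host sshd[102]: Failed password for erin from 10.0.0.9 port 51013 ssh2
Mar  3 11:00:00 host sshd[103]: Failed password for bob from 10.0.0.7 port 51020 ssh2
Mar  3 12:00:00 host sshd[103]: Failed password for bob from 10.0.0.7 port 51021 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2010):
    """Return (timestamp, result, user, source), or None for lines we ignore.
    Syslog lines carry no year, so the caller supplies it (assumed 2010 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def _expire(dq, now, window_seconds):
    """Drop events that have fallen out of the sliding window (dq holds (ts, ...) tuples)."""
    while dq and (now - dq[0][0]).total_seconds() > window_seconds:
        dq.popleft()


def detect(lines, user_threshold=5, spray_threshold=4, window_seconds=300):
    """Sliding-window failed-login detection over auth log lines.

    Alerts on: one account failing user_threshold times inside the window
    (brute-force); a success for an account that just had such a burst
    (success-after-failures, i.e. the guess worked); and one source failing
    against spray_threshold distinct accounts inside the window (spray).
    Each (kind, subject) pair fires once, to avoid alert storms."""
    alerts, fired = [], set()
    by_user = defaultdict(deque)   # user -> deque of (ts,)
    by_src = defaultdict(deque)    # src  -> deque of (ts, user)

    def fire(kind, subject, detail, ts):
        if (kind, subject) not in fired:
            fired.add((kind, subject))
            alerts.append({"kind": kind, "subject": subject, "detail": detail, "ts": ts})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        _expire(by_user[user], ts, window_seconds)
        _expire(by_src[src], ts, window_seconds)
        if result == "Accepted":
            # A login right after a burst of failures is the one worth waking someone for.
            if len(by_user[user]) >= user_threshold:
                fire("success-after-failures", user, src, ts)
            continue
        by_user[user].append((ts,))
        by_src[src].append((ts, user))
        if len(by_user[user]) >= user_threshold:
            fire("brute-force", user, src, ts)
        sprayed = sorted({u for _, u in by_src[src]})
        if len(sprayed) >= spray_threshold:
            fire("spray", src, ",".join(sprayed), ts)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']:%H:%M:%S} {a['kind']:<23} {a['subject']:<10} {a['detail']}")
```

The two failures an hour apart for bob never alert because they never share a window, which is the whole point of a window: it separates a forgotten password from an attack. A lockout policy on its own would stop alice's attacker after a few tries but would say nothing about the source that spread its guesses across four accounts, and it is the complexity requirement that makes five guesses an unlikely place to succeed.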
As for cost savings, doubling the password lifespan roughly halves the help desk calls for expired passwords and the lockouts that follow them. Not a bad gain. Go from quarterly to annually and you get four times the savings, but beware of the risk of appearing to act recklessly. If it comes up in a legal case, the other side will use it to paint you as careless; you need to be able to demonstrate that the decision was thought through.

No single security setting is the answer, though, and without additional controls and a proper risk management program, any controls in place may be worse than useless, leading to a false sense of security. Have a professional review your company's security practices, including password change frequency.
Digital Trust, LLC

This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.

Partnering & Subcontracting (for peers and customers)

Digital Trust was recently approached by a foreign company asking if they could list us as a partner and use us as overflow on jobs. A few things come to mind here, for professionals in the field as well as for consumers of our services.
First, as consumers, particularly in regulated industries, you need to be certain whom you are dealing with. In pentesting especially, you must be confident that your corporate security secrets are going to be handled in a way that assures you everything is protected. When a vendor subcontracts, business consumers end up with twice the headache, because most regulated industries cannot rely on a chain of contractual responsibility. Healthcare in particular requires knowledge of the actual people and business entities in contact with healthcare information.
Companies can get around this limitation by referring the subcontracting company directly to the business consumer. This is, unfortunately, very distasteful to some companies, because they fear they may lose future business. It is, however, the only legitimate way to conduct business like this. If you can’t offer the service yourself, you’ll need to refer security work, not subcontract it. Business consumers, be sure to watch out for this. In the middle of a lawsuit is not the time to find out your favorite systems integrator has been holding out on you.

Furthermore, if you do expert witness work, and most security companies do, affiliating yourself with another company can complicate your testimony options. For all parties. In the same way that experts tell lawyers not to list them without contract, experts and professionals should also remain unaffiliated unless they’ve worked out all the risks and exposures. A hypothetical example: security expert Dosko is affiliated with company EZ Bank Inspection, and EZ has a client, Town-group, that EZ does PCI inspections for. Town-group gets hacked and in the quest for deep pockets, Town-group sues Dosko because he’s affiliated and should have done something about the underlying problem. Dosko has a very unpleasant couple months trying to get out from under the net that Town-group is casting.

If you think you need to protect yourself, insurance is one option. And to be on the safe side, Google your company name once in a while, just to see if someone is capitalizing on your brand.
Digital Trust, LLC

This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.

Aurora Who?

More details have recently been released regarding the Aurora hacking event in the news, and now enough detail has been made public to take some measured steps as responsible corporate citizens. First off, a roadmap can be found here. Any company with an online presence should take this roadmap, compare it to the data security practices currently in place, and run a tabletop exercise if possible to see how they might hold up. Shore up security as necessary so that you do not become a victim of this sort of effort. And don't delay; despite being found out, this activity will hardly cease. If you are a high profile target, then exceeding this level of sophistication is critical for safely conducting your business activities.

Digital Trust, LLC

This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name, link, or this paragraph is removed.

Shameless Plugs vs Shameful Plugs

In a conversation on a popular networking site, it was suggested to the membership that a particular vendor selling a (barely) relevant product was a “great deal”. Curiosity piqued, we investigated and quickly found out that not only was it not a great deal, it was also not from a friendly source. The user in question was pitching his own product, something that’s all too common in online threads and forums.

It's an old trick, from the snake oil days or earlier: if you want to sell something, you employ a "shill" to work the audience by asking leading questions or offering testimonials about the product's effectiveness. Whether the product is worthwhile or not is immaterial; the fact is you're being played by a dishonest sales technique.

There has been a flood of get-rich-quick schemes in the past decade, and they are becoming quite sophisticated. Whether it's junk medicine or hucksters pushing trash at you, it's now a big business. The real eels are the ones selling the techniques and books. Greed knows no satiation, so they're not going to stop anytime soon, and so far, we haven't made taking advantage of gullible people a crime short of a true con.
The point of this post is this, just because you hear it in a forum full of trusted individuals doesn’t mean
a) that you can trust the particular individual
b) that the individual is really who you think it is
c) that it's factual
Never hesitate to question authority. If they’re genuine, they won’t mind, and if they get angry, you’ll know you’re onto them and can act accordingly.
Too many people are shelling out money without all the facts. Double check the facts. Because once you part with your money, it’s gone forever. And Bob14 on is not the financial wizard he claims to be. Albert9, a guy shamelessly plugging gold coins from owns the site, but failed to let you know that. These clowns troll the Internet at all levels looking for ways to shamefully scam you out of your money. Even warned, it’s sometimes difficult to spot the ruse.
Digital Trust, LLC

This blog and its contents copyright 2010 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name or this paragraph is removed.

Data Destruction Presentation

We will be presenting a seminar on data destruction open to all at East Stroudsburg University on 2/24/10 6pm EST.

Room 340, Science and Technology Center
East Stroudsburg University of Pennsylvania

Secure disposal of confidential information is a critical part of any organization's data security program. This discussion will cover why destruction is necessary, what to destroy, different ways to destroy it, and errors sometimes made in the destruction process. Legal issues will be examined, and demonstrations of several common destruction and verification technologies will be shown.

Digital Trust, LLC


Old Scam Rides Again

The Jury Duty scam from a few years back has resurfaced; hard to keep something this good buried. Someone will call claiming you missed your jury duty and how much trouble you're in, and then they'll ask for your personal data to take you off the bad list. It probably sounds convincing enough for most people to fall for. Don't rely on the caller ID (it can be spoofed), and don't give out any information. See more here.

Feel free to redistribute.
Digital Trust, LLC