OK, how many of you out there have a lawyer you'd call a friend? Oh,
come on now. There must be a few of you. No, this is not a lawyer joke
or a rant at the expense of attorneys. By the end of this article those
of you muttering in the back of the room should want to review your
company's -- and maybe even your personal -- policies regarding the legal
aspects of IT.
Along with the IT security consulting that I do, I also review forensic
data. The technical part isn't rocket science, but it does require
patience, care, and a lot of detailed notes. I also deal with lawyers
and the legal aspects of evidence, digital data, and digital data as
evidence. The hard part in digital forensics seems to be policy and
dealing with the human factor.
It comes back to company policies. Always does, doesn't it?
Let's start with an example -- a 'composite' drawn from a couple of
recent cases. All of the elements are real; they may just have come from
more than one case so that I can maintain the clients' privacy.
Company X calls and says they need to have the computer used by a former
employee examined. Their concern is that the employee who recently left
is now working for their competitor, and it seems the competition has
just bid on a contract for developing some new widget that looks an
awful lot like Company X's gadget.
They want to know whether I can find out if proprietary information or
protected intellectual property has been stolen.
Never say "Yes." Just say, "We'd be happy to review the drive in a
forensically clean process, and if the drive has that information, we'll
find it."
It's all about the facts and the data -- not inferences and surmises.
That's what the lawyers get paid to do as they build cases from all of
the details from digital and traditional investigations.
The system had been accessed by IT staff, at the specific request
of management, to 'copy files over to a server'.
The person telling me all of this averted his eyes and carefully
inspected his shoes. I think I may have been glaring, dumbstruck.
At this point, it's hard to call this a "forensics" case. Anyway, I
suggested that it was good to at least know these things. Perhaps I
could determine what had happened on a timeline and show what may or may
not have been done while the former employee was responsible for the
computer.
In the end, I did find some facts that were useful to the lawyers' teams
in each case. But the important part, again, wasn't technical -- it was
the process.
What should the process be for the termination, transfer, or promotion
of any employee with access to sensitive company or personnel
information? Out-brief letters, signing or re-signing non-compete and
non-disclosure agreements, a review of transaction logs and the data on
the system, all jump to mind as good standard practice.
Why does a sensitive development system have internet access? Why are
employees using web-mail that won't have company transaction logs or
email records? For those in companies with Sarbanes-Oxley or
Gramm-Leach-Bliley requirements, this could be a regulatory violation,
too.
User-installed software is a great vector for Trojan horses and other
malicious programs, so it should be avoided at all costs. This untested
software could also simply introduce incompatibilities that crash
programs or degrade the network.
CD-ROM burners used to be part of resource management. Some of you are
nodding... Remember when there was one burner and you had to get blank
CDs through some tracked process? "What are you copying and why?" had to
be answered first. Today, burners are literally everywhere.
And so are copies of software and data.
If someone leaves the company or a project, and there's enough of an
issue to keep a computer out of the network, shouldn't that be a hint
that something more formal should be done to keep track of the box?
Don't wait three months. And don't turn on the system to check things
out and copy a few files. If a computer needs to be 'examined', and
there is any chance it may be key in upcoming litigation, you must
follow some pretty clear procedures that maintain a chain of custody and
a record of every access to the system.
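To make the "chain of custody and record of access" concrete, here is an added example (not the author's own tooling, and not how any particular forensic product does it) of the two checks that process exists to support: the evidence image is hashed at acquisition and re-verified before every use, and every acquisition, transfer and access is written to an append-only log in which each entry carries the hash of the previous one, so a deleted or edited entry is detectable. The evidence bytes, the evidence ID `EV-0001`, and the custodian names are constructed for the demo; in practice the acquisition hash is taken behind a write blocker and the log entries mirror what goes on the paper custody form.

```python
"""Chain-of-custody log with evidence-hash and log-integrity verification.

Added example; evidence bytes, IDs and custodian names are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of everything that happens to one evidence item.

    Each entry stores the hash of the previous entry, so removing or
    editing any earlier entry breaks the chain and verify_log() fails.
    """

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, evidence_id: str, image: bytes, custodian: str):
        self.evidence_id = evidence_id
        self.image_hash = sha256_hex(image)  # taken once, at acquisition
        self.entries = []
        self._append("acquired", custodian,
                     "bit-for-bit image created; write blocker in use")

    def _append(self, action: str, custodian: str, note: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "when": datetime.now(timezone.utc).isoformat(),
            "evidence_id": self.evidence_id,
            "action": action,
            "custodian": custodian,
            "note": note,
            "image_sha256": self.image_hash,
            "prev_hash": prev,
        }
        # Hash the entry body (everything except entry_hash itself).
        entry["entry_hash"] = sha256_hex(
            json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def record_transfer(self, src: str, dst: str, note: str = "") -> dict:
        return self._append("transferred", f"{src} -> {dst}", note)

    def record_access(self, custodian: str, note: str) -> dict:
        return self._append("accessed", custodian, note)

    def verify_image(self, image: bytes) -> bool:
        """Does this copy still match the hash taken at acquisition?"""
        return sha256_hex(image) == self.image_hash

    def verify_log(self) -> bool:
        """Every entry hashes to its stored value and links to its predecessor."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> tuple:
    """Walk through a clean workflow, then the two failures the process catches."""
    image = b"constructed evidence image: /home/user/gadget-specs.doc ..."
    log = CustodyLog("EV-0001", image, custodian="examiner-1")
    log.record_transfer("examiner-1", "evidence locker", "sealed, tamper-evident bag")
    log.record_access("examiner-1", "timeline analysis on verified working copy")
    clean = log.verify_image(image) and log.verify_log()

    # Failure 1: someone booted the box and "copied a few files" after acquisition.
    touched = image + b"\nnew file written after acquisition"
    image_still_ok = log.verify_image(touched)

    # Failure 2: someone edits an earlier log entry to hide what was done.
    log.entries[1]["note"] = "(edited after the fact)"
    log_still_ok = log.verify_log()

    return clean, image_still_ok, log_still_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of `verify_image` is not that an altered drive is hidden from you; it is that you can prove to opposing counsel which copy was examined and that it matched the acquisition hash every time it was used. The hash-chained log gives the same property to the access record itself.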
This, of course, brings us back to the lawyers.
It is essential that legal counsel be an active part of the policy
development and implementation team. Among other things, they need to
help determine what is private and what isn't. Anyone dealing with
European-based firms or offices knows the E.U. privacy laws are very
different from those in North America.
As an IT department decides what to check for policy compliance
measures, they should also talk to the lawyers so they know how to
handle what may become evidence in either a civil or criminal case.
Remember, forensics is generally what gets done after something bad
happens. There's a lot of homework and preparation that should come
beforehand.
Oh, if you're ever a defendant, you want your counsel to be more of a
friend than just another lawyer. In one of the parts of this composite
story, it became pretty clear that the person under scrutiny wasn't
doing anything wrong. They were just unpopular.
So, go meet a lawyer. She will help you understand a crucial and
under-appreciated aspect of the business world.
By the way, in each of the cases that made up the composites, data was
discovered that pre-dated the employee in question -- and some of it
wasn't good at all. We found snippets of emails to and from competing
companies, and address books with entries for competitors. Of course, we
found where some employees had been surfing the Web for a new car or
clothing.
And we did find, in one case, where an employee had been surfing
pornographic Web sites in violation of company policies. When the
company further investigated this same employee, they found he was still
viewing porn on the job and he received an administrative warning. And
yes, any one of a dozen ways to block sites would have helped, but this
company hadn't put policy enforcement processes in place.
Bob Hillery, a former computer and security manager for the U.S.
Navy, is a founder of Intelguardians, LLC, a security consultancy. With
experience in the corporate, military and academic worlds, he now also
is an instructor with the SANS Institute.