Disaster recovery & business continuity
•Télécharger en tant que PPT, PDF•
1 j'aime•2,630 vues
Information Technology & Management Program
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Disaster recovery & business continuity
Similaire à Disaster recovery & business continuity (20)
Plus de Dhani Ahmad
Plus de Dhani Ahmad (20)
Dernier
Dernier (20)
Disaster recovery & business continuity
- 1. TransformingLives. InventingtheFuture. www.iit.edu I ELLINOIS T UINS TI T OF TECHNOLOGY ITM 578 1 DisasterRecovery & Business Continuity Ray Trygstad ITM 478/578 Spring 2004 Master of Information Technology & Management Program CenterforProfessional Development Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003
- 2. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 2 ILLINOIS INSTITUTE OF TECHNOLOGY Learning Objectives Upon completion of this lesson the student should be able to: – Describe what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning. – Discuss the elements that comprise a business impact analysis and the information that is collected for the attack profile. – Recognize the components of an incident response plan.
- 3. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 3 ILLINOIS INSTITUTE OF TECHNOLOGY Learning Objectives Upon completion of this lesson the student should be able to: – Explain the steps involved in incident reaction and incident recovery. – Define the disaster recovery plan and its parts. – Define the business continuity plan and its parts. – Discuss the reasons for and against involving law enforcement officials in incident responses and when may be required.
- 4. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 4 ILLINOIS INSTITUTE OF TECHNOLOGY FIGURE 7-1 Contingency Planning and the SecSDLCContingency Planning and the SecSDLC Contingency Planning Design: planning for continuty Chapter 7 Investigate Analyze Implement Maintain Physical Design
- 5. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 5 ILLINOIS INSTITUTE OF TECHNOLOGY Continuity Strategy Managers must provide strategic planning to assure continuous information systems availability ready to use when an attack occurs Plans for events of this type are referred to in a number of ways: – Business Continuity Plans (BCPs) – Disaster Recovery Plans (DRPs) – Incident Response Plans (IRPs) – Contingency Plans
- 6. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 6 ILLINOIS INSTITUTE OF TECHNOLOGY Continuity Strategy Large organizations may have many types of plans, small organizations may have one simple plan, but most have inadequate planning
- 7. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 7 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Planning Components of Contingency Planning (CP): – Incident Response Planning (IRP) – Disaster Recovery Planning (DRP) – Business Continuity Planning (BCP)
- 8. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 8 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Planning The primary functions of these three planning components: – IRP focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP – DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP – BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources
- 9. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 9 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Planning Team Before any planning can begin, a team has to plan the effort and prepare the resulting documents Champion - A high-level manager to support, promote, and endorse the findings of the project
- 10. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 10 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Planning Team Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
- 11. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 11 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Planning Hierarchy ContingencyContingency PlanningPlanning DisasterDisaster RecoveryRecovery IncidentIncident ResponseResponse BusinessBusiness ContinuityContinuity FIGURE 7-2 Contingency Planning Hierarchy
- 12. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 12 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Planning Timeline FIGURE 7-3 Contingency Planning Timeline Incident Response (IRP)Incident Response (IRP) Disaster Recovery Planning (DRP)Disaster Recovery Planning (DRP) Business Continuity (BCP)Business Continuity (BCP) Attack Post Attack (hours) Post Attack (days)
- 13. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 13 ILLINOIS INSTITUTE OF TECHNOLOGY Major Steps in Contingency Planning Identification ofIdentification of threats and attacksthreats and attacks Business unit analysisBusiness unit analysis Scenarios ofScenarios of successful attackssuccessful attacks Assessment ofAssessment of potential damagespotential damages Classification ofClassification of subordinate planssubordinate plans IncidentIncident planningplanning IncidentIncident detectiondetection IncidentIncident reactionreaction IncidentIncident recoveryrecovery Plan forPlan for disasterdisaster recoveryrecovery CrisisCrisis ManagementManagement RecoveryRecovery operationsoperations EstablishEstablish ContinuityContinuity strategystrategy Plan forPlan for continuity ofcontinuity of operationsoperations ContinuityContinuity managementmanagement Incident response planning Business impact analysis (BIA) Disaster recovery planning Business continuity planning FIGURE 7-4 Major Steps in Contingency Planning
- 14. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 14 ILLINOIS INSTITUTE OF TECHNOLOGY Business Impact Analysis Begin with Business Impact Analysis (BIA) if the attack succeeds, what do we do then? The CP team conducts the BIA in the following stages: 1.Threat attack identification 2.Business unit analysis 3.Attack success scenarios 4.Potential damage assessment 5.Subordinate plan classification
- 15. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 15 ILLINOIS INSTITUTE OF TECHNOLOGY Threat Attack Identification & Prioritization Update threat list with latest developments and add the attack profile The attack profile is the detailed description of activities during an attack Must be developed for every serious threat the organization faces Used to determine the extent of damage that could result to a business unit if the attack were successful
- 16. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 16 ILLINOIS INSTITUTE OF TECHNOLOGY Table 7-1 – Attack Profile Date of AnalysisDate of Analysis Attack name & descriptionAttack name & description Threat & probable threat agentThreat & probable threat agent Known or possible vulnerabilitiesKnown or possible vulnerabilities Likely precursor activities or indicatorsLikely precursor activities or indicators Likely attack activities or indicators of attack inLikely attack activities or indicators of attack in progressprogress Information assets or risk from this attackInformation assets or risk from this attack Damage or loss to information assets likelyDamage or loss to information assets likely from this attackfrom this attack Other assets at risk from this attackOther assets at risk from this attack Damage or loss to other assets likely from thisDamage or loss to other assets likely from this attackattack TABLE 7-1 Attack Profile
- 17. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 17 ILLINOIS INSTITUTE OF TECHNOLOGY Business Unit Analysis The second major task within the BIA is the analysis and prioritization of business functions within the organization Identify the functional areas of the organization and prioritize them as to which are most vital Focus on a prioritized list of the various functions the organization performs
- 18. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 18 ILLINOIS INSTITUTE OF TECHNOLOGY Attack Success Scenario Development Next create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area with: – details on the method of attack – the indicators of attack – the broad consequences Attack success scenarios details are added to the attack profile including: – Best case – Worst case – Most likely alternate outcomes
- 19. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 19 ILLINOIS INSTITUTE OF TECHNOLOGY Potential Damage Assessment From the attack success scenarios developed, the BIA planning team must estimate the cost of the best, worst, and most likely cases Costs include actions of the response team This final result is referred to as an attack scenario end case
- 20. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 20 ILLINOIS INSTITUTE OF TECHNOLOGY Subordinate Plan Classification Once potential damage has been assessed, a subordinate plan must be developed or identified Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario An attack scenario end case is categorized as disastrous or not The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack
- 21. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 21 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Response Planning Incident response planning covers the identification of, classification of, and response to an incident An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
- 22. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 22 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Response Planning Attacks are only classified as incidents if they have the following characteristics: – Are directed against information assets – Have a realistic chance of success – Could threaten the confidentiality, integrity, or availability of information resources IR is more reactive, than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident
- 23. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 23 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Planning The pre-defined responses enable the organization to react quickly and effectively to the detected incident This assumes two things: – first, the organization has an IR team – second, the organization can detect the incident The IR team consists of those individuals needed to handle the systems as incident takes place
- 24. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 24 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Planning The military process of planned team responses can be used in an incident response The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident These plans must be properly organized and stored
- 25. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 25 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Response Plan Format and Content – The plan must be organized to support quick and easy access to the information needed Storage – The plan should be protected as sensitive information – On the other hand, the organization needs this information readily available
- 26. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 26 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Response Plan Testing – An untested plan is not a useful plan. The levels of testing strategies can vary: – Checklist – Structured walk-through – Simulation – Parallel – Full-interruption
- 27. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 27 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Detection The most common occurrence is a complaint about technology support, often delivered to the help desk Possible detections: – intrusion detection systems, both host-based and network-based – virus detection software – systems administrators – end users Only through careful training can the organization hope to quickly identify and classify an incident Once an attack is properly identified, the organization can respond
- 28. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 28 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Indicators Possible indicators of incidents: – Presence of unfamiliar files – Unknown programs or processes – Unusual consumption of computing resources – Unusual system crashes Probable indicators of incidents: – Activities at unexpected times – Presence of new accounts – Reported attacks – Notification from IDS Definite indicators of incidents: – Use of dormant accounts – Changes to logs – Presence of hacker tools – Notifications by partner or peer – Notification by hacker Predefined situations that signal an automatic incident: – Loss of availability – Loss of integrity – Loss of confidentiality – Violation of policy – Violation of law
- 29. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 29 ILLINOIS INSTITUTE OF TECHNOLOGY Incident or Disaster When Does an Incident Become a Disaster? – the organization is unable to mitigate the impact of an incident during the incident – the level of damage or destruction is so severe the organization is unable to quickly recover – It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response
- 30. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 30 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Reaction Incident reaction consists of actions that guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident In reacting to the incident there are a number of actions that must occur quickly including: – notification of key personnel – assignment of tasks – documentation of the incident
- 31. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 31 ILLINOIS INSTITUTE OF TECHNOLOGY Notification of Key Personnel Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident Two ways to activate an alert roster: – A sequential roster is activated as a contact person calls each and every person on the roster – A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on
- 32. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 32 ILLINOIS INSTITUTE OF TECHNOLOGY The Alert Message The alert message is a scripted description of the incident, with just enough information so that everyone knows what part of the IRP to implement Can be prepared rapidly by filling in the blanks in a template included in the IRP
- 33. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 33 ILLINOIS INSTITUTE OF TECHNOLOGY Documenting an Incident Documenting the event is important: – First, it is important to ensure that the event is recorded for the organization’s records, to know what happened, and how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the even – Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident – Finally, the recorded incident can also be used as a simulation in future training sessions
- 34. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 34 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Containment Strategies Before an incident can be contained, the affected areas of the information and information systems must be determined The organization can stop the incident and attempt to recover control through a number of strategies including: – severing the affected circuits – disabling accounts – reconfiguring a firewall – The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization
- 35. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 35 ILLINOIS INSTITUTE OF TECHNOLOGY Incident Recovery Once the incident has been contained, and control of the systems regained, the next stage is recovery The first task is to identify the human resources needed and launch them into action The full extent of the damage must be assessed The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems
- 36. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 36 ILLINOIS INSTITUTE OF TECHNOLOGY Damage Assessment There are several sources of information: – including system logs – intrusion detection logs – configuration logs and documents – documentation from the incident response – results of a detailed assessment of systems and data storage Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings Individuals assessing damage need special training
- 37. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 37 ILLINOIS INSTITUTE OF TECHNOLOGY Recovery In the recovery process: – Identify the vulnerabilities that allowed the incident to occur and spread and resolve them – Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them – Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities
- 38. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 38 ILLINOIS INSTITUTE OF TECHNOLOGY Recovery In the recovery process: – Restore the data from backups – Restore the services and processes in use – Continuously monitor the system – Restore the confidence of the members of the organization’s communities of interest – Conduct an after-action review
- 39. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 39 ILLINOIS INSTITUTE OF TECHNOLOGY Automated Response New systems can respond to incidents autonomously Trap and trace uses a combination of resources to detect intrusion then trace back to source Trapping may involve honeypots or honeynets Entrapment is luring an individual into committing a crime to get a conviction Enticement is legal and ethical, while entrapment is not
- 40. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 40 ILLINOIS INSTITUTE OF TECHNOLOGY Disaster Recovery Planning Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster The contingency planning team must decide which actions constitute disasters and which constitute incidents When situations are classified as disasters plans change as to how to respond - take action to secure the most valuable assets to preserve value for the longer term even at the risk of more disruption DRP strives to reestablish operations at the ‘primary’ site
- 41. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 41 ILLINOIS INSTITUTE OF TECHNOLOGY DRP Steps There must be a clear establishment of priorities There must be a clear delegation of roles and responsibilities Someone must initiate the alert roster and notify key personnel Someone must be tasked with the documentation of the disaster If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization
- 42. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 42 ILLINOIS INSTITUTE OF TECHNOLOGY Crisis Management Crisis management is actions taken during and after a disaster focusing on the people involved and addressing the viability of the business The crisis management team is responsible for managing the event from an enterprise perspective and covers: – Supporting personnel and families during the crisis – Determining impact on normal business operations and, if necessary, making a disaster declaration – Keeping the public informed – Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
- 43. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 43 ILLINOIS INSTITUTE OF TECHNOLOGY Disaster Recovery Planning Establish a command center to support communications Includes individuals from all functional areas of the organization to facilitate communications and cooperation Some key areas of crisis management include: – Verifying personnel head count – Checking the alert roster – Checking emergency information cards
- 44. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 44 ILLINOIS INSTITUTE OF TECHNOLOGY DRP Structure Similar to the IRP, DRP is organized by disaster, and provides procedures to execute during and after a disaster Provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified Just as the IRP must be tested, so must the DRP, using the same testing mechanisms Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters
- 45. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 45 ILLINOIS INSTITUTE OF TECHNOLOGY Business Continuity Planning Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
- 46. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 46 ILLINOIS INSTITUTE OF TECHNOLOGY Continuity Strategies There are a number of strategies for planning for business continuity The determining factor in selection between these options is usually cost In general there are three exclusive options: – hot sites – warm sites – cold sites And three shared functions: – timeshare – service bureaus – mutual agreements
- 47. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 47 ILLINOIS INSTITUTE OF TECHNOLOGY Off-Site Disaster Data Storage To get these types of sites up and running quickly, the organization must have the ability to port data into the new site’s systems These include: – Electronic vaulting - The bulk batch-transfer of data to an off-site facility. – Remote Journaling - The transfer of live transactions to an off-site facility; only transactions are transferred not archived data, and the transfer is real-time. – Database shadowing - Not only processing duplicate real- time data storage, but also duplicates the databases at the remote site to multiple servers.
- 48. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 48 ILLINOIS INSTITUTE OF TECHNOLOGY Model for IR/DR/BC Plan The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations
- 49. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 49 ILLINOIS INSTITUTE OF TECHNOLOGY The Planning Document 1. Establish responsibility for managing the document, typically the security administrator 2. Appoint a secretary to document the activities and results of the planning session(s) 3. Independent incident response and disaster recovery teams are formed, with a common planning committee
- 50. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 50 ILLINOIS INSTITUTE OF TECHNOLOGY The Planning Document 4. Outline the roles and responsibilities for each team member 5. Develop the alert roster and lists of critical agencies 6. Identify and prioritize threats to the organization’s information and information systems
- 51. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 51 ILLINOIS INSTITUTE OF TECHNOLOGY The Planning Process There are six steps in the Contingency Planning process: 1. Identifying the mission- or business-critical functions 2. Identifying the resources that support the critical functions 3. Anticipating potential contingencies or disasters 4. Selecting contingency planning strategies 5. Implementing the contingency strategies 6. Testing and revising the strategy
- 52. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 52 ILLINOIS INSTITUTE OF TECHNOLOGY Using the Plan During the incident After the incident Before the incident
- 53. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 53 ILLINOIS INSTITUTE OF TECHNOLOGY Contingency Plan
- 54. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 54 ILLINOIS INSTITUTE OF TECHNOLOGY Law Enforcement Involvement When the incident at hand constitutes a violation of law the organization may determine that involving law enforcement is necessary There are several questions, which must then be answered: – When should the organization get law enforcement involved? – What level of law enforcement agency should be involved: local, state, or federal? – What will happen when the law enforcement agency is involved? Some of these questions are best answered by the organization’s legal department
- 55. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 55 ILLINOIS INSTITUTE OF TECHNOLOGY Local, State, or Federal Authorities Selecting the level of law enforcement depends on the level and type of crime discovered: – The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies – The US Secret Service works with crimes involving US currency, counterfeiting, credit cards, identity theft, and other crimes – The US Treasury Department has a bank fraud investigation unit and the Securities and Exchange Commission has investigation and fraud control units as well
- 56. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 56 ILLINOIS INSTITUTE OF TECHNOLOGY State Investigative Services Each state has its own version of the FBI (except Illinois! – interesting story why not) These state agencies arrest individuals, serves warrants, and generally enforce laws on property that is owned by the state or any state agency In Illinois, computer crime is the responsibility of the State of Illinois High Tech Crime Bureau, part of the Attorney General’s Office
- 57. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 57 ILLINOIS INSTITUTE OF TECHNOLOGY Local Law Enforcement Local agencies enforce all local and state laws and handle suspects and security crime scenes for state and federal cases Local law enforcement agencies seldom have a computer crimes task force, but most investigative (detective) units are capable of processing crime scenes, and handling most common criminal activities and the apprehension and processing of suspects of computer related crimes
- 58. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 58 ILLINOIS INSTITUTE OF TECHNOLOGY Benefits of Law Enforcement Involvement Involving law enforcement agencies has advantages: – Agencies may be much better equipped at processing evidence than private organizations – Unless the organization has staff trained in forensics they may less effective in convicting suspects
- 59. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 59 ILLINOIS INSTITUTE OF TECHNOLOGY Benefits of Law Enforcement Involvement Involving law enforcement agencies has advantages: – Law enforcement agencies are also prepared to handle the warrants and subpoenas needed – Law enforcement skilled at obtaining statements from witnesses, completing affidavits, and other information collection
- 60. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 60 ILLINOIS INSTITUTE OF TECHNOLOGY Drawbacks to Law Enforcement Involvement Involving law enforcement agencies has disadvantages: – On the downside, once a law enforcement agency takes over a case, the organization loses complete control over the chain of events – The organization may not hear about the case for weeks or even months
- 61. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 61 ILLINOIS INSTITUTE OF TECHNOLOGY Drawbacks to Law Enforcement Involvement Involving law enforcement agencies has disadvantages: – Equipment vital to the organization’s business may be tagged as evidence, to be removed, stored, and preserved until it can be examined for possible support for the criminal case – However, if the organization detects a criminal act, it is a legal obligation to involve the appropriate law enforcement officials
- 62. Transfo rm ing Live s. Inve nting the Future . www.iit.edu ITM 578 62 ILLINOIS INSTITUTE OF TECHNOLOGY The End… Questions?
Notes de l'éditeur
- Learning Objectives: Upon completion of this material you should be able to: Know what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning. Understand the elements that comprise a business impact analysis and the information that is collected for the attack profile. Recognize the components of an incident response plan and the components of the planning process. Define the disaster recovery plan and its parts. Define the business continuity plan and its parts. Grasp the reasons for and against involving law enforcement officials in incident responses and when it is required.
- Learning Objectives: Upon completion of this material you should be able to: Know what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning. Understand the elements that comprise a business impact analysis and the information that is collected for the attack profile. Recognize the components of an incident response plan and the components of the planning process. Define the disaster recovery plan and its parts. Define the business continuity plan and its parts. Grasp the reasons for and against involving law enforcement officials in incident responses and when it is required.
- Introduction So far you have: Identified the following the problems facing the organization Assessed a value for the organization’s information assets Analyzed the threats in the organization’s environment Identified potential vulnerabilities Assessed the risks associated with current levels of the organization’s exposure Prepared solid business reasons to support the risk strategy the organization should adopt for each information asset Begun to develop a security blueprint for future actions Outlined information security architecture or the necessary policies and technologies to guide the organization’s next steps. The next step is to examine the topic of contingency planning within the information security context.
- Continuity Strategy Managers in the IT and information security communities are called on to provide strategic planning to assure the organization of continuous information systems availability. Each must be ready to act when a successful attack occurs. Plans for events of this type are referred to in a number of ways: Business Continuity Plans (BCPs), Disaster Recovery Plans (DRPs), Incident Response Plans (IRPs), or Contingency Plans.
- In large, complex organizations, each of these named plans may represent separate but related planning functions, differing in scope, applicability, and design. In a small organization, the security or systems administrator may have one simple plan, which consists of a straightforward set of media backup and recovery strategies, and a few service agreements from the company’s service providers. Many organizations have a level of planning that is woefully deficient.
- We can classify Incident Response, Disaster Recovery, and Business Continuity planning, as components of Contingency Planning. Contingency Planning (CP) is the entire planning conducted by the organization to prepare for, react to and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal modes of business operations. Incident Response Planning (IRP) is the planning process associated with the identification, classification, response, and recovery from an incident. Disaster Recovery Planning (DRP) is the planning process associated with the preparation for and recovery from a disaster, whether natural or man-made. Business Continuity Planning (BCP) is the planning process associated with ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
- The primary functions of these three types of planning are: IRP focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP. DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP. BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources.
- Contingency Planning Team Before any planning can begin, a team has to plan the effort and prepare the resulting documents Champion - A high-level manager to support, promote, and endorse the findings of the project Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security Before any planning can begin, a team has to plan the effort and prepare the resulting documents. Champion. A high-level manager to support, promote, and endorse the findings of the project. Project Manager. Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed. Team Members. Should be the managers or their representatives from the various communities of interest: business, IT, and infosec
- Business Impact Analysis The first phase in the development of the CP process is the Business Impact Analysis or BIA. A BIA is an investigation and assessment of the impact that various attacks can have on the organization, and takes up where the Risk Assessment process leaves off. The BIA assumes that these controls have been bypassed, have failed, or are otherwise ineffective in stopping the attack, and that the attack was successful. The question asked at this point is, if the attack succeeds, what do we do then? Business Impact Analysis The CP team conducts the BIA in the following stages: Threat Attack identification Business unit analysis Attack success scenarios Potential damage assessment Subordinate plan classification
- Threat Attack Identification and Prioritization Most organizations have already performed the tasks of identifying and prioritizing threats. All that is required now is to update the threat list with the latest developments and add one additional piece of information, the attack profile. An attack profile is a detailed description of the activities that occur during an attack, must be developed for every serious threat the organization faces and are used to determine the extent of damage that could result to a business unit if the attack were successful.
- Business Unit Analysis The second major task within the BIA is the analysis and prioritization of business functions within the organization. The intent of this task is to identify the functional areas of the organization and prioritize them to determine which are most vital to the continued operations of the organization. Efforts in function analysis focus on the result of a prioritized list of the various functions the organization performs.
- Attack Success Scenario Development Next the BIA team must create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area with details on the method of attack, the indicators of attack, and the broad consequences. Then attack success scenarios with more detail are added to the attack profile, including alternate outcomes, describing a best, worst, and most likely case that could result from each type of attack on this particular business functional area.
- Potential Damage Assessment From the attack success scenarios developed above, the BIA planning team must estimate the cost of the best, worst, and most likely cases. These costs include the actions of the response team(s) described in subsequent sections as they act to quickly and effectively recover from any incident or disaster, and can also management representatives from all of the organization’s communities of interest of the importance of the planning and recovery efforts. This final result is referred to as an attack scenario end case.
- Subordinate Plan Classification Once the potential damage has been assessed, and each end case has been evaluated, a subordinate plan must be developed or identified from among existing plans already in place. These subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario. An attack scenario end case is categorized as disastrous or not. The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack.
- Incident Response Planning Incident response planning covers the identification of, classification of, and response to an incident. The IRP is made up of activities that are to be performed when an incident has been identified. An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources.
- Attacks are only classified as incidents if they have the following characteristics: Are directed against information assets Have a realistic chance of success Could threaten the confidentiality, integrity, or availability of information resources. Incident Response Planning Incident response (IR) is the set of activities taken to plan for, detect, and correct the impact of an incident on information resources. IR is more reactive, than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident. Planning for an incident requires a detailed understanding of the scenarios developed for the BIA.
- Incident Planning The pre-defined responses enable the organization to react quickly and effectively to the detected incident. This assumes two things: first, the organization has an IR team, and second, the organization can detect the incident. The IR team consists of those individuals who must be present to handle the systems and functional areas that can minimize the impact of an incident as it takes place.
- Incident Planning The designated IR teams act to verify the threat, determine the appropriate response, and coordinate the actions necessary to deal with the situation. The military process of planned team responses can be used in an incident response. The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident. These plans must be properly organized, and stored to be available when, where and in a format supportive of the incident response. Incident Planning The designated IR teams act to verify the threat, determine the appropriate response, and coordinate the actions necessary to deal with the situation. The military process of planned team responses can be used in an incident response. The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident. These plans must be properly organized, and stored to be available when, where and in a format supportive of the incident response.
- Incident Response Plan Format and Content. The IR plan must be organized so that, the organization supports, rather than impedes quick and easy access to the information needed. This can be accomplished through a number of measures, the simplest of which is to create a directory of incidents, with tabbed sections for each possible incident. When an individual needs to respond to an incident, he or she simply opens the binder, flips to the appropriate section, and follows the clearly outlined procedures for an assigned role. Incident Response Plan Storage. The information in the IR plan should be protected as sensitive information. If attackers know how a company responds to a particular incident, it could improve their chances of success in the attack. On the other hand, the organization needs this information readily available, usually within reach of the information assets that must be manipulated during or immediately after the attack. The bottom line is that individuals responding to the incident should not have to search frantically for needed information, especially under stress.
- Incident Response Plan Testing. A plan untested is not a useful plan. The levels of testing strategies can vary: Checklist. Structured walk-through. Simulation. Parallel. Full-interruption.
- Incident Detection Individuals sometimes bring an unusual occurrence to the attention of systems administrators, security administrators, or their bosses. The most common occurrence is a complaint about technology support, often delivered to the help desk. The mechanisms that could potentially detect an incident include intrusion detection systems, both host-based and network-based, virus detection software, systems administrators, and even the end user. Incident Detection Only by carefully training the user, the help desk, and all security personnel on the analysis and identification of attacks can the organization hope to quickly identify and classify an incident. Once an attack is properly identified, the organization can effectively execute the corresponding procedures from the IR plan. Incident classification is the process of examining a potential incident, or incident candidate, and determining whether or not the candidate constitutes an actual incident.
- Incident Indicators There are a number of occurrences that could signal the presence of an incident candidate. Possible indicators of incidents: 1)Presence of unfamiliar files. 2)Presence or execution of unknown programs or processes. 3)Unusual consumption of computing resources. 4)Unusual system crashes. Probable indicators of incidents: 1)Activities at unexpected times. 2)Presence of new accounts. 3)Reported attacks. 4)Notification from IDS. Incident Indicators Definite indicators of incidents. 1)Use of dormant accounts. 2)Changes to logs. 3)Presence of hacker tools. 4)Notifications by partner or peer. 5)Notification by hacker. Predefined situations that signal an automatic incident: 1)Loss of availability. 2)Loss of integrity. 3)Loss of confidentiality. 4)Violation of policy. 5)Violation of law.
- Incident Indicators When Does an Incident Become a Disaster? 1) the organization is unable to mitigate the impact of an incident during the incident, 2) the level of damage or destruction is so severe the organization is unable to quickly recover. The difference may be subtle. It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response.
- Incident Reaction Incident reaction consists of actions outlined in the IRP that guide the organization in attempting to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident. In reacting to the incident there are a number of actions that must occur quickly. These include notification of key personnel, assignment of tasks, and documentation of the incident.
- Notification of Key Personnel Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident. Two ways to activate an alert roster: A sequential roster is activated as a contact person calls each and every person on the roster. A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on.
- The alert message is a scripted description of the incident, just enough information so that everyone knows what part of the IRP to implement.
- Documenting an Incident Documenting the event is important. First, it is important to ensure that the event is recorded for the organization’s records, to know what happened, and how it happened, and what actions were taken. The documentation should record the who, what, when, where, why and how of the event. Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident. The recorded incident can also be used as a simulation in future training sessions.
- Incident Containment Strategies One of the most critical components of incident reaction is to stop the incident or contain its scope or impact. However, sometimes situations prevent the most direct measures associated with simply “cutting the wire.” Before an incident can be contained, the affected areas of the information and information systems must be determined. In general, incident containment strategies focus on two tasks: stopping the incident and recovering control of the systems. Incident Containment Strategies The organization can stop the incident and attempt to recover control through a number of strategies. If the Incident: originates outside the organization, the simplest and most straightforward approach is to sever the affected circuits. is using compromised accounts, the accounts can be disabled. is coming in through a firewall, the firewall can be reconfigured to block that particular traffic. is using a particular service or process, that process or service can be disabled temporarily. is using the organization’s systems to propagate itself, you can take down that particular application or server. The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization. The bottom line is that containment consists of isolating the channels, processes, services, or computers and removing the losses from that source of the incident.
- INCIDENT RECOVERY Once the incident has been contained, and control of the systems regained, the next stage is recovery. As with reaction to the incident, the first task is to identify the human resources needed for the recovery and launch them into action. The full extent of the damage must be assessed. The process of computer forensics entails determining how the incident occurred and what happened. The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems.
- Damage Assessment Incident damage assessment is the immediate determination of the scope of the breach of CIA of information and assets after an incident. There are several sources of information on the type, scope, and extent of damage, including system logs, intrusion detection logs, configuration logs and documents, the documentation from the incident response, and the results of a detailed assessment of systems and data storage. Based on this information, the IR team must begin to examine the current state of the information and systems and compare them to a known state. Damage Assessment Related to the task of incident damage assessment is the field of computer forensics. Computer forensics is the process of collecting, analyzing, and preserving computer-related evidence. Evidence proves an action or intent. Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal or informal proceedings. Circumstances requires that individuals who look for the damage receive special training, should it be determined that the incident is part of a crime or may result in a civil action.
- Recovery The recovery process involves: Identify the vulnerabilities that allowed the incident to occur and spread and resolve them. Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them.
- Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities. Restore the data from backups. Restore the services and processes in use. Continuously monitor the system. Restore the confidence of the members of the organization’s communities of interest. Conduct an after-action review.
- Automated Response While traditional systems were configured to detect incidences, and then notify the human administrator, new systems can respond to the incident threat autonomously. These systems, referred to as trap and trace, use a combination of resources to detect an intrusion, and then to trace incidents back to their sources. Unfortunately, some less scrupulous administrators might even be tempted to back hack or hack into a hacker’s system to find out as much as possible about the hacker. The problem is that the hacker may actually move into and out of a number of organizations’ systems and by tracking the hacker, administrators may wander through other organizations’ systems. Automated Response The trap portion frequently involves the use of honeypots or honeynets. Honeypots are computer servers configured to resemble production systems. If a hacker stumbles into the system, alarms are set off, and the administrator notified. Honeynets, consist of networks or subnets of systems that operate similarly. Enticement is the process of attracting attention to a system by placing tantalizing bits of information in key locations. Entrapment is the action of luring an individual into committing a crime to get a conviction. Enticement is legal and ethical, while entrapment is not.
- Disaster Recovery Planning Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster, whether natural or manmade. The contingency planning team must decide which actions constitute disasters and which constitute incidents. At the time that a decision is made and the situations is classified as a disaster, the organization may change how it is responding and take action to secure its most valuable assets to preserve value for the longer term even at the risk of more disruption in the immediate term. Again, the key emphasis of a DRP is to reestablish operations at the ‘primary’ site, the location at which the organization performs its business. The goal is to make things ‘whole’ or ‘as they were’ before the disaster. Disaster Recovery Planning Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster, whether natural or manmade. The contingency planning team must decide which actions constitute disasters and which constitute incidents. At the time that a decision is made and the situations is classified as a disaster, the organization may change how it is responding and take action to secure its most valuable assets to preserve value for the longer term even at the risk of more disruption in the immediate term. Again, the key emphasis of a DRP is to reestablish operations at the ‘primary’ site, the location at which the organization performs its business. The goal is to make things ‘whole’ or ‘as they were’ before the disaster.
- DISASTER RECOVERY PLANNING Steps 1) There must be a clear establishment of priorities. 2) There must be a clear delegation of roles and responsibilities. 3) Someone must initiate the alert roster and notify key personnel. 4) Someone must be tasked with the documentation of the disaster. 5) If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization.
- Crisis Management Crisis management includes the actions taken during and after a disaster, and focuses first and foremost on the people involved and addresses the viability of the business. The crisis management team is responsible for managing the event from an enterprise perspective and covers: Supporting personnel and their loved ones during the crisis Determining the event's impact on normal business operations and, if necessary, making a disaster declaration Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties.
- Disaster Recovery Planning The crisis management team should establish a base of operations or command center to support communications until the disaster has ended and includes individuals from all functional areas of the organization to facilitate communications and cooperation. Some key areas of crisis management include:1)Verifying personnel head count. 2)Checking the alert roster. 3)Checking emergency information cards. Crisis management must balance the needs of the employees with the needs of the business in providing personnel with support for personal and family issues during disasters.
- DRP Structure Similar in structure to the IRP, the DRP is organized by disaster, and provides procedures to execute during and after a disaster. It also provides details on the roles and responsibilities of the various individuals involved in the disaster recovery effort, and identifies the personnel and agencies that must be notified. Just as the IRP must be tested, so must the DRP, using the same testing mechanisms. Reaction to a disaster can vary so widely, that it is impossible to describe the process with any accuracy. As a result it is up to each organization to examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters. Should the physical facilities be spared after the disaster, the disaster recovery team should begin the restoration of systems and of data to work toward full operational capability. If the organization’s facilities do not survive, alternative actions must be taken until new facilities can be acquired.
- Business Continuity Planning Business continuity planning outlines reestablishment of critical business operations during a disaster that impacts operations at the primary site. If a disaster has rendered the current location of the business unusable for continued operations, there must be a plan to allow the business to continue to function.
- Continuity Strategies There are a number of strategies that an organization can choose from when planning for business continuity. The determining factor in selection between these options is usually cost. In general there are three exclusive options: hot sites, warm sites, and cold sites, and three shared functions: timeshare, service bureaus, and mutual agreements.
- Off-Site Disaster Data Storage To get these types of sites up and running quickly, the organization must have the ability to port data into the new site’s systems. There are a number of options for getting operations up and running quickly, and some of these options can be used for purposes other than restoration of continuity. These include: Electronic vaulting - The bulk batch-transfer of data to an off-site facility. Remote Journaling - The transfer of live transactions to an off-site facility; only transactions are transferred not archived data, and the transfer is real-time. Database shadowing - not only processing duplicate real-time data storage, but also duplicates the databases at the remote site to multiple servers.
- Model For IR/DR/BC Plan The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans. The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations.
- The Planning Document Establish the responsibility for managing the document, typically the security administrator. Appoint a secretary to document the activities and results of the planning session. Independent incident response and disaster recovery teams are formed, sharing a common planning committee.
- Outline the roles and responsibilities for each team member. Develop the alert roster is developed, and lists of critical agencies. Identify and prioritize threats to the organization’s information and information systems.
- The Planning Process There are six steps in the Contingency planning process . 1. Identifying the mission- or business-critical functions. 2. Identifying the resources that support the critical functions. 3. Anticipating potential contingencies or disasters. 4. Selecting contingency planning strategies. 5. Implementing the contingency strategies. 6. Testing and revising the strategy. The Planning Document 1.During the incident. Develop and document the procedures that must be performed during the incident. Group procedures and assign to individuals. Each member of the planning committee begins to draft a set of function-specific procedures. 2.After the incident. Develop the procedures that must be performed immediately after the incident has ceased. Again, separate functional areas may develop different procedures. 3.Before the incident. Draft those tasks that must be performed to prepare for the incident. These are the details of the data backup schedules, the disaster recovery preparation, training schedules, testing plans, copies of service agreements, and business continuity plans if any. The Planning Document Finally the IR portion of the plan is assembled. Sections detailing the organization’s DRP and BCP efforts are placed after the incident response sections. Critical information as outlined in these planning sections are recorded, including information on alternate sites, etc. as indicated in the “before the incident” section, applicable to the disaster recovery and business continuity efforts. Multiple copies for each functional area are created, cataloged, and signed out to responsible individuals.
- Using the Plan During the incident Develop and document the procedures that must be performed during the incident Group procedures and assign to individuals Each member of the planning committee begins to draft a set of function-specific procedures After the incident Develop the procedures that must be performed immediately after the incident has ceased Again, separate functional areas may develop different procedures 3.Before the incident. Draft those tasks that must be performed to prepare for the incident. These are the details of the data backup schedules, the disaster recovery preparation, training schedules, testing plans, copies of service agreements, and business continuity plans if any. Finally the IR portion of the plan is assembled. Sections detailing the organization’s DRP and BCP efforts are placed after the incident response sections. Critical information as outlined in these planning sections are recorded, including information on alternate sites, etc. as indicated in the “before the incident” section, applicable to the disaster recovery and business continuity efforts. Multiple copies for each functional area are created, cataloged, and signed out to responsible individuals.
- Law Enforcement Involvement There may come a time, when it has been determined that the incident at hand exceeds the violation of policy and constitutes a violation of law. The organization may determine that involving law enforcement is necessary. There are several questions, which must then be answered. When should the organization get law enforcement involved? What level of law enforcement agency should be involved: local, state or federal? What will happen when the law enforcement agency is involved? Some of these questions are best answered by the organization’s legal department.
- Local, State, or Federal Authorities Selecting the level of law enforcement to involve depends in part on the level and type of crime discovered. The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies. The US Secret Service works with crimes involving US currency, counterfeiting, credit cards, identity theft and other crimes. The US Treasure Department has a bank fraud investigation unit and the Securities and Exchange Commission has investigation and fraud control units as well. However, due to the heavy load of cases these agencies must handle, they typically give preference to those incidents that address the national critical infrastructure or that have significant economic impact.
- State Investigative Services Each state has its own version of the FBI (except Illinois! – interesting story why not) These state agencies arrest individuals, serves warrants, and generally enforce laws on property that is owned by the state or any state agency In Illinois, computer crime is the responsibility of the State of Illinois High Tech Crime Bureau, part of the Attorney General’s Office Local Law Enforcement Local agencies enforce all local and state laws and handle suspects and security crime scenes for state and federal cases. Local law enforcement agency seldom have a computer crimes task force, but the investigative (detective) units are quite capable of processing crime scenes, and handling most common criminal activities, such as physical theft or trespassing, damage to property, and the apprehension and processing of suspects of computer related crimes.
- Local Law Enforcement Local agencies enforce all local and state laws and handle suspects and security crime scenes for state and federal cases. Local law enforcement agency seldom have a computer crimes task force, but the investigative (detective) units are quite capable of processing crime scenes, and handling most common criminal activities, such as physical theft or trespassing, damage to property, and the apprehension and processing of suspects of computer related crimes.
- Benefits of Law Enforcement Involvement Involving law enforcement agencies has both advantages and disadvantages. The agencies may be much better equipped at processing evidence than a particular organization. Unless the security forces in the organization have been trained in processing evidence and computer forensics, they may do more harm than good in extracting the necessary information to legally convict a suspected criminal.
- Benefits of Law Enforcement Involvement Involving law enforcement agencies has both advantages and disadvantages. Law enforcement agencies are also prepared to handle the warrants and subpoenas necessary to documenting a case. They are also adept at obtaining statements from witnesses, affidavits, and other required documents. Law enforcement personnel can be a security administrator’s greatest ally in the war on computer crime. It is therefore important to get to know your local and state counterparts, before you have to make a call announcing a suspected crime.
- Drawbacks to Law Enforcement Involvement Involving law enforcement agencies has both advantages and disadvantages. On the downside, once a law enforcement agency takes over a case, the organization loses complete control over the chain of events, the collection of information and evidence, and the prosecution of suspects. An individual the organization may wish only to censure and dismiss may face criminal charges whereby the intricate details of their crimes become matters of public record. The organization may not hear about the case for weeks or even months.
- Drawbacks to Law Enforcement Involvement Involving law enforcement agencies has both advantages and disadvantages. Equipment vital to the organization’s business may be tagged evidence, to be removed, stored, and preserved until it can be examined for possible support for the criminal case. However, if the organization detects a criminal act, it is a legal obligation to involve the appropriate law enforcement officials.