
Saturday, December 6, 2014

‘Incident’ Based Approach to Information (Cyber) Security and the critical role of Digital Forensics

The 'Risk Based Approach' (RBA) has been the recommended way to address Information Security since the initial standards on the subject - BS 25999, which was subsequently incorporated into ISO 27001. It has also been recommended as a foundational principle by most of the Information Security standards that have emerged since, such as those put forth by ISF, COBIT etc. Although the recommendation has been around for a while, actual adoption of the risk based approach is a rather recent phenomenon. There are many good reasons for this, the primary ones being the lack of an apparent cost benefit from Information Security investments and the growing body of compliance mandates around the subject, which led to a predominantly compliance-driven approach becoming the norm.
 
But with crippling breaches continuing despite significant compliance-oriented investments, and with Information Risk (more fancifully referred to as Cyber Risk in recent times) acknowledged as one of the top 5 risks to global corporations, the understanding of Information Security in corporations and the adoption of a risk based approach have rapidly gained favour. Such an approach follows a cyclic pattern, as follows:
· Risks inherent in an enterprise entity (service, process, asset etc.) are assessed by discerning the probability and frequency of various types of threats exploiting vulnerabilities inherent in the service/process/asset
· Effectiveness of existing controls is evaluated and residual risk is computed by subtracting the control effectiveness from the inherent risk
· Residual risks are mitigated through various measures - avoidance, transference, acceptance or mitigation
· Once some progress is made in risk mitigation, the cycle is repeated all over again starting with risk assessment.
 
A similarly cyclic 'Incident based approach' (IBA) can be taken to Cyber Security, wherein incident prevention is the primary objective of the existing Cyber Security framework. Once an incident occurs, as it always does despite all preventive controls, incident triage is undertaken, followed by incident investigation, root cause analysis (RCA) and corrective and preventive action (CAPA); controls are then enhanced by ploughing the learnings back into the incident prevention oriented Cyber Security framework.

In this 'Incident based approach' to Cyber Security, Digital Forensics plays an anchoring role at all the stages of the process:
· At the triage stage, a working knowledge of Digital Forensics is essential in order to preserve incident evidence while taking down infected/compromised systems and restoring essential systems and services.
· During incident investigation, Digital Forensics is of central relevance and paramount importance, as the investigation relies primarily on forensics.
· It can contribute in no small manner during CAPA and RCA.
· And finally, Digital Forensics can provide insights into designing more effective controls.
 
Even when it appears to be business as usual, Digital Forensics has several contributions to make in setting up and running the day to day operations of the Cyber Security apparatus. It needs to be taken into consideration when deciding the type of access that administrators have to systems, as this can be a vital factor in being able to pick up the trail of a hacker who assumes administrative privilege or a malicious insider who misuses it. Digital Forensics considerations are also very important when planning remote investigations on systems.
 
For a Cyber Security function, it may not always make sense to build a very highly developed internal Digital Forensics capability. While a minimum but potent capability such as disk imaging, limited network packet capture and mining of logs and other data would be deemed appropriate/necessary, advanced capabilities such as forensic analysis of disk images, pattern and link analysis, and heuristic analysis of suspect logs and other data could be planned for as outsourced services. Such services should be identified as appropriate for the specific industry/business segment the enterprise belongs to, pre-configured as per management or regulatory specifications/expectations, and contractually negotiated and approved in advance, so that they can be called upon without any loss of time and within pre-set SLAs once an incident requiring Digital Forensic investigation occurs. Return on investment would be a key consideration when configuring the above, and each enterprise would need to find its own balance with due consideration to its unique impacting factors. An optimum model comprising limited essential in-house capability and the bulk of the capability outsourced often finds greater acceptance from management and brings maximum benefit, as it leverages the competence of Digital Forensic specialists for the detailed forensic investigations.