Forensics the last resort?

 Thanks to California 1386 we have been treated to dozens of disclosures of lost data from the likes of ChoicePoint, Ernst and Young, and last week, the Veterans Administration.  Ever wonder what goes on behind the scenes at those organizations leading up to those disclosures?
Written by Richard Stiennon, Contributor

 You can imagine the first indication, the phone call from the employee who misplaced their laptop or left a CD on an airplane, or the first discovery of a keystroke logger on a critical system.  Those are triggers that kick off a forensic investigation. It is an arcane art that involves freezing IT assets, recovering data and extensive sleuth work. 

 

I interviewed Dennis Portney with Security Forensics, Inc. yesterday for the IT-Harvest Threatcast. This inaugural podcast is the first time I have weaned myself from CNET’s recording studio in San Francisco. So if you have any problems with the audio engineering, you know who to blame.

 

Forensics is the back side of security. It is what you do when your security has failed. According to Dennis, 99% of the time that forensics experts have to be called in, it is because existing policies were not enforced. Downloading hacking tools, disk erasure, and the use of thumb drives to walk off with critical data are all things that can be protected against.

 

My take is that it would be extremely valuable for IT security practitioners to get up to speed on forensics, even walk through a dummy scenario. By doing this you can identify holes in your record keeping, policy enforcement, and emergency response methodologies.   When there is a real breach you will be much better prepared for it.

Theme music for IT-Harvest ThreatCasts used with the permission of Hyperion Records