Educause Security Discussion mailing list archives

Re: Incident investigation and forensic capabilities and obligations


From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 2 Jun 2005 16:57:48 -0500

David:

I share your concern with this issue having recently come to higher education
from a large banking environment.  From what I have seen so far, forensic
and investigative capabilities in higher ed tend to be more primitive than
in the public sector (particularly in highly-regulated industries such as
banking and healthcare).  That being said, there is also a much greater
diversity when it comes to these capabilities in higher ed.  In a regulated
industry, baselines govern (and pretty much directly set, to be honest) the
standards when it comes to a variety of information security and assurance
practices.  In higher ed, each campus/system sets its own respective
practices - hence a much greater variety of approaches and practices.

As far as regulations, many are the same as in the private sector; HIPAA,
GLBA, and the like usually apply to the campus environment.  The big
difference is that the scope of these regulations is greatly reduced.  HIPAA
applies to your health centers, GLBA to your financial aid, debit card,
payment systems, etc.  Given this reduced regulatory scope, getting
campus-wide buy-in for extensive and formalized incident handling and
forensics policies and procedures might be challenging.  This may be
justified though, as the business case for such extensive policies and
procedures is much weaker.  Personally, I have found that the policies and
procedures that I used in banking are certainly not a good fit for this
medium-sized campus environment.

I know that some of our larger campuses in the UW System use commercial
tools like EnCase Enterprise - so it's certainly not unheard of in this
"industry."  We are more likely, though, to use individual licenses of
EnCase and/or freeware tools such as Helix for this function.  And Helix can
work very well if your staff is skilled enough to properly use the tools in
that distribution.  The focus, however, is on hardening, detection, and
remediation in our environment - not forensics and incident response.  The
focus is to determine what information is most critical - financial, FERPA,
etc. and apply the appropriate elevated protection profile to this
information and a "reasonable" level of protection to other data.

VISA CISP (PCI-DSS) may be the exception to this rule.  Data covered under
PCI-DSS is held to a rigorous (and more importantly SPECIFIC) set of
standards unlike the mushy and higher-level (read interpretable) language of
regulations like HIPAA.  If you want to apply more rigorous IR and forensics
policies and procedures, then this is certainly the place to do so.  PCI-DSS
requires standards such as centralized audit logging and file integrity
monitoring with alerting (Tripwire and the like), and daily log reviews.  It
also requires other rigorous security standards such as two-factor remote
access and video surveillance monitoring.  If any of your applications are
taking credit card data, then this would be the place to hit with the iron
gauntlet - and the $500,000.00 per incident fines will go a long way towards
justifying this approach (I wouldn't want to accept that particular risk
from a risk management standpoint!).

Outside of these "critical" areas, the level of due diligence expected is
relatively low compared to what you are probably used to.  And the need to
preserve data for evidence purposes is almost non-existent (at least from a
regulatory standpoint).  You should have some risk management people on
your campus - but if it's like mine, IT is not their strong suit.  I've had
to bridge together several departments and functions to create hybrids that
approximate the departments and functions that I have been used to having
within private industry.  You may need to do the same and/or push for the
creation of the aforementioned entities.

Again, information security management and practice varies widely here in
academia, so others may have a completely different situation.  If you
would like to discuss these issues more in-depth, please feel free to
contact me directly.  Hope that this helps.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513 (f) 262-472-1285
e-mail: pennb () uww edu


________________________________

From: Hearn, David L. [mailto:DHearn () ADMIN FSU EDU]
Sent: Thursday, June 02, 2005 12:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Incident investigation and forensic capabilities and
obligations
Hello all,

        I am trying to get some information and feedback on the current
state of IT incident investigative and forensic capabilities within the
higher education arena. As well, I would like to find out opinions (or
authoritative information) on the obligations (whether regulatory or legal)
associated with those capabilities.

Here's my motivation: Due to the recent upsurge of "phishing" scams, and the
aggressiveness of the RIAA and MPAA investigations and notifications, our
security team is finding itself in the position of performing much more than
its normal, "go fix the hacked box" type of "abuse" response.

I recently left IT security in the private sector financial industry, where
formalized and highly structured incident response, reporting and forensic
analysis and storage were SOP and not only supported, but required for
regulatory reasons. We had frequent interaction with law enforcement,
internal HR, and industry investigation and litigation arms. Obviously, this
is not the norm in public sector education.

So... here are some direct questions...

1)      How formal and/or mature are your current incident response
processes? Tracking? Reporting? Remediation?
2)      How advanced are your forensic capabilities? Evidence storage? I
would love to have a full EnCase setup and the capability to image and store
large drives, but we just do not have the funding and support for this type
of operation.

3)      Here's the tough one. What are the obligations associated with
externally initiated investigations - whether abuse report, law enforcement
or other? What is "minimum due diligence"? What is the "expected due
diligence"? Who determines capability level and responsibility in your org?
In my last position, it was the "Risk Management Department". Obviously,
it's not quite so clear in the Higher Ed hierarchy.

4)      Is this aspect of your security operations recognized as a
capability, responsibility and budgetary line item?


Any opinions, information or feedback would be appreciated. Also any
examples or relevant links.

Thank you for your time and consideration.

David Hearn
FSU - User Services
Assistant Director, Security and Operations
david.hearn () fsu edu
w -(850)644-2591
m -(850)528-4309
f - (850)644-8722
