Educause Security Discussion mailing list archives
Re: Incident investigation and forensic capabilities and obligations
From: "Penn, Blake" <pennb () UWW EDU>
Date: Thu, 2 Jun 2005 16:57:48 -0500
David:

I share your concern with this issue, having recently come to higher education from a large banking environment. From what I have seen so far, forensic and investigative capabilities in higher ed tend to be more primitive than in the public sector (particularly in highly-regulated industries such as banking and healthcare). That being said, there is also a much greater diversity when it comes to these capabilities in higher ed. In a regulated industry, baselines govern (and pretty much directly set, to be honest) the standards when it comes to a variety of information security and assurance practices. In higher ed, each campus/system sets its own respective practices - hence a much greater variety of approaches and practices.

As far as regulations, many are the same as in the private sector; HIPAA, GLBA, and the like usually apply to the campus environment. The big difference is that the scope of these regulations is greatly reduced. HIPAA applies to your health centers, GLBA to your financial aid, debit card, payment systems, etc. Given this reduced regulatory scope, getting campus-wide buy-in for extensive and formalized incident handling and forensics policies and procedures might be challenging. This may be justified though, as the business case for such extensive policies and procedures is much weaker. Personally, I have found that the policies and procedures that I used in banking are certainly not a good fit for this medium-sized campus environment. I know that some of our larger campuses in the UW System use commercial tools like EnCase Enterprise - so it's certainly not unheard of in this "industry." We are more likely, though, to use individual licenses of EnCase and/or freeware tools such as Helix for this function. And Helix can work very well if your staff is skilled enough to properly use the tools in that distribution. The focus, however, is on hardening, detection, and remediation in our environment - not forensics and incident response.

The focus is to determine what information is most critical - financial, FERPA, etc. - and apply the appropriate elevated protection profile to this information and a "reasonable" level of protection to other data. VISA CISP (PCI-DSS) may be the exception to this rule. Data covered under PCI-DSS is held to a rigorous (and more importantly SPECIFIC) set of standards, unlike the mushy and higher-level (read: interpretable) language of regulations like HIPAA. If you want to apply more rigorous IR and forensics policies and procedures, then this is certainly the place to do so. PCI-DSS requires standards such as centralized audit logging, file integrity monitoring with alerting (Tripwire and the like), and daily log reviews. It also requires other rigorous security standards such as two-factor remote access and video surveillance monitoring. If any of your applications are taking credit card data, then this would be the place to hit with the iron gauntlet - and the $500,000.00 per incident fines will go a long way towards justifying this approach (I wouldn't want to accept that particular risk from a risk management standpoint!).

Outside of these "critical" areas, the level of due diligence expected is relatively low compared to what you are probably used to. And the need to preserve data for evidence purposes is almost non-existent (at least from a regulatory standpoint). You should have some risk management people on your campus - but if it's like mine, IT is not their strong suit. I've had to bridge together several departments and functions to create hybrids that approximate the departments and functions that I have been used to having within private industry. You may need to do the same and/or push for the creation of the aforementioned entities. Again, information security management and practice varies widely here in academia, so others may have a completely different situation.
If you would like to discuss these issues more in-depth, please feel free to contact me directly. Hope that this helps.

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513
(f) 262-472-1285
e-mail: pennb () uww edu

________________________________
From: Hearn, David L. [mailto:DHearn () ADMIN FSU EDU]
Sent: Thursday, June 02, 2005 12:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Incident investigation and forensic capabilities and obligations

Hello all,

I am trying to get some information and feedback on the current state of IT incident investigative and forensic capabilities within the higher education arena. As well, I would like to find out opinions (or authoritative information) on the obligations (whether regulatory or legal) associated with those capabilities.

Here's my motivation: Due to the recent upsurge of "phishing" scams, and the aggressiveness of the RIAA and MPAA investigations and notifications, our security team is finding itself in the position of performing much more than its normal, "go fix the hacked box" type of "abuse" response. I recently left IT security in the private sector financial industry, where formalized and highly structured incident response, reporting and forensic analysis and storage were SOP and not only supported, but required for regulatory reasons. We had frequent interaction with law enforcement, internal HR, and industry investigation and litigation arms. Obviously, this is not the norm in public sector education.

So ... here are some direct questions ...

1) How formal and/or mature are your current incident response processes? Tracking? Reporting? Remediation?

2) How advanced are your forensic capabilities? Evidence storage? I would love to have a full EnCase setup and the capability to image and store large drives, but we just do not have the funding and support for this type of operation.

3) Here's the tough one. What are the obligations associated with externally initiated investigations - whether abuse report, law enforcement or other? What is "minimum due diligence"? What is the "expected due diligence"? Who determines capability level and responsibility in your org? In my last position, it was the "Risk Management Department". Obviously, it's not quite so clear in the Higher Ed hierarchy.

4) Is this aspect of your security operations recognized as a capability, responsibility and budgetary line item?

Any opinions, information or feedback would be appreciated. Also any examples or relevant links. Thank you for your time and consideration.

David Hearn
FSU - User Services
Assistant Director, Security and Operations
david.hearn () fsu edu <mailto:david.hearn () fsu edu>
w - (850)644-2591
m - (850)528-4309
f - (850)644-8722
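As an added illustration of the "file integrity monitoring with alerting (Tripwire and the like)" that Penn lists among the PCI-DSS requirements, and not code from the thread or from any product named in it, the following Python sketches the baseline-and-compare approach such tools use: hash a tree, rescan later, and emit one alert line per change for the central audit log. The directory layout and file contents are constructed for the demonstration.

```python
"""Added example: minimal Tripwire-style file integrity monitor (baseline, rescan,
alert). All paths and file contents below are constructed, not from the thread."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> hash, size and permission bits for each regular file.
    Symlinks are skipped so a link pointing elsewhere cannot stand in for a file."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777)}
    return snap

def compare(baseline: dict, current: dict) -> dict:
    """Added/removed/modified paths; 'modified' covers content or permission changes."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def alerts(diff: dict) -> list:
    """One line per change, ready to forward to a central log collector."""
    return [f"FIM ALERT {kind.upper()}: {p}"
            for kind in ("added", "removed", "modified") for p in diff[kind]]

def demo() -> dict:
    """Constructed run: baseline a temp tree, change it, return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "etc" / "ssh_config").write_text("Protocol 2\n")
        baseline = snapshot(root)          # in practice: keep off-host, read-only
        (root / "etc" / "hosts.allow").write_text("ALL: ALL\n")   # content change
        (root / "etc" / "ssh_config").unlink()                      # removal
        (root / "etc" / "cron.allow").write_text("root\n")          # addition
        return compare(baseline, snapshot(root))
```

The baseline itself must be stored where the monitored host cannot rewrite it, or a change that also updates the baseline goes unnoticed.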