After witnessing such a dismal response to Hurricane Katrina last September, a hurricane of a different dimension still hovers over the infrastructure of U.S. computer networks. Cyber Katrina, if you will, is posed to hit the U.S. and authorities are indeed not ready [2, 5] to handle the aftermath. Today there are simply not enough law enforcement officers at the state level with appropriate computer forensics and computer crime investigative skills to protect their part of the infrastructure.
This report is based on the non-classified portion of our work to develop and implement a state-based computer security incident response involving computer forensics. In a survey of 530 law enforcement agencies in the Midwest U.S. states, we found that only a handful of personnel in each of the surveyed states have even a basic understanding of the computer forensics (see the accompanying table). As a result, there is an average of 612 month backlog within the states and major cities.
The National Strategy to Secure Cyberspace plan makes improvements to the nation’s response to cyber incidents and reducing potential damage the top priority [9]. But at the state level, the response is handled by different agencies that do not necessarily coordinate. Moreover, the blueprint for the response is predominantly only technical (related to how to bring the computer networks back online).
Multistage Intelligence and Analysis Sharing Center (MSISAC) is a state-level organization set up to serve as a critical point of contact between the states and the federal government. MSISAC focuses primarily on technical responses without any consideration to computer forensics and computer-crime investigation needs [8].
Individual organizations responsible for responding to a statewide computer network incident affecting the infrastructure find it difficult to implement a response with computer forensics as the main focus due to the following reasons:
- Knowledge of computer forensics within the law enforcement community is very limited. None of the key elements of computer forensics—identification, preservation, analysis, and presentation—are done uniformly by law enforcement. It causes an uncertainty in the basic need of the investigators to ensure digital evidence to withstand judicial scrutiny if the matter goes to trial [4].
- There is limited legal support trained in computer forensics law. For admissibility in court, the computer forensics evidence should possess a chain of custody to show that no inadvertent or purposeful contamination occurred. Due to a lack of legal experts in state services who are trained to prosecute computer crimes using the results of computer forensics, law enforcement officers find themselves working on non-prosecutable cases [4].
Possible Solution
The solution we are implementing to this problem takes a two-pronged approach:
Organization. According to the Homeland Security Presidential Directive [3], any incident should be managed by establishing a single comprehensive national incident management system (NIMS). As a result of this directive, all federal departments, agencies, state, local, and tribal governments are required to fully comply with NIMS by FY 2007 (Oct. 1, 2006) in order to be eligible to apply for federal preparedness assistance. This can be accomplished by setting up an Incident Command System (ICS)- based crisis management plan for each response [6].
A Computer Security Incident Response Team (CSIRT) is a viable ICS-based organization to support computer forensics, computer crime investigation processes, as well as technical aspects of a response [7]. It is characteristically a cross-functional team with personnel from law enforcement, academic, and private and public organizations. It can be instrumental in using the limited personnel with computer forensics and forensics law knowledge to support a statewide response and escalation. This resolves two main issues, mentioned earlier, when including computer forensics in any statewide response.
Processes. In our work with a particular state, we have determined specific investigatory processes that can be operational by a CSIRT (see Figure 1).
In the “identify and notify” step, initial forensics analysis is done to decide the level and kind of response, and notification is sent to the organizations that can support a cohesive response. This is followed by the “collation and classification” of the new information. In the next step, “response and escalation” strategy is decided, which may include ultimately involving the U.S. National Guard and Department of Defense. Computer forensics is used extensively to “analyze, store, and enhance” any evidence obtained in the process. The whole process is undertaken while keeping an overall focus on traditional law enforcement duties like safety of life and property.
A serious shortage of law enforcement officers trained in computer forensics presents a significant challenge to any computer security response plan.
We have found that these processes are effective and well received because they are based on traditional crime investigation processes, as shown in Figure 2 [1]. In traditional processes, targeting suspects is followed by the collection of data about the suspect, which is then used to evaluate and analyze this information. At every step of the process, the prosecutorial aspects are kept in focus by the crime investigators.
The initial response to the statewide rollout of the plan has drawn very positive feedback from the federal, state, local, and tribal law enforcement and infrastructure organizations.
A combination of processes based upon traditional investigative procedures supported by a computer security incident response team can utilize the limited resources available and effectively protect citizens from a possible Cyber Katrina.
Conclusion
A serious shortage of law enforcement officers trained in computer forensics presents a significant challenge to any computer security response plan. A combination of processes based upon traditional investigative procedures supported by a computer security incident response team can utilize the limited resources available and effectively protect citizens from a possible Cyber Katrina.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment