LeRoy Budnik likes to tell the story of how a U.S.-based bank was fined $500 million for losing encrypted backup tapes of customer records.
The tapes were encrypted, you might think, so the names couldn’t have been at risk. Why was the bank at fault?
The financial institution couldn’t prove the tapes were properly protected. Like many companies, after two years it overwrote the disks with new encrypted data, but didn’t document whether the checksum was validated to prove the data was the same as the original.
“Because they failed to have the paper trail they didn’t have the forensic evidence to support their case in court.”
Budnik, CEO of Knowledge Transfer, a Winfield, Ill., storage consulting company, told the tale Tuesday at a security forum in Toronto to illustrate the burden facing IT managers charged with gathering evidence to support a civil or criminal case against an intruder.
These days the odds are “probably pretty high” every IT manager will be involved in a forensics investigation over his career, he said in an interview after his address to the forum, which was run by the Storage Networking Industry Association, a group of storage vendors and channel partners.
So the best defence is to be prepared. The biggest mistake someone assigned to gather evidence for an investigation makes is not writing down everything they do, and not having a witness beside them whenever anything is done. Instead, too many want to match wits with the hacker. “The hack game is fun,” he said. “It’s the discipline that’s hard.”
“I have to change into ‘How am I going to put this guy in jail,’ as opposed to ‘How can I stop him.’” His address was dubbed “The CSI View of Data Security,” but he emphasized that unlike a TV show, IT forensic investigation isn’t glamorous.
If there has been a suspected policy or data violation the first step is to go to the company’s legal officer and ask what should be done. If you are assigned to gather material, remember that nothing is evidence until it is admitted in court, Budnik stressed.
What’s needed is a chain of evidence of IT processes in which the steps taken are completely documented and the integrity of whatever is gathered is preserved, including log files from PCs, servers, switches or storage devices. Among the tips he passed on is to make notes in a hardbound notebook with numbered pages, so no one can say the pages were altered.
When duplicating disks, make sure the target disk is sterile to prevent allegations it might be contaminated. Then seal the copied drive.
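The discipline Budnik describes (a sterile target, a copy verified against the original, every step written down with a witness present) can be made mechanical; the following is an added example, not code from the article or from SNIA. It refuses a target that is not all zeros, re-reads and hashes the copy against the source, and appends each step to a hash-chained custody log in which every entry names the examiner and witness and commits to the previous line, so a removed or altered entry shows up the way a torn-out numbered page would. The file paths, the JSON log format and the `examiner`/`witness` fields are assumptions of this example.

```python
import hashlib
import json
import os
import time

CHUNK = 1 << 20  # block size in bytes for streaming reads and writes

def sha256_file(path, length=float("inf")):
    """Stream SHA-256 over a file, or over just its first `length` bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(int(min(CHUNK, length))), b""):
            h.update(block)
            length -= len(block)
    return h.hexdigest()

def is_sterile(path):
    """A sterile target holds only zero bytes: nothing left over from an earlier job."""
    with open(path, "rb") as f:
        return all(b.count(0) == len(b) for b in iter(lambda: f.read(CHUNK), b""))

def image_and_log(source, target, log_path, examiner, witness):
    """Copy source onto a sterile target, verify the copy by hash, append a chained log entry."""
    if not is_sterile(target):
        raise RuntimeError("target is not sterile; wipe it before imaging")
    src_hash, size = sha256_file(source), 0
    with open(source, "rb") as s, open(target, "r+b") as t:
        for block in iter(lambda: s.read(CHUNK), b""):
            size += t.write(block)
    if sha256_file(target, size) != src_hash:  # re-read the copy rather than trusting the write
        raise RuntimeError("verification failed: copy hash differs from source hash")
    lines = open(log_path, "rb").read().splitlines() if os.path.exists(log_path) else []
    # Assumed log format: one JSON object per line; `prev` is the SHA-256 of the previous line.
    entry = {"seq": len(lines) + 1, "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "source": source, "target": target, "bytes": size, "sha256": src_hash, "examiner": examiner,
             "witness": witness, "prev": hashlib.sha256(lines[-1]).hexdigest() if lines else "0" * 64}
    with open(log_path, "ab") as f:
        f.write(json.dumps(entry, sort_keys=True).encode() + b"\n")
    return entry

def verify_log(log_path):
    """True if the log is unbroken: seq runs 1..n and each `prev` hashes the line before it."""
    prev = "0" * 64
    with open(log_path, "rb") as f:
        for n, line in enumerate(f.read().splitlines(), 1):
            entry = json.loads(line)
            if entry["seq"] != n or entry["prev"] != prev:
                return False
            prev = hashlib.sha256(line).hexdigest()
    return True
```

The chained log only proves that nothing was changed after the fact inside the log itself; the signed, witnessed notebook Budnik recommends is still what ties it to a person.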
“It’s like playing cop,” Budnik said.
As for the need for managers to assure storage systems are secure, he added, assume nothing is impossible. The head of data protection for the government of China has told him of intruders hacking the firmware of a university storage array there, and then transmitting the data out over the Fibre Channel interface. He was also critical of storage managers.
“Network administrators have a greater cognizance of security than the guys who do storage,” he also said in the interview. “Guys who do storage think that the storage is safe because the data’s still in the computer. But they forget that the management connects through the Internet,” where intruders attack from.
(SNIA has a detailed guide to help those who have to do a forensic investigation.)