Agencies must monitor insider network threats, expert says
- By Patience Wait
- Nov 28, 2005
Agency networks are more vulnerable than ever, according to a former CIA official and cybersecurity expert, and the greatest threat to an organization's network security may come from within.
Eric Cole, who worked for the CIA for more than five years, told an audience of government and corporate security professionals today at the inaugural Techno Forensics Conference at the National Institute of Standards and Technology that despite their best efforts, networks are only getting more porous.
Cole said an emerging threat for organizations is that the emphasis on thwarting outside attacks and tracing their origins has led them to overlook the insider threat.
In several recent cases, organizations conducted preliminary forensic examinations after network incidents and identified employees as being responsible.
The problem, according to Cole, is that 'those individuals were digitally framed. I'm the inside expert, I can set it up that you can never catch me, you catch some innocent individual.'
Aside from network insecurity, Cole said agencies need to have standardized procedures for computer forensics. A lack of standardized procedures for computer forensics, he warned, will jeopardize organizations' abilities to use forensic examinations at trial and will poison the well with judges on future cases.
Some of the difficulties could be alleviated if standards are established and certifications issued to those who are qualified to conduct forensic examinations, Cole said.
Doctors, lawyers, certified public accountants: all must meet specific public standards in order to use those titles, Cole said.
'But what stops someone from saying they are a computer security expert?' he asked. 'It was bad during the dot-com boom, but it is happening today.'
According to a recent study conducted for the National Institute of Justice in the U.S. Justice Department, most agencies don't have dedicated digital evidence units, and a majority of agencies have no digital evidence policies, Cole said. In addition, less than half require specific training to seize digital evidence, and only half require specific training to duplicate, examine and analyze evidence.
Eoghan Casey of Stroz Friedberg LLC of Washington, a consulting and technical services firm specializing in computer forensics, addressed the computer side of the forensics challenge.
The emergence of the 'pervasive computing' environment means that forensics experts will have to find ways to start analyzing 'live' systems, instead of relying on making images of hard drives and servers, he said.
'Best practices, in the traditional sense, will differ in the future,' Casey said. 'We are seeing disk space not just on servers, but home computers, in [the] hundreds of gigabytes. I don't think we will be able to image everything.'
Because of the vastness of the data to be examined, Casey said new forensic processes are needed that address the speed of processing, automating forensic processes where possible and finding ways to reduce the data to be examined down to a more manageable size. All of this has to be done in a 'forensically sound' manner, so the evidence can be authenticated, he said.
Among new threats, Casey warned, is the growing sophistication of concealment techniques by network intruders.
'Criminals are coming up with ways to conceal their activities,' he said. 'It's not just the hacker who doesn't have a date on Saturday night and takes it out on us. [A]nd covert channels are becoming difficult to deal with. How do we observe suspicious traffic when it is designed to be invisible?'
Casey suggested that organizations need to figure out how to conduct distributed processing of forensic information in order to conduct both faster and deeper analysis of the data and to facilitate collaboration among all the parties involved, such as agencies and Internet service providers.
There also have to be standards for the forensic readiness of the organization and the interoperability of forensic tools, such as a standard evidence storage format, Casey added.