It is an understandable yet curious characteristic of the information security space that the current 'big thing' relates not to the biggest threat, but to the newest one.
The column inches dedicated to mobile malware bear little relation to the threat it actually poses. Every IT security practitioner knows the reality: the risk posed by internal threats has always outweighed the risk from external ones. Employee fraud, sloppy exposure of passwords and malicious damage from within the security perimeter cost businesses millions more every year than losses from viruses or spyware.
Most organisations have policies and processes in place to try to counter the internal threat, but two industry developments are making these threats, and the ability to investigate them, a timely and significant concern. First, it has become increasingly difficult for a company that has suffered a security breach to sweep the fact under the carpet. Not only have we witnessed numerous significant and public ID theft breaches, we also have legislation, either in effect or being planned, that will force companies to 'come clean' about their security failures and to investigate the source of each failure.
Second, Microsoft will soon launch Windows Vista, which builds full-disk encryption into the operating system: BitLocker Drive Encryption, available in the Enterprise and Ultimate editions, encrypts the whole system volume once a user or administrator switches it on. If successful investigation of a security breach relies on the data on a computer's drive being accessible to an investigator, then encrypting that data locks the investigator out and all bets are off. Disk encryption has been available for years, but most people doing bad things never take the steps needed to cover their tracks; once whole-disk encryption is a built-in feature that is switched on once and then invisible, those tracks get covered with no effort from the user. Without the user's credentials, or a recovery key held by the organisation, it is no longer possible to examine the drive offline; the only remaining option at the disk level is to acquire the system while it is still running and unlocked.
The result? Network forensics is rapidly becoming the next big thing in IT security.
Network forensics is the investigation, at the network level, of activity that is taking place or has taken place across an IT system. Network forensics software provides the tools to conduct that investigation in a correct, sound and thorough manner.
Network forensics sidesteps disk-based encryption by investigating at the network level. Material that is encrypted while sitting on the disk has to be decrypted to be used, and when it is sent across the network it is readable again, unless the sender also encrypts it in transit, for example inside a TLS session or a VPN tunnel. Even then, and even if the user took the time to encrypt the document itself, the traffic metadata remains visible: where communications are coming from and going to, when, how often, and how much data moved, including the size of attachments. That can be enough to identify, for example, a sales manager sending confidential client information to a competitor.
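The metadata-only case described above, as an added example that is not part of the original article: given flow records (timestamp, source, destination, port, bytes sent), it sums what leaves the perimeter per source/destination pair and flags pairs above a volume threshold, regardless of whether the payload was readable. The flow records, address ranges, threshold and the host-to-owner table are all constructed for this example; the record layout is this example's own, not the output format of any particular tool.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed for this example: address ranges that count as "inside" the perimeter.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical asset inventory mapping workstation addresses to their users;
# in practice this would come from DHCP leases, directory logs or a CMDB.
HOST_OWNER = {
    "10.0.5.17": "j.smith (sales manager)",
    "10.0.5.23": "a.jones (finance)",
}

# Constructed flow records: timestamp src dst dst_port bytes_sent_by_src.
# Note the two large TLS (443) transfers and the large transfer on 1194
# (a typical VPN port): the content is unreadable, the volume is not.
SAMPLE_FLOWS = """\
2006-11-14T09:02:11 10.0.5.17 10.0.1.20 445 1200
2006-11-14T09:03:40 10.0.5.17 198.51.100.9 80 5300
2006-11-14T09:15:44 10.0.5.17 203.0.113.45 443 31000000
2006-11-14T09:21:02 10.0.5.17 203.0.113.45 443 17000000
2006-11-14T09:30:10 10.0.5.23 10.0.1.20 445 64000000
2006-11-14T09:41:55 10.0.5.23 198.51.100.9 443 82000
2006-11-14T10:05:19 10.0.5.17 203.0.113.77 25 9500000
2006-11-14T11:12:03 10.0.5.23 203.0.113.90 1194 26000000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated record format used in this example."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_by_pair(flows: list[Flow]) -> dict[tuple[str, str], dict]:
    """Sum bytes that cross the perimeter outward, keyed by (src, dst).

    Internal-to-internal traffic (e.g. a workstation copying to the file
    server) is deliberately excluded: it never left the organisation.
    """
    totals: dict[tuple[str, str], dict] = defaultdict(
        lambda: {"bytes": 0, "flows": 0, "ports": set(), "first": None, "last": None}
    )
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue
        t = totals[(f.src, f.dst)]
        t["bytes"] += f.bytes_out
        t["flows"] += 1
        t["ports"].add(f.dport)
        t["first"] = f.ts if t["first"] is None else min(t["first"], f.ts)
        t["last"] = f.ts if t["last"] is None else max(t["last"], f.ts)
    return dict(totals)


def flag_large_egress(flows: list[Flow], threshold_bytes: int = 10_000_000) -> list[dict]:
    """Return outbound pairs at or above the threshold, largest first."""
    findings = []
    for (src, dst), t in egress_by_pair(flows).items():
        if t["bytes"] >= threshold_bytes:
            findings.append({
                "src": src,
                "owner": HOST_OWNER.get(src, "unknown"),
                "dst": dst,
                "bytes": t["bytes"],
                "flows": t["flows"],
                "ports": sorted(t["ports"]),
                "first": t["first"],
                "last": t["last"],
            })
    findings.sort(key=lambda d: d["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for hit in flag_large_egress(parse_flows(SAMPLE_FLOWS)):
        print(f'{hit["owner"]:<28} {hit["src"]} -> {hit["dst"]} '
              f'{hit["bytes"] / 1e6:6.1f} MB over {hit["flows"]} flow(s) '
              f'ports={hit["ports"]} {hit["first"]}..{hit["last"]}')
```

Run against the sample, the 48 MB sent over TLS to 203.0.113.45 and the 26 MB tunnelled to 203.0.113.90 surface as findings; the 64 MB copy to the internal file server and the 9.5 MB mail transfer do not. A real investigation would tune the threshold per host role and correlate the destination with whois or DNS data, but the point stands: volume, timing and endpoints are evidence even when the content is not available.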
IT forensics is not a new invention. Some large organisations, particularly in the financial services sector, have had dedicated forensics departments for years, investigating activity such as employee fraud. Because conventional law enforcement has lacked the expertise and resources to investigate computer crime, private organisations have had to take it upon themselves to investigate suspected IT fraud or misuse, gathering the evidence needed to take action against employees or to hand over for prosecution.
While organisations should take all the proactive action they can to investigate employee fraud or security breaches, it is human nature to do only what we have to do, not what we ought to do. It has taken compliance requirements and Windows Vista to move network forensics from an 'ought to do' to a 'have to do'.
I'm not suggesting that every organisation will soon have its own forensics department and be running network forensics in-house. For many, there simply wouldn't be the daily requirement to justify employing people with the investigative skills needed to make use of the software. In most cases, services will be provided by companies that use their own software and expertise to conduct investigations on a client's network. Persistent incidents such as security breaches, employee fraud and the abuse of HR and security policies have already led to the emergence of such services.
I anticipate that network forensics will be an area of significant investment and development for security vendors, and I wouldn't be surprised to see the few niche vendors in this area quickly acquired by larger players. The threat may be old, but the reasons for dealing with it differently are new, and that could be all it takes to make network forensics the 'next big thing'.
Biography: Simon Perry is vice president of security strategy for CA Europe

Talkback
An interesting article, and an interesting idea. Who knows, in fact, where the next "big thing" in IT is going to come from - you could be right. Or, it could be something entirely different.
One thing that this article suggests is that encryption in Vista is turned on "by default." Actually, it is not. In fact, it is not even available in most versions of Vista. Vista is available in five SKUs, only two of which support encryption (a feature known as "BitLocker", or "BitLocker Drive Encryption" - BDE). Vista Home Basic, Media Edition, and Business *do not* support BDE. Vista Enterprise and Ultimate - the two more expensive editions - do support BDE.
Also, encryption is not turned on by default. An important step during encryption involves defining the encryption and decryption keys. This cannot be done by default by someone other than the owner of the system. If it could, then that someone else would be able to gain access to the secure data - exactly what is trying to be controlled.
So - an interesting idea, that Network Forensics is the next big thing. We shall see.
Best,
Paul Yao
Utimaco Safeware, AG
Of the 4 flavours of Vista currently released, only the Ultimate edition has the BitLocker functionality enabled. This is an optional element, set up through the control panel and, upon doing so, will create 2 partitions on the hard disk; one for the OS, the second for data.
The encryption key will reside on a trusted platform module built in to some motherboards, or can be held on a removable USB storage device.
Simon is correct in advocating a network-based approach to forensics, as this is transparent to the user community and allows the forensic investigators to seize a system at the appropriate time, i.e. when the system is live and logged on, thus affording the investigator the ability to seize all component parts of the system (including attached storage media).
Jim Griffiths
Digital Forensics Practitioner
If the encrypted drives function like the Encrypted File System in Windows XP, then a network administrator can specify a third set of public keys as a data recovery key which all users have to import. This third set of keys then allow the third party owner to decrypt any of the data encrypted by their users.
I'm already using Windows Vista and I have to say I like it, I like it a lot!!
However, network forensics? I'll use point-to-point tunnels if needs be :D