Training

To fight cybercrime effectively, everyone who deals with it must be educated. This includes the criminal justice and the IT communities, as well as everyday users. Imagine what would happen to evidence if a law enforcement officer wasn’t properly trained and, as a result of his or her actions, a good portion of evidence was destroyed. Many times, the judge or jury does not understand the topics discussed or lacks the technical expertise to interpret the law. What would happen in a complex case if the jury, prosecutor, and judge did not understand computer-related evidence? More likely than not, the defendant would end up getting away with the crime.

We are faced with many scenarios where this is true, but probably none more vexing than cases involving child pornography. Child pornography issues present circumstances in which the prosecution might have to prove that a photograph is one of a real child owing to rulings on virtual pornography. Pornographic pictures and videos with images that look like children need to be evaluated to determine if the subject is a minor and whether or not the subject is real or virtual. A defendant may claim that the images are of adults or virtual children. Experts may render opinions based on experience and training. Forensic investigators may use techniques such as skin tone analysis or verification against a database of items already recognized as real. The National Center for Missing and Exploited Children (NCMEC) (http://www.missingkids.com/missingkids/servlet/PublicHomeServlet?LanguageCountry=en_US) maintains a database of real images against which law enforcement personnel can compare alleged child pornographic images for verification. A complete analysis may also include more standard forensic tasks, such as generating file listings, extracting web browser histories, processing email and text messages, manually reviewing pictures and videos, and extracting metadata. However, not all cases go to court, and the role of a forensic investigator can vary.

Before deciding what type of specific training you need, evaluate the role you want to fill so you get the most benefit. Here are common roles that can involve computer forensics:

  • Law enforcement officials
  • Legal professionals
  • Corporate human resources professionals
  • Compliance professionals
  • Security consultants providing incident response services
  • System administrators performing incident response
  • Private investigators

The next sections discuss the types of computer forensic employees in both the corporate and law enforcement worlds and the types of training available for them.

Forensic Practitioners

The following types of people and organizations sometimes hire computer forensic specialists:

  • Civil litigators can utilize personal and business computer records in cases involving fraud, divorce, and harassment.
  • Insurance companies can sometimes reduce costs by using computer evidence of possible fraud in accident, arson, and workman’s compensation cases.
  • Corporations hire computer forensic specialists to obtain evidence of embezzlement, theft, and misappropriation of trade secrets.
  • Individuals sometimes hire computer forensic specialists to support claims of wrongful termination, sexual harassment, and age discrimination.
  • Law enforcement officials sometimes require assistance in pre-search warrant preparation and post-seizure handling of computer equipment.
  • Prosecutors and defense attorneys in criminal and civil proceedings often use evidence uncovered by computer forensic specialists.
  • Criminal prosecutors use computer evidence in cases such as financial fraud, drug and embezzlement record-keeping, and child pornography.

All of these industries rely on properly trained computer forensic investigators. The following sections describe some of the training available to both corporate and law enforcement worlds. The role that you play as a computer forensic investigator will ultimately decide which type of training is right for you.

Law Enforcement

The position an individual holds in the criminal justice community dictates the type of training required. Here are some examples of the types of training needed in several professions:

  • Legislators need to understand the laws that are proposed and that they are passing.
  • Prosecuting attorneys should have training on electronic discovery and digital data, and how to properly present computer evidence in a court of law.
  • Detectives should have hands-on training in working with data discovery of all types and on various operating systems.

When law enforcement professionals are originally trained at the academy, they should receive some type of basic training on computer crime and how to investigate such crimes. Ideally, all criminal justice professionals would receive training in computer crimes, investigations, computer network technologies, and forensic investigations. Here are some ways to get the training needed to pursue a career in computer forensics:

Many local community colleges and universities offer classes in computer forensics. Law enforcement professionals can take advantage of them without having to pay the high cost of classes offered by private firms. An excellent resource for law enforcement is the International Association of Computer Investigative Specialists (IACIS), online at http://www.iacis.com/.

Corporate

Frequently, security and disaster recovery projects aren’t funded because they don’t produce revenue. An Ernst & Young annual security survey of 1,400 organizations states that only 13 percent think that spending money on IT training is a priority. This shows that training is needed not only for IT professionals but for management as well.

In the corporate world, just as in the criminal justice world, the position an individual holds in an organization dictates the type of training they need. For end users to buy into security, management must buy in first. Managers have a legal responsibility to police what is happening within their own computer systems, as demonstrated by the Sarbanes-Oxley Act. Management training is usually geared more toward compliance issues and the cost of putting preventative measures in place. IT professionals, on the other hand, need training geared more toward return on investment (ROI) in order to obtain funding for security projects and computer crime awareness, which includes new vulnerabilities. They should also be trained on applicable laws and regulations, how crimes are investigated, and how crimes are prosecuted. This training can help eliminate the reluctance that organizations have about contacting law enforcement when security breaches occur or when crimes are committed.

Education for every level of practitioner can be found on the SANS (SysAdmin, Audit, Network, Security) Web site at http://www.sans.org/security-resources.php (Figure 1-2). The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs are designed to educate security professionals, auditors, system administrators, network administrators, chief information security officers, and chief information officers.

Figure 1-2: SANS Security Resources Web site


End Users

Legislation such as Sarbanes-Oxley will not change behaviors simply because it is the law. This is like speeding. Laws against driving over the speed limit do not stop some people from speeding: Many speeders are repeat offenders. Why? It’s because certain behaviors are difficult to change. A person’s behavior is based on their principles and values. People adopt new patterns of behavior only when their old ones are no longer effective.

The goal of training is to change behavior. An effective training program helps the workforce adopt an organization’s principles and values. As already mentioned, management must be trained, buy in, and become an integral part of user education and the training process for everyone to take such training seriously. Only then will users adopt more secure behaviors.


The hardest environment to control is the end user’s environment. Training and education are vital to any organization with computer users and Internet access.

Security Awareness

malware

Another name for malicious code. This includes viruses, logic bombs (slag code or a delayed-action virus), and worms.

A network is only as strong as its weakest link. We hear this phrase time and time again. Humans are considered to be the weakest link. No matter how secure the hardware and software are, if users aren’t taught the dangers of social engineering, e-mail scams, and malware, the network can be jeopardized with a phone call or simple mouse click.

social engineering

A method of obtaining sensitive information about a company through exploitation of human nature.

Social engineering plays on human nature to carry out an attack. Which is easier, getting an employee to give you a password or running password-cracking software? Obviously, getting an employee to give you a password eliminates a lot of effort on the part of a criminal. Social engineering is hard to detect because employers have very little influence over lack of common sense or ignorance on the part of employees. That said, employee education is the best counter against ignorance. Most business environments are fast-paced and service-oriented. Human nature is trusting and often naïve.

Take this scenario as an example. A vice president calls the help desk and states that he’s in big trouble. He’s trying to present a slideshow to an important client and has forgotten his password; therefore, he can’t log onto the company Web site to make the presentation. He changed his password yesterday and can’t remember the new one. He needs it right away because he has a room full of people waiting, and he’s starting to look incompetent. The client is extremely important and could bring millions of dollars in revenue to the company. However, if the help desk staff member supplies the password as requested, without verifying that the caller is who he says he is, the help desk staff member could be giving access to an intruder.

If you think that this is an unlikely scenario, consider that in July 2010, a contest at the annual Defcon convention pitted social engineers against Fortune 500 companies. Participants in the contest had no problem getting data from Fortune 500 companies. Data that the contestants collected from employees included the operating system and service pack number they use, the e-mail client and antivirus software they use, and the name of their local wireless network.

Network World reported on this contest on July 30, 2010 (http://www.networkworld.com/news/2010/073110-how-to-steal-corporate-secrets.html). The first contestant, Wayne, was an Australian security consultant given the task to call a major U.S. company and get any data that could be used in a computer attack. From inside a soundproof booth in front of the audience, Wayne contacted an IT call center and talked with an employee. Wayne claimed to be a consultant from KPMG, an international firm that provides audit, tax, and advisory services, who was performing an audit and faced pressure from an approaching deadline. The call center employee was new and had only been with this employer for a month.

Ignoring the call center employee’s request for his employee number, Wayne immediately launched into a routine about his boss being on his back, and how he really needed to wrap up this audit. Within a few minutes, the new worker appeared willing to give out whatever information Wayne requested. The call center employee even visited a fake web page for KPMG to which Wayne directed him. At the end of the call, Wayne asked the employee what beer he preferred and promised to buy him one.

When creating a security-awareness program, organizations should keep these goals in mind:

  • Evaluate compelling issues.
  • Know laws and policies for protecting data.
  • Look at values and organizational culture.
  • Set baseline knowledge requirements.
  • Define best practices.
  • Make lasting cultural and behavioral changes.
  • Create positive approaches and methods.

For each topic in the awareness program, the two most important ideas to convey to end users and IT employees are what a potential incident looks like, and what the end user should do about it. If you need help putting together these policies, the National Institute of Standards and Technology (NIST) has some great information in its Computer Security Resource Center (CSRC) at http://csrc.nist.gov/groups/SMA/ate/ (Figure 1-3).

Figure 1-3: NIST Computer Security Resource Center Web site


All organizations that rely on computer technology or use sensitive data should have a security awareness and training program. Such a program is required by various laws for specific industries, such as the Sarbanes-Oxley Act for all publicly held companies, the Gramm-Leach-Bliley Act for financial institutions, and the Health Insurance Portability and Accountability Act for health-care entities. If you need more information on these federal security and privacy laws, see the “Corporate Concerns: Detection and Prevention” section earlier in this chapter. Many individual states also have laws that require businesses to protect sensitive personal and financial data, and to report data breaches. An effective awareness and training program can reduce an organization’s risk profile, allow earlier identification of an attack or breach, and may even prevent loss of important forensic data when an attack occurs.
