BUSINESS: THE 8TH LAYER
SNIPER FORENSICS
By Lynn Greiner
Security attacks and breaches leave clues for investigators who know why they matter.
When an organization suffers a security breach, it may react in one of several ways, assuming it knows of the breach at all. In May 2007, the CPA Journal reported that TJX Companies, parent of department store T.J. Maxx, needed 18 months to discover that hackers had been rummaging through its systems, compromising credit and debit card records from 2003 onward.
To its credit, TJX publicly disclosed what had happened and took the heat (including numerous lawsuits), but some organizations prefer to conceal the problem from the public, knowing full well the impact public disclosure would have on their business. Hapless customers then learn the hard way that their personal and/or financial information has been stolen after the bad guys make use of it, though, fortunately, many jurisdictions have now legislated full disclosure of breaches.
Regardless of whether something has indeed been swept under the corporate rug, chances are there will be significant internal effort to find and plug the cause of the leak. It is likely that the victim organization doesn’t want to risk another disaster to its public image (and probably to its share price). Such frantic efforts might lead to what Christopher E. Pogue, a senior security analyst of Trustwave SpiderLabs, calls “shotgun forensics.” In a session at the annual SecTor security conference in Toronto last October, Pogue described the technique as a haphazard, unguided approach to forensic analysis that basically tells analysts to image everything and then look for the bad stuff, which, he says, is a waste of time and energy.
1. The CERT program is part of the Software Engineering Institute (SEI), a U.S. federally funded research and development center. Following the Morris worm incident (http://en.wikipedia.org/wiki/Morris_worm), which froze 10 percent of the world’s Internet systems in November 1988, the U.S. Defense Advanced Research Projects Agency charged SEI with setting up the CERT Coordination Center to coordinate communication among experts during security emergencies and help prevent future incidents.