Incident Response Means Knowing Your Data

4:10 PM -- This morning, I gave a presentation about computer forensics and first responders to a group of university IT workers. The focus was on what to do when incidents arise and the evolution of simple incident response procedures to in-depth computer forensics. (See First on the Scene.)

Currently, most of the focus on incident response revolves around IT workers getting a system back into production as quickly as possible. But this paradigm needs to make a major shift toward understanding the impact of the compromised system on the whole enterprise. What impact will this have on our customers? Was their data exposed? Could the attacker have stolen trade secrets? These are questions incident response teams need to ask.

One attendee at the presentation asked what to do when a help desk call about a problem with slow performance leads to the discovery that the machine has been compromised. The individual was concerned that everyday help desk troubleshooting processes might affect evidence that could be used later. This is where the paradigm shift must come into play.

The IT worker responding to an incident must be aware of what data that user has access to, and whether or not the data could be stored on that machine. This can be problematic, especially when dealing with documents whose native applications write temporary files to the hard drive. If the sensitive information was in a Word document and accessed from a network share, there's a good possibility that the data is still sitting on the local hard drive, even after the document has been closed. At the very least, it could be sitting in memory for a while.

So what is a company to do? Find out where and how your sensitive data is being used! It sounds simple, but many companies find it to be a daunting task. End users often find ways to do things that IT and administration never imagined.

For example, if a husband wants to share his availability with his wife, he may decide to use an online calendar service that both can access. He might put some sensitive information in the comments or description field. In that case, he would not only be exposing the data to his wife, but online calendar applications don't usually default to SSL protection, which means the information would be available to network sniffers.

Not only must you find out where and how the data is being used, but end users must be educated about their responsibilities to keep certain types of corporate data secure -- and how that data can be used or transmitted. It's no easy task, but it could mean long-term success or short-term failure due to leaked data. Which one sounds better for your job security?

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading