By Mat Clarke, Information Security Analyst
Let’s face it, putting in place the plans and procedures needed to support a forensic breach investigation isn’t a job that is likely to end in glory (in most cases, the best outcome is that you never have to use them). Nevertheless, laying the foundations for “forensic readiness” not only improves the chances that any investigation required after an apparent Account Data Compromise (ADC) succeeds, but can also reduce the level (and therefore the impact) of any fines imposed on your business as a result of a proven breach.
But let’s back up slightly and think about why a forensic breach investigation might be required in the first place. Many different scenarios can lead to your business being pointed in the direction of a reputable forensic professional, but they usually boil down to one thing: loss of valuable data. That data can take many forms, but the data this article is specifically interested in is payment card data.
Where payment card data is lost or stolen, most businesses first hear about it from their acquiring bank, which has itself been informed by the payment card schemes. Before an ADC notification is sent, the card schemes will generally have collated fraudulent payment data (e.g. payments which cardholders have reported as not having been made by them) and used it to identify what’s called a common point of purchase (CPP), i.e. a merchant which appears within the transaction history of a significant population of fraudulently used payment cards.
If the worst happens and a forensic breach investigation is required, having plans and procedures in place can help to stop an already bad situation from getting worse. They help to facilitate swift recovery of the valuable, pertinent data forensic professionals need in order to support you in both containing and eradicating the breach. The following tips are aimed at helping you to kick-start the process of improving your levels of “forensic readiness”.
1. Start a formal policy document and assign an owner
Even at an early stage, it’s usually worth starting a formal policy document, which can be used as the blueprint for your plans and kept up-to-date with any new procedures developed, data identified or changes made during the process of readying yourselves for the possibility of future forensic work. At this stage, it’s important to assign an “owner”, i.e. someone who takes overall responsibility for the upkeep, accuracy and eventual dissemination of the policy document. This is usually someone with enough authority within the business to enforce changes and/or commit resources (financial or human) to the project.
2. Work out what types of valuable information you keep
This stage is absolutely key to the process and shouldn’t be skipped over. At its essence, this stage is a fact-finding mission with the overall goal of identifying what types of valuable information you might hold as a business, for example payment card information, names and addresses, dates of birth and so on. Once complete, you should not only know what types of valuable information you hold, but also where, why and how it’s stored. Setting aside forensic investigations for a second, this information will also help you to comply with laws governing the protection of personal data.
3. Think about how the valuable information you hold could be at risk
Once you’ve identified the types of valuable information you hold, the next step is to spend time thinking about how that information could be lost or stolen. Scenarios will vary from one business to another, so it’s important to assess potential threats to the security of your data in relation to your own environments, systems and processes. This is key to identifying how a malicious actor (internal or external) could get their hands on the information you least want to lose.
Examples to think about include a potential breach of your website, malware (malicious software) being installed within your computer network or even hard drives containing information being physically stolen from your premises.
4. Determine what information you need to start storing to help protect your valuable data
Once you’ve identified what information is important to you, where it’s stored and how it’s likely to be targeted, you need to start paying specific attention to the types of information you will need to collect and preserve in order to aid a forensic investigation.
Depending on the types of breach scenario you identified in step 3, there will be a range of evidence gathering techniques which you will need to employ within your physical environment(s) and computer network(s). Examples of these include:
- Logging of website/web server activity
- Records from CCTV and/or access control within environments storing valuable data
- Logging of internal network activity (especially involving machines storing high-risk data)
- Logging of database activity
- Logging of access requests (successful and failed)
- Logging of privilege escalation, i.e. a user’s rights and permissions being upgraded
Whatever you collect, make sure every source stamps events with a synchronised clock (including the time zone) so that entries from different systems can be lined up against each other, and keep logs for long enough to cover the gap between a compromise and the ADC notification, which can be many months. If in doubt, it’s worth consulting with a qualified security specialist in order to help you identify what to implement and how best to achieve it. Often, a good way to check that you’re recording the right information is to run a few “test” scenarios, using some of the methodologies you thought about in step 3, and then confirm that each one left the trail you would expect in the logs.
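The kind of check described above, written out as an added example (not code from the original article): a test scenario from step 3 is expressed as a list of traces it should leave in each log source, the sample logs are parsed into one time-ordered view, and any expected trace that is missing, or any source that is not being collected at all, is reported as a gap. All hosts, users, addresses and log lines are constructed for illustration; the database source is deliberately absent to show how an uncollected source shows up.

```python
"""Evidence-coverage check for one forensic-readiness test scenario.

Added example, not part of the original article. All hosts, users,
addresses and log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Constructed sample evidence as it might be shipped to a central log store:
# rsyslog-style lines with ISO 8601 timestamps (year and time zone included),
# and web server access lines in Apache/nginx "combined" format.
AUTH_LOG = """\
2024-03-03T10:14:02+00:00 web01 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51022 ssh2
2024-03-03T10:15:40+00:00 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup
2024-03-03T10:15:40+00:00 web01 usermod[2250]: add 'svc_backup' to group 'sudo'
"""
ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2024:10:13:55 +0000] "POST /admin/login HTTP/1.1" 302 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:10:13:58 +0000] "GET /admin/export?table=cards HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
"""
# Deliberately no "db" source: database query logging was never switched on.
SOURCES = {"auth": AUTH_LOG, "web": ACCESS_LOG}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse_line(source, line):
    """Normalise one raw line into {ts, host, text}; None if it does not parse."""
    if source == "auth":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "text": f"{m['proc']}: {m['msg']}"}
    if source == "web":
        m = ACCESS_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "host": m["ip"],
                "text": f"{m['req']} {m['status']}"}
    return None


# One scenario from step 3: a stolen admin credential used against the website,
# then privilege escalation on the web host and a bulk read of card data.
# Each expectation names the source it should appear in and the pattern an
# examiner would search for.
SCENARIO = {
    "name": "web admin takeover, then privilege escalation and bulk export",
    "window": (datetime(2024, 3, 3, 10, 10, tzinfo=timezone.utc),
               datetime(2024, 3, 3, 10, 20, tzinfo=timezone.utc)),
    "expect": [
        ("web", r"POST /admin/login"),
        ("web", r"GET /admin/export"),
        ("auth", r"Accepted (password|publickey)"),
        ("auth", r"COMMAND=.*usermod"),
        ("db", r"SELECT .* FROM cards"),
    ],
}


def events_in_window(sources, window):
    """Parse every source and keep only events inside the scenario window."""
    start, end = window
    out = {}
    for name, raw in sources.items():
        parsed = (parse_line(name, line) for line in raw.splitlines() if line.strip())
        out[name] = [e for e in parsed if e and start <= e["ts"] <= end]
    return out


def check_coverage(scenario, sources):
    """Return a list of gaps; an empty list means every expected trace was found."""
    events = events_in_window(sources, scenario["window"])
    gaps = []
    for src, pattern in scenario["expect"]:
        if src not in events:
            gaps.append(f"{src}: source not collected at all")
        elif not any(re.search(pattern, e["text"]) for e in events[src]):
            gaps.append(f"{src}: no event matching /{pattern}/ inside window")
    return gaps


def timeline(sources, window):
    """Merge all sources into one time-ordered view, as an examiner would."""
    merged = [(e["ts"], src, e["host"], e["text"])
              for src, evs in events_in_window(sources, window).items() for e in evs]
    return sorted(merged)


if __name__ == "__main__":
    for ts, src, host, text in timeline(SOURCES, SCENARIO["window"]):
        print(ts.isoformat(), src, host, text)
    for gap in check_coverage(SCENARIO, SOURCES):
        print("GAP:", gap)
```

Run as-is, the only gap reported is the missing database log, which is exactly the sort of finding this exercise is meant to surface before a real investigation does. Shifting the export request outside the window, or dropping the web source entirely, produces the corresponding gaps, so the same script doubles as a check that timestamps and retention across sources actually line up.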
5. Take measures to protect the information you store
Protecting the valuable information you hold is of paramount importance and in the case of payment card data, ensuring that your systems and processes comply with the PCI DSS is a great way to start achieving this. However, this step is focussed more on protecting the types of information you started to store using the processes set-up in step 4.
Essentially, you’ll need to think about how logs, CCTV records, access records and so on are securely stored and handled by employees. If the information is not readily available to a forensic examiner, or even worse, has been modified, lost or destroyed, then any required investigation could take a lot longer or even be impossible in some cases. The usual pattern is to ship logs promptly to a central store that the monitored systems can only write to, so that an attacker who gains control of a server cannot quietly edit or delete its local logs. Access to information created as a result of any logging or tracking activities you undertake should be restricted to those processes and people with a specific need for it, and the information should be included within any backup schedule or contingency plans you have in place.
6. If the worst happens, act promptly and carefully!
Finally, if the worst happens and you’ve received notification that your business has likely been breached in some way, then ensure every step you take afterwards is a careful one. In most cases, unless you have suitably qualified personnel on your books, the recommended first step is to contact a professional. In the case of lost or stolen payment card information, for example, you’ll be required to engage a PFI (PCI Forensic Investigator) company in order to kick-start an investigation.
If changes to your computer network or physical environment prior to the investigation are unavoidable for some reason, e.g. to prevent further data exposure or to stop an attack spreading, then ensure that any changes made are logged with as much information as possible (e.g. type of change, name of the individual making the change, time/date). Avoid anything that destroys evidence, such as rebuilding, re-imaging or restoring affected systems from backup, until the investigator has taken forensic copies. A careful record of changes is extremely important to a forensic investigator, as it will help them to piece together the jigsaw whilst working to identify the cause and impact of the potential breach.
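One way to meet both step 5 (logs and other evidence must not be quietly modified or lost) and the change record step 6 asks for, as an added example that is not code from the original article: an append-only record in which every entry carries the MAC of the previous entry, so an edit, deletion or reordering anywhere is detectable when the file is handed to the examiner. The key, entry contents, names and timestamps are hypothetical; the assumption is that the HMAC key is held by the policy owner or the forensic team, not by the people or systems writing entries.

```python
"""Tamper-evident evidence and change record.

Added example, not from the original article. It stores what you will hand to
a forensic examiner (copied logs, collected items, and the containment changes
step 6 asks you to record) as an append-only, hash-chained list of entries,
each authenticated with an HMAC. Names, keys and entries are hypothetical.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous MAC" of the very first entry


def _mac(key, entry):
    """HMAC-SHA256 over every field except the MAC itself, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class EvidenceLog:
    """Append-only record. Each entry carries the MAC of the one before it, so an
    edit, deletion or reordering breaks the chain from that point on. The key
    must live where the systems and staff writing entries cannot read it
    (assumption: held by the policy owner or the forensic team)."""

    def __init__(self, key, entries=None):
        self.key = key
        self.entries = list(entries or [])

    def append(self, kind, actor, detail, ts=None):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "kind": kind,      # e.g. "change" (containment action) or "evidence" (item collected)
            "actor": actor,    # who did it
            "detail": detail,  # what exactly was done or collected
            "prev": prev,
        }
        entry["mac"] = _mac(self.key, entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the record is intact."""
        problems = []
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i:
                problems.append(f"seq {i}: sequence number is {e.get('seq')} (entry removed or reordered)")
            if e.get("prev") != expected_prev:
                problems.append(f"seq {i}: chain broken (prev does not match entry {i - 1})")
            if not hmac.compare_digest(e.get("mac", ""), _mac(self.key, e)):
                problems.append(f"seq {i}: MAC mismatch (content altered or key unknown)")
            expected_prev = e.get("mac", "")
        return problems

    def to_jsonl(self):
        """Serialise for hand-over: one JSON object per line."""
        return "".join(json.dumps(e, sort_keys=True) + "\n" for e in self.entries)

    @classmethod
    def from_jsonl(cls, key, text):
        return cls(key, [json.loads(line) for line in text.splitlines() if line.strip()])


def build_sample_log(key):
    """Constructed entries from a hypothetical containment effort (fixed timestamps)."""
    log = EvidenceLog(key)
    log.append("change", "j.smith", "Blocked 203.0.113.7 at the border firewall",
               ts="2024-03-03T11:02:00+00:00")
    log.append("change", "j.smith", "Moved web01 off the card-data VLAN (switch port Gi1/0/12)",
               ts="2024-03-03T11:05:30+00:00")
    log.append("evidence", "a.jones", "Copied /var/log/auth.log from web01 to the evidence share",
               ts="2024-03-03T11:10:00+00:00")
    return log


if __name__ == "__main__":
    key = b"hypothetical-key-held-by-the-policy-owner"
    log = build_sample_log(key)
    handed_over = EvidenceLog.from_jsonl(key, log.to_jsonl())
    print("intact:", handed_over.verify() == [])
    handed_over.entries[1]["detail"] = "Moved web01 off the card-data VLAN"  # a quiet edit
    print("after edit:", handed_over.verify())
```

The chain detects alteration after the fact; it does not prevent it, so it complements rather than replaces restricted access and backups. Someone with the key could of course rewrite the whole record consistently, which is why the key should not be available on the systems under investigation or to the people making the changes.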