Corporate Forensics - OMG!  

whitecap
(@whitecap)
New Member

Is it just me or is it a pain setting up Computer Forensics in the corporate environment? After (too) many years in LE I took the plunge and followed the money into the corporate world. Now before I start just let me say I AM enjoying it but feel incredibly frustrated!

So, main gripes

Everything happens so sloooooowly! - In LE if it needed doing it was done, no ifs, no buts.

The lack of teamwork. - Do I need to say more?

How many times do I have to say…….? - Getting sick of telling Directors/Managers why we HAVE to introduce evidence handling procedures.

Obstructive IT departments/managers! - What is it, are they jealous of the fact that someone who has lived/worked in the real world, (as opposed to university), is accessing THEIR network!

Trying to explain…..! - Why, after the company has invested LARGE sums of money in a forensics package do I have to continually justify the purchase of equipment to ACTUALLY CARRY OUT INVESTIGATIONS!…..Ahhh I know, nobody asked anyone with forensics experience to actually spec the purchase, it was left to the IT department.

And….of being told, all the time, don't worry about 'forensicy stuff' it'll never go to court/tribunal/anything!

Anyone else with similar experiences?

Posted : 05/03/2007 5:47 pm
deckard
(@deckard)
Member

Well…..
Welcome to the world of corporate. What you are describing is fairly typical. It's a jump that keeps a lot of ex LE guys from functioning well in the corporate environment, not just in CF but in security and PI as well.

The primary goal of LE is to enforce law as well as do things that make the public feel safe. The primary goal of the corporate world is profit and shareholder happiness.

When a private concern has an incident, profit considerations will rule the response. Same with planning, staffing and outfitting the CF dept.

CF is seen in most cases as a necessary evil that is required by compliance issues, not as a moral or enforcement tool of policy. The guys in charge want to fix the problem, get all systems back in operation, keep from having expenses, maximize revenue and handle any employee issues quietly without LE involvement. And yes, most if not all corp CF issues will never end up in any kind of court, by choice of mgmt.

FWIW, that has been my long term experience working as a consultant to corps in CF and IR.

Posted : 05/03/2007 7:11 pm
Jamie
(@jamie)
Community Legend

I'll second most of that (on the corporate side). Any regrets, whitecap?

Jamie

Posted : 05/03/2007 7:34 pm
keydet89
(@keydet89)
Community Legend

Whitecap,

It appears that while you've physically made the move to corporate, you still need to change your mindset, as well.

In the corporate arena, there is no "you must do this"…in some cases, even if the CEO says this, it still isn't the case. The requirement is often things like profits, or other external factors such as Visa PCI, potential for (negative) public exposure, fines, etc. Regulatory organizations and compliance issues play a big part, too.

Good luck,

H

Posted : 05/03/2007 8:11 pm
AndyFox
(@andyfox)
Junior Member

Hi Whitecap

Good topic - most of our business comes from LE but we are slowly doing more corporate work but the issue we find is that companies don't really want to admit they have a problem and there are two reasons for this. If they are a big company then forensics is all about damage limitation - eg theft of data, databases, dox etc - they don't want to be seen to have a problem - the second is that if they have been defrauded through ecommerce or hackers etc then they don't want to have to admit to have to spend more money on new or upgraded security.

I always look at the UK banking industry as the example - fraudulent activity costs UK banks well over £250 million per year but, unfortunately this isn't enough for them to lose. The technology is available to wipe out fraud it's just that the costs of installing/rolling out + the fraud bill is just too small for the banks to get enough of a financial benefit back. Eg if they are only going to save £300 million and new systems cost £50 million then to them there is really no point when they are making £10 billion worth of profit anyway - you get my drift?

Posted : 05/03/2007 8:58 pm
whitecap
(@whitecap)
New Member

Thanks for the replies guys,

Guess I am just having a bad day today! I appreciate the business reasons for not taking things to court/tribunals but this, (IMHO), does not mean that we should not apply similar procedures to those used in LE. After all, how embarrassing will it be to stand in front of a tribunal/judge, shrug your shoulders and explain why the evidence requested is not available. I think it was $23 million that that explanation cost UBS.

No Jamie, no regrets at all, it was time to move on.

Oh well………once more into the breach!!

Posted : 05/03/2007 9:25 pm
AndyFox
(@andyfox)
Junior Member

I don't think anyone is saying apply alternative procedures or process, it's just the buy-in from the client is where the problem is.

Posted : 05/03/2007 9:35 pm
deckard
(@deckard)
Member

I'll back up what Andy says. I turn down many engagements because the potential client wants me to compromise good forensic procedure. They have a right to not do it the right way, but I have a right NOT to do it that way. I too understand their profit and PR motives, and applaud their right to hold them, but if I compromise for them every opposing attorney in the land would bring that up at my next court appearance bringing into question my methodologies.

Bill

Posted : 05/03/2007 9:49 pm
keydet89
(@keydet89)
Community Legend

> I appreciate the business reasons for not taking things to court/tribunals but
> this, (IMHO), does not mean that we should not apply similar procedures to
> those used in LE.

There's no reason to not follow the standards for such investigations, but not every investigation in a corporate environment is going to require that level of investigation.

One thing that many LE investigations do not address is a live response.

Harlan

Posted : 05/03/2007 10:46 pm
hogfly
(@hogfly)
Active Member

Corporate forensics is all about operations. Rarely do companies worry about prosecution. It's about meeting business need, getting the company back on line and making money. It's not so much about the procedure as it is about results for companies, unless they are threatened by a government agency or compliance requirements. Investigations will generally only go so far as to identify how much money was lost and how bad the damage is.

In my experiences I've been asked to do several things
I've been asked to destroy evidence
I've been asked to lie
I've been asked to ignore data
I've been asked to not do certain things that would otherwise make the client look bad.

Welcome to corporate forensics and incident response.

Posted : 05/03/2007 10:57 pm
keydet89
(@keydet89)
Community Legend

> Rarely do companies worry about prosecution

Much of the reason for this is public disclosure…going to court over something like this means that information about a breach or incident will be made public.

Posted : 05/03/2007 11:10 pm
deckard
(@deckard)
Member

and I believe that live response COULD help alleviate some of the corporate anxiety about loss of productivity/profit and get at least some results that could lead to more than just "patch, erase, reformat and reinstall" mentality that often rules our world

Posted : 05/03/2007 11:41 pm
whitecap
(@whitecap)
New Member

> In my experiences I've been asked to do several things
> I've been asked to destroy evidence
> I've been asked to lie
> I've been asked to ignore data

Been in this post for 4 weeks and I have already run into this! Fortunately my post is not incident response but pure investigations. I can see a time where I will be 'asked' to manage the IT Sec responses but thankfully this is not my main AOR.

> There's no reason to not follow the standards for such investigations, but not every investigation in a corporate environment is going to require that level of investigation.

Agreed, not all will and for that I am thankful. If I had to do every investigation to that level, (700+ last year), I would soon burn out.

Guys I thank you for your time and words of corporate wisdom :D

Posted : 05/03/2007 11:46 pm
hogfly
(@hogfly)
Active Member

> Been in this post for 4 weeks and I have already run into this! Fortunately my post is not incident response but pure investigations. I can see a time where I will be 'asked' to manage the IT Sec responses but thankfully this is not my main AOR.

You know it seems like ethics is something that's always forgotten in the face of financial loss. Seeing it 4 weeks in to your post is kind of amazing.

Posted : 06/03/2007 12:09 am
farrahyde
(@farrahyde)
New Member

Educate, consult, even give a presentation if you have to.
I'm faced with a similar situation on a regular basis, and for the most part my clients show a blank expression and a big question mark when the words computer and forensics come out in the same sentence. (Maybe it's still too early for this small but growing region.) Nobody wants to admit they've been compromised. If they do admit it.. after some prodding and an absurd amount of explaining, they want it kept as quiet as possible.
I suppose this is what some people would call a "tough crowd".

Posted : 06/03/2007 12:21 am