> Rarely do companies worry about prosecution
Much of the reason for this is public disclosure…going to court over something like this means that information about a breach or incident will be made public.
and I believe that live response COULD help alleviate some of the corporate anxiety aboutr loss of productivity/profit and get at least some results that could lead to morte than just "patch, erase, reformat and reinstall" mentality that often rules our world
In my experiences I've been asked to do several things
I've been asked to destroy evidence
I've been asked to lie
I've been asked to ignore data
Been in this post for 4 weeks and I have already run into this! Fortunately my post is not incident response but pure invesigations. I can see a time where I will be 'asked' to manage the IT Sec responses but thankfully this is not my main AOR.
There's no reason to not follow the standards for such investigations, but not every investigation in a corporate environment is going to require that level of investigation.
Agreed, not all will and for that I am thankful. If I had to do every investigation to that level, (700+ last year), I would soon burn out.
Guys I thank you for your time and words of corporate wisdom D
Been in this post for 4 weeks and I have already run into this! Fortunately my post is not incident response but pure invesigations. I can see a time where I will be 'asked' to manage the IT Sec responses but thankfully this is not my main AOR.
You know it seems like ethics is something that's always forgotten in the face of financial loss. Seeing it 4 weeks in to your post is kind of amazing.
Educate, consult, even give a presentation if you have to.
I'm faced with similar situation on a regular basis, and for the most part my clients show a blank expression and a big question mark when the words computer and forensics come out in the same sentence. (Maybe it's still too early for this small but growing region.) Nobody wants to admit they've been compromised. If they do admit it.. after some prodding and a absurd amount of explaining, they want it kept quiet as possible.
I suppose this is what some people would call a "tough crowd".
> and I believe that live response COULD help alleviate some of the corporate anxiety
You're right. Many times when I've responded and the client has already "investigated" or shut the system down, I'm _then_ asked, "was any sensitive data leaving the infrastructure?" Issues like theft of intellectual capital, theft of sensitive data (requiring notification per HIPAA, FISMA, SB1386, Visa PCI, etc) are hot points for corporations.
You know it seems like ethics is something that's always forgotten in the face of financial loss. Seeing it 4 weeks in to your post is kind of amazing.
LOL came up in my arrival interview……needless to say I soon put my interviewer right. Integrity is paramount to me, may be wrong but…. (
As many folks have already stated, what whitecap is experiencing is fairly common in corporate environments…
One approach that has worked on occasion is to explain computer forensics from the perspective of risk management. Since the concept of risk management is something a fair number of CxOs (CIO/CEO/etc.) are familiar with, it might be easier for them to relate.
You mentioned resistance from IT managers / departments / etc. Think back to your law enforcement days, did you ever deal with a person who was less than forthcoming? I've dealt with corporate employees who feel that "forensics" and "investigation" groups are the equivalent of corporate law enforcement, since you only see them when something goes wrong. There are a number of things you can do to help reduce this friction. For instance, one organization I worked at had the infosec group (which also handled computer forensics) do a 15 minute presentation at every new hire orientation. Other things included recognizing system administrators who had done something good (e.g. reported an incident, been particularly helpful with an investigation, etc.) by way of a monthly lunch, the occasional "good job" in front of their group, etc. Perhaps nothing will completely eliminate this friction, but making sure you have upper management agree that this type of resistance shouldn't happen goes a long way.
I'm not sure how to handle the lack of teamwork issue, as this really is specific to the particular team. People tend to bond during high stress situations, so the next major incident may help this, but it could also cause the team to crumble. Perhaps working with your manager to try and determine how to increase the sense of "team" would be a good start.
One thing you'll likely have to work hard against are common misconceptions about the legal system. This is perhaps one of the most recurring themes I've seen across a number of corporations.
Today I wrote a new segment of my blog about live forensics and corporate responsibility in performing them. Depending on a companies business they may have a moral and societal responsibility to perform such analysis not just even a compliance issue.
It has to be approached from a bottom line oriented solution to their problems.
> Depending on a companies business they may have a moral and societal
> responsibility to perform such analysis not just even a compliance issue.
How do you convince these companies of this?