With cyber attacks rising across every industry daily, IT managers in the non-profit sector must do more than just deploy defensive measures. Take the offensive and outfit the IT department with low-cost computer forensic capabilities to help fight cyber crime.

Defense Is Only Half the Equation

Most IT managers install firewalls, Intrusion Detection Systems (IDSs), and other countermeasures to prevent attacks on their infrastructure. These security tools, however, lack the ability to properly analyze and document the security breach so that it can withstand the scrutiny of litigation and help to prosecute the perpetrator of a cyber crime.

A complete security strategy includes a strong offense. Computer forensics is the systematic identification, collection, documentation, and analysis of criminal evidence housed in computer systems. This includes everything from data contained on personal computers and networks, to information on portable devices like cell phones and PDAs. Strong computer forensics practices coupled with good defensive countermeasures leads to successful litigation of cyber crimes.

Scarce Resources Makes Computer Forensics Difficult

Non-profit and other governmental agencies have tight budgets and other restrictions. With resources dwindling and cyber attacks increasing, IT managers in these organizations are fighting an uphill battle on the security front. There are two main challenges facing these organizations:

• Personnel. Obtaining the right people with the right skills means acquiring a highly marketable resource through consultancies or via in-house training. Either option is expensive - a significant barrier that prevents most non-profits from implementing computer forensics.
• Data currency. This is even more critical than personnel. The data that is important to the prosecution of the case must be collected intact and remain untainted. Fortunately, this is achievable by establishing proper security breach reporting policies and procedures.

Recommendations

1.Focus on policy and procedure first, personnel later. In the event of criminal activity, the primary goal is to preserve evidence. This requires robust reporting and documentation procedures. Personnel trained in computer forensic techniques are important in helping analyze the documentation.

-Identify and call the appropriate authorities when a security breach is detected. Law enforcement agencies are adding fully trained computer forensic experts to their staff. Info-Tech Advisor subscribers can read "Cybercrime: When Do You Call in the Fuzz?" for more information on when and how to contact local law enforcement.

2.Create a toolkit with free, open-source forensic tools. There are a number of freely available open-source computer forensic tools. Open-source computer forensics software may have a stronger legal footing than their closed source cousins because their operation can be independently verified by impartial third parties. These tools allow cash-strapped agencies to provide solid forensic support without requiring full-time staff.

3.Document everything. Comprehensive policies and procedures will take a significant amount of time. Establishing the rule of writing down all investigative actions taken, including reasons, methods, locations, and times, will help create a written record of the "chain of custody" of the data. Err on the side of too much documentation.

4. Develop a six-step security breach response plan. A response plan should already exist as part of the organization's Disaster Recovery Plan (DRP). If this is missing from the DRP, then enlist senior management and legal counsel to help draft a response plan. Procedures to document in the response plan include:

• How to determine the nature of the breach.
• How to identify the number and location of affected resources.
• How to determine the extent of damage to corporate resources, customers, and partners.
• How to isolate the affected resources and users from the production environment.
• How to communicate that a security breach has occurred.
• How to contain the breach and limit the damage to the IT infrastructure.

5.  Use NIST guidelines to bolster response capabilities. The NIST guidelines are part of a comprehensive report that provides recommendations on computer security incident response. Read the McLean Report research note "NIST Beefs Up Government Incident Response" for a summary of guidelines and for further information on how to integrate these recommendations into the organization's computer forensics strategy.

Bottom Line

IT managers in non-profit organizations should add an offensive element to their security strategy by including computer forensic data collection techniques in their security arsenal.