Enterprise Forensics and e-Discovery
B. Ramani, Addl. Director
Resource Centre for Cyber Forensics

Presentation Overview
• About C-DAC
• Current Threat Landscape
• Enterprise Forensics and E-Discovery
• C-DAC’s Enterprise Forensics System
• Q & A
National Coverage
• C-DAC, Pune
• C-DAC, Bangalore
• C-DAC, Delhi
• C-DAC, Hyderabad
• C-DAC, Mumbai
• C-DAC, Chennai
• C-DAC, Kolkata
• C-DAC, Mohali
• C-DAC, Noida
• C-DAC, Trivandrum
C-DAC Trivandrum
An ISO 9001-2000 certified premier R&D institution involved in the design, development and deployment of world-class electronic and IT solutions for economic and human advancement, under the Department of Information Technology, Government of India.
• Established in 1974 as Keltron R&D Center; taken over by GoI in 1988; formerly known as ERDCI
• Work force of 800+

Areas of Research
• Control & Instrumentation
• Power Electronics
• Broadcast & Communications
• Strategic Electronics
• ASIC Design
• Cyber Forensics
Resource Centre for Cyber Forensics
The Resource Centre for Cyber Forensics (RCCF) is the premier centre for cyber forensics in India. It was set up in C-DAC, Thiruvananthapuram by the Ministry of Communications and Information Technology and has been functioning for the past three years. The primary objectives of RCCF are:
• Develop cyber forensics tools based on requirements from Law Enforcement Agencies (LEA)
• Carry out advanced research in cyber forensics
• Provide technical support to LEA

Current Threat Landscape
E-Commerce Today
• Practically every organization and every network-connected user is engaged in some form of e-commerce
• Some of the categories are:
  – Consumer e-commerce (web stores and auctions), digital products (software downloads), content, back-end systems (payment, catalogues), B2B commerce, trading networks, and advertising
  – Communications systems (email) and social networking sites are also getting into e-commerce

E-Commerce Growth (chart; source: Forrester Research Survey)
Current Cyber Crime Threats
• Malware
• Botnets
• Cyber warfare
• Threats to VoIP and mobile devices
• The evolving cyber crime economy
Prime motivation for cyber crime: data!
Source: Georgia Tech Information Security Center
25-Sep-14 Resource Centre for Cyber Forensics 10

Major Security Concerns
• Threats and criminals are becoming faster, smarter and more covert
• Criminals are exploiting vulnerabilities along the entire Web ecosystem to gain control of computers and networks
• “Invisible threats” (such as hard-to-detect infections of legitimate websites) are making common sense and many traditional security solutions ineffective
Source: Cisco Annual Security Report 2008
Malware for financial fraud
• Infostealer malware
  – Banking Trojans
  – Keyloggers (form grabbing)
  – Remote login websites
• Botnets
  – Spam
  – Hosting phishing websites, malware
  – Operation of infected systems
• Automated attack toolkits
  – Propagation of malware
  – Stealing information
• Automated phishing/fraud toolkits

What is Typically Stolen
• User IDs
• Passwords
• Credit card numbers
• Bank account details
• Personal Identification Numbers
• Social Security Numbers
• Email ids
Security Issues in Banking
• ReadiMinds, a specialist transactional security & fraud prevention software company, recently conducted a survey on 'State of Online Security in Financial Institutions in India - 2008'. Respondents represented a cross-section of India's top 40 banks. The study primarily focused on issues pertaining to online identity theft and online financial fraud. Key findings of this survey:
  – 30% of banks reported having been victims of identity theft during the last one year.
  – 30% of banks reported having been victims of phishing during the last one year. (The figure for Asian banks is 25%.)

Need of the Hour
Enterprises must have a procedural and technical infrastructure in place to respond immediately to computer-related security breaches and to investigate malicious activity and employee misconduct.
An enterprise investigation solution with incident response capability is required for a complete security solution. This solution has to bring computer forensic technology to the enterprise along with incident response and investigation capability: an Enterprise Forensics and E-Discovery solution.

Enterprise Forensics
Enterprise Forensics - Advantages
• Enterprise forensics provides very effective monitoring of networked computers. The actions allowed on remote machines can be configured and monitored from a server. Any nefarious activity on the monitored machines is immediately tracked, and the necessary actions to counter it can be initiated automatically.
• Securely investigate/analyze many machines simultaneously over the LAN/WAN at the disk and memory level.
• Acquire data in a forensically sound manner.
• Limit incident impact and eliminate system downtime with immediate response capabilities.
• Investigate and analyze multiple platforms using a single tool.
• Efficiently collect only potentially relevant data upon request.

Enterprise Forensics - Advantages
• Proactively audit large groups of machines for sensitive or classified information, as well as unauthorized processes and network connections.
• Identify fraud, security events and employee integrity issues wherever they are taking place and investigate/remediate immediately without alerting targets.
• Identify and remediate events, injected DLLs, rootkits and hidden/rogue processes.
E-Discovery
Required to enforce legal holds and to automatically search, identify, collect, preserve and process electronically stored information across the network.
E-discovery allows investigators to search for and collect relevant Electronically Stored Information (ESI) across the network without disruption, and preserves the ESI. It also helps in avoiding over-collection of information.

E-Discovery Advantages
• Highly scalable
• Operates from a central location, with no disruption to end-users
• Highly flexible, automated search & collection based on:
  – File type (e.g., .doc, .xls, .ppt)
  – Key words (target specific content)
  – Metadata (created, last-written/last-accessed times etc.)
  – Patterns (e.g., social security or credit card numbers)
  – Hash values (i.e., “digital fingerprints”)
  – Custodians (by user name or SID)
  – Foreign language support (Unicode & code pages)
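As an added example (not C-DAC's code and not the ESI tool described here), the Python below applies four of the search criteria listed above, file type, key words, hash values and credit-card-like patterns with a Luhn check, to a constructed set of custodian files and collects only the files that match, which is the over-collection point made on the previous slide. File names, contents and the flagged hash are all constructed sample values.

```python
import hashlib
import os
import re

# Added illustration, not C-DAC's code: an e-discovery collection filter applying
# the slide's criteria (file type, keywords, hash values, card-number patterns).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum so random 16-digit strings are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(name, data, file_types, keywords, known_hashes):
    """Return the criteria one file matches; an empty list means 'do not collect'."""
    reasons = []
    if os.path.splitext(name)[1].lower() in file_types:
        reasons.append("file_type")
    if hashlib.sha256(data).hexdigest() in known_hashes:  # digital-fingerprint match
        reasons.append("hash")
    text = data.decode("utf-8", "ignore").lower()
    if any(k.lower() in text for k in keywords):
        reasons.append("keyword")
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(text)):
        reasons.append("pattern")
    return reasons

def collect(files, file_types=(), keywords=(), known_hashes=()):
    """files: {name: bytes} as read from a custodian's machine; returns only matches."""
    hits = {}
    for name, data in files.items():
        reasons = classify(name, data, file_types, keywords, known_hashes)
        if reasons:  # collect only potentially relevant data, avoiding over-collection
            hits[name] = reasons
    return hits

# Constructed sample files standing in for a custodian's share (not real evidence).
SAMPLES = {"contract.doc": b"Agreement with ACME Corp, see project Falcon",
           "notes.txt": b"Project Falcon budget, card 4111 1111 1111 1111",
           "random.txt": b"ticket 1234 5678 9012 3456 is not a card number",
           "image.bin": b"\x00\x01\x02"}

def demo():
    flagged = hashlib.sha256(SAMPLES["image.bin"]).hexdigest()
    return collect(SAMPLES, (".doc",), ("falcon",), (flagged,))
```

Note that random.txt is not collected: it contains sixteen digits, but they fail the Luhn check, which is what keeps the pattern criterion from over-collecting.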
C-DAC’s Enterprise Forensics Solution

Enterprise Forensic System
• Policy Auditing
• Security Monitoring
• Forensics Analysis

Enterprise Forensic System
• ESFA – Enterprise Security Forensics Application
• ESMA – Enterprise Security Monitoring Application
• ESPA – Enterprise Security Policy Auditing Application

Enterprise Forensic System (architecture diagram): Cyber Forensics Analysts, Users with Agents, Authentication Server, ESMA, ESPA, ESFA, Domain Admin, Chief Information Security Officer, Digital Evidence Store
Enterprise Forensic System
TEAMS – Transparent Enterprise Activity Monitoring Solution
Enterprise Forensic System (ESFA)
• Forensic analysis of enterprise machines
  – Windows, Linux, Unix, Sun Solaris, Mac
  – Oracle/MS SQL
• Remote preview of computers
• Remote acquisition of evidence
• Remote desktop monitoring
• Snapshot of remote machines

Enterprise Forensic System (ESFA)
• Secure data transfer during acquisition
• Secure storage for digital evidence with encryption
• Report generation with time stamping
• Hashing using MD5/SHA
• Support for multiple image file formats
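As an added example (not part of the ESFA product), the Python below records the MD5 and SHA-256 of an acquired image in a UTC time-stamped manifest and later re-verifies a copy, showing how a single changed byte is caught by both digests. The image bytes, image id and examiner id are constructed placeholders.

```python
import hashlib
from datetime import datetime, timezone

# Added illustration, not ESFA code: an acquisition manifest holding the MD5 and
# SHA-256 of an acquired image with a UTC time stamp, plus a verifier that
# re-hashes a copy to confirm it is still the evidence that was acquired.

def hash_image(data, chunk=1 << 16):
    """Hash in fixed-size chunks; for a real image, feed f.read(chunk) the same way."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), chunk):
        md5.update(data[i:i + chunk])
        sha.update(data[i:i + chunk])
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def make_manifest(image_id, data, examiner):
    """Record written alongside the image at acquisition time (time-stamped report)."""
    return {"image": image_id, "examiner": examiner, "size": len(data),
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            **hash_image(data)}

def verify(manifest, data):
    """Return (ok, detail); a single changed byte fails both digests."""
    if len(data) != manifest["size"]:
        return False, "size mismatch"
    now = hash_image(data)
    for alg in ("md5", "sha256"):
        if now[alg] != manifest[alg]:
            return False, f"{alg} mismatch"
    return True, "image matches manifest"

# Constructed stand-in for an acquired disk image and examiner id (not real evidence).
IMAGE = bytes(range(256)) * 1000
MANIFEST = make_manifest("host17-sda.dd", IMAGE, "examiner-01")

def tamper_check():
    """Flip one byte in a copy and confirm the original passes while the copy fails."""
    altered = bytearray(IMAGE)
    altered[12345] ^= 0x01
    return verify(MANIFEST, IMAGE)[0], verify(MANIFEST, bytes(altered))[0]
```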
Enterprise Forensic System (ESFA)
• Preview of unallocated space and deleted files
• Multiple analyses of a single image file
• Computer incident response
• Acquisition of live memory
• Analysis of processes
• Analysis of logs
Enterprise Forensic System (ESMA) (network diagram): Servers, Packet Capture Controller, Packet Capture System, Backbone switch, Network TAP, Packet Capture Systems, Firewall, Distribution switch, Port-mirrored switch, Packet Storage

Enterprise Forensic System (ESMA)
• Traffic pattern analysis
• Traffic filtering
• Detection of mangled packets
• Ability to dissect and analyze protocols
• Report generation
• Logging facility
  – Packet logging
  – Session logging
  – File logging
  – Traffic logging
  – User-defined logging facility
• Alert mechanism, depending on the criticality

Enterprise Forensic System (ESMA)
• Classified log storage
  – System logs (user activity, system activity, operations)
  – Security logs
• Facility to add more protocol support easily
• Printer data monitoring
• Interface to IDS and penetration testing tools
Enterprise Forensic System (ESMA)
• Extensibility
• Multithreaded architecture
• Co-ordination among the agents
• Remote agent control
• GUI and backend independence
• Cross-platform development
• Scalable computing power based on the network load
• Agent authentication

Enterprise Forensic System (ESPA)
• Acceptable use policy
• Account management
• Administrator / users / special access
• Use of email
• Internet use
• Use of external memory devices / floppy / CD

Enterprise Forensic System (ESPA)
Ability to set policies for:
• Hardware authentication & verification
• Software verification
• Resource sharing
• Security settings
• Removable media monitoring
• Email handling & monitoring
• Web access management
• Mobile computing
• Server management
• System activities monitoring
• Event log management
• Backup
Q & A

THANK YOU