Forensics key to effective info security, says E&Y

Intelligence-led security strategies are the most effective in eliminating vulnerabilities and preventing IP theft through enabling informed change, says consultancy firm Ernst & Young.

Most companies are facing some form of IP theft, but few are following up data losses with forensic investigations, according to Simon Placks, director, fraud and dispute services, Ernst & Young.

“There is no point changing the locks on the door if the thief is the cleaner, which is why it is so important to understand every data breach fully,” he told Computer Weekly.

Forensic investigations of data breaches, he says, take the guesswork out of identifying how and why commercially sensitive information is vulnerable. They also help identify unknown data theft and expand investigations beyond core data assets to other data that may have been targeted, such as customer relationship data, that would otherwise not have been on the radar.

“But many companies are unaware of the value; they don’t realise forensics can fill in the where, what, when, why and how of data breaches, pinpointing what needs to be fixed,” he said. For example, a company may have locked down all USB ports, but be unaware that data is being copied to cloud storage services, and forensics has shown this is becoming increasingly common.

In addition to revealing connections to cloud-based storage, forensics is also useful in uncovering what data sources have been queried in an organisation, identifying the use of webmail accounts to send out data, and highlighting the use of wiping tools by hackers in an attempt to cover their tracks.

Forensics also enables the analysis of email, chat room and instant messaging communications to understand the social aspects of data theft, says Placks, as security strategies include improving processes and are not just about technical controls.

Placks, who leads E&Y’s IT forensics team, says every data breach is an opportunity to learn exactly what information is being targeted and how, providing vital intelligence on how best to protect it.

While forensics are valuable, he says, few organisations are big enough to afford internal teams, which means most organisations are failing to take data breach investigations far enough.

To help smaller companies improve their data breach intelligence, E&Y has introduced a software-based forensic triage service, designed to highlight all potential instances of IP theft quickly.

“IP theft can mean different things for different companies; it is not only theft of plans and designs, but also of things like customer information

The triage approach is less costly and less time-consuming than a deep forensic dig, he says, enabling internal IT security teams to home in quickly on what they need to investigate.

Although the triage service is aimed at data breach incidents, Placks says a long-term relationship with forensics advisors is more cost effective.

“Familiarity with a business and its processes will enable forensics investigators to analyse data breaches faster; it will also ensure IT security teams know how to preserve digital evidence, how to bag and tag digital artefacts,” he said.

Building a first-responder capability should be a priority for UK businesses, says Placks. “We often find that, with the best intentions, in-house teams make forensic investigations more difficult.”

Without first-responder training on how to preserve digital evidence, he says, businesses risk clouding the waters in taking actions to halt and recover from hacking attacks.

A long-term relationship with forensics advisors will also ensure that organisations have thought about what data represents their IP, they will know where that data sits, and they will have put controls around it. “This will make investigations very much easier,” said Placks.

Forensic capability, whether in-house or provided by third parties, will require additional investment, he says, but the business case is made easier when this cost is weighed against the cost of IP loss and prosecuting those responsible, and the growing need to demonstrate to regulators like the ICO that the organisation is taking data protection seriously.
