Examining evidence

Forensic services and ethical hackers play crucial roles in securing organisations, but the Middle East has been slow to adopt them

Tags: Computer forensics, Cyber crime, Kaspersky Lab, McAfee Incorporation, Paramount Computer Systems, United Arab Emirates, eHosting DataFort
Photo caption: “Ethical hackers provide the technology and the guidance.” Ahmed Baig, head of business management and advisory services at eHosting DataFort (eHDF)
By Sathya Mithra Ashok. Published May 25, 2009, Network Middle East
In the physical world, forensics means the work of picking apart a crime after it has occurred to understand how and why it was committed, with the ultimate aim of using the evidence to bring the perpetrator to justice.

In information technology, forensic services involve similar ambitions and goals.

“Cyber forensics is the term used for the technology related to forensics activities. It is the application of investigation and analysis techniques used to gather evidence which is to be presented in a court of law or relevant authorities to arrive at a conclusion after a particular incident,” says Ahmed Baig, head of business management and advisory services at eHosting DataFort (eHDF).

“Cyber forensics employs digital evidence from multiple areas such as deleted files or erased partitions on hard drives and other memory storage devices, reviewing log files from various devices like firewalls, intrusion prevention, as well as security events and information management (SEIM) tools,” continues Baig.
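The log review Baig describes is, in practice, a correlation exercise: each device exports its own timestamp format and time zone, and the investigator has to normalise everything into one UTC timeline before the sequence of events becomes visible. The script below is an added illustration written for this article, not a tool from eHDF, McAfee or Kaspersky. The three log formats, the IP addresses and the epoch values are constructed for the example; real firewall, IPS and SIEM exports differ and need their own parsers. Hashing each raw export before analysis is assumed good practice for evidence handling and is not something the article itself spells out.

```python
"""Added example: correlate constructed firewall, IPS and SIEM exports into one UTC timeline."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample evidence. Each source uses a different timestamp format and
# time zone, which is the usual obstacle to building a single timeline.
FIREWALL_LOG = """\
2009-05-20 09:58:07 +0400 DENY tcp 203.0.113.7:51322 -> 10.0.0.5:445
2009-05-20 10:01:44 +0400 ALLOW tcp 203.0.113.7:51340 -> 10.0.0.5:3389
"""
IPS_LOG = """\
May 20 2009 06:01:45 UTC ALERT sig=RDP brute force src=203.0.113.7 dst=10.0.0.5
"""
SIEM_EXPORT = """\
1242799310,10.0.0.5,auth,failed logon for Administrator from 203.0.113.7
1242799350,10.0.0.5,auth,successful logon for Administrator from 203.0.113.7
"""


def parse_firewall(line):
    """Constructed format: '<date> <time> <utcoffset> <action> <proto> <src:port> -> <dst:port>'."""
    m = re.match(r"^(\S+ \S+ [+-]\d{4}) (\w+) (\w+) (\S+) -> (\S+)$", line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    return {"time": ts, "source": "firewall",
            "src": m.group(4).rsplit(":", 1)[0], "dst": m.group(5).rsplit(":", 1)[0],
            "event": f"{m.group(2)} {m.group(3)} {m.group(4)} -> {m.group(5)}"}


def parse_ips(line):
    """Constructed format: '<Mon DD YYYY HH:MM:SS> UTC ALERT <detail> src=<ip> dst=<ip>'."""
    m = re.match(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) UTC ALERT (.*?) src=(\S+) dst=(\S+)$", line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "source": "ips", "src": m.group(3), "dst": m.group(4), "event": m.group(2)}


def parse_siem(line):
    """Constructed CSV export: epoch,host,category,message (epoch is UTC seconds)."""
    parts = line.split(",", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
    m = re.search(r"from (\S+)$", parts[3])
    return {"time": ts, "source": "siem", "src": m.group(1) if m else None,
            "dst": parts[1], "event": f"{parts[2]}: {parts[3]}"}


PARSERS = {"firewall": parse_firewall, "ips": parse_ips, "siem": parse_siem}


def evidence_hashes(sources):
    """SHA-256 of each raw export, taken before analysis so findings can be tied back to
    exactly the material examined (assumed good practice; not from the article)."""
    return {name: hashlib.sha256(text.encode()).hexdigest() for name, text in sources.items()}


def build_timeline(sources):
    """Parse every line of every source and return the events sorted by UTC time."""
    events = []
    for name, text in sources.items():
        parse = PARSERS[name]
        for line in text.splitlines():
            event = parse(line.strip())
            if event:
                events.append(event)
    return sorted(events, key=lambda e: e["time"])


def events_involving(timeline, ip):
    """Narrow the timeline to events where the given address is source or destination."""
    return [e for e in timeline if ip in (e["src"], e["dst"])]


def render(timeline):
    """One human-readable line per event, all in UTC."""
    return [f"{e['time'].strftime('%Y-%m-%dT%H:%M:%SZ')} [{e['source']:8}] {e['event']}"
            for e in timeline]


if __name__ == "__main__":
    sources = {"firewall": FIREWALL_LOG, "ips": IPS_LOG, "siem": SIEM_EXPORT}
    for name, digest in evidence_hashes(sources).items():
        print(f"{name}: sha256={digest}")
    for line in render(events_involving(build_timeline(sources), "203.0.113.7")):
        print(line)
```

Run stand-alone, it prints the three evidence hashes followed by five events in order: the denied SMB connection, the allowed RDP connection one second before the IPS brute-force alert, then the failed and successful administrator logons from the same address. None of the three sources shows that sequence on its own.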

There are others in the industry who believe that forensic services can incorporate both post-event analysis as well as prevention techniques.

“Certain expressions can mean different things to different people. I think for many businesses you could bring this down to one of two things. It is either pre-emptive analysis of their environment, which many people do and is called penetration testing. This is basically going into an organisation and looking for weaknesses that could lead to some sort of security breach and that can be everything from the technical, to implementation and processes. Equally we could be called in after the fact as well to understand how and why things have been done, to help them understand how security is achieved and to make sure that it is not done again in the future,” opines Greg Day, EMEA security analyst, McAfee Avert Labs.

While most security companies offer penetration testing as a service in the region, there are also a few that offer forensic services to analyse what went wrong after a particular attack.

“People ask us to analyse some incident or other and we perform a full examination of the material provided. We pass on our findings which are then used in court or by other agencies. Our descriptions are also used by organisations to formulate preliminary expert appraisals,” explains Stefan Tanase, researcher in the global research and analysis team at Kaspersky Lab EEMEA.

Similar services are offered by eHDF, which has a team based within the region, and by McAfee, which calls in experts from Europe. A significant number of large enterprises in the Middle East, particularly those sensitive to data loss, draw on these firms, mostly for pre-emptive penetration testing. Many of them, however, still do not see the value of an in-house person who constantly tests their networks and applications for vulnerabilities.

“Ethical hackers are traditionally security experts or analysts who perform penetration testing activities on the applications, systems and networks upon formal approval by the business. They are important elements of security as they provide the technology and the guidance required to proactively strengthen related elements before an external hacker exploits the same,” points out Baig.

The role of ethical hackers within an organisation is to constantly test the integrity of the systems to ensure that they are not prone to attacks. Much of this testing is done by simulating attacks and trying to get through the company’s defences, just like any true-blue hacker.

“Ethical hackers in a customer’s internal environment are a definite value add as they will enable the company to answer the question of where the organisation stands today with respect to information security. We need to bear in mind at all times that we cannot protect ourselves from an external threat environment that is dynamic with an internal security architecture and protection process that is static,” says Premchand Kurup, CEO of Paramount Computer Systems.

While ethical hackers remain relatively scarce in the region, enterprises that need such in-house resources can tap talent pools in India or Europe. Even so, in-house ethical hackers remain rare within regional organisations.

Counting advantages

Forensics, whether performed remotely or by an in-house team, comes with various advantages.

“People will think twice before committing a crime if they know they may end up being punished. You could say that legal aspects help keep societies in check to a certain degree,” points out Tanase.

Despite this, most enterprises in the Middle East shun forensic services and never invite experts in to understand what could have gone wrong when attackers do manage to infiltrate their protective walls.

One major reason for this is the prevailing mindset, wherein most organisations in the region do not feel the need to reveal any breaches and prefer to keep this information locked within the organisation.

“Just like many other areas, lack of awareness and maturity in the security domain could be the possible reasons. Many organisations don’t realise the importance of security until it fails and results in a major catastrophe,” says Baig.

Even if they do call in external experts for forensic services, most organisations never employ an ethical hacker to monitor internal networks. The major reason for this is that most organisations suspect that any hacker could not be all that ethical.

“The problem with ethical hacking is that some of these ‘white hats’ were once ‘black hats’. Companies wishing to use such services should be very careful in choosing their ethical hacking partner. The risk they are getting exposed to should be treated seriously. Gathering all historical information and feedback about the partner before getting involved in such a procedure is just the minimum,” warns Tanase.

Moreover, Kurup points out, “Assembling in house talent and retaining this talent will continue to be a challenge for end-user organisations. This space calls for expertise fine-tuning on a regular basis and is best suited for outsourcing.”

Organisations also face other challenges when using forensic services, sometimes enough to stop them from using such services at all.

“There are a couple of challenges that you need to get over. The first one is that even when I get information from the analysis it requires some knowledge and expertise to really translate into what it means for my business. This maturity of expertise is still evolving in the Middle East,” says Day.

He continues, “The other challenge is to constantly work on improving your baselines. Businesses often do assessments to get started off and may continue to do that. But they often don’t improve on standards or a set baseline of security. This needs to improve in the Middle East.”

Other common mistakes, which can prove costly later, lie in how the decision to engage a security partner is made.

Baig points out, “In most cases, companies try to hire and evaluate security services like a product or other common services, where the commercial aspect of the proposal is given more importance than the technical evaluation of the security partner. The hiring and background verification process of the people engaged in these services need to be closely reviewed prior to making a choice. The track record of a security partner and their previous engagements and history also need to be comprehensively evaluated.”

However, the most prevalent mistakes in the region stem from general apathy and a mindset that refuses to treat these tests as a continuous process.

“Many organisations say, ‘I am not the biggest business in the world, why would somebody target me. And since I am not a big target, then I won’t need to do this kind of testing.’ What people don’t understand is very often attackers are not targeting businesses per se, they are targeting a weakness that they have discovered and then they will go hunting around to see which businesses are vulnerable to that,” says Day.

He continues, “One of the other mistakes is not realising that this is something that needs to be done on an ongoing basis. It is easy to say we have gone out, we have got the assessment, we have ticked the box. Threats evolve on a day-to-day basis. This is not just a one-off assessment.”

Kurup agrees, adding, “Audit of networks and applications should be seen as an activity that you perform with ritualistic regularity: quarterly, half yearly or annually depending on the criticality of your information assets. This has not yet become a practice in the Gulf. Today it is just a knee-jerk reaction to a problem but I am confident that we will eventually get there.”

Along the maturity curve

Most industry experts believe that the Middle East is moving along the maturity curve with regard to information security, and that it won’t be long before more enterprises, large and small, adopt forensic services as well as ethical hackers.

“The nature of most emerging markets dictates that such services will take a lot more time to be fully adopted. Computer forensics or ethical hacking are such niche services that can reach popularity only in a mature market,” states Tanase.

The ongoing recession is likely to curb any growing interest in this area for now. Even so, there is every chance that the region will see increased adoption of forensic services and in-house ethical hackers, along with the training and talent that support them.

Things to watch out for

When conducting forensics there are a few key points that organisations need to keep in mind. Some of them are outlined below.

1. Outsourcing or not: Decide early whether you want a service provider or an in-house team to do forensics and regular testing. An in-house team can provide continuous feedback, while calling in an outside expert gives you a valuable third-party view of your defences.

2. Check references: Only hire an ethical hacker if you are sure of his or her background. Research his references and collect as much information as possible before hiring. You would have to do the same even if you are hiring a service provider.

3. Set up a safety net: Create an escalation methodology in-house when you call in a service provider or ethical hacker. Make sure that you monitor their tasks to ensure that you know what is going on and to prevent anything amiss from occurring.

4. Implement results: Conducting an assessment or doing forensics is no use if you don’t use the recommendations and results that come out of it. Implement changes based on expert feedback.

5. Regular repetition: Conduct tests on a regular schedule so that you are not caught unawares in the long gap between one assessment and the next.
