Is the increase in cyber security across all sectors, with the implementation of better encryption and safeguard solutions going to impact negatively on subsequent digital forensic and incident response investigations? If so, then is the trade-off a worth it?
This is a conundrum that has concerned me (and I’m sure many others) for a while, and having worked within both the Cyber Security world and the Forensics world, I have seen and discussed both sides of the argument whilst sitting within each camp. I would love to hear what other people think though and whether or not people share my concerns.
So let us quickly look at the background (bear in mind I am going to be very general and nonspecific here):
The Cyber Crime Threat
Cyber crime, data breaches, data theft and digital espionage is an ever-growing threat and a hugely under-reported problem. Most attacks for businesses are never reported either due to the sheer volume of attacks taking place or the reputational concerns of the organisation, and so the true nature of the threat never gets officially documented. Threat intelligence is sometimes shared and analysed between collaborated consortiums and working groups, which gives an idea of the level of under reporting taking place, and dataflow and traffic analysis provides a more holistic overview of the type of threats and intended targets or potentially infected or compromised servers. The numbers are quite frankly terrifying, but the fact that this is now being brought to the forefront of discussion and formally identified as a National Tier 1 threat is excellent news for all of us.
A Shift in Focus
A huge amount of work is now being undertaken by cyber security experts working with law enforcement agencies, Police Forces, Academic institutions and industry partnerships to try to put a plan together on tackling this massive threat. The focus now is on crime prevention rather than necessarily crime detection. A really good paper from Cardiff University in partnership with the City of London Police gives a really good grounding as to why this shift of focus is so crucial (http://www.cardiff.ac.uk/news/view/145816-as-crime-changes,-so-must-policing-approaches) and makes for a very interesting read. I have quoted it on countless occasions during presentations and training session deliveries, since publication.
This shift in focus is well received by many in various different sectors, because with ever shrinking resources and capabilities in law enforcement and government agencies, if more can be done to prevent the crime happening in the first place, then those limited resources can then focus on those crimes that couldn’t be prevented, and will likely be sophisticated and complex enough to warrant more specialist resource.
Mostly this can be done with simple steps and advice given to SME’s (Small to Medium Enterprises) and members of the public, such as simply enabling encryption on devices, having good password habits and policies, and keeping software up-to-date and patched (which funnily enough, echoes the Government’s advice found at www.cyberstreetwise.com).
This is great and something that I have been encouraging and pushing for over a year now, but will take time to really find wide-spread engagement and positive behaviour change, or even just increase in awareness.
What does all this data security mean for post incident forensics?
Is this all positive though? Well in truth, not entirely, and it is a problem that could be found related to a number of recent high-profile court battles and debates over device access and encryption (naming no names).
The problem that this increase in security and data protection will bring is that once someone suffers an attack, or if criminals begin to implement strong security regimes into their criminal data, then will this pose difficulties for forensic investigators and analysts who are trying to access the data?
The answer is, almost undoubtedly. With every challenge faced by digital forensics, solutions and alternative methods are researched, devised and developed – especially with such a supportive, innovative and enthusiastic community of forensics experts out there. However, I don’t doubt that there will be a period of time ahead of us all where, until such new methods are devised, more and more instances of not being able to retrieve vital data or follow lines of enquiry to their conclusion will likely happen. This is going to frustrate forensic analysts, especially with the likely restrictions that will be imposed on “alternative or untested” methods with the implementation of ISO 17025 standards. It just means that research and development of ways around a problem will likely take longer and be less dynamic in nature.
(And yes, whilst I could talk for days on the ISO 17025 standard in digital forensics, I’m going to avoid discussing it here on this occasion.)
Improvements in security for all of us is a great thing to happen, and is desperately needed to protect both our data and that of others. Removing the risk of data breaches or successful attacks will protect businesses and individuals, be a huge benefit to the economy and help those protecting us over in law enforcement by allowing them to focus on those crimes that cannot be easily prevented, rather than those that could have been.
However, it is a double-edged sword in that these improvements could hinder forensic investigations into data both in civil and criminal investigations, potentially reducing the likelihood of successful results and conclusions in those investigations.
It will be a frustration those of us in the industry will likely be burdened with for some time to come, but one that will be understandably brought to us all for the benefit of protecting the data in our society. We can just hope that the trade-off is ultimately worth it.