Securing the virtual crime scene is something that is unique to every organization. The first thing an organization needs to do is have policies in place which will help determine if a crime or incident has occurred. After the policies have been put in place, an incident handling policy needs to be formed.

Your incident handlers will need these items:

* Disposable camera
* Notepad
  * This cannot have any missing pages from when it was originally purchased
  * Each page should be numbered
  * Full/Partial/Corners of pages should never be ripped out
* Pens
* Cell batteries or chargers
* Blank hard drives that have never been used
* Drive duplication hardware or software
* Company approval to spend up to XXX dollars without authorization in the event of an incident (the CFO is probably not going to be onsite at 1:00 AM to approve the purchase of something)
* Current phone list
* Disaster Recovery Plan or access to the DR plan

You will also need the following forms.

* Security Incident Identification form (Who detected it, an explanation of what they saw/did/etc.)
* Security Incident Survey
* Security Incident Containment
* Security Incident Eradication
* Incident Communication Log

The policy that deals with securing the virtual crime scene (Incident Handling Policy) will need to include:

* Communicate how important documentation is
* Define what is an event and what is an incident.
* Who should you contact in the event of an incident? (Lead Incident Handler, Incident Handling Team, CIO, CFO, CEO, etc.)
* Deploy the proper team to assess the situation
* Keep a low profile (Use out of band communications)
* Do you immediately shut down the system or watch and learn? This is up to your company and where you go from here will be very different depending on your choice.
  * If you choose either way, what is the person expected to do?
  * If you shut down the system, do not do a normal shutdown, just pull the cords. You do not want any more data writing to the disk, possibly overwriting or destroying valuable data
  * How do you turn up logging on any devices.
* Do a bit-by-bit backup of all hard drives (media) that are believed to be compromised.
* Do you contact law enforcement? Check with your legal department before making this decision.
  * What are the numbers for law enforcement officials, are there any specific contacts
* The case is a need to know basis, if the person doesn't need to know, don't tell them.
* What logs need to be gathered? Where can they be located and how are they to be handled.
* How is the data going to be physically secured?

Please Note: Every situation, network and company is different and this is not a complete policy or list of items. I reserve the right to be completely wrong or just plain outdated.

Thanks,

Nick Murphy MCSE, GCIH
Director of Information Technology
EthicsPoint, Inc.
13221 SW 68th Parkway, Suite 120
Portland, OR 97223
971-250-4112 (direct)

________________________________

From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Craig
Sent: Wednesday, March 30, 2005 12:00 PM
To: crime@private
Subject: CRIME New Category of Computer Crime

From the CISSP forum an interesting post from Les Bell in Australia - I'd like to know, how do you secure the virtual crime scene?

Online-gamer-killed-for-selling-virtual-weapon <http://www.smh.com.au/news/World/Online-gamer-killed-for-selling-virtual-weapon/2005/03/30/1111862440188.html>

From: "Les Bell" <lesbell@private>
Subject: Is This A New Category of Computer Crime?

See http://www.smh.com.au/news/World/Online-gamer-killed-for-selling-virtual-weapon/2005/03/30/1111862440188.html

Obviously, the final crime took place in the real world, but note how the offender was angered that the law provided no protection for his "virtual" assets.

I'm used to the idea that the law will lag behind technology to some degree, but I suspect that as virtual reality develops further, it is going to pose a lot of problems, culturally as well as legally. How long before we have virtual courts to sort out alleged transgressions in virtual worlds, for example? The mind boggles. . .

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au <http://www.lesbell.com.au/> ]

Craig A Schiller, CISSP
President
Hawkeye Security Training LLC
CraigSchiller@private
http://www.hawkeyesecuritytraining.com
503.330.3162
This archive was generated by hypermail 2.1.3 : Wed Mar 30 2005 - 14:12:49 PST