Alternatives to Proprietary Digital Forensics for SMEs

Published Date: 29 Mar 2018

Realistic alternative to expensive Proprietary Digital Forensics and Security products for SMEs.

• Alan David Blais

Abstract

Organisations have recently developed an awareness about the necessity of having their systems secure and protected from external as well as internal threats. This sudden awareness is believed to be due to recent major events about breaches and security issues faced by many organisations. The consequences of these breaches and security issues had so many negative impacts that it has created a real awareness. Although the UK is among the leading countries in this regard Europe, it still has a long way to go, according to training director for the Sans Securing The Human Program, Lance Spitzner. (Cybersecurity Awareness SANS 2015)

Many organisations have already invested very considerable amount of money into making their systems securer while other are still thinking whether investing money in security has a return on investment (ROI) or not. On the other hand, for small and medium enterprises (SME), it is an entirely different story, with the world financial crisis, it is already particularly difficult for SME to survive, and some of them are struggling to keep their companies running and many of them cannot afford the cost for improving the security of their system as it should be.

Most of them, try to use short-term fix like cheap firewall and anti-virus, free patches and updates despite knowing that having a single/some layer/s of security is not enough. Some of the SME's also uses free available tools and applications but most of these tools are specialised in only one aspect of security, thus several different applications are needed to provide better security. It is difficult to manage several different tools and applications at the same time. This projects aims at finding a solution to solve the above mentioned problem by designing a software/platform for managing different tools and applications remotely using the designed software/platform.

1. Background – 2 Pages

1.1 Introduction

According to a new study on the main causes of European privacy, breaches come from organisation's own errors, insider abuse and other internal mismanagement issues. The director of the study, P. Howard believe that only 41% of the incidents reported are external attacks by hackers and that 57% of the incidents which were caused by administrative error, exposed online, insiders or caused by missing hardware configuration. (Most European Breaches Caused by Organizational Error, Insider Attacks 2015)

Based on the above study findings, we can therefore assume that having proper internal security mechanism within an organisation can significantly reduce the number of incidents. Despite knowing that, some organisations are still not improving their security as it should be. The main reason is the cost associated to security; some people at management level still think that investing on security has no direct impact on the main objective of business which is to make profit.

It is true that many organisations awareness about security have recently changed due to the consequences of breaches on other organisations but Cyber Security awareness is still in its infancy in most organisations and not all organisations can afford the cost associated to security, Small and medium enterprises are generally not able to afford it.

Moreover, much of the software available on the market focus on one particular aspect of security rather than having a single platform that caters for different aspect of security at an affordable price for SMEs. It seems that a growing trend is growing within SMEs, which is the use of open source software (An evaluation of open source software adoption by UK SMEs in the IT industry.) such as Volatility. But even that, it is not an efficient way to manage several applications all at the same time. A possible solution would be to use an application as a platform for using other open source software with the capability of managing all these remotely.

This project is about designing that platform to provide incident response, digital forensics, host and network security as well as malware analysis capability. The platform will provide all the above mentioned capability remotely and having a server-client architecture.

1.2 Relevant past and current work

Alien Vault has a software which provides a platform to manage different aspect of security all on one platform called Unified Security Management (USM). The software is a commercial one and provides the management of tools which themselves are commercial software whereas this project aims at using available free software and in-house built features to provide a platform for managing different aspects of security at an affordable price.

Below is the management features available in Alien Vault USM and other traditional SIEM.

As we can see from both screen capture, many traditional SIEM require 3^rd party product to provide some features. Below are the security features provided by alien vault.

The USM provides a single platform for managing and monitoring different aspect of security.

2. Project Description – 1 Page

2.1 Project Overview

This project aims at designing a platform for managing open source and free applications/tools as well as providing in-house built features. The platform will be dealing with different aspect of security such as incident response, digital forensics, host and network security and malware analysis.

The digital forensics capability will be the central part of the project from which incident response and malware analysis will be derived from. The host and network security will be on top of the base structure which comprises the three other aspects.

The digital forensics and malware analysis can be split further at a high level view as we can see from the diagram to the left side. Live and static forensics for digital forensics on the other hand Static and dynamic analysis for malware analysis.

2.2 Importance of this project

Security should be the concern of everybody, SMEs should be given alternative option to expensive security products to enable them to provide more secure services to clients, which in-directly or directly can affects anybody. This project aims at providing a cost effective solution by providing a platform to manage open source tools and application. The main assumption will be, despite knowing that free applications and tools have limitations, it is a better option than having no security at all or limited one due to having a limited budget for security.

2.3 Aims and Objectives

It is important in a project to properly design the aims and objectives since it allows the setting up of the directionthe direction in which the project must go through. Objectives allow us to measure and assess the outcome of the project. Please refer to Appendix A for the aims and objectives.

3. Programme and methodology – 3 Pages

3.1 Spiral Methodology

The spiral methodology seems to be the best option to suit the project. The spiral methodology as compared to waterfall methodology has the advantage of demonstrating that development projects work best when they are both incremental and iterative, where the development is able to start small and benefit from enlightened trial and error along the way.

The spiral methodology reflects the relationship of tasks with rapid prototyping, increased parallelism, and concurrency in designing and building activities. The spiral method should still be planned methodically, with tasks and deliverables identified for each step in the spiral.

Throughout the entire project we are going to use the spiral methodology for the design and development of the software/platform. The next part of this section will be the planning of tasks and deliverables as well as expected Milestone.

Why do you think the spiral best suits your project? Not the other methodology give concrete examples.

3.2 Project Management

3.2.1 Budget Planning

3.2.1.1 Milestone

The table below is just an estimation of how much time each task will take and gives us enough information to plan the project in a more realistic way. Generally tasks will be performed in parallel rather than in a linear way which has its advantages and disadvantage such as time saving and whereby some tasks must be completed prior to some other tasks.

3.2.1.2 Gantt Chart

Please find below a Gantt chart representing the planned tasks over the budget allocated to us.

3.3 Project Approach

The first part of the project will focus on the literature review where we are going to analyse tools, applications and process/features which are relevant to the project.

The next part, we will be talking about why the features/applications/tools might be important for SMEs and their security from a technical and non-technical perspective.

The third step will be to developed the features and integrate the tools/applications within the designed platform.

The final step will be the testing and documenting of the results obtained and makes sure that the aims and objectives are satisfied.

4. Ethical and Legal Consideration – 1 page

Before starting a project, it is crucial to properly understand the internal policies of the organisation you are developing something for and any local laws that might apply to the project.

Some features of the project might invade the privacy of the users which in our case will be employees. It is a good practise to have policies about the possibility of company’s resources being monitored and might be investigated without prior notice or user permission but this might not be enough in a trial.

One alternative would be to make sure the company where we are going to implement this project displays a well-defined warning banner. Without a banner, the right to investigate or monitor a system used by employees might conflict with user’s expectation of privacy.

The EU and its member nations which include UK impose a strict fine for information that crosses national boundaries without the person’s consent.

4.1 Law in UK

According to the UK Government’s website (https://www.gov.uk/data-protection-your-business/monitoring-staff-at-work), it is possible for employer to monitor employees at workplace if the below conditions are met:

• Be clear about the reasons for monitoring staff and the benefits that this will bring.
• Identify any negative effects the monitoring may have on staff. This is called an impact assessment.

• Consider whether there are any, less intrusive, alternatives to monitoring.
• Work out whether the monitoring is justified, taking into account all of the above.

Monitoring employees’ activities on a computer system is cover by the data protection act. Data protection law doesn't prevent monitoring in the workplace. However, it does set down rules about the circumstances and the way in which monitoring should be carried out. Based on UK law, it is also for employers to monitor their employees without their consent for specific reasons. (Please refer to Appendix B for the reasons)

4.2 Ethics

The question about whether it is ethical to monitor or investigate on employees can be debate on different point of view which can include the privacy of users, the need to protect client’s data, to provide reliable and trustful services to client by minimising the risks of external as well as internal threats such as insiders.

But at the end of the day, the majority always win over the minority, what would be more ethical? Monitoring hundreds of employees or having more than one million client’s credit card details unprotected from insiders?

5. Impact - 0.5 – 0.75 page

5.1 National Importance

Services provided by SMEs such as data storage, client’s data management, POS information management, companies’ secret industrial process and many others will be more secure since the SMEs will improve on their security using a cost saving solution and providing several layers of security.

Risks associated to insiders will be minimised.

5.2 Commercial Impact

The platform could be sold at an affordable price or via a donation mechanism. The money can then be used for developing new features, improves existing features and provide upgrades.

5.3 Academic Impact

This project can provide a platform for further research opportunity such as:

• Research can be done about why despite knowing that security is crucial still SMEs are not improving their security? Cost associated with security products?

• The assessment of the impacts on security in general if security products were cheaper and easily available for on SMEs.

• Does security improved if managed and monitored using a single platform rather than using several different security products (Efficiency and conflict arise when using several security products).

References

Cyber security awareness still in its infancy, says Sans Institute. 2015.Cyber security awareness still in its infancy, says Sans Institute. [ONLINE] Available at:http://www.computerweekly.com/news/2240234932/Cyber-security-awareness-still-in-its-infancy-says-SANS-Institute. [Accessed 18 May 2015].

Information Security Awareness Training | Cybersecurity Awareness | SANS. 2015.Information Security Awareness Training | Cybersecurity Awareness | SANS. [ONLINE] Available at:http://www.securingthehuman.org/. [Accessed 18 May 2015].

Study Finds Most European Breaches Caused by Organizational Error, Insider Attacks | The State of Security. 2015.Study Finds Most European Breaches Caused by Organizational Error, Insider Attacks | The State of Security. [ONLINE] Available at:http://www.tripwire.com/state-of-security/latest-security-news/study-finds-most-european-breaches-caused-by-organizational-error-insider-attacks/. [Accessed 18 May 2015].

Brunel University Research Archive: An evaluation of open source software adoption by UK SMEs in the IT industry. 2015.Brunel University Research Archive: An evaluation of open source software adoption by UK SMEs in the IT industry. [ONLINE] Available at:http://bura.brunel.ac.uk/handle/2438/4509. [Accessed 18 May 2015].

Brian Buffett, UNESCO Institute for Statistics (2014)Factors influencing open source software adoption in public sector national and international statistical organisations, [ONLINE] Available at: http://www.unece.org/fileadmin/DAM/stats/documents/ece/ces/ge.50/2014/Topic_1_UNESCO.pdf [Accessed: 18 May 2015].

SME’s help Governments make huge IT savings. — PretaGov. 2015.SME’s help Governments make huge IT savings. — PretaGov. [ONLINE] Available at:https://www.pretagov.co.uk/news/sme2019s-help-governments-make-huge-it-savings. [Accessed 18 May 2015].

How SMEs can drive growth through new technologies. 2015.How SMEs can drive growth through new technologies. [ONLINE] Available at:http://yourbetterbusiness.co.uk/how-smes-can-drive-growth-through-new-technologies/. [Accessed 18 May 2015].

Unified Security Management (USM) Platform. 2015.Unified Security Management (USM) Platform. [ONLINE] Available at: https://www.alienvault.com/products. [Accessed 19 May 2015].

James R. Chapman 1997, Software Development Methodology, Project Management Training. [ONLINE] Available:

http://www.hyperthot.com/pm_sdm.htm [Accessed 19 May 2015]

NELSON, B., PHILLIPS, A. ET STEUART, C , 2010. Guide to Computer Forensics and Investigations. 4th Edition. Course Technology

Data protection and your business - GOV.UK. 2015.Data protection and your business - GOV.UK. [ONLINE] Available at:https://www.gov.uk/data-protection-your-business/monitoring-staff-at-work. [Accessed 20 May 2015].

Monitoring at work - Citizens Advice . 2015.Monitoring at work - Citizens Advice. [ONLINE] Available at:https://www.citizensadvice.org.uk/work/rights-at-work/monitoring-at-work/. [Accessed 21 May 2015].

Appendix – A

A1 - Aims of the project

Please find below the aims of the project:

• Provide a cost effective IT Security solution.
• Provide security in its different aspects all under one platform.
• Provide remote management capability.

A2 - Objectives of the project

Please find below the objectives of the project:

• Secure communication between server and clients.
• Ability to monitor and detect suspected behaviour/activities.
• Ability to remotely manage clients from server (Platform).
• Ability to capture relevant information from clients to server for investigation.
• Ability to provide Confidentiality and integrity on clients.

More detailed and technical objectives are to be derived at a later stage of the project, which will in-turn be translated into features that will be provided by the platform.

Appendix – B

B1 – Reasons for monitoring employees

• To establish facts which are relevant to the business, to check that procedures are being followed, or to check standards, for example, listening in to phone-calls to assess the quality of your work

• To prevent or detect crime.

• To check for unauthorised use of telecommunications systems, such as whether you are using the internet or email for personal use.

• To make sure electronic systems are operating effectively, for example, to prevent computer viruses entering the system.

• To check whether a communication you have received, such as an email or phone-call is relevant to the business. In this case, your employer can open up your emails or listen to voice-mails but is not allowed to record your calls.

• To check calls to confidential help lines. In this case, your employer can listen in, but is not allowed to record these calls in the interests of national security.