Five steps to conducting a cyber investigation
With our lives increasingly dependent on computer networks and the internet – both potential targets of terrorist and criminal attacks – cyber security is one of society’s greatest challenges. Now, more than ever, IT professionals are tasked with determining specific cyber security needs and effectively allocating resources to address threats.
It is vital that, in any organisation, when a security incident occurs, there is a clear process that is understood and followed by those investigating and resolving the issues that it creates. There are many proposed methodologies for digital forensics, but generally they can all be condensed into the same logical steps:
What happened?
When a security alert is raised, the first thing that needs to be addressed is gathering the most essential of information:
- What the alert was
- When it was discovered
- If it is still ongoing
- What systems were affected or what impact has been seen
- What other knock on effects it may have
Speaking to the team – or collecting the data logs from the reporting of the affected sector – gives you much of this information. Gathering the data is vital to understand the scale of the problem before taking any action.
Plan your next steps – and follow procedure
Information gathering is vital, as once you start attempting to fix the problem, you physically change the data and the network environment. If the scale of the issue isn’t fully understood, then an insufficient fix can actually mask the security breach without eradicating the problem. Also prioritise your efforts, saving the most stable sections until last and working on at risk or volatile areas first. Procedures should exist to follow legal guidelines, such as gathering and preserving evidence for possible prosecutions.
Evidence
Digital evidence is no different than physical evidence – once touched it can be permanently changed, or potentially leave somebody else’s ‘fingerprint’ on it. This is where documenting, dating and signing off every step is required, if only for auditing purposes. Keeping master files intact and only carry out work on copies to make sure there’s always a single reference point.
Use your data
Networked computers, particularly those across state or national borders often have different time stamps. By working logically, in time and to the actual timeline of events, you can see how things unfolded, what was affected and when, and then hypothesise and test theories. Evidence also relies on things like file names and metadata, so these are important to preserve and record.
Document your findings
The final report should be robust and all the data and conclusions water-tight, but also understandable by non-technical staff or those without IT backgrounds. These reports could also need to be reviewed and used by criminal or legal investigators, meaning that supporting appendices could be very helpful. This kind of forensic evidence and the report should meet court requirements and provide valuable evidence to the business and those affected.
In the UK, the number of digital technology jobs has grown at twice the rate of other roles. The University of York’s MSc Computer Science with Cyber Security online Masters programme is designed for working professionals and graduates who want to launch their career in this in-demand and lucrative field but may not currently have a computer science background. Graduates of this programme go on to a range of positions in software and web development, IT systems, support and programming.
Focusing on network and operating system security, risk analysis and secure software development, it will grow your expertise through specialist modules and projects, and develop your core computer science skills. The 100% online programme allows you to study around work and home commitments, at different times and locations, and has six start dates a year. There is a pay-per-module option available, and you may be eligible for a government backed postgraduate loan which covers the course cost.