Robert Betts wrote: >> I learned after he gave me a research paper to read,
because there was a computer technician there working on his PC to help him
reinstall his backed up files. >>
 
How do you know this technician isn't the hacker in question? Which
underscores the next point...
 
Stilgherrian wrote: >> If you wish to pursue some legal sanction, consider
the legal concept of "chain of custody" that applies to evidence.>>
 
The hacker will get off based on the following:
1) Chain of custody: any evidence you have (logs, reports, disk files, etc.)
cannot be proven to reflect the changes you indicate, because these records
could have been manufactured or tampered with after the fact.
2) Direct evidence vs. hearsay evidence: the physical hard disk is the only
direct source of evidence. Any report derived from hard disk records can be
challenged. For a report to be admissible it must either be reproducible from
a physical source that has had a proven "chain of custody", or else the report
must have been created in the standard course of doing business and have been
regularly audited (mitigating controls).
3) Glorification of the hacker: the jury/judge/police/etc. lack awareness that
what has taken place is a serious crime.
 
The very act of responding to and recovering from an attack will usually
compromise both the chain of custody and the direct evidence, and the ad hoc
nature of printed reports will also undermine their weight in court.
SOLUTION
To catch and successfully prosecute an attacker you must take proactive
steps including:
1) Have an incident response policy and security awareness training so that
people know how to preserve evidence and chain of custody
2) Set up intrusion detection procedures that are regularly checked so that
printed reports can be admissible in court
 
Better yet, prevent the intrusion. In addition to applying your regular
security patches, consider internal firewalls and personal firewalls. In a
university setting the internal network is rife with hacking. Apply a
firewall right in your office or local subnet. This can be done very
inexpensively with an old Pentium 75 and Linux/IPCHAINS.
 
-Karl Muenzinger, CISSP
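[Editor's note] The chain-of-custody points above (records that "could have been manufactured or tampered with after the fact") come down to one practical step at collection time: hash what you collected, record who collected it and when, and keep the resulting digest somewhere the evidence directory cannot reach. The script below is an added example, not Karl's or anyone on the thread's code; the scratch directory, the collector name and the sample auth.log lines are constructed assumptions standing in for a real system log.

```shell
#!/bin/sh
# Added example, not from the original message: seal collected log evidence so
# that later alteration is detectable.  Runs in a scratch directory on a
# constructed sample log; the file names and the collector name are assumptions.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"

# Constructed sample log standing in for the real /var/log/auth.log.
make_sample_log() {
    cat >"$EVIDENCE_DIR/auth.log" <<'EOF'
Mar 12 02:14:07 lab sshd[412]: Failed password for root from 10.0.5.23 port 41022 ssh2
Mar 12 02:14:09 lab sshd[412]: Failed password for root from 10.0.5.23 port 41022 ssh2
Mar 12 02:14:31 lab sshd[415]: Accepted password for admin from 10.0.5.23 port 41030 ssh2
EOF
}

# Seal: hash every collected file into a manifest that also records who
# collected it and when, mark the files read-only, and print the manifest's
# own digest.  That digest is the one value to write into the paper incident
# log (or mail to a second host): an attacker who can edit the evidence
# directory can also edit a digest stored beside it, but not one kept elsewhere.
seal_evidence() {
    collector="$1"
    manifest="$EVIDENCE_DIR/MANIFEST"
    : >"$manifest"
    for f in "$EVIDENCE_DIR"/*; do
        [ "$f" = "$manifest" ] && continue
        chmod 0444 "$f"
        sha256sum "$f" >>"$manifest"
    done
    printf 'collected-by: %s\ncollected-at: %s\n' \
        "$collector" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$manifest"
    chmod 0444 "$manifest"
    sha256sum "$manifest" | cut -d' ' -f1
}

# Verify: the manifest must still match the digest recorded out of band, and
# every file must still match the manifest.  Returns 0 only if both hold.
verify_evidence() {
    expected="$1"
    manifest="$EVIDENCE_DIR/MANIFEST"
    actual=$(sha256sum "$manifest" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MANIFEST altered or substituted" >&2
        return 1
    fi
    # Only the "<hash>  <path>" lines are fed to sha256sum -c.
    if ! grep '^[0-9a-f]\{64\}  ' "$manifest" | sha256sum -c --status; then
        echo "one or more evidence files no longer match MANIFEST" >&2
        return 1
    fi
    return 0
}

# Simulated cover-up: strip the failed logins from the collected log, the kind
# of edit a well-meaning "clean-up" during recovery (or the intruder) would make.
tamper_log() {
    f="$EVIDENCE_DIR/auth.log"
    grep -v 'Failed password' "$f" >"$f.tmp" && mv -f "$f.tmp" "$f"
}

demo() {
    make_sample_log
    digest=$(seal_evidence "k.muenzinger")
    echo "record this digest off-line: $digest"
    verify_evidence "$digest" && echo "after sealing: intact"
    tamper_log
    verify_evidence "$digest" || echo "after tampering: detected"
}

[ "${RUN_DEMO:-1}" = 1 ] && demo
```

The sealing step is what turns a log file into something that can be reproduced "from a physical source that has had a proven chain of custody": the file itself is never edited, and anyone can recompute the hashes later. The digest printed by seal_evidence is only worth anything if it is recorded outside the evidence directory.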
 
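[Editor's note] For the "firewall right in your office or local subnet" suggestion, here is what a minimal ipchains ruleset on that old Pentium looks like. This is an added example, not a configuration from anyone on the thread; the interface names, the office subnet, the one host allowed to accept ssh from outside, and the assumption that the office subnet is routed (no masquerading) are all mine. By default the script only prints the commands; set DRY_RUN=0 on a 2.2-era kernel with ipchains installed to apply them.

```shell
#!/bin/sh
# Added example, not from the original message: a minimal ipchains ruleset for
# a Linux box sitting between an office subnet and the campus network.
# Interfaces, subnet and the exposed ssh host are assumptions.  With DRY_RUN=1
# (the default) the commands are printed instead of executed.
set -u

DRY_RUN="${DRY_RUN:-1}"
OUT_IF="${OUT_IF:-eth0}"              # toward the campus/university network
LAN_IF="${LAN_IF:-eth1}"              # toward the office subnet
LAN_NET="${LAN_NET:-10.1.2.0/24}"     # assumed (routed) office subnet
SSH_HOST="${SSH_HOST:-10.1.2.5}"      # assumed host that must accept ssh from outside

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_firewall() {
    # Clean slate, then default DENY on what we receive and forward: only the
    # explicit exceptions below get through.  Note ipchains runs every arriving
    # packet through the input chain, transit traffic included.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT

    # Loopback and the office side are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Anti-spoofing: a packet claiming to come from the office subnet must not
    # arrive on the outside interface.  Logged (-l), since it signals an attack.
    run ipchains -A input -i "$OUT_IF" -s "$LAN_NET" -l -j DENY

    # ipchains is stateless, so "replies to connections we opened" is
    # approximated by TCP packets without SYN (! -y) and DNS answers from port 53.
    run ipchains -A input -i "$OUT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$OUT_IF" -p udp -s 0/0 53 -j ACCEPT

    # The single inbound service we choose to expose, logged so that the log
    # itself becomes the regularly-checked record the thread talks about.
    run ipchains -A input -i "$OUT_IF" -p tcp -d "$SSH_HOST" 22 -l -j ACCEPT

    # Everything else from outside is dropped and logged.
    run ipchains -A input -i "$OUT_IF" -l -j DENY

    # Forward only between the office subnet and the outside; in the forward
    # chain -i names the outgoing interface.
    run ipchains -A forward -i "$OUT_IF" -s "$LAN_NET" -j ACCEPT
    run ipchains -A forward -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

apply_firewall
```

The logged DENY at the end of the input chain is the piece that matters for the earlier part of the message: every probe from the campus network lands in the kernel log on a box nobody is reinstalling, which is exactly the kind of routinely produced, routinely checked record that survives a chain-of-custody challenge better than a report assembled after the fact.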