Breach Forensics – Preventing the Worse from Happening

In every incident response after a breach, the aftermath is indeed challenging in uncovering the crime, but from there the challenge becomes tougher. Whenever cyber criminals clear the digital vault, the only thing they have to do is to get away clean – that is very simple to most criminals in the cyber-underground society.

However, there are still a few things an incident handling team can do to prevent the worse thing from ever happening after data breaches and still track the footprints that were left behind.

There have been many data breaches that happened to different sectors in industry and even if the some evidences point out to a certain origin of the attack, it is not enough to initiate an arrest or point out the involvement. Sometimes these crooks use and control botnets to cover their tracks after the dark deed has been completed. Soon security experts will have to play a catch-up game with these crooks.

However, not all evidences are deliberately erased by the crooks and it happens a lot in many cyber crimes. Network admins would try to assess the depth and severity of the breaches and sometimes their access could accidentally or perhaps deliberately destroy some evidences that would quickly resolve the situation. You can compare it to an innocent bystander who could complicate the police investigation by accidentally stepping on the evidence. Sometimes the network administrator could have failed to recover the evidence that will determine how, when and where the attack happened. It is important for experts to properly collect and also maintain the evidences because the evidences are the only key in revealing not only the means of the attack and who is behind it but also reveal the scope of damage in the system.

According to experts, incident handling teams must undergo the right incident handling training to acquire the right skills in performing analysis on malware attacks or data breaches. Moreover, they must know how to determine a threat of a malware to a system by analyzing it in a sand-boxed environment, thus it is possible for them to determine ex-filtrations methods of a certain malware and aid their efforts in remediation. Since, malware are dynamic and can communicate on many hosts, the results of the analysis can be of help to create an excellent block list. This block list will be used to limit the amount of exposure of some applications and also detect malware ex-filtration. This is one of the best solutions on detecting any exiting data.

In the event that the infected systems have been finally identified, the network administrators must turn off those systems and map them in a specific way so that they can picture out how the structure has been modified. Then the infected system must be replaced with a cleaner and more secure structure. If the attacker has breached the database and is retrieving important data remotely, then administrators have to cut the connection of that server or database temporarily. By analyzing the network traffic, experts could pinpoint the domains, addresses or any ex-filtration points that are used to retrieve information. These addresses and domains must be added to the existing firewall so that the compromised system will prevented in making any outbound connection to these ex-filtration point. With this, it is possible to limit the loss of data and determine how the breach happened and also how to rectify it.

Analyzing the log is also important in breach investigation; however, log systems must not be in the default system so that evidences will not be overwritten and preserved. Thus it is important to set a proper retention policy and implement log aggregation or right management in any security event. But logs have a limit and that is because they only provide intelligence on how the systems generate them.

Log data is definitely one of the places an attacker will leave his or her mark. It is very obvious and any smart administrator would check the log data first because most of the time, the log data is the first place where attackers would try to hide his or her tracks first. An attacker may delete or perhaps modify log entries, entries that would indicate the breach on the system.

Important data will provide leads on the breach’s source, the construction of malware, ex-filtration point of data and the identification as well as the nature of the compromised data.

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cyber security and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. They also offer trainings in penetration testing.

More information about EC-Council is available at

Lessons Learned From Data Breaches on the Year 2010

A year without data breaches; that is not possible. However, last year we have seen more than 90 percent drop in the amount of data stolen compared to the year 2009. You would be wondering how did it happen and why such a large drop in number. Basically, there are two reasons; first there are no mega breaches that happened last year, which resulted to huge theft of data and information. Second reason is that companies have seen the value of shifting data and they have applied it with their systems.

However, this article will not focus on those reasons; rather this article will focus on some of the data breaches last year and what we should learn from them.

Federal Aviation Administration

Sometimes data breaches happen to companies because of their employees. The damage will not only result in to outward damages but it will also leave an impact within the company. The employers are responsible for the private records and information supplied by their employees. Last year there was one big incident that led to loss of 3 million confidential records due to employer mishap and that was the Federal Aviation Administration or FAA. Back in June 2010, FAA published a report about their security findings conducted by graduates of master’s degree in information security.

The private information of their employees, which include the numbers of their social security as well as healthcare information were available to many hackers in the hacker industry because of their former staff. That staff installed malicious code in the system of FAA. When compared to 2009’s biggest data breach, FAA’s breach was way smaller; still the information gathered is damaging. Who knows what the hackers did with those information.

So what was the lesson learned? The data must be accessed by authorized personnel only. It should be blocked from former employees and the data must be limited to only some people in the company. Illegitimate application must be blocked and tougher security measures must be undertaken to block any unauthorized process.

SQL Injection 2.0

Sooner or later all web-based application will be hacked. Back in August last year, more than one million websites were affected by a series of mass SQL injection. This attack will let the hacker insert malicious codes or scripts into vulnerable websites. Once an internet user will visit the infected site, the script hidden on the web page will install a malware on the user’s computer. This sort of attack happens every year and automation is a hacker’s best friend. This case, Google served as the automation to search vulnerable internet sites and also serve as the platform to launch the attack.

It is the responsibility of the internet site and its server to provide safety for their traffic – which in most cases human visitors. A website known to have malware will prevent internet users from viewing the site or even conduct business transactions with that company. Even if companies find ways to secure their online applications by hiring master’s degree information security graduates; there are still gaps that hackers can exploit.

Thus to be able to provide more safety for their viewers, companies must protect their website. They have to block any requests that appear malicious. There should be virtual patching to deter hackers to exploit a website’s vulnerability.

Network Solutions Widget

Who knew that hackers would even target small and medium enterprises? Summer of 2010, the company Network Solutions reported that they have found a malicious code in their systems which appears as a building widget. The widget promises small business owners to build their very own site. Because of this, millions of websites were infected by this widget. The breach had 2 interesting facts; first the hackers made use of a simple application and the second is that Network Solutions never learned. As the saying goes, “lightning may strike twice”.

The lesson learned by many is that companies and websites must create and provide safe and secure applications, thus it lessens the vulnerability of their application and systems. They should always be alert and that the fact that they suffered an attack before doesn’t mean that they will be immune in the next attacks.

Last years, security breaches were minimal compared to the other years. But because of these breaches we learn to value the importance of internet security and the help of those people with ms in information security.

EC-Council University is a licensed university that offers degrees and master’s degrees on Security Science online. The degrees are recognized worldwide and may be used in any employment worldwide as well as the graduate certificates that they offer. With excellence and dedication as the core values, many professionals and degree holders have benefited from undergoing the programs in this university.

More information about master’s degrees in information security available at