
Blog

PCI Compliance Expert to Address Petroleum Retail Industry

Sword & Shield Principal Risk & Compliance Consultant Penny Walton will be a keynote luncheon speaker at the Petroleum Convenience Alliance for Technology Standards (PCATS) annual conference Jan. 23-26 in Tucson, AZ.

Walton will address the issues surrounding PCI compliance in the convenience store and petroleum retail industries at Monday’s session.

PCATS is a non-profit organization devoted to the development, maintenance and implementation of standards, education and best practices for the convenience store and petroleum retail segments.

Walton has more than 25 years' experience in the technical field in roles such as software engineering, database design and administration, network engineering, enterprise information security management, risk management and compliance oversight. Additionally, she has extensive business experience in using technology to increase the bottom line and reduce risk while controlling cost. She holds many technical certifications, including the CRISC (Certified in Risk & Information System Controls), CISM (Certified Information System Manager), CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), CIW (Certified Internet Web Master), PCI QSA (Payment Card Industry Qualified Security Assessor) and HITRUST Security Assessor (Health Information Trust Alliance).

Posted in Company News, Events, PCI | Leave a comment

Protecting Your Online Accounts in the Wake of a Hack

You’re a Zappos customer and you’ve just learned your personal information might have been stolen.

What do you do?

Sword & Shield Director of Computer Forensics and Security Assessments Bill Dean says to change your password… NOW!

Dean gave this advice and more in his conversation with WVLT on Monday.

Posted in Videos | Leave a comment

Attorneys: Be Aware When Reviewing Emails in Outlook


Bill Dean, Director of Computer Forensics

I am well aware that using Microsoft Outlook to review email is a seemingly convenient and low-cost method for reviewing small volumes of email. However, this method is laced with potential issues that just aren't worth the risks, and there are risks. This article will address some of these risks in the hope of encouraging the use of better technology to review email, or at least educating you enough to understand what you are taking on.

So your client produced his or her email for you to review in a PST format (Microsoft Outlook Email Database). You are already proficient in the use of Microsoft Outlook as it likely already dictates much of your day. Either you already know how to attach this file to Outlook or your “friendly” IT staff will do it for you. You have the email loaded and you are ready to begin, but before you start, let’s talk about keyword searching.

Google has been a great asset to our culture in many ways. For the litigation field, it has inadvertently taught you how to perform Boolean searches. When you search Google for "Trade secret theft" and "Case Law" in the same query, you have performed a powerful Boolean search. However, Boolean search features such as this are not as intuitive in Microsoft Outlook and require extensive effort to execute. Difficulty performing Boolean searches is the good news. The bad news is that Microsoft Outlook, by default, will not search the contents of attachments for the keywords. Your searches will only cover the email fields and the body of an email message, which could omit responsive information. We will visit the danger of attachments later in this article.

The read receipt option on sent emails presents another concern. If an unread email you are reviewing has the read receipt option set, your review of that email could inadvertently send a message to the sender that the email has been read. Consider the implications of that for a moment. In one instance the custodian was deceased, and his widow received a read receipt "from beyond the grave".
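As an added illustration of the two review pitfalls just described (this is example code written for this page, not a tool from the author or from Sword & Shield): a small Python check that flags a message carrying a read-receipt request before anyone opens it in a mail client, and shows how a Boolean AND keyword search over the body alone misses terms that only appear in an attachment. The sample message, its addresses and its attachment are constructed; real PST attachments are usually Office or PDF files and would need a text-extraction step this example assumes away.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample: a custodian's email with a read-receipt request
# and a plain-text attachment. Names and addresses are made up.
SAMPLE_EML = """\
From: custodian@example.com
To: counsel@example.com
Subject: Q3 supplier pricing
Disposition-Notification-To: custodian@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Please read the attached memo before Monday.

--sep
Content-Type: text/plain; charset="utf-8"; name="memo.txt"
Content-Disposition: attachment; filename="memo.txt"

The trade secret formula was shared with the competitor in March.
--sep--
"""

# Headers that cause a mail client to offer or send a read receipt (MDN).
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")


def parse_message(raw: str) -> EmailMessage:
    """Parse raw RFC 822 text; parsing never sends anything back to the sender."""
    return email.message_from_string(raw, policy=policy.default)


def read_receipt_requested(msg: EmailMessage) -> bool:
    """True if opening this message in a mail client may notify the sender."""
    return any(msg.get(h) is not None for h in RECEIPT_HEADERS)


def searchable_text(msg: EmailMessage, include_attachments: bool) -> str:
    """Collect body text, optionally adding plain-text attachments.
    Assumption: attachments are text/plain (no Office/PDF extraction here)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue  # skip multipart containers and non-text parts
        if part.is_attachment() and not include_attachments:
            continue  # Outlook's default search behaves like this branch
        chunks.append(part.get_content())
    return "\n".join(chunks)


def boolean_and_search(msg: EmailMessage, terms, include_attachments: bool) -> bool:
    """AND search like the Google query above: every term must appear."""
    haystack = searchable_text(msg, include_attachments).lower()
    return all(t.lower() in haystack for t in terms)


if __name__ == "__main__":
    m = parse_message(SAMPLE_EML)
    print("read receipt requested:", read_receipt_requested(m))
    terms = ["trade secret", "competitor"]
    print("body only  :", boolean_and_search(m, terms, include_attachments=False))
    print("with attach:", boolean_and_search(m, terms, include_attachments=True))
```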

There are some instances in which the metadata of an email is important. These details could include whether the email had been read or the Outlook folder in which the email existed. Cases we have encountered turned on whether or not a critical email had been read and on the archive location where an email existed. Reviewing these emails in Outlook modifies that metadata and could alter critically important information.

If you are working from the PST provided by your client and simply "deleting" the emails that are not responsive, they are not gone. If that PST is provided to opposing counsel, it may still contain those emails you never intended to produce. Email databases such as PSTs work the same way computer hard drives do: deleting the email does not mean the email is gone. This even applies to the infamous "double-delete". Using computer forensics methods, these deleted emails are potentially recoverable unless extra steps are taken to ensure their destruction.

Lastly, I want to cover the risk to your computer and to your law firm's network. I serve in various roles as an "expert": eDiscovery expert, computer forensics expert and incident response expert. I know what you are thinking: "spread a little thin, aren't ya?" Not really; each of these disciplines is based on the same objective, handling large volumes of information to determine what matters to the task at hand. A large majority of today's threats to computers and networks are introduced via hyperlinks and attachments sent by email. The computer security term for this type of attack is "phishing", and it is very effective. These malicious hyperlinks and attachments are designed to infect computers and networks with malware that both disrupts networks and gives attackers unauthorized remote access.

Please understand that on average, your anti-virus software will be successful in stopping a whopping 20 percent of these attacks. When reviewing email with Outlook, you will be susceptible to these attacks that were sent to your client via email. To make matters worse, you don’t even have to follow the link or open the attachment in some situations. Depending on system configuration and patch level, the email simply being rendered in the auto-preview pane can download malicious software to your computer.

The solution to these issues is simple: use technology designed for the review of electronic information. If it isn't clear by now, Microsoft Outlook was not designed for legal review of email. For small amounts of email reviewed by a single attorney, where features such as Bates numbering and redaction are not required, I recommend Avantstar's Quickview Plus. This software is not exactly stellar for search functionality, but it handles the review of hundreds of file types and will not alter any metadata (it is read-only). They offer a 30-day free trial and the software costs only $49.99. Please understand that this software is adequate for review only; producing the information can be challenging if large volumes are involved. For email review that needs more advanced functionality such as multiple reviewers, advanced searching, data analytics, on-the-fly redaction and built-in production capabilities, choose a more advanced review platform. For assistance in determining the technology best suited to your situation, please contact us. Given adequate advice, the costs will be lower than you anticipate.

On the surface, Microsoft Outlook appears to be a low-cost solution for reviewing email in various matters. However, you should be well aware of the issues that accompany this decision: inadequate search capabilities, altered metadata, read receipts, the potential recovery of deleted emails from productions and the inherent risk of computer compromise. Considering these facts, it is strongly suggested that you choose a review platform designed for your needs.

Bill Dean is the Director of Computer Forensics for Sword & Shield Enterprise Security. Dean has more than 15 years of experience in the technical field in roles such as programmer, systems support, enterprise systems design and engineering, virtualization, digital forensics, and information security. Dean is a frequent speaker and published author on the topics of computer security, digital forensics and electronic discovery for numerous legal and technical associations. Follow him on Twitter.

Posted in Uncategorized | Leave a comment

Information Security: There’s Not an App for That

Vulnerability assessments and exploitation, like so many other areas of technology, have progressed from being understood by a few elite practitioners to being automated for the masses.

Each day information security professionals release new software or improve existing software to make identifying and exploiting network vulnerabilities easier. Unfortunately, these automated tools have produced a "there's an app for that" attitude toward information security. Many business owners and managers believe that an automated tool can determine whether their network is secure, which is ridiculous. Information security encompasses not only vulnerability scanning and exploitation but risk management, user management and other business processes. No automated tool can identify vulnerabilities in business processes; only a qualified information security professional can do that.

Vulnerability scanners are designed to identify specific issues in network services, operating systems, web applications and software, but they cannot identify weaknesses in the underlying vulnerability management and configuration management processes. Exploitation frameworks such as Metasploit and Core Impact can exploit a machine but have no ability to determine the value of the data on the compromised machine or the effect the loss of that data would have on the business. In other words, when it comes to information security there is not an app for that.

What Should an Information Security Assessment Look Like?

Many IT service companies use automated tools to identify and exploit network vulnerabilities, and then provide a report that is nothing more than a rewording of the tools' output. In contrast, a thorough information security assessment will include automated vulnerability scanning but will go further and identify the root causes of the vulnerabilities, which typically include ineffective access controls, ineffective security update management and poor configuration management. A thorough assessment will also include exploitation but will again go further and identify the types and value of the data accessible on exploited machines. In other words, a proper information security assessment identifies vulnerabilities in business processes and recommends changes to them. It attempts to identify the sickness and not only the symptoms.

Who Should Perform an Information Security Assessment?

Information security assessments should only be performed by qualified information security professionals. Unfortunately, the “there’s an app for that” attitude, the constant push by certification bodies to certify more people, and the prevalence of automated tools make it easy for anyone to hold themselves out as an information security professional. A true professional is identified not only by his or her certifications, but by his or her body of work as well: what contributions has she made to the information security community or at what conferences has he spoken? These tell the true story of an information security professional’s abilities.

Final Thoughts

Whether a business chooses to keep its information security program completely in house or outsource portions of the program, it must recognize that information security is a complex problem and can only be solved by competent security professionals providing thorough information security assessments. When it comes to information security there is not an app for that.

Stephen B. Haywood is a principal security analyst for Sword & Shield Enterprise Security, where he is active in professional and technical security services for government and commercial clientele. He is skilled at security design and programming secure applications and is experienced in all aspects of the system security life cycle, from planning and design to implementation and testing. His blog is http://averagesecurityguy.info/. Follow him on Twitter @averagesecguy.

Posted in Security News | Leave a comment

Join Us For a Webinar with our New Partner: Prism Microsystems

Sword & Shield will host a webinar Thursday, Dec. 15 at 2 p.m. EST with its new partner, Prism Microsystems, to feature EventTracker, a comprehensive security information and event management (SIEM) solution.

EventTracker combines log consolidation and log management, real-time threat monitoring and behavioral correlation, incident management with forensic analysis, regulatory compliance and reporting, and monitoring of file integrity and USB devices, and it performs system change audits and management with automatic remediation.

Attend the webinar and see EventTracker in action. Participants are also registered to win a Kindle Fire.

Prism CEO A.N. Ananth will host the event and will demonstrate EventTracker’s real-time log analysis and automated response to:

  • Network Attacks
  • Insider Threats
  • Security Policy Violations
  • Unauthorized Application Usage
  • Managing USB Storage Devices

If you’re an IT professional, financial executive or business manager with responsibility for regulatory compliance, risk management or technology investments, please click here to register.

Posted in Uncategorized | 1 Comment

Join Sword & Shield and Barracuda for Lunch

Sword & Shield and our vendor partner, Barracuda Networks, will host a Lunch N' Learn Thursday, Nov. 10 at Ruth's Chris Steak House in downtown Knoxville to address the latest trends in content security, data discovery and protection, and application delivery solutions that improve your company's productivity.

Bill Dean, Sword & Shield's director of computer forensics, will speak about the importance of eDiscovery. Participants will also learn how to streamline backup strategies by eliminating removable media and how to achieve massive storage reductions by using data deduplication technology. Whether it's recovering a single lost file or recovering from a hurricane-damaged building, backups can be simplified and provide quick data recovery.

A Barracuda representative will discuss the Barracuda product line and how it can benefit your company by archiving emails for compliance readiness and by improving the operational efficiency of your email server through offloading email messages. Learn how users can archive calendar items, contacts and tasks from Microsoft Exchange and other email servers, and how to eliminate the need for PST file storage.

Click Here for More Details and to Register

Posted in Uncategorized | Leave a comment

Job Posting: Senior Consultant, PCI Risk & Compliance

Join Sword & Shield, one of the most trusted and fastest-growing security consulting firms in the United States! Send resumes as a Word or PDF attachment.

Position Title: Senior Consultant, PCI Risk & Compliance

Skills: PCI Risk Assessments/Gap Analysis/Remediation Plans

Tax Term: Full Time

Pay Range: $80-$110k commensurate with experience

Length: Indefinite

Travel Required: < 50%

Telecommute: Negotiable

POSITION DESCRIPTION


Posted in Hiring Notices | Leave a comment

Job Posting: Senior Consultant, HIPAA Risk & Compliance

Join Sword & Shield, one of the most trusted and fastest-growing security consulting firms in the United States! Send resumes as a Word or PDF attachment.

Position Title: Senior Consultant, HIPAA Risk & Compliance

Skills: HIPAA Risk Assessments/Gap Analysis/Remediation Plans

Location: Negotiable

Tax Term: Full Time

Pay Range: $80-$110k commensurate with experience

Length: Indefinite

Travel Required: < 50%

Telecommute: Negotiable

POSITION DESCRIPTION

Posted in Hiring Notices, Uncategorized | Leave a comment

Lunch at Club LeConte; Learn About Advanced Threats

Sword & Shield Director of Computer Forensics Bill Dean will discuss how both industry and government can better understand today's advanced threats at a Lunch N' Learn, Friday Nov. 4 from 11:30 a.m. to 1:30 p.m. at Club LeConte.

Today's cyber attacks are more stealthy and malicious than ever before and are programmed to remain unnoticed for as long as possible, until an opportune moment to inflict damage. In addition, data breaches can mean the loss of reputation and revenue and result in legal expenses.

Sword & Shield analysts have found that many computer security breaches today occur because of the time lag between discovery of a vulnerability and installation of security patches. Simply stated, traditional anti-virus vendors continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving Internet threats. Add this lag to the patching schedules of even diligent IT administrators, and you have a vulnerability window of roughly three months through which malware can be injected into the network.

“A network vulnerability assessment/penetration test determines the vulnerabilities that may be exploited in the future, while a Data Breach Threat Analysis works to determine whether or not your systems have already been compromised,” Dean said.

To reserve your seat for the Lunch N’ Learn, please RSVP by emailing forensics@swordshield.com. Space is limited and registration must be approved by Tuesday, Nov. 1.

Posted in Computer Forensics, Events | Leave a comment

Sword & Shield to Partner with MAD Security

MAD Security to Offer Security Solutions for US Government on Sword & Shield’s NASA SEWP IV Contract

Henderson, NV – October 10, 2011 – MAD Security, an information security firm that provides full-service information security solutions, services and training, announced today that it has partnered with Sword & Shield Enterprise Security to offer and implement security solutions and training for government agencies through Sword & Shield’s NASA SEWP IV contract.

MAD Security's industry-leading customized training offerings, including The Hacker Academy, a cloud-based training system for information security professionals, and its security awareness programs, together with its solution implementation and architecture services on SEWP IV, allow agencies to learn, practice and stay up to date on the latest in information security.

"MAD Security's comprehensive security services and training offerings have been helping government agencies reduce overall security risk and improve technology infrastructure security for years," said MAD Security Managing Partner Dean Pace. "Provisioning MAD Security training and solutions on SEWP will greatly simplify the process for agencies that want to find the right methods to enhance the protection of their critical business assets."

“While Sword & Shield maintains core competencies in Network Security services and products, we engage in strategic partnerships with industry leading companies. Our new partnership with MAD Security will allow us to provide an even greater depth and breadth of offerings across the Federal IT landscape,” said Sword & Shield President and CEO John McNeely.

Posted in Company News | Leave a comment