
    Incident Analysis & Digital Forensics in SCADA and Industrial Control Systems

    SCADA and industrial control systems have traditionally been isolated in physically protected environments. However, developments such as the standardisation of data exchange protocols and increased use of IP, emerging wireless sensor networks and machine-to-machine communication mean that in the near future related threat vectors will also require consideration outside the scope of traditional SCADA security and incident response. In the light of the significance of SCADA for the resilience of critical infrastructures and the related targeted incidents against them (e.g. the development of Stuxnet), cyber security and digital forensics emerge as priority areas. In this paper we focus on the latter, exploring the current capability of SCADA operators to analyse security incidents and develop situational awareness based on a robust digital evidence perspective. We look at the logging capabilities of a typical SCADA architecture and the analytical techniques and investigative tools that may help develop forensic readiness to the level required by the current threat environment. We also provide recommendations for data capture and retention.

    Investigating the factors that influence digital forensic readiness in a South African organisation

    Computer crimes affect the bottom line of organisations across the globe. The ability of criminals to exploit organisational systems and avoid prosecution is a concern for most organisations. This is due to the increased use of information and communication technology (ICT) by individuals and organisations. The rapid growth of ICT has affected our communication and information exchange. These advances have not only influenced the way we conduct our daily activities, but have also led to new opportunities, risks and challenges for technical and legal structures. Unfortunately, some individuals and groups have decided to use these ICT advances in order to engage in criminal activities, such as cybercrime. The increase in cyber-related crimes puts a lot of pressure on law enforcement agencies and organisations across the globe to produce credible digital forensic evidence.

    A Strategic Model for Forensic Readiness

    Forensic readiness has been defined as: ‘…the capability of an organisation to use digital evidence in a forensic investigation’. For businesses, especially medium or small enterprises, gaining this capability can seem time consuming and expensive: it may involve a number of processes, it may require new hardware and software, and people with specialised skill sets may need to be hired in order to implement any plan. Yet developing and maintaining a forensic readiness capability is vital in the digital age. Fraud and cybercrime cost almost £11bn in the UK alone last year. Across the European Union, the national annual cost of cybercrime now accounts for 0.41% of GDP. Recent figures have also shown that up to 62% of digital incidents are caused by insiders, either accidentally or knowingly. An astonishing 91% of cybersecurity attacks begin with a single email. This research proposes a structured, strategic approach to forensic readiness for businesses that is economic to implement and run. It is based on people and processes rather than complex electronic systems. Key to this approach is a firm’s best asset: its own staff. It is theorised that the foundation stone of forensic readiness is a strong internal security culture. In order to achieve this aim, a unique, scalable model for efficient and inclusive planning is put forward, with a reporting construct which aims to assure company-wide involvement.

    Are You Ready? A Proposed Framework For The Assessment Of Digital Forensic Readiness

    This dissertation develops a framework to assess Digital Forensic Readiness (DFR) in organizations. DFR is the state of preparedness to obtain, understand, and present digital evidence when needed. This research collects indicators of digital forensic readiness from a systematic literature review. More than one thousand indicators were found and semantically analyzed to identify the dimensions to which they belong. These dimensions were subjected to a q-sort test and validated using association rules, producing a preliminary framework of DFR for practitioners. By classifying these indicators into dimensions, it was possible to distill them into 71 variables, further classified as either extant or perceptual variables. Factor analysis was used to identify latent factors within the two groups of variables. A statistically based framework to assess DFR is presented, wherein the extant indicators are used as a proxy for the real DFR status and the perceptual factors as the perception of this status.

    Rethinking Security Incident Response: The Integration of Agile Principles

    In today's globally networked environment, information security incidents can inflict staggering financial losses on organizations. Industry reports indicate that fundamental problems exist with the application of current linear plan-driven security incident response approaches being applied in many organizations. Researchers argue that traditional approaches value containment and eradication over incident learning. While previous security incident response research focused on best practice development, linear plan-driven approaches and the technical aspects of security incident response, very little research investigates the integration of agile principles and practices into the security incident response process. This paper proposes that the integration of disciplined agile principles and practices into the security incident response process is a practical solution to strengthening an organization's security incident response posture.

    Comment: Paper presented at the 20th Americas Conference on Information Systems (AMCIS 2014), Savannah, Georgi

    Security Incident Response Criteria: A Practitioner's Perspective

    Industry reports indicate that security incidents continue to inflict large financial losses on organizations. Researchers and industry analysts contend that there are fundamental problems with existing security incident response process solutions. This paper presents the Security Incident Response Criteria (SIRC), which can be applied to a variety of security incident response approaches. The criteria are derived from empirical data based on in-depth interviews conducted within a Global Fortune 500 organization and supporting literature. The research contribution of this paper is twofold. First, the criteria presented in this paper can be used to evaluate existing security incident response solutions and, second, they can serve as a guide to support future security incident response improvement initiatives.

    Towards a Threat Intelligence Informed Digital Forensics Readiness Framework

    Digital Forensic Readiness (DFR) has received little attention from the research community when compared to the core digital forensic investigation processes. DFR was primarily about logging security events to be leveraged in the forensic analysis phase. However, the increasing number of security incidents and the overwhelming volumes of data produced mandate the development of more effective and efficient DFR approaches. We propose a DFR framework focusing on the prioritisation, triaging and selection of Indicators of Compromise (IoC) to be used in investigations of security incidents. A core component of the framework is the contextualisation of the IoCs to the underlying organisation, which can be achieved with the use of clustering and classification algorithms and a local IoC database.

    Cybercrime awareness and reporting in the public sector in Botswana

    Different authors have reported on the problem of cybercrime and other concepts that are associated with it. The studies looking at the area of ICT and cybercrime are examined and assessed to identify gaps that exist. Nevertheless, most of these studies focused on developed countries and did not emphasise the public sector. Therefore, their findings might not be appropriately applicable to governments in developing countries, especially within the African context. This study seeks to investigate factors that are necessary to enable the Botswana public sector to properly report on cybercrime attacks. The ICT environment of the Botswana government is explored to determine the extent of ICT utilisation in the public sector. Based on the literature survey, a research framework for reporting cybercrime for the Botswana public sector is formulated.