With security threats on the rise, IT administrators are finding that basic forensic skills are essential in today's Windows shops.
Discovering system breaches and tracking them to their source are new competencies in a growing skill set that is becoming indispensable to IT managers. Knowing how to be part detective and part techie means that IT professionals can be proactive in uncovering illegal activity, such as fraud, and knowledgeable in putting together evidence that can help identify and prosecute criminals.
"Forensic skills are important to have," said John Citron, systems administrator for Latran Technologies, a printing technology company in Bedford, Mass. "You have to be able to tell if there is something going on," he said.
Citron made use of his own forensic skills one day when he noticed what he described as "script kiddies" trying to access the company's network. He found that there were two hackers who were trying to break in from overseas universities. Although the firewall and other protective measures kept those two out, Citron tracked a third infiltrator to an ISP. After notifying the ISP, he said he hasn't seen any more attempted breaches from there.
Crime-fighting skills are becoming highly desired within corporate IT departments. "While many companies are outsourcing certain security, I see more and more companies making sure they have certain forensic capabilities internally as well," said John O'Leary, education director at the Computer Security Institute, based in San Francisco and New York. The institute is a membership organization that holds two annual security conferences and offers forensics and other security training.
"Companies, even when they outsource some security work, want in-house forensic capabilities because you're usually talking about digging into the guts of a business," O'Leary said. "The databases you have to go into will make a company want someone with expertise that they trust to go digging," he said.
To help Windows shops track down wrongdoers, Microsoft provides a free guide on its Web site called the "Fundamental Computer Investigation Guide for Windows." It spells out what IT workers should do once there is an incident, although it is not meant to be a legal guide. The U.S. Department of Justice also offers a free guide to electronic crime investigation on its Web site.
At the same time, it's imperative for companies to develop a strategic plan that delineates what work their employees can do and what work would best be handed off to an outside security company, according to Chris Novak, chief technology officer for CyberTrust Inc., a New York City-based security company.
Mark Mrotek, an IT security administrator for Peoria, Ariz., said when compliance issues or some other legal variable is involved, executives usually prefer to consult a third-party specialist. "They have the tools and proven methodologies, and reputations to perform the function thoroughly, which is critical if the incident results in an employee termination or escalates to court," he said. It's important to prove that evidence was gathered correctly, that the chain of custody was thoroughly maintained and documented and that it hasn't been altered or tainted, he said.
That's why it is so important for IT administrators to know what they shouldn't do as well, Novak said. When an employee is under suspicion, the first instinct of many IT workers is to jump on an employee's workstation and look around, but that can lead to evidence being destroyed or improperly saved.
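The two points above, that evidence must be shown to be unaltered and that poking around on a suspect machine can taint it, are usually addressed by hashing the evidence at acquisition and logging every hand-off. The following script is an added illustration written for this article, not code from Microsoft's guide or from any of the people quoted; the evidence bytes, the evidence id and the handler names are constructed sample values, and the record format is an assumed minimal one rather than any standard.

```python
"""Evidence hashing and a chain-of-custody log (added example, not from the article)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stands in for an exported log file or a disk image.
SAMPLE_EVIDENCE = (
    b"2024-01-01T00:00:00Z user=jdoe action=copy file=payroll.xlsx dest=E:\\\n"
    b"2024-01-01T00:02:10Z user=jdoe action=delete file=payroll.xlsx\n"
)


def sha256_hex(data: bytes) -> str:
    """Hash the evidence bytes; SHA-256 is the usual choice for integrity records."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(evidence_id: str, data: bytes, handler: str, action: str, note: str) -> dict:
    """One log record: who did what to the evidence, when, and what it hashed to at that moment."""
    return {
        "evidence_id": evidence_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "sha256": sha256_hex(data),
        "note": note,
    }


def new_custody_log(evidence_id: str, data: bytes, collector: str, note: str) -> list:
    """Start the chain with the acquisition entry; its hash is the reference for everything after."""
    return [custody_entry(evidence_id, data, collector, "acquired", note)]


def record_transfer(log: list, data: bytes, handler: str, action: str, note: str) -> dict:
    """Append a hand-off entry. Rehashing at every hand-off pins any alteration to one interval."""
    entry = custody_entry(log[0]["evidence_id"], data, handler, action, note)
    log.append(entry)
    return entry


def verify_chain(log: list, data: bytes) -> tuple:
    """Return (ok, message). ok only if every entry matches the acquisition hash and so do the bytes on hand."""
    expected = log[0]["sha256"]
    for i, entry in enumerate(log[1:], start=1):
        if entry["sha256"] != expected:
            return False, (f"evidence changed between entry {i - 1} and entry {i} "
                           f"({entry['handler']}, {entry['action']})")
    if sha256_hex(data) != expected:
        return False, "evidence on hand no longer matches the acquisition hash"
    return True, "chain intact"


def export_log(log: list) -> str:
    """Serialize the chain as JSON lines so it can be stored alongside the evidence copy."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in log)


if __name__ == "__main__":
    # Analysts work on a copy; the acquired bytes are never opened for editing.
    log = new_custody_log("EV-0001", SAMPLE_EVIDENCE, "admin.a", "constructed sample evidence")
    working_copy = bytes(SAMPLE_EVIDENCE)
    record_transfer(log, working_copy, "examiner.b", "transferred", "handed to outside examiner")
    print(verify_chain(log, working_copy))

    # Simulate the failure mode from the article: someone alters the evidence after hand-off.
    tainted = working_copy + b"2024-01-02T09:00:00Z user=admin action=view file=payroll.xlsx\n"
    record_transfer(log, tainted, "admin.c", "examined", "looked around on the workstation")
    print(verify_chain(log, tainted))
    print(export_log(log))
```

The hash in each entry is what lets a third party later say where in the chain the evidence changed; without the per-hand-off rehash, a mismatch at the end only tells you that something changed, not during whose custody.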
One of the best reasons to hire an outside company is to show that an unbiased party investigated the incident and gathered the evidence, O'Leary said. "You want to show that someone objective conducted it," he said.
With threats growing, the need for forensic skills will likely grow as well. "I do see a demand for in-house specialists in the future," Mrotek said. "Technologies and computer crime are moving at a pace where technical investigations may become the 'normal course of business' for companies, and organizations will be ahead of the curve when these services are needed," he said.
But, for now, if IT administrators are eager to learn more basic skills, O'Leary urges them "to head for the first book store and haunt the nerd section, and then the security nerd section," he said. "There are a lot of good books on forensics, and that's a starting point. Then, if that interests you, find some basic classes." After that, pursue more complex classes, he said.
"You'll know pretty soon if you're going to like it," said O'Leary. "But even if you don't like it that much, be persistent and stick with it."