Thesis

Training Material for the Regular Systems Administrator Facing a Breach

Although most of today's successful companies are well aware of common data security issues and put a great deal of effort towards preventing a data security breach, once a breach has occurred it is not unusual for organizations to enter a mist of confusion and chaos. This happens to organizations of all sizes, whether big or small. However, large organizations are perhaps better prepared in terms of available resources to respond to a data breach than small to medium-size organizations. Small organizations do not have IT departments. The regular Systems Administrator is a "jack of all trades" and wears multiple hats. He or she is typically in charge of a broad array of duties, including installing and updating software and hardware, maintaining servers, and supporting and troubleshooting the company's network. They are on call and may even have the responsibility of overseeing the overall computer security of the company. What should the regular Systems Administrator do if a breach happens and a forensic investigation is needed? The training material included in this paper (Appendix B) was created as a response to this question and as a response to one of the four recommendations that the National Institute of Standards and Technology (NIST) Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, makes in that document: "Organizations should ensure that their IT professionals are prepared to participate in forensic activities." What if they are not prepared? The training material offers some suggestions on how to initiate the first phase of the forensic process: Collection. The regular Systems Administrator can take on the tasks of identification, labeling and recording, and then wait for the arrival of the trained digital forensic investigator, who should finalize the forensic process.