Most firms have strategies to prevent their systems being attacked, but they should also develop policies on what to do in the event of a security breach to preserve evidence and prosecute the culprits, according to experts.
The need for successful prosecutions to deter attacks is growing, say many security experts. The increasing threat is shown by the fact that for the first nine months of this year, almost 75,000 security breaches were reported to the security organisation CERT. This compares with about 52,000 for the whole of 2001 and fewer than 22,000 during 2000.
Laws are widely believed to lag behind advances in technology, but some firms also fail to report crimes because they lack usable evidence, which makes the job of the police all the more difficult. This is where good policies and digital forensics can help.
Preserving evidence
Security specialist @Stake has said many firms are not adequately prepared to deal with the aftermath of attacks. In many instances, firms believe they must choose between quickly getting systems up and running again or preserving digital evidence of attacks.
But firms can take steps to do both. Phil Huggins, @Stake's managing security architect, said the problem is that businesses are often unaware of what to do in the event of a breach, and this results in evidence being inadvertently deleted.
"Without adequate incident response, the investigation stage cannot take place," he said. "Or systems are put back in such a way that the digital forensic stage won't provide enough information to get to the root of the problem. The correct steps have to be taken so that the evidence is preserved. The more prepared an organisation is for an incident, the faster it can respond."
Companies therefore need to develop better strategies for dealing with attacks, in addition to their business continuity plans. These strategies should include steps to preserve evidence, and should stipulate the data that should be recorded before, during and after each attack to ensure a thorough investigation.
Incident detection
Implementing an intrusion detection system and a backup system, and ensuring that system administrators are adequately trained in incident detection and response, should be priorities for companies. Companies should also record data from compromised systems as soon as a breach is detected, and before the system goes live again. If preserved in the correct way, the data can then be analysed by forensic investigators and would be admissible as evidence in court.
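"Preserved in the correct way" means, in practice, that an investigator can later show the collected data has not changed since it was recorded. The script below is an added illustration of that step and is not code from the article or from any of the firms it quotes: it hashes every file copied off a compromised system into a timestamped manifest at acquisition time, and re-verifies the files later, flagging anything modified, deleted or added. The case identifier, collector name and sample log content are constructed placeholders, and the manifest layout is an assumption made for this example rather than a published standard.

```python
"""Evidence-preservation helper: record cryptographic hashes of collected
files in a manifest at acquisition time, then re-verify them later.

Added example, not from the article or any vendor named in it. It assumes
the evidence has already been copied off the compromised system into a
directory; the manifest format here is an illustration only.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

HASH_ALGO = "sha256"


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> dict:
    """Walk the evidence directory and record size + hash of every file.

    The manifest itself is then hashed so the record can be sealed (signed,
    or logged in the chain-of-custody form) alongside the evidence.
    """
    entries = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            entries[rel] = {"size": os.path.getsize(path), HASH_ALGO: hash_file(path)}
    manifest = {
        "case_id": case_id,                      # placeholder, supplied by the investigator
        "collector": collector,                  # placeholder, person who took the copy
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": HASH_ALGO,
        "files": entries,
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_" + HASH_ALGO] = hashlib.new(HASH_ALGO, body).hexdigest()
    return manifest


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Return {relative path: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    results = {}
    for rel, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.exists(path):
            results[rel] = "missing"
        elif hash_file(path) != rec[HASH_ALGO]:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    # Files that appeared after acquisition are also a custody problem.
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            results.setdefault(rel, "unexpected")
    return results


def demo() -> dict:
    """Constructed scenario: three evidence files; one is later altered and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample content, not real logs.
        samples = {
            "auth.log": b"Nov 12 03:14:07 host sshd[4121]: Failed password for root from 10.0.0.5\n",
            "ids_alerts.txt": b"alert: suspicious outbound connection (constructed sample)\n",
            os.path.join("webroot", "index.html"): b"<html>defaced (constructed sample)</html>\n",
        }
        for rel, data in samples.items():
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(d, "analyst-placeholder", "CASE-PLACEHOLDER")
        clean = verify_manifest(d, manifest)          # right after acquisition: all 'ok'
        # Simulate the untrained "tidy-up" the article warns about.
        with open(os.path.join(d, "auth.log"), "ab") as f:
            f.write(b"line added after acquisition\n")
        os.remove(os.path.join(d, "ids_alerts.txt"))
        tampered = verify_manifest(d, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing is only half of the record: the manifest's own hash, the collector name and the timestamp are what an investigator cites to show who took the copy and when, so the manifest should be stored separately from the evidence (and ideally signed) rather than left on the compromised machine.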
It is vital that firms are aware of the correct procedures for gathering data after an attack, because their evidence might otherwise be worthless, according to computer forensics company Kroll Ontrack. "If your IT staff have had no training on this, they could make a horrible mistake or obtain the evidence in such a way that it would not be admissible," warned Todd Johnson, Kroll Ontrack's general manager.
Johnson added that evidence collection is an equally important skill for IT workers to have in instances of mergers and acquisitions, or for internal investigations of Internet misuse. But he warned that companies and their IT departments must ensure that any evidence discovery or data recording complies with laws such as the Human Rights Act and the Data Protection Act.
Kroll Ontrack plans to launch a guide for companies in January, outlining actions that may be taken. "In some circumstances you can go through all personal employee data, in others you cannot," explained Johnson. "The guide will tell firms what they can and can't do."
Have your say: contact IT Week