Tuesday, June 07, 2005

Case studies, and T&E again

I was going through the E-Evidence.info site again this morning...the site is updated with new stuff each month...and saw the Internal Investigations Case Study presentation by Curtis Rose. This is a very informative read, even for technical weenies such as myself who really love the "down in the weeds" stuff.

Something really jumped out at me on slide number 10, though. When I say "jumped out", I mean deja vu, because I know I've been here before. The specific statements surround an internal investigation conducted by a sysadmin (and please don't think I'm using this as an opportunity to bust on sysadmins, because I'm not...not this time, anyway):

The investigative memorandum generated by the system administrator was biased and clearly written to substantiate the suspect was responsible

Really? Go figure. I've been here before, where a sysadmin reports on an incident in such a way as to support his original hypothesis...the one he developed shortly after receiving the first pager alert. At 2am.

A basis for much of the document was information from connection logs, which the memorandum indicated were manipulated

I can't begin to tell you how many times I've seen this, particularly in public lists. In the same post, someone who has "conducted" an "investigation" will state the source of evidence as being authoritative, but also suspect.

People, you can't have it both ways. Is it just me?

One final bullet that I'll comment on is:

What limited analysis was conducted was performed directly on the victim systems

Again, I can't tell you how many times I've seen or heard of this..."Task Manager didn't show any unusual processes."

"So that one process that looks like 'svchost', but is really called 'scvhost'...that one isn't 'unusual' to you?"

So what's with the rant? It's a need for education, folks! Education of whom? Well...get ready for this one...of IT Managers, from the C-level down. If your organization isn't hiring the right people, and the right number of people, to staff your IT department, they're doing themselves a disservice. Of course, some places may choose to do this as a sort of self-imposed governor (like one of those things they used to put on U-Haul truck engines so they wouldn't go over 65 mph, no matter how hard you pushed on the gas pedal).

When I say, "the right people", I'm referring to folks who don't necessarily look at their day job as just that. It seems sometimes that the job market is tight...so having someone who doesn't even try to keep up on things, even on their own time, doesn't make a great deal of sense when there're lots of people out there who do, and would want that job.

But you can't rely simply on self-education and -training. Hiring the right numbers of people will allow for things like taking time off for training and continuing education. One of the approaches I found to be very effective was to come on-site to provide my training. This way, admins were out of the office and engaged in training, but they weren't completely out of pocket. In fact, in at least one case, an Exchange admin used the new skills he'd learned to solve an issue over lunch during the second day of training. I've even recommended splitting the training into "port-starboard"...instead of sending everyone off-site for two days, I'd come on-site for four days and teach the course. The first two days, I'd train half of the staff, and then train the other half during the second two days.

My point is that there are a variety of options available for training and education...it just depends on where you choose to look, and how badly you want it.

Finally, for the guys and gals who are in those positions where continuing education and advancement in the IT field are non-existent...can I recommend Monster.com?
