Critical Incident Response and CIRT Development

Critical Incident Management

In modern organizations, the combination of easily available data, poorly administered safeguards, and malicious individuals makes systems vulnerable and attractive to attack. Almost daily, we hear of businesses being robbed of critical information assets or suffering outages through virus infections or denial-of-service attacks. Computer networks are still relatively new, born only 30 years ago. It sometimes seems hard to put in perspective, but the vaunted Information Highway was just getting its feet off the ground in the early 1980s. And, as information became an extremely valuable commodity, the exploitation of vulnerabilities kept pace with the growth of network systems.

Illustrating this point is one of the most famous misdeeds: the 1988 "Morris Worm" incident resulted in a large percentage of Internet-connected systems being corrupted and removed from service. This was the catalyst that caused Internet users to hold postmortem meetings, where they decided that preventative, detective, and corrective steps had to be made active parts of their business practice.

For the past seven years, the Computer Crime and Security Survey has been conducted jointly by the Computer Security Institute (CSI) and the Federal Bureau of Investigation's San Francisco, California, office. The purpose of this survey is to raise levels of computer system awareness while measuring the magnitude and frequency of computer crimes. The 2002 survey results are based on 503 responses from computer security professionals practicing in U.S. business and government agencies. Responses to this survey confirm that threats to computer systems continue to spiral upward, with corresponding financial losses following.

Here are a few highlights from the most recent survey:

  • 90 percent of the survey respondents detected computer security breaches in the last twelve months.

  • 80 percent acknowledged financial losses attributable to the computer security breaches.

  • Of the 503 respondents, 44 percent estimated their financial losses at more than $455 million.

  • The most serious financial losses occurred through the theft of proprietary information, with 26 respondents reporting more than $170 million, and 25 respondents reporting more than $115 million in financial fraud.

  • Of the respondents, 74 percent reported their Internet connection as a more frequent point of attack than their internal systems.

  • In 1996, only 16 percent acknowledged reporting intrusions to law enforcement, but in 2002, 34 percent reported their intrusions to law enforcement authorities.

  • 40 percent detected systems' penetration from outside the organization.

  • 78 percent detected employee abuse of Internet access privileges or inappropriate use of e-mail.

  • 38 percent suffered unauthorized access or misuse of their Web sites in the last 12 months, while 21 percent reported they did not know if there had been unauthorized access or misuse.

Patrice Rapalus, CSI Director, remarked that the Computer Crime and Security Survey has served as a reality check for industry and government:

Over its 7 year life span, the survey has told a compelling story. It has underscored some of the verities of the information security profession; for example, that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's 'conventional wisdom'; for example, that the 'threat from inside the organization is far greater than the threat from outside the organization' and that most hack attacks are perpetrated by juveniles on joy rides in cyberspace. Over the 7 year life span of the survey, a sense of the facts on the ground has emerged. There is much more illegal and unauthorized activity in cyberspace than corporations will admit to their clients, stockholders, and business partners or report to law enforcement. Incidents are widespread, costly, and commonplace. Since September 11, 2001, there seems to be a greater appreciation for how much information security means not only to each individual enterprise but also to the economy itself and to society as a whole. Hopefully, this greater appreciation will translate into increased staffing levels, more investment in training, and enhanced organizational clout for those responsible for information security.

Experience Note

The most frequent system attacks originate outside the business organization, but the most successful attacks are those committed by insiders.

Critical Incident Response

The best response to critical incidents is characterized by the "ounce of prevention is worth a pound of cure" philosophy. It is much more financially prudent to implement a sound risk management program characterized by written policies, procedures, and standards, with compliance ensured by comprehensive and unannounced audits, than it is to deal with financially devastating events after they happen.

But there are times when "bad things happen to good people" and a response must be made to a critical incident occurring despite your best efforts. It is virtually impossible to predict when someone is going to attack your system and steal your critical information except to say it is not a matter of if as much as it is a matter of when.

Firefighter Response Model

Responding to a critical incident is similar to responding to a fire. Fire departments work tirelessly to educate us about the best means to prevent fires. Safety training starts with simple programs when we are young by talking about fire-related hazards at home and school. Television and radio public service announcements tell us of the safety measures we can take to safeguard our lives at home. We see fire-safety slogans telling us "only you can prevent forest fires" and similar signs as we enter campgrounds and picnic areas. Sometimes we are visited by Fire Marshals inspecting our facilities, making certain there are marked exits and equipment to extinguish fires and save lives.

When the worst happens, a company of firefighters responds to an emergency:

  • Respond to emergency contact numbers

  • Trained to handle wide-ranging emergency situations

  • Organized in the deployment of their tactics and equipment

  • Frequently cross-trained as Emergency Medical Technicians

  • Confirm that an emergency exists and the nature of it

  • Take all appropriate steps to control the emergency

  • Take all appropriate steps to prevent the fire from destroying, in priority order:

    • Lives

    • Surrounding property

    • Property where the fire is presently burning

  • Take every possible step to collect and preserve evidence of criminal behavior but not at the risk of life and property

  • Testify at judicial proceedings about their actions and findings

  • Conduct reviews and critiques to improve their performance

Critical Incident Response Strategy

No one would dispute that responding to critical system incidents is complex; it is not as easy as taking a pill and waking up feeling better in the morning. Critical incident response methodology closely follows that of the firefighters:

  • Precritical incident preparation. Designated and specially trained response personnel, contact methods, equipment and tool availability, and response posture.

  • Detection of critical incidents.

  • Initial response evaluation. This is a preliminary step in which an initial investigation is performed and an evaluation is made quickly to determine which type of response is appropriate.

  • Response. This is the step where necessary resources are deployed responding to the critical incident. The response goals are very similar to those of the firefighters: contain the damage, prevent it from further spreading, dedicate efforts in a priority manner, and pursue resumption of normal operations.

  • Response posture strategy. This step is where the preliminary facts are ascertained and a "best response" plan is proposed. At this time, the proposed plan is passed to senior managers for their review and approval. It is imperative that this step be accomplished within the framework of response demands and priorities. Time is of the essence, dawdling is not acceptable here. Depending on the nature of the emergency, there will be times that an immediate hammer-to-nail response is made and there will be times when the matter may be handled the next business day.

    Experience Note

    Be careful of "crying wolf" too frequently; if every case is declared an emergency, there are no emergencies.

  • Law enforcement notification. Having previously established a relationship with law enforcement authorities, responders know whether they should collect the evidence first, or secure the crime scene and wait for officers to respond.

  • Legal determination. Responders must include their legal counsel in the decision process surrounding response strategy. On receiving the responders' observations and recommendations, legal counsel should be prepared to render an opinion on whether the responders should collect evidence for future legal proceedings, notify law officers so they can collect relevant evidence, or take immediate steps to correct damage and restore operations, possibly destroying evidence. It is possible that, by destroying evidence, responders violate laws or regulations that require evidence to be preserved and efforts to be coordinated with law enforcement authorities. For this reason, senior managers and legal counsel must be part of the decision process.

  • Evidence collection. This step collects key evidence with interviews, photographs, sketches, and physical evidence.

  • Forensic duplications. This step provides bit-by-bit, forensically sound, duplications of critical media.

  • Recovery. Responders take appropriate steps to isolate, contain, recover from the incident, and resume business operations.

  • Reporting. Take appropriate steps to draft accurate and timely reports to stakeholders and law enforcement authorities, where applicable.

  • Postmortem. This is the after-action critique and report of the actions taken during the critical incident response.

Critical Incident Planning

  • If you do not plan, you're planning to fail.

Writing and implementing a critical incident plan ensures that emergencies are addressed carefully, thoroughly, and in conformity with risk management programs. As part of the response plan, draft checklists addressing common incidents, minimizing the time required for response actions. For example, a response checklist addressing a workstation virus will differ significantly from one addressing an employee who is discovered stealing intellectual property and e-mailing it to a competitor.

Here are some recommended elements for a critical incident response plan:

  • Obtain and follow the organization's risk management plans. If your organization does not have one, today is an excellent time to start one. This plan should provide details relative to the priority of critical assets, their restoration, and the steps to be taken for resuming profitable operations.

  • The critical incident response plan should outline the means of detecting emergencies, collecting preliminary information, assessing the gravity of the system attack, systems affected, spread of damage, steps necessary to stop damage, and protect personnel, data, and facilities. The recommended plan structure is simple, direct, and understandable.

  • The critical incident response plan should provide a means to easily contact all relevant employees and outside resources.

  • The critical incident response plan should provide specific instructions about policies, procedures, and legal requirements.

  • The critical incident response plan should provide templates for any documents required during the emergency. For example, the plan should include a template for logging responder's actions and significant events during the response.

Many critical incident response plans fail because they do not include a response-owner and a senior management correspondent as part of the process. A response-owner is the employee responsible, in most cases, for the response the emergency receives, including relevant actions from start to completion. The senior management correspondent is the employee who will deliver information to stakeholders.

Command Post Operations

This is a sensitive topic relative to the initiation, staffing, and operation of a command post (CP). Do not think that CPs are intended only for military or government operations; all organizations, when addressing emergency situations, should consider this response strategy. Basically, a CP is a temporary business unit assembled to address one or more crises, and it remains in operation until all emergencies are stable and settled. CPs work very closely with regular business operations but have the executive "horsepower" to function independently in decision making, assigning resources, taking action, and following up.

CPs are staffed with specialists assigned particular tasks, with dedicated resources at their disposal. In their most common configuration, CPs are housed in segregated facilities located within the business's headquarters. If this is not possible, plans should include relocating the CP to a secondary, equipped facility. They should be equipped with dedicated facilities such as office space, electrical generation, high-speed satellite-linked Internet connections, telephones with multiple direct lines separate from other business units, satellite-linked television for news reception, and a LAN connecting CP workstations to the business LAN and the Internet.

CP reporting structure is funnel-shaped. Information flows from telephone calls, radio, news broadcasts, and e-mail to those designated for information processing. Telephone callers may be employees, specialized response teams, members of the press, stakeholders, or the general public. Carefully trained employees are tasked to interview outside callers and collect information. They are trained relative to the information they may disclose because any comments will be attributed to the organization.

Individuals collecting information for the CP should complete a simple contact report form synopsizing the information from their call, news broadcast, or e-mail. This form may be paper-based or electronic; one copy is passed to the function-point (the single point where all collected information flows), another copy is passed to the data input unit, and the last copy is retained and archived as "work papers." If the information is significant, the collector immediately briefs the function-point and follows the briefing with the written contact report form.

The function-point unit is the person or unit that screens incoming information and makes a determination of where the information should be routed, its priority and processing action. The function-point is a critical position requiring decisions to be based on sound business sense. The data input unit is responsible for routing the information to the unit or employee assigned to the task by the function-point. Another unit must be responsible for collecting the work papers and organizing them for future review and retrieval.

Within the CP are several critical business unit representatives. Depending on the nature of the emergency, these are suggested units that should have representatives in the CP:

  • Legal

  • Human Resources

  • Public/Media Relations

  • Senior Management

  • Operations Staff

  • Maintenance Staff

  • Supply/Logistics Staff

  • Communications Staff

  • Data Input Staff

  • Function-Point staff

At least in the initial stages, it will probably be necessary for the CP to be open and staffed 24 hours a day.

Experience Note

CP staff will have stages of burnout. Replace all staff members at the end of their 8-hour shifts. At the end of shifts, there should be a briefing by the outgoing shift of the events so the oncoming shift knows what has happened during the past eight hours.

There is a good reason to maintain an events log: the oncoming employees can review it for reference purposes. Activity logs and other work papers could become part of legal actions, so care in this area is advised. Employees should be trained that documenting facts is acceptable, while documenting opinions or editorializing is not.

Experience Note

While working in a CP, an employee made a note, later retained as a work paper, about an event that was only hypothetical and not actual. However, when legal action was sought, the plaintiff introduced the note as if the event had actually happened. Despite the defendant's protestations and objections, the note was accepted as evidence, causing significant damage to the defendant's case.

Once the emergency begins to abate, staff, duty hours, and activities can be reduced. It is common practice for CP unit leaders to meet every half-hour during the first few hours of CP operations. At these meetings, they should raise important events along with any concerns. Meetings should last no more than a few minutes and are driven by the nature and treatment of the emergency.

CP employees should understand that press inquiries can have grave consequences for the organization. They should be trained to handle press calls in an appropriate manner. For example, in the face of a disaster, the CP receives a telephone inquiry from a noted news organization; the employee handling the call accepts the information and documents the inquiry by completing the contact report form. Once completed, the form is passed to the function-point, where it is screened again and passed to the public relations unit at the CP for handling. One copy of the intake report is passed to the data-input unit, which maintains a chronology database of events and records the assignment to the public relations unit together with a request that they respond when the assignment is completed. In this fashion, assignments can be tracked as completed or not. Frequently, the data-input unit will list all uncompleted assignments and pass them to the function-point, which screens them again and decides whether they still need to be completed in light of the most recent events. Once the public relations unit receives the assignment from the function-point, they contact the news organization and provide appropriate information.

Auditing Workstations

Auditing workstations is one of the most invasive things an auditor can do to an employee. It must be approached with thoughtful consideration and professional demeanor. Auditors must respect the privacy of employees who are not violating policies and procedures. Exercising good judgment by ensuring the auditors have mature attitudes generally goes a long way in workstation audits.

The unannounced workstation audit is an activity that must be predicated on legal and sound policies and procedures. If an organization is going to undertake the workstation assessment process, employees must understand and acknowledge that they do not have a reasonable expectation of privacy for any of their activities conducted on the company's systems.

Audit teams must ensure that they have full concurrence and cooperation of senior managers before engaging in these types of audit practices. Prudent audit team managers will make certain that the organization's legal department is regularly consulted to determine if there have been any recent legislative changes affecting employee privacy before beginning workstation audits. Workstation auditing should not be restricted to stationary desktop systems, but should include all mobile devices including laptop, handheld, wireless, and cellular devices used on the job.

Since Microsoft created its first operating system for Intel processors, its products have gained an ever-increasing market share. As a result of this rapid expansion, most offices use Microsoft products in both desktop and mobile environments. Consequently, this section will concentrate on auditing workstations running Windows operating systems.

First Steps

Begin at the beginning. Workstation audits must include employee work areas.

  • Are there policies and procedures requiring the proper treatment of paper trash? How often does the employee dispose of her trash?

  • Where does the employee print her jobs? Is there waste paper present at the printer?

  • Does the organization have policies and procedures regarding the shredding or burning of trash?

Auditors should take a careful look at the areas surrounding the workstation. Are passwords written and hidden beneath mouse pads or keyboards? What sensitive materials are left unattended on desk areas?

With a physical review of the work area completed, the first step that should be taken by workstation auditors is the process of "unhiding" files. By clicking the My Computer icon, selecting View and then Folder Options, the auditor may select the View tab. Within this pane is an option for showing all files. Auditors should select this option to reveal any files the users may have hidden.

Experience Note

An auditor was referred an e-mail for review to determine its compliance with company policy regarding official use. Once received, the auditor opened the e-mail and its obscene attachment, a Microsoft Word document, and started her analysis. She opened the e-mail text in a simple hex editor, allowing her to view the hexadecimal coding of the message. She easily located the MAC (Media Access Control) address of the sender. Checking with the inventory control specialist, she located the workstation of the alleged sender. She opened the Word document attachment in a text editor, Notepad, and began looking for the GUID (Globally Unique Identifier). This information is an essential component of Microsoft Word's architecture and is useful in determining the origin of the attachment. After comparing the MAC of the workstation with the GUID, the auditor determined that they pointed to the same person, and identified that the attachment had been composed in a copy of Word personally registered to that particular employee. It was composed outside the organization's office space, as all company software products are registered in the company's name and not in the name of any employee. She began the workstation audit and located the MAC in the browser cookie file, in a cookie marked "microsoft.txt." It was the same as the workstation's Ethernet card. This went a long way toward showing the MAC had not been spoofed. After reviewing the obscene attachment text as a final step, the auditor provided a written report to the human resources unit for their action.
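The comparison the auditor made above rests on a documented property of older GUIDs: an RFC 4122 version-1 GUID carries a 48-bit "node" field that the classic generator fills with the MAC address of the generating machine's network adapter. The script below is an added example, not code from the book or from Microsoft; it extracts that node from a GUID string, refuses GUIDs that are not version 1 or whose node is flagged as random, and compares the result with the adapter address held in inventory. The GUIDs and MAC addresses are constructed sample values.

```python
"""Checking a document GUID against a workstation's MAC address.

Added example, not code from the book or from Microsoft. An RFC 4122
version-1 GUID carries a 48-bit "node" field that, in the classic
generator, is the MAC address of the network adapter on the machine that
produced it. All GUIDs and MAC addresses below are constructed values.
"""
import uuid

MULTICAST_BIT = 1 << 40  # least significant bit of the node's first octet


def guid_node_mac(guid_text):
    """Return the MAC embedded in a version-1 GUID as 'aa:bb:cc:dd:ee:ff'.

    Returns None when the GUID is not version 1 (nothing hardware-derived
    to recover) or when the node's multicast bit is set, which RFC 4122
    uses to mark a randomly generated node rather than a real adapter.
    """
    g = uuid.UUID(guid_text.strip("{}"))
    if g.version != 1:
        return None
    if g.node & MULTICAST_BIT:
        return None
    return ":".join(f"{b:02x}" for b in g.node.to_bytes(6, "big"))


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def guid_matches_workstation(guid_text, workstation_mac):
    """True only when the GUID is hardware-derived and its node equals the
    adapter address recorded in inventory for the workstation."""
    embedded = guid_node_mac(guid_text)
    return embedded is not None and embedded == normalize_mac(workstation_mac)


# Constructed sample values (not real documents or adapters)
DOC_GUID = "{2a6f1d84-3f2b-11d3-9c2a-001122334455}"          # version 1, node = adapter MAC
RANDOM_NODE_GUID = "{2a6f1d84-3f2b-11d3-9c2a-0b1122334455}"  # version 1, multicast bit set
V4_GUID = "{6fa459ea-ee8a-4ca4-894e-db77e160355e}"           # version 4: random, no MAC
INVENTORY_MAC = "00-11-22-33-44-55"

if __name__ == "__main__":
    print(guid_node_mac(DOC_GUID), guid_matches_workstation(DOC_GUID, INVENTORY_MAC))
```

A match is corroborating, not conclusive: the GUID identifies the adapter present when the document was created, which is why the auditor also confirmed the same address on the workstation's own Ethernet card. A version-4 GUID, or a version-1 GUID with a random node, gives the auditor nothing to compare.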

Organizing and Searching File Systems

It is important for auditors to be able to organize, search, and display files lodged on media contained within the target workstation or server.


There is a simple, free application known as Wilbur that easily accomplishes the task of organizing a disk's files. It is a freeware Windows-based utility that creates an index of the target media: hard drives, floppies, or CD-Rs. Wilbur will search every file on the target media by file type, for example spreadsheet, word processing, image, HTML, zipped files, etc. This is very useful if the auditor is looking for images with the extension jpeg or gif. Having an index of image files will provide the auditor with additional insight into the user's Internet browsing practices, which is particularly useful if the auditor is looking for browsing outside the organization's stated policies. This application can also look into the content of files for specific words, displaying the file and the text. Wilbur permits descriptions to contain wild card searches and logical expressions, facilitating the auditor's efforts to find specific files. Searches can be constrained by combinations of file names, contents, folder names, file size, attributes, and file modification dates (Exhibit 1 and Exhibit 2).

Exhibit 1: Wilbur Configuration

Exhibit 2: Wilbur Options

Little Images

In most cases, reviewing hundreds of images is tedious and somewhat tiresome for auditors. In many cases, large organizations have frequent complaints dealing with employees who engage in unauthorized pornographic Web site browsing. In other cases, employees may be engaged in stealing intellectual property or other sensitive information. Using a simple application known as ThumbsPlus, auditors can create a catalog of image files. Auditors using this program can select the workstation's drive or directory, and the program creates an image catalog displaying all image files. Conscientious auditors can quickly scan the images produced at small size and determine if any are offensive.
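The two tools above do the same two things for an auditor: index every file on the media once, then answer constrained searches (type, wild card name, content, size, date) and produce a per-folder image catalog. The script below is an added example, not code from the book, from Wilbur or from ThumbsPlus; it implements that index and search in Python and goes a little beyond the text by letting every criterion combine in one query. It builds its own small sample tree in a temporary directory, with invented file names and contents, so it runs offline.

```python
"""Indexing a media tree and searching it by type, name, content, size and date.

Added example, not code from the book, from Wilbur or from ThumbsPlus.
The sample tree is constructed in a temporary directory; the file names
and contents are invented.
"""
import fnmatch
import os
import re
import tempfile
from dataclasses import dataclass

# File-type categories by extension (a small, assumed subset)
CATEGORIES = {
    "image": {".jpg", ".jpeg", ".gif", ".png", ".bmp"},
    "spreadsheet": {".xls", ".csv"},
    "word": {".doc", ".rtf", ".txt"},
    "html": {".htm", ".html"},
    "archive": {".zip"},
}


@dataclass
class Entry:
    path: str
    size: int
    mtime: float
    category: str


def build_index(root):
    """Walk the media once and record path, size, mtime and category."""
    index = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            ext = os.path.splitext(name)[1].lower()
            category = next((c for c, exts in CATEGORIES.items() if ext in exts), "other")
            index.append(Entry(path, st.st_size, st.st_mtime, category))
    return index


def search(index, category=None, name_glob=None, content=None,
           min_size=None, max_size=None, modified_after=None):
    """Return matching paths; every criterion supplied must hold (AND).

    name_glob uses wild cards (*.xls); content is a regular expression
    matched case-insensitively against the file's bytes decoded leniently,
    so binary files simply fail to match text patterns.
    """
    pattern = re.compile(content, re.IGNORECASE) if content else None
    hits = []
    for e in index:
        if category and e.category != category:
            continue
        if name_glob and not fnmatch.fnmatch(os.path.basename(e.path).lower(), name_glob.lower()):
            continue
        if min_size is not None and e.size < min_size:
            continue
        if max_size is not None and e.size > max_size:
            continue
        if modified_after is not None and e.mtime < modified_after:
            continue
        if pattern:
            with open(e.path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            if not pattern.search(text):
                continue
        hits.append(e.path)
    return sorted(hits)


def basenames(paths):
    """File names only, for reporting."""
    return [os.path.basename(p) for p in paths]


def image_catalog(index):
    """Image files grouped by folder name, the list a thumbnail viewer
    would render; returns {folder: [file names]}."""
    catalog = {}
    for e in index:
        if e.category == "image":
            folder = os.path.basename(os.path.dirname(e.path))
            catalog.setdefault(folder, []).append(os.path.basename(e.path))
    return {k: sorted(v) for k, v in catalog.items()}


def make_sample_tree():
    """Constructed sample media: a few small files under a temp directory."""
    root = tempfile.mkdtemp(prefix="audit_")
    files = {
        "docs/budget.xls": b"Q1 accounts payable adjustments",
        "docs/notes.txt": b"reminder: post the offsetting credit next month",
        "pics/holiday.jpg": b"\xff\xd8\xff" + b"\x00" * 500,
        "pics/banner.gif": b"GIF89a" + b"\x00" * 40,
        "web/index.html": b"<html>company intranet</html>",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    idx = build_index(make_sample_tree())
    print(basenames(search(idx, category="image", min_size=100)))
    print(basenames(search(idx, content="accounts payable")))
    print(image_catalog(idx))
```

Pointing build_index at a mounted forensic duplicate rather than the live workstation keeps the search from altering access times on the original media.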

Unformatting and Undeleting

Many users believe that once a file has been deleted, it is gone forever and cannot be restored to a usable state. Further, users may also believe that once a drive has been reformatted, the information previously contained there is gone. Information may be recovered from deleted files and reformatted disks by using simple utilities. Norton Utilities, currently owned and distributed by Symantec, provides applications that will unerase deleted files and unformat media that have been formatted. Norton Utilities is not the only software suite that has these utilities; auditors can easily locate other suitable programs on the Internet.

It is not practical for auditors to restore all deleted files within a hard drive's multi-gigabyte structure; nevertheless, if auditors identify suspicious files, they have the option of restoring them and possibly recovering their contents. Using unerase and unformat programs is fairly easy, and they are usually well documented in the help file or literature accompanying the program.

Windows Registry Investigations

The Windows Registry is a database containing information about every program installed on the workstation. Wise auditors will not go idly poking around in the workstation's Registry without some degree of expertise, as this is one sure way to make the machine completely unusable if you do not know what you are doing. In essence, the Registry contains information about the workstation's users and their configuration preferences.

The Windows operating system Registry consists of at least two files: System.dat and User.dat. If the workstation has been configured for multiple users, each user will have their own copies of these files in the Windows\Profiles\<user name> folder. Auditors can boot the workstation into DOS and type scanreg /restore at the DOS prompt, launching the DOS version of the Registry Checker. This displays a list of existing Registry backups and their dates; highlight the backup to be restored and follow the prompts from there.

The best way to view the Registry is with the editor provided by Microsoft and already found in Windows. On Windows 9x or ME, select Run from the Start menu and enter regedit; on NT, enter regedt32. It is a good idea to create a backup of the Registry in case something goes wrong: from the Registry menu, select Export Registry File, which prompts for a file name. Saving this file provides a copy of the Registry.

Operating within the Registry Editor is similar to exploring files in the Windows Explorer. Registry entries are arranged like file system trees. On the left side of the window are folders indicated by icons; these are called "keys." Keys contain other keys or values, and values may be of three types: binary, string, or DWORD (double word, 32 bit). If there is a plus (+) sign next to a folder, clicking on it opens the folder and drops down the list of subkeys.

There can be a host of information stored in the Registry. For example, locate the HKEY_CURRENT_USER key and expand it to find the Software key; expand it, locate the CurrentVersion key, and finally select DocFindSpecMRU. In the right window pane, you can see the contents of this key. Reviewing them will provide the search history of the workstation. This can also be confirmed by reviewing the search terms retained in the file search utility found under Start, Find, Files or Folders. Basically, looking at this Registry entry shows where the workstation users have used the Find function and what their search parameters were. Reviewing the search history will reveal if the user has forgotten where she concealed files in the operating system's file system. For example, Alice is engaged in periodically siphoning money from accounts payable and later makes credit entries that offset these debits. She has concealed a small spreadsheet in which she tracks the stolen amounts, being careful not to take too much too frequently. This spreadsheet is hidden within her workstation's file system. After a three-week vacation, she returns to work and has forgotten where she hid the spreadsheet. She clicks on the Find function and begins searching for her spreadsheet. By performing this search, her search parameters are logged in the Registry and can be retrieved by others.

The Explorer\RunMRU key is another Registry key worth reviewing, as it contains information about user activities. It lists the most recent commands launched from the Run function accessible from the Start button, showing those commands entered by the users. This information is also available from the Run function itself, by clicking the small drop-down box to the right of the entry field. This information is useful in determining if users were running unauthorized software or if they were mapping the interior network using utilities found in the Windows operating system such as Ping, Netstat, Tracert, and Nbtstat. These networking routines are used by Windows to perform its networking functions, and if used manually, will provide a very good map of the architecture and naming conventions used in the organization's system. Ping is used to verify connections to hosts; Netstat displays protocol statistics and current TCP/IP connections to the workstation; Tracert determines the route taken to a network destination; and Nbtstat displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP. Auditors should be mindful that there are very few reasons for employees, outside of those having direct system responsibilities, to be routinely using these commands. It is important to note that these network commands may also be run from the DOS prompt within Windows, in which case they will not be recorded in the Registry. Employees interested in the organization's system architecture would likely use these commands to discover details in order to facilitate an attack. Auditors should also be mindful that an employee using these commands might just be curious about the system. If there are tools present on the workstation or stored elsewhere in the system, they should be located before making any recommendations.

Another Registry area worth an auditor's time is the one that records the URLs entered by the user during Web browsing sessions. Remember that this will only be useful if Microsoft's Internet Explorer is the default Web browser. The keys pertinent to this area are located in the Microsoft portion of the Registry under the key named TypedURLs; the same area also reveals the user's Web browser start page. In this key is a list of all the URLs the user typed into Internet Explorer's Address field. As an auditing tool, this resource is very useful, as it provides a partial record of the Web sites visited by the workstation user. The importance of this investigation is that it reveals that the user intentionally typed the URL into the address field to call up the Web page.

The HKEY_LOCAL_MACHINE key records information about the individual workstation and the network. The Network/Logon key contains the last user name used to log onto the network and is a good place to look if the auditor is attempting to correlate the workstation's user with workstation activity.
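Reviewing the RunMRU and TypedURLs keys described above lends itself to a short script. The following Python example is added here and is not code from the original text. What it assumes, stated as assumptions: the key paths and value layouts are the ones Windows uses (RunMRU values are named with single letters, each ending in a "\1" marker, and the MRUList value lists those letters most-recent-first; TypedURLs values are named url1, url2, ... with url1 the most recent), and the sample values are constructed to stand in for a registry export.

```python
r"""
Added example, not code from the original text: parse exported values of the
two registry keys described above (Explorer\RunMRU and TypedURLs) and flag Run
entries that launch the Windows networking utilities the text names.

Assumptions (also stated in the lead-in): RunMRU values are named with single
letters, each ending in "\1", and MRUList lists those letters most-recent-first;
TypedURLs values are named url1, url2, ... with url1 the most recent. The sample
values are constructed; on a real audit they would come from an exported .reg
file or the winreg module.
"""
from typing import Dict, List, Tuple

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TYPEDURLS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"

# Utilities the text identifies as rarely needed by staff without system duties.
NETWORK_UTILITIES = {"ping", "netstat", "tracert", "nbtstat"}


def _strip_marker(data: str) -> str:
    """RunMRU stores each command as 'command\\1'; drop the trailing marker."""
    return data[:-2] if data.endswith("\\1") else data


def run_history(values: Dict[str, str]) -> List[str]:
    """Return the Run-dialog commands, most recent first.

    `values` maps RunMRU value names ("a", "b", ..., "MRUList") to their data.
    MRUList gives the order; lettered values it does not mention (left behind
    after the list was trimmed) are appended so nothing is silently dropped.
    """
    order = values.get("MRUList", "")
    commands = [_strip_marker(values[ch]) for ch in order if ch in values]
    for name in sorted(values):
        if len(name) == 1 and name not in order:
            commands.append(_strip_marker(values[name]))
    return commands


def flag_network_commands(commands: List[str]) -> List[Tuple[str, str]]:
    """Pair each command with the networking utility it invokes, if any.

    The program name is the first token with any path and .exe suffix removed,
    so 'C:\\WINDOWS\\system32\\netstat.exe -an' is still recognised as netstat.
    """
    flagged = []
    for cmd in commands:
        if not cmd.strip():
            continue
        program = cmd.strip().split()[0].rsplit("\\", 1)[-1].lower()
        if program.endswith(".exe"):
            program = program[:-4]
        if program in NETWORK_UTILITIES:
            flagged.append((cmd, program))
    return flagged


def typed_urls(values: Dict[str, str]) -> List[str]:
    """Return TypedURLs entries ordered url1, url2, ..., i.e. most recent first.

    The sort must be numeric: a plain string sort would place url10 before url2.
    """
    names = [n for n in values if n.startswith("url") and n[3:].isdigit()]
    return [values[n] for n in sorted(names, key=lambda n: int(n[3:]))]


# Constructed sample data standing in for a registry export.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "ping 10.0.0.1\\1",
    "c": "cmd\\1",
    "d": "C:\\WINDOWS\\system32\\netstat.exe -an\\1",
    "MRUList": "dbca",
}
SAMPLE_TYPEDURLS = {
    "url1": "http://mail.example.net/",
    "url10": "http://www.example.org/",
    "url2": "http://intranet.example.com/",
}

if __name__ == "__main__":
    history = run_history(SAMPLE_RUNMRU)
    print("Run history (most recent first):", history)
    print("Networking utilities launched:", flag_network_commands(history))
    print("Typed URLs (most recent first):", typed_urls(SAMPLE_TYPEDURLS))
```

The MRUList ordering and the numeric sort of url names are the two details that are easy to get wrong when reading these keys by hand; the script makes both explicit so the auditor's timeline of "most recent first" is correct.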

E-Mail Sent by Employees

E-mail is a reasonable place to begin a workstation audit. It is often a source of insight into the employee's daily activities. It is likely that the organization has a policy requiring employees to use only the internal system's e-mail services. In this fashion, e-mail content may be examined for inappropriate use and for the possibility that users are using e-mail to transmit sensitive information or intellectual property outside the company.

At times, a suspicious e-mail is the first indication that an employee is acting outside of organizational policies and might be guilty of other things. Auditors may think of e-mail as a database of the employee's activities and contacts while on duty. Individual messages are often stored in the folders installed by application default or in folders the employee created. Auditors should investigate the default folder structure within the e-mail client. Looking at the Sent, Outbox, Drafts, Inbox, and Deleted folders may provide some insight into the employee's e-mail activities.

Auditors should note that just because a workstation has an e-mail client such as Eudora or Outlook installed does not necessarily mean all the user's e-mail activity is recorded. Web-based e-mail has distinct advantages for employees. By not using the organization's e-mail server, the employee bypasses any backup and recording of e-mail being sent. Employees may transmit and receive e-mail without any concern that their traffic is going to be examined later from inside the company.

Web-based e-mail allows users to send, receive, and store e-mail from multiple computers and from a wide variety of locations. Because the e-mail is stored on a server with Internet access, the user is free to conduct her e-mail business from any computer having Internet access.

Interested workstation auditors may wish to access the browser's History file and look for the dates and times the user accessed their Web-based e-mail service. Viewing the History file will provide the URL and date the Web site was visited by the user. Auditors may also wish to look into the browser's Favorites or Bookmarks file where the user may have bookmarked those Web sites she wishes to visit again. Having bookmarked a Web site is a fair indication the user intended to visit it again. Frequently, users will not delete the History file, and auditors will discover that the user has at least visited an Internet e-mail site.

Auditors may wish to visit the Cookies folder, which is easily located with the Windows Find function. Cookies are often deposited on the user's workstation by Internet e-mail sites to facilitate user recognition and logon. By examining this folder, auditors may see whether the user has visited Internet e-mail or other sites.

There is another, more subtle purpose for Internet e-mail use: users wishing to visit Web sites while avoiding detection by the interior gateway filter. By visiting an Internet e-mail site and sending URLs for prohibited Web sites to herself, an employee may circumvent content filters located on the interior network. She merely visits the Internet e-mail site, sends herself URLs for Web sites that the company's system would filter, and clicks on them through the Internet e-mail site.

Looking in all the Right Places

Auditors performing workstation audits should be mindful of the areas that generally retain information giving useful insight into the workstation user's day. Before attempting to audit the target workstation, auditors should visit the business' Help Desk unit and inquire about recent requests for assistance made by the users of the workstation they are going to audit. Employees requesting file transfer applications such as FTP (File Transfer Protocol) clients should have their workstations carefully screened. Unless an employee is engaged in system or Web page development, there is no legitimate reason to have FTP software.

Experience Note

Auditors suspecting an employee of using unauthorized software performed an audit on her workstation after normal work hours. They did not discover any unauthorized applications on her workstation. However, using the Find feature of Windows, the auditors found an interesting file called ""."//.old." The file's extension was not conventional, so the auditors opened the file and, looking at its Properties, determined that the extension should have been exe. Changing the extension to exe opened an FTP client containing an IP address located on the Internet and a password. Perusing the transfer log revealed the employee had been transferring proprietary information outside the company, including soon-to-be-released products, suppliers, price lists, and client lists. The employee was subsequently prosecuted and convicted. Additionally, she and her partners were sued for damages, with monies recovered by her former employer.

Reviewing the Internet activity logs is another logical starting point for the workstation audit. Auditors should coordinate with the appropriate levels of system administrators in obtaining and sorting the employee's Internet activity logs. Auditors should be looking for Web sites that are contrary to organization policy and Web sites that "just don't look right."

Reviewing the contents of the Windows Recycle folder will give the auditor an idea of the discarded items no longer wanted by the user. Looking in this folder will often disclose discarded items from Web pages as well as any other discarded items, and may possibly disclose whether the user attempted to install unauthorized software. Auditors should be mindful that reviewing the Add/Remove Software function located in the Control Panel/Systems folder generally reveals whether the user has installed unauthorized software. If the user is not careful, unresolved hardware device conflicts can also reveal attempts to install hardware. Reviewing the Device Manager will generally disclose whether the user has installed or attempted to install unauthorized hardware.

Auditors should be mindful that most browsers have a History file containing the user's Internet browsing history. This file may be located with the Find function of Windows and its contents may be accessed by clicking on one of the entries. Generally, the entries are cataloged by the week they were accessed. For example, there will be headings such as "54 Weeks Ago," indicating that these were the Web sites visited 54 weeks before the current date. Because the listed Web sites are identified only by their URLs, it is a wise auditor who takes a representative sample for examination.

Directories that can provide the auditor with valuable information are Temp and Temp Internet. These directories hold items that are meant to be discarded in the future. In the case of Temp, for example, downloaded applications or files needed temporarily during an installation are found here. Frequently, users ignore this folder when they delete a program, not realizing a copy was deposited on their hard drive. The Temp Internet folder acts as a depository for a variety of Internet-related items, including downloaded images, Web pages, and cookies. Searching through these items can provide information about the user's Internet browsing habits. Depending on the browser, there are sometimes Cache files that serve essentially the same purpose as Temp or Temp Internet; browser Cache files may be accessed and reviewed for the same purposes as any other "temp" file.

Most Windows systems retain many of the images from visited Web pages. These images can be displayed easily with an application such as ThumbsPlus, or they can be found by their extensions: auditors may enter gif or jpeg in the Find function of Windows, and the lower pane will display the image files.

Telling the Tale with Cookies

Cookies are text files useful in holding the user's name, password, and other information pertinent to a specific Web site. Sometimes cookies contain custom settings for a given Web site and other data the Web site uses in tracking the user's visit.

From an auditing perspective, cookies may hold information relative to Web sites, as they contain information for the browser's preferred configuration of the site. For example, they may contain preferences for Web site viewing without music or with a particular background color. Cookies do not indicate whether the user intentionally went to the Web site or not. They merely indicate that the viewer was at the Web site for the cookie to be deposited at the browser's cookie file.

Because cookies are text files, they can easily be viewed in a text editor such as Windows Notepad. In the Windows file pane they appear with names similar to aliceandbob@adlinks[1].txt or alice@yahoo[2].txt. When opened in the text editor, the contents of the cookie reveal the visited Web site.

There are no formal requirements for cookies, so it is sometimes difficult to obtain consistently useful information from them other than to see the Web site's URL.

It may be sufficient for auditors to know the URLs visited by the user and to correlate this information with the properties of the images contained on the user's workstation. By right-clicking on a cookie, auditors can view its properties, including the date it was created and the date it was last modified. Because the auditor is now viewing it, the last-accessed date will be the date of the audit.
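Reading a cookie file by hand gives the site name and not much more; the point above about the last-accessed date being overwritten by the audit is why the cookie's own creation time is the useful timestamp. The following Python example is added here and is not code from the original text. It assumes, as stated assumptions, that cookie file names follow the user@site[n].txt pattern shown above and that the file body is a series of nine-line records (cookie name, value, host/path, flags, expiry time as low and high 32-bit halves, creation time as low and high halves, and a "*" separator) holding Windows FILETIME values; the sample file is constructed.

```python
"""
Added example, not from the original text: read an Internet Explorer-style
cookie text file the way an auditor would, recovering the Web site and the
cookie's own creation time rather than relying on the file's last-accessed
date, which the audit itself overwrites.

Assumptions (also stated in the lead-in): file names follow the
user@site[n].txt pattern shown above, and the body is a series of nine-line
records: cookie name, value, host/path, flags, expiry time (low and high
32-bit halves), creation time (low and high halves) and a "*" separator, the
times being Windows FILETIME values. The sample file is constructed.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILENAME_RE = re.compile(r"^(?P<user>[^@]+)@(?P<site>[^\[]+)\[(?P<n>\d+)\]\.txt$")

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_cookie_filename(name: str) -> Optional[Dict[str, str]]:
    """Split 'alice@yahoo[2].txt' into user, site and index; None if not a cookie name."""
    m = FILENAME_RE.match(name)
    return m.groupdict() if m else None


def filetime_to_datetime(low: int, high: int) -> datetime:
    """Combine the two 32-bit halves of a FILETIME into a UTC datetime."""
    ticks = (high << 32) | low
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text: str) -> List[Dict[str, object]]:
    """Return one dict per complete nine-line record; an incomplete tail is ignored."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    records: List[Dict[str, object]] = []
    i = 0
    while i + 8 < len(lines) and lines[i + 8].strip() == "*":
        name, value, hostpath, flags, exp_lo, exp_hi, cr_lo, cr_hi = lines[i:i + 8]
        host, _, path = hostpath.partition("/")
        records.append({
            "name": name,
            "value": value,
            "host": host,
            "path": "/" + path,
            "flags": int(flags),
            "expires": filetime_to_datetime(int(exp_lo), int(exp_hi)),
            "created": filetime_to_datetime(int(cr_lo), int(cr_hi)),
        })
        i += 9
    return records


def audit_cookie(filename: str, text: str) -> Dict[str, object]:
    """Summarise one cookie file: who, which site, which hosts set cookies, first creation time."""
    parts = parse_cookie_filename(filename) or {"user": "?", "site": "?", "n": "?"}
    records = parse_cookie_file(text)
    created = [r["created"] for r in records]
    return {
        "user": parts["user"],
        "site": parts["site"],
        "hosts": sorted({r["host"] for r in records}),
        "first_created": min(created).isoformat() if created else None,
        "cookie_count": len(records),
    }


# Constructed cookie file: two cookies set by a Web-mail host, created
# 2003-01-01 00:00 UTC and expiring 2004-01-01 00:00 UTC (FILETIME halves).
SAMPLE_FILENAME = "alice@webmail[1].txt"
SAMPLE_TEXT = "\n".join([
    "SESSIONID", "a1b2c3", "webmail.example.net/", "1024",
    "854720512", "29609978", "3123396608", "29536552", "*",
    "prefs", "bg=blue", "webmail.example.net/inbox", "1024",
    "854720512", "29609978", "3123396608", "29536552", "*", "",
])

if __name__ == "__main__":
    for rec in parse_cookie_file(SAMPLE_TEXT):
        print(rec["host"], rec["name"], "created", rec["created"].isoformat())
    print(audit_cookie(SAMPLE_FILENAME, SAMPLE_TEXT))
```

The creation time recovered from the record is the one worth recording in the audit notes; the file-system dates can be compared against it, but only the modified date remains meaningful once the auditor has opened the file.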

Auditing Windows NT and XP

An integral part of these Windows operating systems is activity logging, or auditing. As a matter of policy and procedure, organizations are strongly advised to enable auditing on operating systems that support it. When enabled and correctly configured, auditing causes entries to be written to an event log. Event logs are divided into sections: System Messages, Application Messages, Security Logs, and Iexplore.

The event viewer function is used at "administrator" privilege level to view logs. How long the event log is retained depends on the configuration settings, which tell the workstation when to overwrite the oldest entries. The success auditors have in viewing logs depends on the implementation of policies and procedures relating to proper operating system configuration.

It is important for auditors to have a fair sample of user activity on which to draw their assessment. If the sample is too small, it will not reflect the user's activity; if too large, it contains too much information to be useful. Default configuration settings will generally overwrite logs in a few days or a week at most, because logs are often retained for debugging systems rather than for monitoring user activity. Auditors should be mindful that if suspicious user activity has triggered an audit, it may be advisable to have the security manager activate and configure the target workstation's logging feature to capture a larger number of events with greater granularity before actually performing the audit.

Keystroke Monitors

Auditors must be mindful there are hardware and software solutions that provide for the capture of every keystroke made on a given keyboard by the user. It is possible to configure them to either retain all the keystroke information on the workstation's hard drive or send the information via e-mail to the intended recipient. Other versions take snapshots of the target's monitor. Such keystroke software applications are available from

Auditors should know these programs are not one hundred percent accurate, but they provide a significant degree of insight into what the user is doing on her workstation. Keystroke monitors are generally invisible to the user, but a very computer-savvy user can discover them with a degree of effort. These monitors provide an important tool to auditors who are actively looking for illicit or unlawful activity. Because there are legal issues in using keystroke monitors, consult legal counsel before installing them.

Auditing E-Commerce Web Sites

Using the Internet for E-commerce is not an obscure concept; it is a matter of good business sense. However, if retail organizations ignore the malicious abilities of attackers, they are selling themselves short. There are dozens of Web sites, and an equal number of news groups and chat rooms, dedicated to verifying stolen credit card information so that its holders can use it to commit fraud or sell it to someone else who will commit fraud in the future.

There are a number of entities involved in online credit card transactions:

  • Credit card holder. The person or organization to which a credit card has been issued.

  • Issuing financial institution. The financial institution that issues the credit card to the credit card holder, also known as the "issuer."

  • Acquiring financial institution. This institution contracts with merchants to accept and process their credit card transactions. It is possible for acquirers to contract with third-party processors to provide these services. Acquiring financial institutions are also known as "merchant banks" and the organizations' accounts are known as "merchant accounts."

  • Payment gateway. This is a service allowing an E-commerce merchant to connect to the acquirer or its merchant processor to complete a credit card transaction in real-time.

  • Service provider. Includes any third-party support entity, e.g., shopping carts, Web servers, payment processors, fulfillment houses, etc. This term is also used to describe a payment gateway alliance.

Of course, online credit card transactions not only include the entities above, but they also include three essential processing actions:

  1. Authorization. This action takes place at the time a credit card transaction occurs. It is the process by which an issuer approves, or declines, a credit card transaction.

  2. Authentication. This process involves the verification of the cardholder and the credit card. At the time of authorization, the E-commerce merchant should use fraud prevention controls and tools to validate the credit cardholder's identity and the credit card being used to make a purchase.

  3. Settlement. When a product has been purchased by a cardholder, the E-commerce merchant can initiate the settlement of a transaction through an acquirer and initiate the transfer of funds from the issuer to the merchant account.

This is an example of real-time processing for an online credit card transaction. It is not as complicated as many people think. Processing events may vary slightly depending on the acquirer relationship, business requirements, and systems used, but they generally follow the credit card authorization process:

  • The cardholder orders items from an E-commerce merchant by entering the credit card number, identifying information, and any shipping information.

  • The information is transmitted through the Internet to the merchant server. The payment gateway receives the information from the merchant server, formats it, and transmits it to the acquirer.

  • The acquirer electronically sends the authorization to the issuer, who approves or declines the transaction.

Credit Card Authentication

It is the responsibility of the E-commerce merchant to apply tools and controls in verifying the cardholder's identity and validity of the transaction and avoid fraud. These are a few generally accepted tools and controls in avoiding fraud:

  • Address Verification Service (AVS). This service allows the E-commerce merchant to check a cardholder's billing address with the issuer. AVS provides online merchants with a key indicator verifying whether the transaction is valid or not.

  • Credit Card Verification Value 2 (CVV2). This is a three-digit number printed on the signature panel of the credit card that helps validate that the customer has a genuine card in her possession and that the credit card account is valid. CVV2 numbers are present on most major credit cards.

  • Advanced fraud screens. These fraud-detection services examine the transactions generated by online E-commerce sites. They calculate in real time the level of risk associated with each transaction and provide the merchant with risk scores, which permit merchants to identify potentially fraudulent orders and behavior patterns.


Settlement

Settlement is the process by which money flows from the issuer to the acquirer. Once the goods or services have been delivered, the E-commerce merchant captures and batches the related transactions for settlement. The batch is electronically submitted to the various acquirers for processing.

The acquirer electronically submits the transaction to the issuer for payment. The issuer transmits the payment to the acquirer, who credits the E-commerce merchant's account.

Chargeback Issues

With literally millions of credit card transactions, it is inevitable that there will be chargebacks. Chargebacks are transactions that are returned to the acquirer, to the issuer, then to the merchant. There are many reasons for chargebacks:

  • Customer disputed transactions

  • Fraud

  • Authorization issues

  • Inaccurate or incomplete transaction information

  • Transaction processing errors

The majority of chargebacks are initiated when the cardholder reviews her bank statement and notifies the issuer that there is a problem with a transaction. When this happens, the issuer usually requests an explanation of the problem from the cardholder. If the issuer determines there is a basis for a chargeback, the matter is referred to the acquirer, who debits the merchant's account. It is generally the responsibility of the merchant to resolve the chargeback.

Audit Program Items

E-commerce merchants must take all possible steps to reduce and treat risk. Auditors can play a significant role in this arena and should include audit program items that tip the scales in the E-commerce merchant's favor.

  • Record all key elements of fraudulent transactions: names, addresses, shipping addresses, e-mail addresses, credit card numbers, and items purchased. Auditors should verify the existence and currency of a database containing this information.

  • Document that all fraud database items are used for comparison before any transactions are processed by the merchant.

  • Establish internal transaction controls to identify high-risk transactions prior to authorization. These controls should include:

    • Setting review limits based on the number and dollar amount of transactions approved within a specified number of days. Adjust these limits to fit prior cardholder purchasing patterns.

    • Setting review limits based on a single transaction amount.

    • Ensuring that velocity limits (the frequency with which a credit card number and its associated information are used) are checked across multiple characteristics, including shipping address, telephone number, and e-mail address. "Velocity" in this context is the frequency with which a credit card is used at an E-commerce Web site; it can also mean the number of credit cards submitted from a single IP address within a given time period. Is there a mechanism prescribed by policy that requires contacting customers who exceed these control limits to determine whether the cardholder's activity is authorized and legitimate?

  • Does the Web server interface require the cardholder to input the card type, e.g., MasterCard, American Express, etc.? Does it also require the customer to input the card number and CVV2? Does the merchant's Web site verify that the card type and the numerical sequence identifying the card type coincide?

  • Does the merchant's Web site require the cardholder to enter the card's expiration date and is there a mechanism to verify that the credit card number, name imprinted on it, and the expiration date coincide?

  • Does the merchant's Web site require a customer to enter a legitimate e-mail address?

  • Does the merchant's Web site require a customer to enter a legitimate CVV2 number and are these numbers verified with the credit card's other pertinent information?

  • Has the merchant implemented AVS verification?
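The order-form questions above (card type against the number's prefix, a genuine-looking number, expiry date, CVV2) can be checked with a short validation routine. The following Python example is added here and is not part of the original audit program or any merchant's code. The prefix ranges and the Luhn check-digit algorithm are the publicly documented ones; the sample orders are constructed and use the standard public test card numbers, and the audit date used in them is an assumption.

```python
"""
Added example, not part of the original audit program: the order-form checks
the questions above ask about, as an auditor would expect a merchant to
implement them. Card type is checked against the number's prefix and length,
the number against its Luhn check digit, the expiry date against the audit
date, and CVV2 against the length the card type uses. The prefix ranges and
the Luhn algorithm are the publicly documented ones; the sample orders are
constructed and use the standard public test card numbers.
"""
from datetime import date
from typing import Dict, List, Optional

# Issuer identification prefixes, valid lengths and CVV2 length per card type.
# (American Express prints a four-digit code on the front of the card.)
CARD_TYPES = {
    "Visa": {"prefixes": ["4"], "lengths": {13, 16, 19}, "cvv2_len": 3},
    "MasterCard": {
        "prefixes": [str(p) for p in range(51, 56)] + [str(p) for p in range(2221, 2721)],
        "lengths": {16}, "cvv2_len": 3},
    "American Express": {"prefixes": ["34", "37"], "lengths": {15}, "cvv2_len": 4},
    "Discover": {"prefixes": ["6011", "65"], "lengths": {16}, "cvv2_len": 3},
}

AUDIT_DATE = date(2025, 6, 1)  # constructed "today" so the example is repeatable


def luhn_valid(number: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 from any
    result over 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detected_type(number: str) -> Optional[str]:
    """Card type implied by the number's prefix and length, or None."""
    for name, spec in CARD_TYPES.items():
        if len(number) in spec["lengths"] and any(number.startswith(p) for p in spec["prefixes"]):
            return name
    return None


def validate_card(order: Dict[str, str], today: Optional[date] = None) -> List[str]:
    """Return the list of problems with an order's card fields (empty if consistent).

    `order` carries card_type, number (spaces allowed), expiry as MM/YY and cvv2.
    """
    today = today or date.today()
    problems: List[str] = []
    number = "".join(order.get("number", "").split())
    if not number.isdigit():
        return ["card number must contain only digits"]

    actual = detected_type(number)
    if actual is None:
        problems.append("card number does not match any supported card type")
    elif actual != order.get("card_type"):
        problems.append(f"card type {order.get('card_type')!r} does not match number prefix ({actual})")
    if not luhn_valid(number):
        problems.append("card number fails Luhn check")

    parts = order.get("expiry", "").split("/")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        problems.append("expiry must be in MM/YY form")
    else:
        month, year = int(parts[0]), 2000 + int(parts[1])
        if not 1 <= month <= 12:
            problems.append("expiry month out of range")
        elif (year, month) < (today.year, today.month):
            problems.append("card expired")

    expected = CARD_TYPES[actual]["cvv2_len"] if actual else 3
    cvv2 = order.get("cvv2", "")
    if not (cvv2.isdigit() and len(cvv2) == expected):
        problems.append(f"CVV2 must be {expected} digits")
    return problems


# Constructed orders using public test numbers (no real cardholder data).
SAMPLE_ORDERS = [
    {"card_type": "Visa", "number": "4111 1111 1111 1111", "expiry": "12/30", "cvv2": "123"},
    {"card_type": "MasterCard", "number": "4111111111111111", "expiry": "12/30", "cvv2": "123"},
    {"card_type": "Visa", "number": "4111111111111112", "expiry": "12/30", "cvv2": "123"},
    {"card_type": "American Express", "number": "378282246310005", "expiry": "01/24", "cvv2": "123"},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        print(order["number"], "->", validate_card(order, AUDIT_DATE) or "ok")
```

These checks only establish that the fields are internally consistent; they do not replace AVS or CVV2 verification with the issuer, which is what the last two audit items above ask for.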

Implementing Fraud Screening to Identify High-Risk Transactions

In the E-commerce world, the greatest risk is that of fraud committed by customers. There are a variety of tools and techniques that will help identify and deal with online fraud.

  • Implement fraud screening tools to identify high-risk credit card transactions. This can include online transactions that:

    • Match credit card data stored in the organization's internal negative files.

    • Exceed velocity limits and internal controls.

    • Are Authorize-Only transactions that are never captured or settled, which identifies persons who may be credit card attackers.

    • Are for low amounts (less than $5), submitted in an attempt merely to verify the credit card number and cardholder's information; these, too, identify potential credit card attackers.

    • Produce an AVS mismatch notification.

  • Develop and implement an effective manual transaction review procedure to investigate high-risk credit card transactions. The purpose of this activity is to significantly reduce online fraud as a percentage of revenue, thereby minimizing the impact on legitimate sales.

  • Treat anonymous e-mail addresses as high-risk. It is important to note that many online merchants have discovered that anonymous e-mail addresses have a substantially higher fraud rate than e-mail accounts with well-known Internet Service Providers. Organizations should take more steps requiring these types of e-mail addresses to pass additional verification requirements before permitting them to transact online credit card business.

  • Identify and screen high-risk shipping addresses. Fraud can be reduced by comparing the client's shipping address to high-risk shipping in third-party databases and in the organization's own negative files. Of particular note is the shipping address located in a different mail-code than the billing address's mail-code. Particular attention should be paid to mail drops, prisons (of particular note in a prison address is the inclusion of the inmate number), hospitals, and addresses of known fraudulent activity.

  • Organizations should develop and implement policies and procedures addressing shipping addresses different from the billing address.

  • Organizations should treat addresses outside the merchant's country as high-risk. Transactions involving cards issued outside the merchant's country of origin and having foreign shipping and billing addresses should be regarded as high-risk. Organizations must be aware that AVS will likely not be useful in such cases, and should require greater transaction scrutiny and customer verification for international online transactions. Controls should be enforced regarding transaction velocity thresholds for these transactions. Internal policies and procedures must address cases where no third-party AVS is available, where billing and shipping addresses differ, and where the client uses an anonymous e-mail address.

  • Organizations must assess risk based on the purchase of merchandise that is easily remarketed, for example, electronic products or jewelry.

  • Organizations should have a policy regarding contacting the credit card issuer to confirm the cardholder's information prior to shipping goods related to a high-risk transaction.

Signs of Possible Online Credit Card Fraud

These are some of the possible indicators that attackers are attempting to commit fraud at the E-commerce Web site. Organizations need to be mindful of these signs and take appropriate steps to avoid becoming a victim of fraud. Auditors should include in their audit programs a check that these signs are addressed by the organization's policies and procedures.

  • Multiple credit cards being used from a single IP address. Multiple (more than two) cards are a good indication a fraud scheme is afoot.

  • Orders consisting of several of the same item. Having multiples of the same item increases the fraudster's chances of success.

  • Orders composed of "big-ticket" items with rushed shipping. These are usually items with maximum resale value, chosen with little regard for shipping costs, which increases the profit potential for the criminal.

  • Orders shipped to a single receiving address but purchased on multiple cards. These transactions can also be characteristic of account numbers that were generated by special software or stolen.

  • Multiple transactions on one card or similar cards with a single billing address or a single card with multiple shipping addresses. This activity represents an organized fraudulent activity rather than one individual at work.

If an online transaction is approved by the credit card issuer, the organization should consider sending a confirming e-mail to the customer before completing and sending the order. If the transaction is declined, the organization should have policies and procedures that specify the means by which the organization handles such transaction declinations.

Auditors should review the method by which the company handles declined transactions. Consideration should be given to having customer service employees review online transaction authorizations declined by issuers and obtain corrected information or an alternate payment that allows the organization to safely proceed. These employees must be mindful of transactions containing incorrect card expiration dates, incorrect billing addresses, incorrect name spelling, incorrect mailing addresses, or incorrect CVV2 information. Incorrect information should be retained as part of the organization's negative information database that is used for comparison with future transaction attempts.

Attackers can gain access to a business' online Web site through shopping carts or payment gateway processor systems. Attackers are also very adept at finding security holes in weak or default passwords. With an attacker invading an E-commerce site, it is possible for the attacker to emulate the merchant and begin processing debits and credits without the merchant's knowledge. It is a fraudulent practice for attackers to offset the deposit credits with debits, thereby attempting to avoid detection by deposit-volume monitoring by the true merchant's bank.

Here is a short checklist for merchants to monitor online authorizations and transactions:

  • On a daily basis, organizations must review their transaction logs for Authorize-only transactions and small amount transactions (less than $5). An unusually high number will likely indicate attackers testing the merchant's system.

  • On a daily basis, organizations must review their transactions for an unusually high amount or volume of credits. This could indicate fraud.

  • On a daily basis, organizations must review their transactions for identical transaction amounts.

  • On a daily basis, organizations must review their transactions for multiple transactions from a single IP address.

  • Organizations must thoroughly review their online transactions before they are settled. This affords the opportunity to void potentially fraudulent or erroneous transactions before they are submitted for settlement.

  • All pertinent passwords must be at least ten characters in length, with a combination of special characters, numbers, and capital letters. These passwords must be changed at least every 30 days.

  • All credit card numbers and related cardholder information must be stored on a secure server inside a guarded interior system and away from the DMZ where the Web site is located.
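The fraud screens, the signs of possible fraud, and the daily monitoring checklist above describe one set of rules from three angles: card-testing transactions under $5, authorize-only transactions never captured, AVS mismatches, more than two cards from one IP address, card velocity, anonymous e-mail domains, shipping addresses differing from billing, identical amounts across cards, and an unusual volume of credits. The following Python example is added here and is not the book's or any payment processor's code; it applies those rules to a constructed transaction log. The thresholds, the anonymous-domain list, the card tokens, amounts and IP addresses are all assumptions chosen for the example.

```python
"""
Added example, not the book's or any payment processor's code: apply the
screening rules from the lists above to a transaction log and report which
transactions trip which rules. Thresholds, the anonymous-domain list and the
sample log are constructed for the example; a merchant tunes them to its own
purchasing history.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SMALL_AMOUNT = 5.00                      # "less than $5" card-testing transactions
MAX_CARDS_PER_IP = 2                     # "more than two" cards from a single IP
CARD_VELOCITY_LIMIT = 3                  # uses of one card within VELOCITY_WINDOW
VELOCITY_WINDOW = timedelta(hours=24)
ANONYMOUS_EMAIL_DOMAINS = {"freemail.example", "anon.example"}  # constructed list


def screen_transactions(txns: List[Dict]) -> Dict[str, List[str]]:
    """Return {transaction id: [reasons]} for every transaction that trips a rule.

    Each record carries: id, ts (datetime), card (a token such as the last four
    digits, never the full number), amount, kind ("sale", "auth_only" or
    "credit"), captured, ip, email, ship_zip, bill_zip and avs_match.
    """
    cards_by_ip = defaultdict(set)
    txns_by_card = defaultdict(list)
    cards_by_amount = defaultdict(set)
    for t in txns:
        cards_by_ip[t["ip"]].add(t["card"])
        txns_by_card[t["card"]].append(t)
        cards_by_amount[round(t["amount"], 2)].add(t["card"])

    flags: Dict[str, List[str]] = defaultdict(list)
    for t in txns:
        reasons = flags[t["id"]]
        if t["amount"] < SMALL_AMOUNT:
            reasons.append("small amount (possible card testing)")
        if t["kind"] == "auth_only" and not t["captured"]:
            reasons.append("authorize-only transaction never captured")
        if not t["avs_match"]:
            reasons.append("AVS mismatch")
        n_cards = len(cards_by_ip[t["ip"]])
        if n_cards > MAX_CARDS_PER_IP:
            reasons.append(f"{n_cards} different cards from IP {t['ip']}")
        if t["email"].rsplit("@", 1)[-1].lower() in ANONYMOUS_EMAIL_DOMAINS:
            reasons.append("anonymous e-mail domain")
        if t["ship_zip"] != t["bill_zip"]:
            reasons.append("shipping address differs from billing address")
        # Velocity: uses of this card in the window ending at this transaction.
        start = t["ts"] - VELOCITY_WINDOW
        uses = sum(1 for u in txns_by_card[t["card"]] if start <= u["ts"] <= t["ts"])
        if uses > CARD_VELOCITY_LIMIT:
            reasons.append(f"card used {uses} times within 24 hours")
        if len(cards_by_amount[round(t["amount"], 2)]) > 1:
            reasons.append("identical amount submitted on more than one card")
    return {tid: r for tid, r in flags.items() if r}


def credit_ratio(txns: List[Dict]) -> float:
    """Credits as a fraction of sales value; a jump in this figure is the
    daily-review signal for an unusually high amount or volume of credits."""
    sales = sum(t["amount"] for t in txns if t["kind"] == "sale")
    credits = sum(t["amount"] for t in txns if t["kind"] == "credit")
    return credits / sales if sales else 0.0


BASE = datetime(2025, 3, 1, 9, 0)  # constructed start of the audited day


def _txn(tid, minutes, card, amount, kind, ip, email, ship_zip, bill_zip, avs):
    """Build a constructed log record `minutes` after BASE."""
    return {"id": tid, "ts": BASE + timedelta(minutes=minutes), "card": card,
            "amount": amount, "kind": kind, "captured": kind == "sale",
            "ip": ip, "email": email, "ship_zip": ship_zip,
            "bill_zip": bill_zip, "avs_match": avs}


SAMPLE_LOG = [
    _txn("t1", 0, "****1111", 49.99, "sale", "203.0.113.10", "pat@corp.example", "94105", "94105", True),
    # Three cards, $1 each, authorize-only, from one address within ten minutes.
    _txn("t2", 60, "****2222", 1.00, "auth_only", "198.51.100.7", "a@freemail.example", "10001", "10001", False),
    _txn("t3", 65, "****3333", 1.00, "auth_only", "198.51.100.7", "b@freemail.example", "10001", "10001", False),
    _txn("t4", 70, "****4444", 1.00, "auth_only", "198.51.100.7", "c@freemail.example", "10001", "10001", False),
    # One card, four big-ticket orders in five hours, shipped away from the billing address.
    _txn("t5", 120, "****5555", 299.00, "sale", "192.0.2.44", "d@mail.example", "30301", "60601", True),
    _txn("t6", 180, "****5555", 299.00, "sale", "192.0.2.44", "d@mail.example", "30301", "60601", True),
    _txn("t7", 240, "****5555", 299.00, "sale", "192.0.2.44", "d@mail.example", "30301", "60601", True),
    _txn("t8", 300, "****5555", 299.00, "sale", "192.0.2.44", "d@mail.example", "30301", "60601", True),
    _txn("t9", 360, "****1111", 49.99, "credit", "203.0.113.10", "pat@corp.example", "94105", "94105", True),
]

if __name__ == "__main__":
    for tid, reasons in screen_transactions(SAMPLE_LOG).items():
        print(tid, "->", "; ".join(reasons))
    print(f"credit ratio: {credit_ratio(SAMPLE_LOG):.2%}")
```

Run daily over the unsettled batch, this produces the review queue the checklist calls for, so that flagged transactions can be voided before settlement rather than charged back afterwards; the clean transactions (t1 and its later credit t9) are left alone.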
