Pratum Blog

HR and IT

An employee’s first day at a company presents a flood of new information—and signals what the company values. In a few hours, a worker receives strong messages about where to park, how to use the copier, what to wear and more. During that rush of first impressions at your company, does information security appear on the list of priorities?

Remember that along with giving a new employee access to your health plan, you’re handing them credentials to access company data. Are you teaching new workers how to protect that data? Do they understand that every employee has responsibility for information security, not just the IT team?

Information security should be an onboarding priority for every Human Resource (HR) department. And a strong relationship with the IT department will help HR create a productive, consistent onboarding process that puts the importance of your business’ cybersecurity practices at the forefront of your employees’ minds from day one. Here’s how you can start fostering a secure work environment from the moment the offer letter is signed.

Start secure practices from the beginning

Create an “onboarding checklist” that includes the tasks of everyone involved in the process. This reduces the risk of missing any steps and may be vital in maintaining your company’s compliance.

Explain Documents Before Signing

After the employee clears the background check and shows up for their first day, it’s time to explain and complete a few critical documents. Audits require many of these, which means you need to follow accurate filing and tracking procedures.

Confidentiality (or Non-Disclosure) Agreements

Employees gain access to various levels of sensitive and confidential company information such as company trade secrets, client information, financials, and employee lists. It is your responsibility to define what information your company classifies as confidential and make your employees aware of those things from the beginning of their employment.

Information Security Policies

On the other hand, there is information that employees are free to share, but must do so in a secure manner. Again, it is important to define those things so employees understand they are accountable to the processes protecting that information. The onboarding process provides a great opportunity to introduce key information security topics to employees. It is very important for employees to read and understand any information security policies your organization has that would be pertinent to their specific job role. Employees should sign and acknowledge these policies on their first day of employment.

Bring Your Own Device Contract

If you allow employees to access company data through their personal devices, a Bring Your Own Device (BYOD) contract, though not required, is best practice. A BYOD contract can help protect sensitive company information if a device is lost or stolen. It enables your company to enforce security controls such as password protection and remote wiping of sensitive information. These security functions are necessary for companies to ensure data confidentiality, security, and integrity.

Perform Security Awareness and Training

The moment an employee receives access to the company network, cybersecurity becomes part of their responsibility. Security awareness and training introduces real-world cyberthreats and explains why certain policies are in place, what consequences come with not following them, and whom to contact with compliance or security questions. It’s easy to rush through these processes and sign off on documents as you work through your onboarding checklist, but taking the time to stress the importance of security awareness produces vigilant employees who actively participate in keeping your organization safe.

Provision User Access

Best practices suggest using a concept called “least privileged access,” which means users receive access to only the information needed to do their specific job and no more. A process known as provisioning user access ensures proper configuration of each user’s least privileged access. The following controls help with this process:

  • HR and IT should involve management in the access request process. The employee's hiring manager can either approve incoming requests or submit them themselves to ensure that the correct access is being granted.
  • HR should work with IT to implement role-based access control (RBAC), which ensures employees can access only resources and data required to do their jobs. In contrast, many organizations use user-based access, which means that HR and IT copy an existing employee’s permission set onto a new employee. This approach is very difficult to manage as organizations scale in size, and it can result in new employees getting access beyond their immediate needs, which violates the least privileged access principle.

Provisioning user access should be accurate and consistent across all new hires – especially if your company is subject to compliance requirements such as SOC 2, HITRUST, ISO 27001, etc.
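The difference between the two provisioning approaches above can be shown in a few lines. This is an added example, not code from the original post; the role names, permission strings and user names are constructed for illustration.

```python
# Constructed sample data: roles, permission strings and users are illustrative.
ROLE_PERMISSIONS = {
    "accounts_payable_clerk": {"email", "erp:invoices:read", "erp:invoices:create"},
    "hr_generalist": {"email", "hris:employees:read", "hris:employees:update"},
}

# A long-tenured clerk whose access has grown beyond the role over time.
EXISTING_USERS = {
    "jsmith": {"email", "erp:invoices:read", "erp:invoices:create",
               "erp:payments:approve", "fileshare:finance-archive"},
}


def provision_by_role(role, hiring_manager, submitted_by, approved_by=None):
    """Role-based: grant exactly the role's permission set.

    The hiring manager must have either submitted or approved the request.
    """
    if not hiring_manager or hiring_manager not in (submitted_by, approved_by):
        raise PermissionError("request lacks hiring-manager sign-off")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"no permission set defined for role {role!r}")
    return set(ROLE_PERMISSIONS[role])


def provision_by_copy(template_user):
    """User-based: clone whatever an existing employee currently holds."""
    return set(EXISTING_USERS[template_user])


def excess_access(granted, role):
    """Permissions granted beyond what the role defines (least-privilege gap)."""
    return granted - ROLE_PERMISSIONS[role]


if __name__ == "__main__":
    role = "accounts_payable_clerk"
    cloned = provision_by_copy("jsmith")
    scoped = provision_by_role(role, "mlee", submitted_by="hr-intake", approved_by="mlee")
    print("copied from jsmith, excess:", sorted(excess_access(cloned, role)))
    print("role-based, excess:", sorted(excess_access(scoped, role)))
```

Running the same `excess_access` comparison against real accounts during an access review shows where copied permission sets have drifted from the role definition.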

HR & IT: Collaboration Through Onboarding and Beyond

Rethinking the relationship between HR and IT during your onboarding tasks (and beyond) is an essential step in providing clear expectations regarding cybersecurity from the very beginning of employment. An effective onboarding checklist is consistent and clearly communicates expectations for each person involved in the process. This will not only help alleviate any risks in missing important onboarding processes but also ensure proper provisioning and information security.

If you’re ready to evaluate your current HR processes and implement an improved set of industry standard cyber security practices, reach out to a Pratum representative today!

Digital Forensics

Someone had drained $40,000 from the company bank account, and the IT team had traced the thief’s path to a compromised e-mail thread. But where was the breach? Nothing in the thread looked suspicious. Every participant appeared to have a legitimate company address—until a digital forensics expert took a look.

The consultant dove into the metadata behind the visible e-mails and revealed that someone had inserted themselves into the thread, then gone back into the thread to alter their e-mail address to look legitimate. To anyone but a digital forensics expert, the thief had successfully erased their digital footprints.

The right data makes a difference, and a digital forensics expert can often provide the insights that identify unknown breaches, keep cases out of court and more. These experts frequently discover information that resolves challenges such as:

  • Potential theft of trade secrets.
  • Suspicion of embezzlement.
  • Accusations of improper contact.
  • Security gaps that leave data vulnerable.

Digital forensics experts specialize in the recovery and investigation of artifacts found on digital devices including e-mails, text messages, and even documents stored on flash drives. If something happened on an electronic device, a forensics expert can probably identify what happened, when it happened and who did it.

Common Cases

These services typically apply to two overall categories of issues:

1. Security Breaches - Digital forensics most commonly focus on hacker attacks.

2. Employee Issues - Digital forensics also frequently address matters such as data loss or theft, policy violations, and litigation that includes e-mail communication and document sharing. A digital forensics expert can retrieve information to discover who last used a file, what was saved, what was deleted, and more.

First Steps: Securing Devices

To make the most of an investigation, it’s important to understand the process and prepare your company for potential assistance. When you find yourself in a legal situation, the top priority is bringing in a digital forensics expert right away. It's critical to preserve volatile digital evidence immediately. Segregate the device quickly by removing it from the network while keeping the device’s power on. If the device cannot be removed from the network for a business reason, work with a digital forensics expert to preserve the data as soon as possible.

As the investigation begins, a digital forensics expert casts a wide net for relevant pieces of evidence. For example, a case may first appear to revolve around a cell phone. But a forensics expert knows they also need to investigate the phone owner’s computer. It may contain backups of the phone, or documents created on the computer may be on the phone. Looking at all possible angles could produce new evidence.

Remember that even if a device appears broken or destroyed, there’s still hope. Digital forensics can retrieve a surprising amount of information from seemingly destroyed media.

Be very careful about how you store the physical device. At trial, you must be able to show and explain everything that happened to evidence while it was in your care. A weak chain of custody could mean evidence gets thrown out.

Use activity logs to track everything, including serial numbers, make and model, who has had access to the digital evidence, and where it has been. When the device is not being examined, keep it locked up to make sure only authorized individuals have access. Improper handling could destroy key evidence, or trigger “spoliation of evidence,” which refers to the loss or alteration of evidence. Your attorney can advise you on each of these areas.
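A custody log of the kind described above can be checked mechanically for breaks. The sketch below is an added example, not part of the original post; the device details, names and dates are constructed, and the list of authorized holders is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime

AUTHORIZED = {"evidence locker", "A. Examiner", "B. Custodian"}  # constructed names


@dataclass(frozen=True)
class CustodyEvent:
    when: datetime
    released_by: str   # who or what handed the device over
    received_by: str   # who or what holds it afterwards
    purpose: str


@dataclass
class EvidenceItem:
    make: str
    model: str
    serial: str
    events: list = field(default_factory=list)


def custody_problems(item):
    """Return a description of every break in the item's chain of custody."""
    problems = []
    for i, ev in enumerate(item.events):
        stamp = ev.when.strftime("%Y-%m-%d %H:%M")
        if ev.received_by not in AUTHORIZED:
            problems.append(f"{stamp}: {ev.received_by} is not an authorized holder")
        if i == 0:
            continue
        prev = item.events[i - 1]
        if ev.when < prev.when:
            problems.append(f"{stamp}: entry is earlier than the one before it")
        if ev.released_by != prev.received_by:
            problems.append(f"{stamp}: released by {ev.released_by}, "
                            f"but last recorded holder was {prev.received_by}")
    return problems


def sample_item():
    """Constructed log: the last entry has no matching check-out from the locker."""
    t = lambda day, hour: datetime(2020, 3, day, hour, 0)
    return EvidenceItem("ExampleCo", "Laptop 14", "SN-CONSTRUCTED-001", [
        CustodyEvent(t(2, 9), "B. Custodian", "evidence locker", "intake"),
        CustodyEvent(t(3, 10), "evidence locker", "A. Examiner", "imaging"),
        CustodyEvent(t(3, 16), "A. Examiner", "evidence locker", "storage"),
        CustodyEvent(t(5, 11), "C. Manager", "evidence locker", "storage"),
    ])


if __name__ == "__main__":
    for line in custody_problems(sample_item()):
        print(line)
```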

Diving Into the Data

Once key devices are in your possession, a forensics investigator can make an “image” of the information, which is much more than a simple copy. Preserving as much data as possible in its exact state, including metadata, enables forensics teams to perform thorough investigations at any time after the imaging process. For example, along with reading an e-mail's text, it’s critical to know when it was sent and how many times it was modified—all information contained in metadata.

A digital forensics expert may find other clues that show what the user did, even if it’s not stated in any text. For example, devices such as external hard drives can leave evidence about a user’s activity. A digital investigator can often create a list of every device plugged into a computer, including the make, model and serial number of each device attached over time.

Building the Best Case

To get the most out of your forensics investigator, share as much information as possible with them. Important dates, names, documents and filing systems are all critical in helping an expert understand exactly what they’re working with and how it is being used in the proceedings. Creating an effective partnership with your digital forensics expert will make your case even stronger.

If you find yourself facing a legal issue or security breach and need a digital forensics expert to assist you in the investigation, Pratum has a team of experts with years of experience in this area. Feel free to reach out to our representatives today for more information on how we can help keep your business’ security strong!

Digital Forensics Acquisition

When I first began dabbling in digital forensics, the year was 1999. At the time it was little more than tepid curiosity for me. It wasn’t but a couple of months before I was thrust into my first “investigation”. The matter turned out to be a non-issue but it sure had us worried. Looking back on my procedure, I still had a lot to learn about digital investigations.

Here we are in 2020 and the practice of digital forensics continues to change with the advances in technology. For example, we used to think that live analysis of a system was taboo. First rule of thumb was turn it off and write block everything before you attempt to do any discovery. Changes in technology have necessitated a shift in thinking of live acquisitions during a forensic examination. Let’s look at a couple of the scenarios which offer highly compelling arguments for live acquisition.

Standardization of Localized Encryption

Years ago it would have been rare to find a desktop with any sort of local drive or file encryption. Today however, full drive or volume encryption is commonplace on nearly any laptop or mobile device. The device to be analyzed may be unencrypted while booted and logged in but will revert to an encrypted state once the system is rebooted or locked. Encryption is the bane of every digital investigator’s existence. Sure, you can get around some of it, but the time and frustration added to your investigation is a reality. Governments and law enforcement continue to lobby for restricted backdoor access to defeat encryption. While it would certainly make digital forensics simpler, it’s a bad idea for many reasons.

Use of Volatile Memory for Malware Applications

We used to tweak and tune our machines to scrape together an additional 2 or 3 megabytes in RAM to get an application to run. Attackers typically had to rely on placing some part of their payload on a physical disk to ensure a high rate of success. Today a PC comes with 8, 12 or even 16 gigabytes of RAM, and we have plenty to spare. Attackers have become adept at building small but powerful apps, which are completely memory resident. Shutting down a system may eliminate any evidence that once existed only in memory.

Advent of Flash Storage as System’s Primary Storage

Devices often use “blade” type solid state drives (SSD) to replace hard drives. These blade drives use a myriad of connectors, some of which are proprietary. In many cases, you can’t just pull a drive out and stick it in a duplicator. Some of the drives require connectors with special firmware or controllers, which are on the motherboard. Booting to a forensic image on a USB stick may not allow the controller firmware to load correctly, and the drive will not be recognized. Mobile devices use flash storage directly on the motherboard making this process even more difficult. Sometimes a live acquisition is the only way to get data.

As you can see, shutting a system down prior to acquisition could cause significant loss of evidence. Our first goal in digital forensics is to preserve evidence. It is as important to prove what is present as it is to prove what is not present.

Rob Lee of SANS once gave a presentation to the ISSA chapter in Des Moines. He explained it well by saying when an EMT shows up at a shooting and the victim is still alive, they don’t worry about contaminating the crime scene when trying to save a life. Their footprints and residual evidence left behind can be identified and explained in the bigger picture. The traces left by our “prodding and poking” of a live system can be tracked and explained once the full forensic detail is laid out.

So, the next time you prepare for an investigation, think about this. Would you have a better overall picture of that system’s current state by doing a live analysis and explaining away your tracks, or by shutting it down and doing a more conventional acquisition? And so, my dear Watson… what’s your answer?

For more information on our digital forensics services, reach out to a Pratum representative today!
