Progressively, our lives and livelihoods are moving online, particularly in recent years, which have seen the rise of online shopping and downloading at the expense of physical shops such as Blockbuster. Without a proverbial safe to hide our sensitive details in, though, our personal information and bank details are up for the taking by anyone willing to look. Firewalls and security systems can serve as a lock and key for most of these details, but for the one attacker who inevitably does manage to break through, you’ll want the CCTV footage, which is where network forensics comes in. Monitoring and recording network events can be used in the same way as dusting for fingerprints to track down the culprits of an attack. But, like CCTV, which is better: to record everything just in case, the so-called “catch it as you can” approach, or to record only the break-in, the “stop, look and listen” approach?
“Catch it as you can” tools such as the open source programs WinDump and tcpdump constantly record the network, in the same way that networks were recorded onto magnetic tape in the early 1990s. Every packet passing through a point on the network is captured and stored, to be analysed later in batch if the network’s security turns out to have been breached. Even though we no longer need to store shelves of magnetic tape to do this, the method still takes up space. A lot of space. So much that a redundant array of independent disks (RAID) is usually necessary, both for the capacity and for write throughput fast enough that the capture keeps up with the link.
Alternatively, Marcus Ranum’s Network Flight Recorder (NFR) or the open source Snort intrusion detection system record only significant events. Like CCTV cameras that only record on movement to prevent the build-up of hours of unimportant footage, these “stop, look and listen” programs inspect each packet in memory as it arrives and write out only what matters, which cuts down the disk space required. The trade-off is that the inspection has to keep pace with the traffic, so these systems need enough processing power for the link rather than large storage. They are typically installed at the junction between your internal LAN and external networks so that everything crossing the boundary is seen. Programs of this ilk are also praised for greater privacy, because they record only events that are significant to network security rather than the contents of emails, photos and other personal information. The Electronic Communications Privacy Act (ECPA) explicitly bars Internet Service Providers (ISPs) from disclosing information collected without user permission, which is easier to uphold with a system like this than with “catch it as you can” programs, whose full-content archives are more exposed to accidental data breaches. The Federal Bureau of Investigation (FBI) even employs this method of tapping into the Internet to monitor hackers with its “Carnivore” system. Despite this, “stop, look and listen” methods can miss subtle events that were not flagged as significant at capture time but would later have helped identify the attackers; once a packet has been discarded it cannot be recovered, which in some ways makes this approach less useful than a “catch it as you can” method.
The appropriateness of each obviously depends on the level of security required and how severe a data breach would be. That said, it will be exciting to see programs emerge in the next few years that combine the benefits of both. Take, for example, the common arrangement in commercial premises: record everything, then delete the footage once it is clear that no crime occurred. A program that reproduced this, capturing everything into a rolling buffer but only committing to disk the traffic around a suspected incident, would be the perfect combination of the advantages of “catch it as you can” and “stop, look and listen” programs.
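To make the storage and privacy trade-off between the three approaches concrete, here is an added example that is not part of the original article and not code from tcpdump, NFR or Snort. It runs the same constructed, in-memory traffic (hypothetical addresses; the monitored LAN is assumed to be 10.0.0.0/8) through a “catch it as you can” recorder, a “stop, look and listen” recorder driven by a stand-in detection rule (a hypothetical rule, not a real IDS signature), and the hybrid ring buffer described above, then compares what each would have written to disk.

```python
"""Added example (not from the original article): toy network forensics recorders.

Contrasts "catch it as you can" (store every packet), "stop, look and listen"
(inspect in memory, keep only metadata of significant events) and a hybrid
ring buffer that records everything but commits only the packets surrounding
an alert. Traffic is a constructed in-memory list; nothing is captured live.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic (hypothetical addresses, not a real capture).
SAMPLE = [
    Packet(0.00, "10.0.0.5", "93.184.216.34", 443, b"\x17\x03\x03\x00\x20" + b"A" * 32),  # TLS data
    Packet(0.10, "93.184.216.34", "10.0.0.5", 443, b"\x17\x03\x03\x00\x40" + b"B" * 64),
    Packet(0.50, "10.0.0.7", "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01example"),        # DNS query
    Packet(1.20, "203.0.113.9", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),              # inbound SSH
    Packet(1.25, "10.0.0.5", "203.0.113.9", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet(2.00, "10.0.0.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(2.40, "10.0.0.9", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),    # traversal
    Packet(2.45, "10.0.0.80", "10.0.0.9", 80, b"HTTP/1.1 403 Forbidden\r\n"),
    Packet(3.00, "10.0.0.5", "93.184.216.34", 443, b"\x17\x03\x03\x00\x10" + b"C" * 16),
    Packet(3.50, "10.0.0.7", "10.0.0.53", 53, b"\x56\x78\x01\x00\x00\x01example"),
]

INTERNAL_PREFIX = "10."      # assumption: the monitored LAN is 10.0.0.0/8
ADMIN_PORTS = {22, 23, 3389}


def is_significant(pkt: Packet) -> bool:
    """Stand-in for an IDS signature (hypothetical rule, not a Snort/NFR rule):
    flag inbound connections to remote-admin ports from outside the LAN, and
    any payload carrying a path-traversal attempt at /etc/passwd."""
    inbound_admin = pkt.dport in ADMIN_PORTS and not pkt.src.startswith(INTERNAL_PREFIX)
    traversal = b"/etc/passwd" in pkt.payload
    return inbound_admin or traversal


def catch_it_as_you_can(packets):
    """Store every packet, payload included; analysis happens later, offline."""
    return list(packets)


def stop_look_listen(packets):
    """Inspect each packet in memory and keep only a metadata record of the
    significant ones. Payloads are never written out (the privacy argument);
    the cost is that the inspection must keep up with the link."""
    return [(p.ts, p.src, p.dst, p.dport) for p in packets if is_significant(p)]


def hybrid(packets, before=2, after=1):
    """Ring buffer: hold the last `before` packets in memory; when a packet is
    flagged, commit that context, the flagged packet and the next `after`
    packets to storage. Everything else ages out of the ring and is lost."""
    ring = deque(maxlen=before)
    kept = []
    pending = 0              # packets still to keep after the latest alert
    for p in packets:
        if is_significant(p):
            kept.extend(ring)
            ring.clear()     # already committed; avoid keeping them twice
            kept.append(p)
            pending = after
        elif pending > 0:
            kept.append(p)
            pending -= 1
        else:
            ring.append(p)
    return kept


def payload_bytes(packets) -> int:
    return sum(len(p.payload) for p in packets)


def compare(packets):
    """Return (packets stored, payload bytes stored) per recording mode."""
    full = catch_it_as_you_can(packets)
    events = stop_look_listen(packets)
    ring = hybrid(packets)
    return {
        "catch_it_as_you_can": (len(full), payload_bytes(full)),
        "stop_look_listen": (len(events), 0),   # metadata only, no payload
        "hybrid": (len(ring), payload_bytes(ring)),
    }


if __name__ == "__main__":
    for mode, (count, nbytes) in compare(SAMPLE).items():
        print(f"{mode:20s} {count:2d} packets, {nbytes:4d} payload bytes on disk")
```

The hybrid keeps the two packets before each alert and one after, so the analyst still sees the DNS lookup and TLS session that preceded the inbound SSH attempt, while the unremarkable traffic at the end of the sample is discarded. Its weakness is the same as the “stop, look and listen” mode’s: anything the rule fails to flag is gone once it leaves the ring. Real capture tools approximate this buffer with rotating capture files, for example tcpdump’s `-C` and `-W` options, and commit or delete the files according to alerts from a separate IDS.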