Information security professionals often find themselves performing investigations of security incidents and participating in other investigations. In this video, learn about different types of investigations, interviewing techniques, and the use of root cause analysis during investigations.
- [Instructor] During the course of their work, information security professionals often find themselves involved in various types of investigations. In some cases, these investigations are led by security teams in response to suspected and actual security incidents. In other cases, the investigation is led by another group and security professionals are asked to contribute evidence and expertise. There are four main types of investigations that often involve cybersecurity professionals. These are operational investigations, criminal investigations, civil investigations, and regulatory investigations.
Operational investigations are undertaken to investigate issues related to the organization's technology infrastructure. For example, a service might be returning errors, a server might be responding too slowly, or a network might be congested. Operational investigations seek to get to the underlying cause of these symptoms and resolve them, restoring normal operations. Operational investigations do not have high standards of evidence because there's no legal action involved.
The organization simply wishes to correct its operational problem and get back to work. During operational investigations, investigators should also conduct a root cause analysis. The goal of this analysis is to go beyond simply solving the problem and determine what caused it in the first place. For example, an operational investigation may determine that a server failed, reboot it, and restore service. The root cause analysis may reveal that a hard drive in that server is actually failing and that it should be replaced to prevent a future failure.
Criminal investigations are at the other end of the spectrum. Criminal investigations are conducted by government agencies with the objective of investigating violations of criminal law. The stakes are very high in this case because at the end of a criminal investigation an individual may be charged with the violation of a criminal law, a crime. Penalties for criminal violations include fines and possible jail time. Because of these high potential penalties, criminal cases use the highest possible standard for evidence, the standard of beyond a reasonable doubt.
The prosecution in a criminal case must present evidence where there is no other reasonable conclusion than that the defendant committed the crime. Civil investigations also investigate the violation of a law, but they are non-criminal offenses, involving a dispute between two parties. Civil cases may be initiated by the government, businesses, or private citizens. Examples of civil cases include contract disputes, employment law violations, and intellectual property infringement cases.
Since civil investigations do not involve criminal law, they do not put any party in jeopardy of losing their liberty and therefore have a lower standard of evidence. Civil investigations use the standard of preponderance of the evidence. In this case, the conclusion drawn by the jury simply needs to be that the evidence demonstrates that it is more likely than not that one party is correct. Finally, regulatory investigations are conducted by government agencies looking into potential violations of administrative law.
Regulatory investigations may be either civil or criminal in nature, and they use the standard of evidence that's appropriate for the type of case that the agency plans to bring. Interviews are one of the most important tools available to investigators conducting any type of investigation. During an interview, investigators ask a cooperating individual a series of questions designed to elicit information valuable to the investigation. It is important to remember that an interview is always voluntary.
When investigators question a hostile subject without that subject's consent, it's known as an interrogation. Cybersecurity analysts should never find themselves in the position of conducting an interrogation, and should leave this responsibility for trained law enforcement officials. Understanding the differences between types of investigations is an important way for information security professionals to know their own role when participating in an investigation.
Skill Level: Intermediate
Q: This course was updated on 06/01/2018. What changed?
A: We updated three videos, covering creating an incident response program, communications plan, and response team.