Monday, September 03, 2007

On Assurance vs Indication

Yes, this will tell the whole world how behind am I am blogging, but so be it :-) So, I wanted to respond to Rob's comments related to e-discovery here. So, Rob says: "In a nutshell, it [A.C. - e-discovery] is the process of collecting, searching, preserving and analysing digital information. [...] And there are some real security issues here: 1) If I have collected information from a system, how do I know that information hasn't already changed en route to collection? " [2-5 skipped, see the original post]

He then concludes with "So who's interested in this? Well, apparently not the real security guys" which is obviously absurd.

In reality, e-discovery is moderately hot and doing it better and more secure is of interest to vendors (more) and customers (less). However, there are perfectly good solution to the "issues" Rob brings, which kinda makes them not issues, really :-) Specifically:

  1. "If I have collected information from a system, how do I know that information hasn't already changed en route to collection?" Anton: encrypt it in transit; SSL, SSH work.
  2. "How do I know it hasn't been seen and manipulated, or copied?" Anton: encrypt + hash it in storage; SSL, SSL work too.
  3. "Between collection and searching, how do I know the index hasn't changed, and therefore the information I am now looking at is redundant?" Anton: log all access to system, check the access logs before searching. if you have doubts, reindex. Index is dynamic so you cannot checksum it.
  4. "How can I preserve information without it becoming prohibitively expensive?" Anton: burn a DVD! Or use one of those funky EMC or NetApp WORM storage boxes.
  5. "When I want to analyse this information, how do I know I'm analysing the right things?" Anton: this one is up to you :-)

At the same time, e-discovery is a little like forensics, you absolutely don't need it until the moment you can't live without it. Maybe this pushes the interest to dedicated e-discovery technologies down a bit?

Dr Anton Chuvakin