Defending Your Weakest Link
Alex Muentz
We're only as secure as our weakest link. I've heard this statement from some of the most competent sys admins I've known. People who keep up to date on the latest exploits and would never fall for social engineering. When we bet lunch tabs on who could compromise each other's test servers, they never lose. Any organization could feel safe having them protecting their data.
Yet I can compromise their systems any time I like. The best part is that I'll get them to help me. Have I become a master at trickery? Do I have incriminating photos? No. All I have is a suit and a bar card.
We, as sys admins, need to understand that legal processes resemble attacks on IT infrastructure, and we need to know how to respond to them effectively. In this article, I'm going to discuss discovery, subpoenas, search warrants, and transitive trust problems. Admittedly, this is just a quick overview of a complex subject, so don't take it as legal advice. Instead, think of this article as the start of a talk that you're going to finish with your organization's legal counsel.
Civil Litigation
If you're unfamiliar with the topic of civil litigation, one thing you need to know is that each side in a civil lawsuit must give the other side all the information that might help prove or disprove the claims in the lawsuit. This process is known as discovery. Other organizations that hold relevant information may also be forced to divulge it by subpoena. It may be like playing poker with all cards face up, but it does hasten settlements, and that's how most civil lawsuits are resolved. So, why do you, as a sys admin, care? Most of your organization's information is on your systems. You'll be a hero if you handle these situations correctly, and you'll risk legal liability if you don't.
Discovery: Slow, Invasive, and Exhausting
What's going on? Your organization has been sued or is suing someone. You're required to hand over all information that may lead to proving or disproving the case.
Defenses:
- The ability to quickly search all information on your servers.
- Data retention/destruction policy.
- A good relationship with legal counsel.
The Federal Rules of Civil Procedure (FRCP) were recently amended to require litigants to preserve and disclose electronic information when a lawsuit becomes probable. The FRCP are the ground rules of litigation in the U.S. federal court system, and state courts often adopt parts of the FRCP. The first part of discovery is the litigation hold, which requires you to prevent destruction of relevant information when litigation becomes likely. If someone in your organization inadvertently deletes relevant documents or information after that time, they're in trouble. If they deliberately delete, they're in more trouble.
But, how do you know what's relevant to any given lawsuit? How do you know what is relevant but not discoverable? This is where the ability to search all of the data in your organization's possession will save you time, money, and headaches. How you implement it is up to you or your legal counsel, but if you approach them with a workable solution, they'll love you. If you can give counsel all the documents that they want and can guarantee that none are missing, you'll be golden.
Also, a workable data retention policy is crucial. Talk to your counsel about what you have to keep and for how long. Be willing to explain how backups, archives, and the like work in layman's terms. Once you have a policy that you can live with, follow it. If it says keep data for no longer than 3 years, make sure you've erased or destroyed older media, unless that data is under a litigation hold. A hold always overrides the retention schedule: deleting held data "because the policy said so" is exactly the inadvertent destruction described above.
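As an added illustration (this is not code from the original article), the following Python sketches a retention sweep that applies the 3-year rule from the text but refuses to purge anything covered by a litigation hold, and records a reason for every decision so that you can explain later what was deleted and why. The hold matter, the file paths, and the dates are constructed for the example; the list of holds is assumed to be supplied by counsel. Holds are matched on whole path components, so a hold on /srv/projects/acme does not accidentally cover /srv/projects/acmecorp.

```python
"""Retention sweep that honors litigation holds (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath
from typing import Callable, Iterable, Optional

RETENTION = timedelta(days=3 * 365)  # policy from the text: keep data no longer than 3 years


@dataclass(frozen=True)
class Hold:
    matter: str        # case or matter name as supplied by counsel (hypothetical here)
    prefixes: tuple    # paths (files or directories) the hold covers
    issued: datetime


@dataclass(frozen=True)
class Decision:
    path: str
    action: str        # "purge", "retain" or "held"
    reason: str


def matching_hold(path: str, holds: Iterable[Hold]) -> Optional[Hold]:
    """Return the first hold covering *path*, matching on whole path components."""
    p = PurePosixPath(path)
    for hold in holds:
        for prefix in hold.prefixes:
            pre = PurePosixPath(prefix)
            if p == pre or pre in p.parents:
                return hold
    return None


def plan_sweep(files, holds, now, retention=RETENTION):
    """Classify each (path, last_modified) pair. Nothing is deleted here."""
    plan = {"purge": [], "retain": [], "held": []}
    cutoff = now - retention
    for path, modified in files:
        hold = matching_hold(path, holds)
        if hold is not None:
            # A hold wins even when the data is otherwise past retention.
            plan["held"].append(Decision(
                path, "held", f"litigation hold: {hold.matter} (issued {hold.issued.date()})"))
        elif modified < cutoff:
            plan["purge"].append(Decision(
                path, "purge", f"last modified {modified.date()} is before cutoff {cutoff.date()}"))
        else:
            plan["retain"].append(Decision(
                path, "retain", f"within retention (cutoff {cutoff.date()})"))
    return plan


def apply_sweep(plan, remove: Callable[[str], None]):
    """Delete only the 'purge' entries; return an audit line for every decision."""
    audit = []
    for action in ("held", "retain", "purge"):
        for d in plan[action]:
            if d.action == "purge":
                remove(d.path)
            audit.append(f"{d.action.upper():6} {d.path} -- {d.reason}")
    return audit


# Constructed sample data (not real matters, paths, or dates).
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)
SAMPLE_HOLDS = (
    Hold("Acme v. Example", ("/srv/projects/acme", "/srv/mail/2004/acme-deal.mbox"),
         datetime(2008, 2, 15, tzinfo=timezone.utc)),
)
SAMPLE_FILES = (
    ("/srv/mail/2004/ceo.mbox", datetime(2004, 3, 1, tzinfo=timezone.utc)),          # old, no hold
    ("/srv/mail/2004/acme-deal.mbox", datetime(2004, 3, 1, tzinfo=timezone.utc)),    # old, held by name
    ("/srv/projects/acme/spec-v1.doc", datetime(2003, 7, 9, tzinfo=timezone.utc)),   # old, held by directory
    ("/srv/mail/2008/new.mbox", datetime(2008, 5, 20, tzinfo=timezone.utc)),         # recent
    ("/srv/projects/acmecorp/notes.txt", datetime(2002, 1, 1, tzinfo=timezone.utc)), # old, near-miss of hold
)

if __name__ == "__main__":
    # Dry run: log what would be removed instead of touching the filesystem.
    for line in apply_sweep(plan_sweep(SAMPLE_FILES, SAMPLE_HOLDS, NOW), lambda p: None):
        print(line)
```

Run it as a dry run first and hand the audit lines to counsel; swap the no-op remover for `os.remove` (or your archive-destruction procedure) only once the held set has been confirmed against the current hold notices.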
Subpoenas: Do You Mind If We Poke Around for a While?
What's going on? A subpoena means you have some information that someone else wants.
Defenses:
- Being able to find and produce the information that is requested.
- An attorney who understands your organization can help.
Subpoenas do the heavy lifting in legal investigations. Grand juries, regulatory agencies, and courts can issue them. The two basic types of subpoenas are Duces Tecum (bring us evidence) and Ad Testificandum (testify under oath).
Your responses are similar to discovery, except that there's less lead time: you generally know when you're about to sue or be sued, but a subpoena typically must be responded to within a week or two. Your counsel can try to limit or discard (quash) the subpoena if it is overly burdensome, abusive, or requires protected information.
Search Warrant: No Matter How Bad Your Day Is, It Just Got Worse
What's going on? The police think there's some evidence of crime on your systems or that your systems facilitated a criminal act.
Defenses:
- Redundant systems in multiple places.
- Good backups.
- Attorney familiar with your operations on retainer.
During the attack, do not interfere. Protect your rights and be careful. Afterward, restore from backups or move to failover systems.
A search warrant allows police to search a specified area for evidence, fruits, or instrumentalities of crime and to seize them, along with any contraband found. There's a lot of case law about what evidence must be shown before a judge can issue a search warrant, but this is irrelevant to you while the search is happening, because you can't stop or interfere with a search while it's being executed. You've got two concerns: preventing disruption to your organization and not waiving your rights.
A police officer with a warrant to search and seize electronic evidence has discretion in how they acquire their evidence. They can take copies of the evidence, the media, or entire systems that they believe contain what they're looking for. There's a lot more downtime if they take your machines than if they make forensic copies of your hard drives, but there's a risk in playing along. You may be admitting knowledge of criminal acts or contraband. You may also unintentionally allow the police to search more than the warrant allows: they can ask your permission to search beyond the warrant while they decide whether or not they're going to seize your boxen. It's understandable to try to win their favor, but it may be a losing bargain. It may be safer in the long run to keep your mouth shut and let them take your machines, especially if you know there's incriminating evidence on them. Remember: don't interfere or lie during the search. If possible, call counsel who knows your business. They may be able to help limit the search while protecting your rights.
Afterward, with good backups or alternate sites, you can recover or cut over. If the police took any systems, your lawyer can sue for their return and possibly attempt to exclude the evidence from trial if there's a flaw in the search warrant.
Transitive Trust: There May Be a Weak Link
You're only as secure as the people you trust. Unfortunately, you have to trust everybody they trust as well. An attacker who wants your data may go after the weakest target, or the party least willing to fight. A recent case comes to mind: A security researcher has a Web site that someone else doesn't like. Instead of asking the researcher to shut it down or challenging the content in some way, the other folks get the researcher's domain name registrar to take the site offline. Similar attacks can take place with subpoenas and search warrants. If I want your email, I might just subpoena your ISP, who will simply process the request. If I subpoena you, you might fight back. Ideally, you should have arrangements with everyone who handles your data to alert you when someone else is trying to get it. You might also want to offer the same to your own customers.
Working with Your Legal Counsel
When your organization has been served with a subpoena or discovery request, someone must collect all the information that "responds" to the request. If the request is extensive, that person will be pulling long hours looking through every file you bring them. They'll need help with viewing, sorting, and interpreting the mountain of data. This may require them to hire temp workers or to export the files to their outside law firm. This is where the ability to index all of your data will come in handy. Identifying information that would be difficult or expensive to retrieve early on may help the legal team get the request dropped or limited. You may want to make some spare time to assist them with their requests. You may also be asked to explain what you did in collecting the information, either to opposing counsel, to a grand jury, or at trial. Keeping detailed notes will help here.
To close, I hope the information offered here will allow you to be proactive in dealing with your organization's legal department instead of waiting for them to come and impose difficult rules upon you. Let them know that you want to coordinate defenses and protect your users and the organization as a whole. They may be pleasantly surprised.
Alex is both a practicing lawyer and a sys admin. Currently, he is employed by On-Site3, an E-discovery and consulting company.