I haven’t gotten my hands on a Beta of the LearnDash software yet, but I am looking forward to doing a further review. It appears though that they are incorporating the needed features.

Many of these open source packages have commercial add-ons that you can use to enhance the network security. These paid add-ons are usually enhanced versions of the free/open source elements of the servers. (FYI: Companies in the open source field make their money by providing paid support contracts for the free products)

Regardless of the solution you choose, you will want a local or remote computer support person who can effectively leverage the available solutions in your environment. With the open source solutions available today, you can secure your network with little or no recurring cost. This is true with a home or business. Although, as a business network there are probably some add-ons such as company support and commercial anti-virus that you may want to consider adding to the system. The cost of these add-ons if very reasonable though and will help support your open source solutions so they stay around.

I will quickly run through a few of the options in this field, but first, I will define a few terms for the newbies in the group:

Linux of GNU/Linux is an open source user interface sitting on top of the Linux kernal. Linux has grown to be every bit as user friendly as Windows or Mac. ( I believe it is actually better than them both today.)

BSD- is another open source operating system. It is especially known for having very tight security.

Server- A server is basically a central computer responsible for handling network wide functions in an organization or organization sub-group. (or a home now days)

Firewall- Is an appliance device or an specialized server that is controlling traffic going in and out of the network to the internet as a whole.

GUI- Graphic User Interface. This is all the pretty windows you drag around and click now days. It is what is commonly thought of as an operating system by the average person today. Think what you see when you open a Windows XP desktop.

Untangle Firewall-

Untangle is an open source firewall/gateway solution that has paid add-on’s and support. It is the product that I personally use to protect my business network. It is known for having a very pretty user interface–very “Windows-esque”. Their Graphic User Interface (GUI) resembles a rack of servers like you would see in a server room. ( When I look at the graphic rack, I think about the thousands of dollars I would be spending on a rack of hardware for the same purpose.) Their package of solutions for securing (and accelerating) your network spans almost anything that you can think of needing. It works great for intrusion detection, web filtering, captive portal, virus blocking, and handling DHCP/DNS functions. Each of these individual pieces is configurable through an convienient GUI. All in one excellent easy to use platform.

PFsense-

PFsense is based on BSD. BSD is well known for its security as an operating system. This makes BSD a great platform for a firewall/ gateway solution. PFsense has long had the reputation for being a gateway for the super techy user. PFsense actually does have a very useable GUI. There are not as many easy to use features as untangle, so it would require a more skilled user to administer. There is paid support offered. It is pricey however, starting at $600 dollars for 5 hours.

ClearOS-

ClearOS is an open source distribution that focuses on being an all around server for your network. ClearOS doesn’t just handle the security aspects for your network, but it is designed to handle the duties of file server, web server, and mail server. This package has a network of providers trained in implementing there solution. There is also direct support from the company. This distribution is a great contender to replace a Windows Small Business Server.

Amahi-

Amahi is a Linux server based on Fedora. (Fedora is the open test bed for Red Hat Linux) This server is open source. They have done a great job of pulling together a lot of the features that a small office would need in a server. There product manages files, calendars, backups, disk pooling, wiki’s, database management, and disk monitoring. They also include DHCP, DNS, and VPN capabilities. These later capabilities are probably fine for home user, but for the high security environment I would stick with a firewall speciality distribution.

Amahi is also able to easily plug-in additional functionality. Although, not tons of Apps there is a nice assortment. These are nice one click install of additional functions. Of course being Linux and specifically Fedora based you can add further functionality through RPM packages.

This has been a few ideas to get you started in an affordable and secure fashion. I love open source!

For the small practice, cost is no doubt a large factor. Many of the players in the field charge $500 to $1000 dollars per month to secure you data. This is not a reasonable cost for a small practice in my opinion.

In my work with setting up sites for some of these professionals, here are the solutions that I have combined with great effectiveness. I have used LuxSci secure email and forms. In order to maintain HIPAA compliance, I have used Gazzang to encrypt the MySQL databases which allows the data to be encrypted at rest. Of course I am using the tried and true SSL encryption to encrypt the data in transit.

The negative to this approach is it is not a “do-it-yourself” security approach for the average doctor or lawyer. It is going to require you to have a skilled web administrator on board. To be totally effective it is going to require securing computers that you use to access the data.

LuxSci is company that provides a host of services. The two biggest for lawyers and doctors is their email and secure form products. These two pieces are easily (for a skilled web admin) customized for your domain and business needs. Their secure email solution is to the end-user just a different webmail program. All the magic of securing your email happens in the background. LuxSci also has the ability deliver the email securely to mobile devices.

Something that really stood out for me about LuxSci is their customer service. They go above and beyond to make their solution work for you. While securing some very large and complex pdf forms for one counseling practice, I ran into some errors in their form submission environment. This isn’t a negative on them at all, this was some pretty non-standard stuff. They immediately starting working on the issue. It was a problem that required some back end recoding of how the software actually handles data. They were able to very quickly find the bug and fix the code.

If you have done a lot of work around software and hosted web services, you know how unique this ability has become. There are so many platforms out in the market place that are redeploying the code of others and can’t really fix core problems. This company can fix it. I have had other occasions to need their support for issues and I can’t say enough positive things about their customer service.

Gazzang EzNcrypt is the solution I use to encrypt my MySql database. What this solution does is break out specific tables out of your MySQL database that need to be encrypted. These tables are then encrypted utilizing a key on their servers (or yours alternatively). This encryption is transparent to the software needing to access it. The ability to encrypt MySQL databases at rest fills a big piece in being able to use open source software to your needs while still maintaining high security and HIPAA compliance.

While installing the Gazzang solution in my environment, I hit a couple of snags from my own lack of understanding of all the details of the install. (Note that this is a command line install. –that means old fashioned DOS interface like we used in the early 90s. You will need a web admin to do this.) Gazzang was very responsive when I contacted them. In a very brief time I got email responses from one of the design team. He was quickly able to help me though the issues I was having.

I have had follow-up contacts with both of these businesses since I selected them for my needs. I can tell you that both companies are very customer service oriented. Both companies are striving fill a niche with a significant need at an affordable price. I truly wish both companies the best and rapid growth. As a note: I have not been compensated in any way by either company.

There will be a couple follow on posts to suggest some solutions, (so I will offer some ways to fix this) but first I think we need to address the root of the problem a bit. I want to be clear that these characteristics are an overall generalization and of course can vary greatly from individual to individual.

Problem 1) Slow to ask for help, or at least help from a computer professional. Then doesn’t take the time to actually interactively discuss what needs to be done.

- These high status professionals are surrounded by various talented office workers who are very skilled at their jobs. Billing specialist, paralegals, insurance specialists, and office managers. There is a tendency to rely on these computer power users to be the network administrators. There is no one working on the computers that really understands how to deploy an effective and secure computer network. The network environment for the office usually ends up looking like one you would see at a very big house with a bunch of Windows XP installations sharing EVERYTHING with everyone. In some of the worst cases, the people who were designated as administrators have created unsecure portals to their home computers and back-doors to login to the system should they ever get locked out. When there is a problem, the doctor or lawyer often does not know how (or that they need to) take the extra measures to completely shut down the former administrator’s access. I have seen this over and over again in small and large businesses alike. It simply highlights the need for the senior executives to have at least a general understanding of how the system operates and what to do in the event of an “incident.” But that is for another post….

-Once the hacked together network which was designed for home use, not organizational security, becomes completely dysfunctional. They lose data, or get hacked; then a computer professional is called. When this computer guy comes in, he finds a huge mess. Not only will this mess take a lot of time to fix, but will probably require new software and hardware (server, server OS, firewall, anti-virus, intrusion detection…). This causes the initial quote for fixing things to result in complete sticker shock to the doctor or lawyer involved.

-Generally, the initial evaluation and quote is further complicated because the doctor or lawyer is “too busy” to take the time to be personally involved in evaluating what they want or need. The job of working with the computer guy to “just make it work” is delegated to the para-legal or office manager. This prevents an interactive discussion of the best ways to set things up, costs, and options with the actual decision maker.

-If the doctor or lawyer does get involved in the discussion process, there is generally a very rushed air about the conversation that conveys they really don’t want to be there and they are irritated to be spending time/ money to talk to someone. Since the discussion is outside their expertise area, they don’t seem to want to expend the mental energy to understand the problem and solutions. It is often this lack of willingness to understand the situation that has led to the problem in the first place. My wife is the perfect example. I am the web administrator for her practice, and I cannot tell you how often I have heard her say to me–”I don’t care how you do it, just fix it.”

Problem 2) They are tired of the sale.

- Doctor and lawyers are frequent targets of sales people of all kinds of products. Sometimes, they have already bought various pieces of software, services, or hardware that were sold for WAY more than they were worth and didn’t solve the problem. This leaves them very jaded and skeptical of your advice. Again, it is usually far, far less expensive to have a trustworthy IT person who can evaluate and explain the pros and cons of the different options. One company I worked with was developing a tele-mental health program. I developed a solution for them that would cost about $16,000 per year to handle the secure video conferencing, and secure email and chat at three clinic locations. The IT Director got sold on an out-of-the-box “solution” for $40,000 that only handled the encrypted video. He was told by the sales person that he needed a certain resolution to have insurance accept it. That was totally false, but he did not do his research. To this day they have $120,000 of equipment sitting in the IT department and have not deployed anything.

Problem 3) Doctors may not understand there legal obligations to secure networks and data.

-We have all experienced the medical professional that upon being asked any question states, I can’t tell you that because of HIPAA. Which if very confusing when you are asking for where the water fountain is?? Seriously, though even though almost all doctor’s offices have stuck the HIPAA forms into their patient packet they don’t really understand it in regard to computer security. (Although, I have to admit it is a bit fuzzy to everyone.)

- The big point to understand is that the doctor has an affirmative responsibility to secure patient data in house, in transit, and that is handled by business associates with similar safeguards. This includes faxes, email, chats and standard snail mail. But, what does it mean to “secure it?” Good question. HIPAA and HITECH don’t spell out exact technology standards. It is clear that doing things like sending patient data in unencrypted emails is probably not allowed. Further, even if your email is encrypted on your computer, that does not mean that it is encrypted in transit. Email containing patient information must be encrypted at both ends and everywhere in between.

- The fines for not securing patient data, especially in a large practice could be quite large.

Problem 4) Lawyers tend to think in terms of someone accessing their data in a manner that is legal.

I have been exposed to attorneys who argue to medical professionals that sending patient data in unencrypted email is alright if you add a line saying it is illegal to read the message if you aren’t the intended recipient. Coming from a law enforcement background this is laughable to me. I imagine the computer criminals I interviewed… I am sure that after they hacked a server, computer, or network to get to an email….they will not read it if you add a line telling them not to! (I am being sarcastic if you didn’t get that.)

A law practice computer network houses a ton of confidential data. There is a lot of the data that is protected by attorney-client privilege. If someone tried to compel a lawyer to disclose a privileged communication in court the attorney would fight the disclosure to the end. Many of the same attorneys routinely send their attorney-client privileged communications through unencrypted email. The thought process is no administrator on any system between my client and me will read the message, because “That is illegal.” You get the idea.

Problem 5) Computer Techs and System Administrators are at fault for not sticking to their guns for what they need to do.

Especially as a younger computer guy, it is very easy to get intimidated into making bad decisions. Especially by professionals that tell others what to do all the time. For instance, you know the doctors office needs a business class firewall, anti-virus, and intrusion detection system. You tell the doctor this is what is needed, and it will cost $2,000 dollars to buy the system you need for this office. The doctor responds he is not paying that price. Why don’t you just put a free firewall and anti-virus on every computer. It works for me at home, just “make it work” here.

An experienced computer guy, who probably has a thriving customer base and doesn’t need the work as bad, would probably say he isn’t going to be responsible for a hacked together system with sensitive information on it. An inexperienced tech who really needs the work will probably try to hack together a solution for zero dollars. He will probably continue indefinitely having to hack solutions, to which the doctor will complain that this he is being billed too many hours. An untenable and bad situation will get worse and worse.

Ultimately, it is the vital that professionals work together to build a secure and use-able network.

I will follow up this article with some tips and resources that I advise clients to use.

Look for the new section on our site soon! It will include means to hire us online and contact us securely. We will bring the best of security and open source technology to support investigations of our own and other PI firms.

I want to emphasize that we continue our focus in supporting the investigations of other firms, as well as private engagements.

We are choosing to base additional operations out of Manassas for a few reasons. Quick access to DC, close to Dulles International Airport, rapidly growing, and just a really nice town. Dulles, and the Manassas general aviation airport, will allow us quick and affordable travel to destinations throughout the United States.

In the course of this expansion, we are maintaining a business presence in Florida. We also have an eye on a office in the Research Triangle of Raleigh-Durham, NC. We feel that all three markets offer the chance of long term growth.

We anticipate being fully up and running in Manassas by early August 2011. In the meantime, I look forward to beginning the process of making business contacts and friends in the area. Additionally, we will be back and forth to the area in the meantime. If you believe I can be of service to you, don’t hesitate to contact me before August.

This is not goodbye Gainesville, just turning the page to a new chapter and expanding into more markets.

In law enforcement we would periodically have “Computer Forensic Training Days.” This was a quarterly meeting where examiners got together and trained each other. Examiners with a special interest/ expertise in a block would train the others. The only cost to go was small to cover hosting, as the trainers were paid by their agencies.

I think a similar thing would work very well for data recovery. In data recovery though, there would probably be a little higher cost to cover paying the speakers a lesson prep fee, conference room costs, and refreshments. I am thinking it could probably be done for a few hundred dollars for each attendee. ( I may even be able to work my law enforcement contacts to get us free rooms for the training in exchange for letting some of them come.)

I already run allceus.com with my wife. We (mainly she) puts on seminars already. So, I have some experience at it.

I think with the speed that knowledge grows in data recovery and it being so hands on that this would be extremely valuable to everyone. I know I would be willing to contribute training on file systems, X-Ways Forensics, or whatever else that DR folks were interested in.

Not to mention I am in Florida, just north of Orlando. Nice place to come annually for a winter conference maybe?

Let me know your thoughts. The big thing I would like to know is, would you ACTUALLY come. Keep in mind that with your flight, room, and enrollment fee that it will probably cost $1,000 dollars to attend a 2 or three day conference. (If the group is small I can actually host at my in-office training room. But, that would just be like 20 people… ) I will put a survey below for for everyone who is interested to take. I will publish the results later.

Well I knew my friends from England, CNW recovery, had been working hard on their DVD data recovery routines. I decided to give CNW a try. It has a very user friendly menu that guides your through each step of the process. It recommends at each step the next step in the recovery. I watched as it imaged the disk, carved the MPEGs, then did its best guess at reassembly. The process was very easy to understand and smooth for a low-level data recovery tool.

The resulting MPEGs were much cleaner than the VOB’s produced by ISObuster. There were segments, that by manual review, I could tell needed to be reassembled. There were none that were incorrectly put together though. (A much harder thing to deal with.)

I manually re-assembled the MPEGs together that were really part of one continuous shoot. The resulting product was very good.

I am very impressed with the progress of CNW recovery in this area!!

I am able to announce big changes at DataTriangle. I have been employed by the Alachua Sheriff’s Office as a Deputy Sheriff for the last 14 years. Most recently I was assigned to the FBI CyberCrime Task Force, Internet Crimes Against Children, and the computer forensic examiner. Yes, this has been as busy and stressful job as it sounds!

I am leaving the Sheriff’s Office to devote myself full-time to DataTriangle. I will be doing work in the areas of computer forensics, data recovery, and website administration. I will supervise staff members working on general computer repair services in the Gainesville, Florida area.

My recent computer forensics experience translates most closely to work in criminal defense cases. As I have always done though, my goal is to expand my experience. I have already worked civil cases involving digital evidence. I anticipate working a lot more with the increased availability. I have also had Gainesville Attorneys approach me requesting e-discovery services.

There is a great deal of overlap between e-discovery and computer forensic practice. A lot of the difference lies in acquiring a few new software tools and becoming proficient in them. I am in the process now of buying these tools and practicing. I don’t presently see myself trying to get into large scale e-discovery work. I am more interested in supporting law firms with their small to medium size e-discovery matters.

It is with great excitement that I enter into the private practice of computer forensics! The excitement is somewhat tempered by sadness at leaving all the great comrades and professionals that I have worked with through the years in law enforcement. I wish all of them the best of luck and safe patrols!

It seems that every data breach produces a ton of emotion for a variety of reasons.  I am going to outline some of these emotions.  I think this is important for an investigator to understand because it has such an impact on these investigations.

Emotion 1)

The IT staff is going to feel very guilty about what happened, rightly or wrongly.  The finger is almost immediately pointed in their direction by management.  This comes in two forms.  One believing they must be involved because of course security couldn’t have been penetrated!  Secondly, they are responsible for the computers; so, it follows it is there fault.

Is it IT’s fault?  Maybe it is, maybe it isn’t.  I think the organization managers must stop and assess their responsibility first.  Was IT adequately staffed and trained?  Did management stress that security was important?  Was management willing to fund positions and hardware focused on security?  Did management demand ease of access over security?  Did you allow any middle manager in the organization to override IT and become local/ domain admins?  Did management provide for physical security of computer assets?

That is a lot of questions for management to ask, but I think that is where to start the assessment of whether to blame IT for the breach.

2) Emotion 2-

This is really going to hurt our business.  Maybe we can cover it up?

Not many business’ or involved decision makers are going to openly admit to this, but I think it goes on in almost all cases.  Even with individuals that are very morally motivated to always do the right thing.  There are two major reasons for these feelings.

a) It is going to hurt the business so badly financially and in public image, can the business even survive.

b) It is so damaging to the business, any manager involved has to wonder if they are going to lose their jobs (along with the IT staff).  So, you have the feeling of need to protect your job and indirectly those you support with that job.

3) Emotion 3-

A sense of helpless confusion and anger.  This comes in from a few sources.

a) Not understanding how it happened and where the organization went wrong.

b) Not having the training and experience in responding to a high tech crime incident.

c) Anger that you didn’t take the time to or didn’t know how to take steps that could have prevented the breach.

d) Anger at the person who lost the laptop, left it where it could be stolen, or at the IT admins who didn’t secure the system.

4) Emotion 4- Hopelessness and Fear

For the IT admin and managers they are used to being the decision makers and people who know the answers.  Now suddenly they are having to be the ones to ask for help and seek to understand what do now.  Not being used to this kind of situation, it is difficult to adjust to the new role/ situation.

I point this out not to be negative in any way to anyone.  I point these emotions out because if your company is the one involved in the data breach these emotions will be present in various shapes and intensities.  This is when one of my core rules of dealing with humans comes into effect.  It is one that I have seen over and over again in a 15 year law enforcement career.  You can’t accurately predict how any person is going to respond to a specific high stress situation.  So, be prepared for individuals to react in unexpected ways.

I further point the emotions out because as the investigator you will be dealing with them!  I think you will get a lot more honest and open responses to your investigative questions if you take the time to express an empathetic understanding of what the IT staff and managers are going through.  Just like a cop arriving on the scene of traumatic incident, the involved persons are looking for you to normalize there feelings and demonstrate that you understand and have empathy for their situation.

I know everyone is saying right now, “I thought this was a tech blog, not a psychology blog!”  It is, but I just have really found that understanding the above is the first skill in being a good responder to a data breach.  After all, there are PLENTY of blogs with a dry technical report on what happened!  Or maybe the 1-2-3 of which log files to grab.

I am going to follow this post up with some of the lessons learned and priorities of investigation.  For now, if you are reading my blog think about how you would express empathy and what you would say to the involved persons.  In any kind of investigation one of the first things to remember is: “Everyone is a person first with unique experiences, emotions, and perspectives on events.”

Good luck to you all, and do some good investigating!!