Meet the computer forensics experts who investigate the U's cybersecurity incidents
When people hear the word “forensics,” they often think of police and medical work, and television shows like “CSI: Crime Scene Investigation.”
What the U community may not know, however, is that the Information Security Office (ISO) employs a team of computer forensics experts that is responsible for investigating campus and University of Utah Health cybersecurity incidents.
As part of Cybersecurity Awareness Month, Security Assessments Team Lead Dustin Udy and Senior Data Security Analyst Nate Remynse share a behind-the-scenes look at computer forensics at the University of Utah, as well as some tips for staying safe online.
What is computer forensics?
Udy: It’s a lot like other forms of forensics where you do a structured investigation trying to figure out exactly what happened during an incident, how it happened, and why it happened. It’s basically figuring out the who, what, when, where, why, and how of a computer security incident.
What does a forensic investigation look like?
Udy: Most investigations start with the UIT Security Operations Center (SOC) receiving an alert that something weird is going on, like a phishing attack. Next, the SOC will contact the IT group responsible for the IP (computer) addresses associated with the alert. Once it comes to us, we then have to determine what kind of data is involved. If it is sensitive or restricted data, then we’ll usually have to do some sort of forensics to figure out exactly what happened and if any data was compromised.
Remynse: We have special software installed on university-owned computers that is sort of like an airplane black box. It records activity on a computer and helps us quickly triage the incident to decide if it is no big deal or needs a full-blown incident response.
What type of computer forensics cases do you handle at the U?
Remynse: We mostly handle cases where there is a potential for university data loss or damage. We will collect artifacts, which are sort of like evidence, from a computer or email account involved in an incident, and use them to piece together what happened. Sometimes the artifacts we find will be used in litigation, but that’s less common. Most of the time we are just trying to make sure no data was lost and to help employees get up and running again.
Udy: Here’s another common example. The SOC will notify us that someone received a malicious email with an attachment designed to steal something like login credentials or banking info. We can determine if the malware successfully downloaded and executed, and if any information was stolen. The point is not to punish anyone, but to understand what happened, make sure it’s resolved, and hopefully prevent it from happening again.
What do you wish people knew about your job?
Udy: It’s complicated, time-consuming, very detail-oriented, and sometimes, it can take days or weeks to piece an incident together.
Remynse: People do not realize how much activity their computer records about what they are doing. Computers track activity in order to help the user do things more efficiently, but that same data also allows us to see what people do on their computers. People would be horrified if they knew how much data big companies like Microsoft or Google are collecting about them.
Also, if there is a security incident with your computer, you should not touch it at all. Doing so would be like moving a body at a crime scene. You may think you’re being helpful, but you’re not. A lot of times, it is more important for us to be able to prove that something didn’t happen, and when people do things like run anti-malware or reboot their computer, it makes our jobs harder.
Udy: We also want employees to know that we are here to help, not to shame or blame. So, for example, if you accidentally download some malware, we are here to help you get your computer up and running again, and help you understand how to prevent future attacks. If people are afraid to contact us, then we need to do a better job of talking with them and reaching out to them.
What tips do you have for staying safe online?
Udy: Watch our phishing video!
Remynse: Always be suspicious. Always be aware of what you’re clicking on. If you did not expect an email or a document with this specific information from this specific person, then be very suspicious. For example, a recent scam involves an email about an Amazon invoice. People see that and often have a knee-jerk reaction to click on it, but if they slowed down, they would remember, “Oh yeah, I didn’t order anything from Amazon lately, and Amazon doesn’t send Word documents as attachments. So maybe I should go log in to my Amazon account directly instead of opening this email.”
Udy: Also, Microsoft will never, ever call you. So, if you get a call from someone claiming to be from Microsoft saying you have a virus on your computer, hang up. Same thing with calls claiming to be from Apple, about a car warranty, etc. They won’t call out of the blue, so just hang up.
Scammers use psychology against you. They try to make you feel rushed or scared, or to catch you when you’re tired or busy and less likely to be aware. If your boss texts you asking you to buy gift cards, ask yourself why. Don’t call the number you received the text from. Call your boss directly on a number you know is correct. Don’t be embarrassed if it turns out something isn’t a scam or phishing or whatever. We’d rather people be overly cautious than not cautious enough.
Remynse: You don’t need tons of specialized training. It’s just a heightened sense of awareness. Is this normal? Is this something that’s happened in the past? Was I expecting this? If any of those are no, then it requires a second look.
This article is part of the 2020 Cybersecurity Awareness Month series.