When merchants, transaction processors or other entities handling payment card data discover evidence of possible data hacking, their first impulse is to have information-technology managers turn off the computers and poke around the network for clues.
That, say professional forensic investigators, is a common mistake.
"Preservation of evidence is one of the biggest problems we run into," says Andy Bokor, chief operating officer of Trustwave Corp., a security firm the Payment Card Industry Security Standards Council has certified to assess network security and data breaches. "Merchants try to fix the system or they power the system off, and that may erase, alter or damage the evidence."
Bokor says merchants that know of or suspect a breach can unplug network cables, but they should keep equipment running to preserve evidence.
Unless the merchant's IT staff is highly trained in computer forensics, and they have the equipment and technology to assist them, they should leave investigative work to professional security assessors, which PCI standards require them to hire in case of possible breaches anyway, Bokor says.
"The types of systems and protocols we use to capture data are things novices don't use," he says. "We do a bit-level image of the system, which preserves absolutely everything."
Forensic investigators also seek information that technology might not reveal, such as a disgruntled employee's departure, a suspicious e-mail message or times when equipment on the network seemed to be acting up. "We ask them to walk us through what happened," Bokor says. "The breach and stealing of information could have occurred over a number of years. We need to know what steps they took, what they did, what happened."