From the course: CISSP Cert Prep (2021): 7 Security Operations

Conducting investigations

- [Narrator] During the course of their work, information security professionals often find themselves involved in different types of investigations. In some cases, these investigations are led by security teams in response to suspected or actual security incidents. In other cases, the investigation might be led by another group, and security professionals are asked to contribute evidence and expertise. There are four main types of investigations that often involve cybersecurity professionals. These are operational or administrative investigations, criminal investigations, civil investigations, and regulatory investigations.

Operational investigations are undertaken to investigate issues related to the organization's technology infrastructure. For example, a service might be returning errors, a server might be responding too slowly, or a network might be congested. These operational investigations seek to get to the underlying cause of the symptoms and resolve them, restoring normal operations. Operational investigations do not have high standards of evidence because there's no legal action involved. The organization simply wishes to correct its operational problem and get back to work. During operational investigations, investigators should conduct a root cause analysis. The goal of this analysis is to go beyond simply solving the problem and determine what caused it in the first place. For example, an operational investigation may determine that a server failed, reboot it, and restore service. The root cause analysis may reveal that a hard drive in the server is failing and that it should be replaced to prevent a future failure.

Criminal investigations are at the other end of the spectrum. Criminal investigations are conducted by government agencies with the objective of investigating violations of criminal law. The stakes are very high in this case because, at the end of a criminal investigation, an individual may be charged with a crime. Penalties for criminal violations include fines and possible jail time. Because of these high potential penalties, criminal cases use the highest possible standard for evidence, the "beyond a reasonable doubt" standard. The prosecution in a criminal case must present evidence where there is no other reasonable conclusion than that the defendant committed the crime.

Civil investigations also investigate the violation of a law, but they concern non-criminal offenses involving a dispute between two parties. Civil cases may be initiated by the government, businesses, or private citizens. Examples of civil cases include contract disputes, employment law violations, and intellectual property infringement. Since civil investigations do not involve criminal law, they do not put any party in jeopardy of losing their liberty, and therefore they have a lower standard of evidence. Civil investigations use the "preponderance of the evidence" standard, where the conclusion drawn by the jury simply needs to be that the evidence demonstrates that it's more likely than not that one party is correct.

Finally, regulatory investigations are conducted by government agencies looking into potential violations of administrative law, or by independent regulators looking into violations of industry standards. Regulatory investigations may be either civil or criminal in nature, and they use the standard of evidence appropriate to the type of case that the agency plans to bring.

Interviews are one of the most important tools available to investigators conducting any type of investigation. During an interview, investigators ask a cooperating individual a series of questions designed to elicit information that's valuable to the investigation. Now, it's important to remember that an interview always happens on a voluntary basis. When investigators question a hostile subject without consent, this is known as an interrogation. Cybersecurity analysts should never find themselves in the position of conducting an interrogation, and they should leave that responsibility to trained law enforcement officials.