Five Questions With... 

 
Download Article Article in Digital Form

Robert Schperberg is Chevron’s global IT forensics investigations lead. Previously, he was worldwide director of incident response and digital forensics for Global Integrity, a subsidiary of the Science Applications International Corporation (SAIC). Some of his assignments included conducting high-tech forensics training for the US Federal Bureau of Investigation (FBI) National Information Protection Center’s team of the National Security Agency (NSA) and high-risk and high-tech incident response training for MCI and the Denver Downtown Business Association during the Oklahoma City (Oklahoma, USA) bombing federal trial.

Schperberg was also selected through the Defense Information System Agency (DISA) to conduct high-tech and digital forensics investigations training for some of the top US military bases, including Strategic Command (STRATCOM), Central Command (CENTCOM), Special Operations Command (SOCOM) and Transportation Command (TRANSCOM). He was used in an advisory capacity by the French authorities regarding the 11 March 2004 Madrid train explosion investigation, and he has served as a lead digital forensics investigator and advisor in major national and international investigations. Schperberg is also a certified expert witness and has served as such in several high-profile cases.

Schperberg is a retired law enforcement officer from Northern California (USA) and has received multiple commendations and a Computer Forensics Officer of the Year award for his service. He is the author of Cybercrime:  Incident Response & Digital Forensics.


Question

What do you see as the biggest security threats/ risks? How can businesses and individuals protect themselves?

Answer

In the economic downsizing that organizations are faced with today, insider threat ranks highest and is of the highest concern for the corporate IT and corporate investigative divisions. Those who are inside the security perimeter and are about to be let go due to the reduction in force have access to intellectual properties, research and development documentation, and ongoing business deals that could seriously affect the organization’s bottom line.

Another facet of the downsizing threat is the motivation to exact revenge on the organization. With the availability of malware technology throughout the web, the people who want to commit an act of sabotage do not have to be very technical and can purchase the technology to suit their deed. Additionally, with the advance of technology comes the creation of malware, Trojans, spyware, worms and viruses, which rank a close second. Antivirus companies are struggling to produce antidotes for Day 0 and Day 1 viruses.

Next on the list are the phishing and spear phishing attempts on unsuspecting Internet users and company executives. Phishing is the impersonation of the organization through e-mail or other electronic means in an attempt to obtain confidential information; spear phishing is the targeting of executives by convincing them to click on a link that will download malware or Trojans on their computers.

Last among the top security concerns are fraudulent transactions that result in financial loss or damage to the organization’s reputation or its customers.

All sectors, private and public, have to be prepared when downsizing personnel. That entails limiting access to outgoing personnel while generating countermeasures in the event that a malicious attack is being contemplated. That requires the review of all compliance rules and additional training to the computer emergency response team (CERT). For external attacks, such as phishing and spear phishing, continuous training and education of executives and nontechnical personnel is a must. Finally, having proactive measures established in the areas of monitoring and alerts will ward off the number of attacks, while the alerts will enable the CERT to respond at a much quicker pace.

Question

Please describe your transition from law enforcement, in the early part of your career, to your current role in corporate computer forensics. What led to this transition, and how has your background supported your current career?

Answer

While in law enforcement, I became an expert in crime scenes and digital forensics investigations. I was also fortunate to receive several specialized certifications in the area of investigations—homicide, robbery, sexual assaults, computer investigations and fraud/embezzlement. When I was injured on duty and subsequently underwent back surgery, the medical decision was for me to retire. I used a sum of money allocated for rehabilitation to go through technical certification classes offered by Microsoft, Guidance Software and Access Data.

My first job in the corporate environment was with MCI as a senior investigator for corporate security. As such, I conducted several investigations involving threats, fraud and digital forensics. One of the investigations I participated in was that of the Oklahoma City bombing. I moved on to work for other consulting companies including SAIC. Throughout my experiences, I got involved in major, high-profile investigations, gaining experience through each investigation. I was also constantly attending technical workshops in the areas of IT and digital forensics to keep up with technology. Among the highlights were conducting training to some of the top military bases in the US and becoming a certified expert witness. My experiences and continued education paid off when I was offered a position as the global IT forensics investigations lead with Chevron.

Question

How do you believe the certifications you have attained have advanced or enhanced your career? What certifications do you look for when hiring new members of your team?

Answer

Throughout my career, I obtained several investigative certifications, which included state of California certifications, and US federal certifications from the US Department of Justice (DoJ), the FBI and the US Secret Service. When I transitioned to the private sector, I obtained some Microsoft certifications as well as the Certified Information Security Manager (CISM) from ISACA.

The general trend when searching for cybercrime investigators or digital forensics investigators is to find candidates who have expertise in one of the following fields: digital forensics software and tools knowledge or network and operating systems knowledge. In essence, one candidate or the other will have certifications in their specific field. In today’s environment, however, what is needed are candidates who have the technical knowledge and investigative and digital forensics knowledge.

Question

How do you think the role of the security professional is changing? What would you recommend to security students or new security professionals to better prepare them for this changing environment?

Answer

The security professional’s role has constantly evolved around the general practitioner and the specialized practitioner. To those starting in the field of IT or IT security, my recommendation is that they learn as much as possible while gaining as much experience as possible. Setting five-year goals can help to keep candidates focused on reaching goals while improving their knowledge and enhancing their skills. My advice is to transfer to different IT departments to gain different knowledge. Once a candidate is comfortable with the environment, the specialization process should be started. Most companies in a down economy will turn their attention to the experts first then to the “jack of all trades” next, so being prepared will help one maintain or find a position quicker.

Question

What has been your biggest workplace challenge, and how did you face it?

Answer

After retiring from law enforcement and having had all that experience and investigative expertise, I had to adjust to the private sector and corporate environment. It was time to earn the employer’s confidence by producing results while reinforcing the earned certifications.

Pressure in the private sector and corporate environment is also different. Employers want to see maximum results with minimum expense. The security environment is a necessity, but it does not produce revenue; it does, however, have a cost to the bottom line.

From the technical perspective, I encountered my biggest technical challenge during the Code Red virus/worm time. I had to deploy all my teams, myself included, around the world without any time off to eradicate the infestation from our client’s network environment.


Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.