Computer crime is on the rise, but collecting evidence
is a tricky business. Helen Beckett gets expert advice on what
threats IT directors face and what they can do to help bring those
responsible to book.
Robbers raiding banks with sawn-off shotguns rarely make the
headlines these days – it is now easier to steal money
electronically. And, according to surveys and police intelligence
reports, IT-based theft and computer misuse are becoming easier and
more prevalent.
The Department of Trade & Industry’s 2004 Information
Security Breaches Survey, published in April, reported that 74% of
UK businesses had suffered security incidents and 68% reported
malicious, rather than accidental, breaches, up from 44% in 2002.
And Kerry Davies, managing director of IT security consultancy
Echelon, warns, "The biggest threat is of your own staff working
against you."
According to Davies, computer misuse is increasing year on year
because it is easy to do and people have become more disenchanted
with their colleagues. Whether it is stealing information to give
to a competitor, or use of e-mail to sexually harass a colleague,
the opportunity to do digital damage is becoming far greater, he
says. Every kind of company is vulnerable and the organisations
contacting Echelon are as disparate as the NHS, a firm of
architects and defence lawyers.
Lenient punishment meted out to computer criminals means there
is little deterrent in the criminal justice system but, as Computer
Weekly reported last month, the government has now committed to
updating the Computer Misuse Act with tougher measures against
hacking and fraud. MPs on the All Party Internet Group urged the
government to increase the maximum sentence for hacking to two
years from the present six months, and to categorise denial of
service attacks as a criminal offence. They have also advocated
making it easier for firms to bring private prosecutions against
hackers.
However, the challenge that faces IT directors in the UK is not
just the difficulty of operating in an environment that seems to
nurture computer crime. The task of detection and prevention is
hindered by laws that are not mutually supportive. The Computer
Misuse Act requires stringent evidence to be produced in court, but
the Data Protection Act does not allow a company to release data
about an individual held on a corporate system without their
permission.
On an international scale, the complications of retaining
potentially admissible evidence are huge, says Brian Collins,
professor of IS at Cranfield University and former chief
information officer at international law firm Clifford Chance. "It
is difficult to construct an e-mail retention policy that is
compatible with the laws of all the countries where a company may
operate," he says.
"One way out of the misalignment [between laws] is to ensure
that every employee signs a contract that gives permission, for the
purposes of compliance, for other employees to read their data."
Collins adds that conversations between IT, human resources and
finance departments about how to tackle personal and financial
misconduct are becoming more common. "You have to be diligent, and
that is where HR and IT have to work together."
Although a policy that requires staff to sign a contract can be
introduced with newcomers, it cannot be applied retrospectively.
This increases the appeal of an audit trail that records in a
database every keystroke an employee makes, which would greatly
assist compliance with the kind of regulatory regime being imposed
on the financial community by the US Sarbanes-Oxley Act.
Costs of an audit trail
In the UK, regulatory authorities are struggling to construct
rules that will convict the bad guys without squeezing the good
guys out of business. But for companies outside the regulated
domains of finance and accounting, the cost of implementing and
maintaining audit trails simply does not make business sense. "The
cost of keeping an audit trail of all individuals and their
computer use in perpetuity is not worth it," says Ben Booth, group
IT director of Mori and chairman of the BCS Elite IT directors’
group.
Booth prefers to keep computer misuse in proportion as part of
the bigger picture of risk analysis. "In a normal industry you do
risk analysis and take sensible precautions," he says. "Within Mori
we have a data protection officer and a security officer, not in
full-time positions, but with identifiable roles." Being in the
market research business, Mori and Booth are clued up about data
protection and data security issues. But keeping evidence of
individual computer use is not high on the agenda.
For most IT directors, detective work to find evidence that will
link misconduct to an individual is likely to be an exceptional
scenario and they need to tread very carefully to ensure the
evidence they find is not judged inadmissible by the courts.
Bill Margeson, chief executive of CBL Data Recovery
Technologies, is regularly called on by the police to seize IT and
data assets and is familiar with the legal pitfalls of IT detective
work. "The danger is that an IT person would not be familiar with
the rules of evidence. They would be tempted to look for the
offending e-mail straight away and may alter evidence, which would
make it inadmissible," he says.
"The first thing to do is to get a forensic-quality bitmap of
any material. You must maintain the integrity of the evidence,
which means taking a physical, not a logical or software copy."
There are important processes to observe too. "For example,
anything that is touched has to be recorded," says Margeson.
Margeson recommends that IT directors call in data recovery
experts who know the rules of evidence gathering, but says there is
an important role for the IT department to play in the war against
computer misuse.
"There needs to be a consciousness-raising effort," he says.
"System and IT experts are keen to get new systems up and running,
but their maintenance is often regarded as a boring activity. Data
preservation and the professionals who do it have to be elevated.
The IT maintenance professional needs to be elevated to hero."
His sentiments are confirmed by detective sergeant Paul Wright,
head of the data recovery unit at the City of London Police. Wright
says there is frequently a void between IT security and physical
security. He cites the example of the suspect e-mail that would be
forwarded to IT, and which then might be sent to security for
perusal. "The original subject header, meantime, has been stripped
out. If we want to see the original, we discover it has been
deleted and we have lost the opportunity to trace back," he
says.
Wright urges firms that believe they are being digitally
defrauded to work in conjunction with the police, rather than
resort to cloak-and-dagger tactics. Part of the remit of the City
of London Police is to cause the minimum physical intrusion during
an investigation. This need reflects the unique nature of the City,
where several small companies may be sharing a server in the same
building.
The force’s crime scene and forensic data collection system,
eFex, from Oasis Consulting, shows that the workload of the data
recovery team has already surpassed that of last year. "Phishing
and the use of obfuscated URLs are on the rise," says Wright.
Phishing is where a spoof website is set up and punters are
solicited by e-mail to visit it and record passwords to online
accounts. The criminals then use the data to visit the genuine site
and remove funds. An obfuscated URL is an even more cunning
practice where a fraudulent URL is embedded beneath an apparently
genuine one, so that even the wary may be caught out. One false
click and the hapless victim is sent to the imposter site.
"Phishing will soon reach the levels of the Nigerian 419 sting,"
says Wright.
Data harvesting – where IDs are stolen online and used for fraud
– is difficult and time-consuming to track via digital audit trails
and may better be cracked by pattern-recognition, says Tony Thomas,
principal fraud consultant at SAS UK. Banking habits have changed
and customer account details may easily – and legitimately – be
accessed by staff nationwide. "There are myriad systems and audit
trails that would have to be analysed," Thomas says.
How to spot deviant behaviour
A good way of spotting unusual patterns of staff behaviour is to
centralise all records of access. That way, you can mine data to
spot any patterns that deviate from the norm. Thus, a member of
staff who is accessing the same account details too many times over
a given period may be worthy of scrutiny. "This is less an
evidential action than a preventative stance and involves looking
for signposts of possible wrongdoing," says Thomas.
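The repeated-access check Thomas describes, as an added example rather than anything from SAS or the article: it parses constructed centralised access-log lines (timestamp, staff id, account id) and flags any member of staff who touches the same account at least three times within a 24-hour window.

```python
"""Flag staff who access the same customer account unusually often.
Added example with constructed log data; not the article's or SAS's tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a centralised access log: timestamp, staff id, account id.
SAMPLE_LOG = """\
2004-05-10T09:01:00 s-102 acct-7781
2004-05-10T09:03:00 s-102 acct-7781
2004-05-10T09:40:00 s-102 acct-7781
2004-05-10T10:15:00 s-102 acct-7781
2004-05-10T09:05:00 s-217 acct-7781
2004-05-10T11:00:00 s-217 acct-3310
2004-05-11T09:02:00 s-102 acct-7781
2004-05-12T14:00:00 s-340 acct-5502
"""


def parse_log(text):
    """Turn raw log lines into (timestamp, staff, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, account = line.split()
        events.append((datetime.fromisoformat(ts), staff, account))
    return events


def repeated_access(events, threshold=3, window=timedelta(hours=24)):
    """Return {(staff, account): max_hits} for every staff/account pair seen
    at least `threshold` times within any period of length `window`.
    A sliding window over the sorted timestamps keeps this linear per pair."""
    by_pair = defaultdict(list)
    for ts, staff, account in events:
        by_pair[(staff, account)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Drop events that fall outside the window ending at stamps[end].
            while stamps[end] - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[pair] = max(flagged.get(pair, 0), hits)
    return flagged
```

As Thomas says, a hit here is a signpost for scrutiny, not evidence; the threshold and window should be set from what is normal for the role.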
Wright urges the staff responsible for a company’s IT and
physical security to talk more and call in the experts when
necessary.
Margeson, who has accompanied police on raids to collect
evidence, confirms that preparation and forethought are key to
preventing valuable evidence going awry. "In our suitcase there is
every tool we think we need and there are always complications," he
says. This may range from having the right adaptor or power supply
for a server to dealing with a self-destruct password used by
sophisticated criminals. In a recent case, a suspect provided a
password for a laptop, but it proved to be a password to invoke a
self-destruct program and the evidence was nearly wiped.
Sadly, the IT director is having to adopt the mindset of the
computer forensic specialist when dealing with internal security.
"Criminals are the first to embrace technology," says Margeson, who
cites the example of drug barons who years ago were well ahead of
the game in their systematic use of pagers. "They are always ahead
of the curve and they exploit it for their own twisted agenda."
How to select an IT security company
Specialist companies in this field generally employ two types of
worker. The first is the computer scientist hotshot, fresh from
university and very talented at code. The hotshot should be
complemented by big-picture, architectural thinkers who may not be so
good at spotting rogue IP packets but specialise in knowing where
there are not enough checks and balances in a network.
To ensure that a company does not employ hackers, make sure it
uses government vetting procedures. Ask whether the company is
Check-qualified. Check is a certification managed by the Government
Communications Electronics Security Group, part of GCHQ. The
accreditation process for suppliers offering security health checks
to businesses is stiff – it reportedly has a 70% failure rate.
How to ensure evidence is admissible in court
- Evidence has to be collected and stored in a secure manner
- Original information must not be altered or damaged in any way
- The chain of evidence has to be preserved
- It must be possible to restore evidence to its original form if that’s what investigators require
- The defence must be allowed to access the evidence and have it examined by their own forensic expert.
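Margeson's two rules (keep the original intact, record everything that is touched) and the admissibility list above, as an added example that is not from the article or CBL: hash a constructed stand-in for a bit-for-bit image at acquisition, log every subsequent action against it together with the hash afterwards, and do analysis on a working copy so that any change to the original shows up in the log.

```python
"""Chain-of-custody bookkeeping for a forensic image.
Added example; SEIZED_IMAGE is a constructed stand-in, not a real disk image."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a physical (bit-for-bit) copy of the seized media.
SEIZED_IMAGE = b"\x00boot\x00partition-table\x00mail/inbox: offending message\x00slack\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Every action on the evidence is recorded with who did it, when, and
    the hash of the image afterwards, so any alteration becomes visible."""

    def __init__(self, image: bytes, examiner: str, description: str):
        self.acquired_hash = sha256_hex(image)
        self.entries = []
        self._log(examiner, "acquired image: " + description, image)

    def _log(self, examiner: str, action: str, image: bytes) -> None:
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": examiner,
            "action": action,
            "sha256": sha256_hex(image),
        })

    def touch(self, examiner: str, action: str, image: bytes) -> bool:
        """Record an action and report whether the image still matches the
        hash taken at acquisition."""
        self._log(examiner, action, image)
        return self.entries[-1]["sha256"] == self.acquired_hash

    def integrity_breaks(self):
        """Log entries whose hash no longer matches the acquisition hash."""
        return [e for e in self.entries if e["sha256"] != self.acquired_hash]


def search_working_copy(image: bytes, needle: bytes) -> bool:
    """Analysts search a copy of the image; the original is never opened for
    writing, so looking for the e-mail does not alter the evidence."""
    working_copy = bytes(image)
    return needle in working_copy
```

A defence expert can re-hash the preserved original and compare it with the acquisition entry, which is what makes the log useful in court.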