Computer crime is on the rise, but collecting evidence is a tricky business. Helen Beckett gets expert advice on what threats IT directors face and what they can do to help bring those responsible to book.
Robbers raiding banks with sawn-off shotguns rarely make the headlines these days – it is now easier to steal money electronically. And, according to surveys and police intelligence reports, IT-based theft and computer misuse is becoming easier and more prevalent.
The Department of Trade & Industry’s 2004 Information Security Breaches Survey, published in April, reported that 74% of UK businesses had suffered security incidents and 68% reported malicious, rather than accidental breaches, up from 44% in 2002. And Kerry Davies, managing director of IT security consultancy Echelon, warns, "The biggest threat is of your own staff working against you."
According to Davies, computer misuse is increasing year on year because it is easy to do and people have become more disenchanted with their colleagues. Whether it is stealing information to give to a competitor, or use of e-mail to sexually harass a colleague, the opportunity to do digital damage is becoming far greater, he says. Every kind of company is vulnerable and the organisations contacting Echelon are as disparate as the NHS, a firm of architects and defence lawyers.
Lenient punishment meted out to computer criminals means there is little deterrent in the criminal justice system but, as Computer Weekly reported last month, the government has now committed to updating the Computer Misuse Act with tougher measures against hacking and fraud. MPs on the All Party Internet Group urged the government to increase the maximum sentence for hacking to two years from the present six months, and to categorise denial of service attacks as a criminal offence. They have also advocated making it easier for firms to bring private prosecutions against hackers.
However, the challenge that faces IT directors in the UK is not just the difficulty of operating in an environment that seems to nurture computer crime. The task of detection and prevention is hindered by laws that are not mutually supportive. The Computer Misuse Act requires stringent evidence to be produced in court, but the Data Protection Act does not allow a company to release data about an individual held on a corporate system without their permission.
On an international scale, the complications of retaining potentially admissible evidence are huge, says Brian Collins, professor of IS at Cranfield University and former chief information officer at international law firm Clifford Chance. "It is difficult to construct an e-mail retention policy that is compatible with the laws of all the countries where a company may operate," he says.
"One way out of the misalignment [between laws] is to ensure that every employee signs a contract that gives permission, for the purposes of compliance, for other employees to read their data." Collins adds that conversations between IT, human resources and finance departments about how to tackle personal and financial misconduct are becoming more common. "You have to be diligent, and that is where HR and IT have to work together."
Although a policy that requires staff to sign a contract can be introduced with newcomers, it cannot be applied retrospectively. This increases the appeal of an audit trail that records in a database every keystroke an employee makes, which would greatly assist compliance with the kind of regulatory regime being imposed on the financial community by the US Sarbanes-Oxley Act.
Costs of an audit trail
In the UK, regulatory authorities are struggling to construct rules that will convict the bad guys without squeezing the good guys out of business. But for companies outside the regulated domains of finance and accounting, the cost of implementing and maintaining audit trails simply does not make business sense. "The cost of keeping an audit trail of all individuals and their computer use in perpetuity is not worth it," says Ben Booth, group IT director of Mori and chairman of the BCS Elite IT directors’ group.
Booth prefers to keep computer misuse in proportion as part of the bigger picture of risk analysis. "In a normal industry you do risk analysis and take sensible precautions," he says. "Within Mori we have a data protection officer and a security officer, not in full-time positions, but with identifiable roles." Being in the market research business, Mori and Booth are clued up about data protection and data security issues. But keeping evidence of individual computer use is not high on the agenda.
For most IT directors, detective work to find evidence that will link misconduct to an individual is likely to be an exceptional scenario and they need to tread very carefully to ensure the evidence they find is not judged inadmissible by the courts.
Bill Margeson, chief executive of CBL Data Recovery Technologies, is regularly called on by the police to seize IT and data assets and is familiar with the legal pitfalls of IT detective work. "The danger is that an IT person would not be familiar with the rules of evidence. They would be tempted to look for the offending e-mail straight away and may alter evidence, which would make it inadmissible," he says.
"The first thing to do is to get a forensic-quality bitmap of any material. You must maintain the integrity of the evidence, which means taking a physical, not a logical or software copy." There are important processes to observe too. "For example, anything that is touched has to be recorded," says Margeson.
Margeson recommends that IT directors call in data recovery experts who know the rules of evidence gathering, but says there is an important role for the IT department to play in the war against computer misuse.
"There needs to be a consciousness-raising effort," he says. "System and IT experts are keen to get new systems up and running, but their maintenance is often regarded as a boring activity. Data preservation and the professionals who do it have to be elevated. The IT maintenance professional needs to be elevated to hero."
His sentiments are confirmed by detective sergeant Paul Wright, head of the data recovery unit at the City of London Police. Wright says there is frequently a void between IT security and physical security. He cites the example of the suspect e-mail that would be forwarded to IT, and which then might be sent to security for perusal. "The original subject header, meantime, has been stripped out. If we want to see the original, we discover it has been deleted and we have lost the opportunity to trace back," he says.
Wright urges firms that believe they are being digitally defrauded to work in conjunction with the police, rather than resort to cloak-and-dagger tactics. Part of the remit of the City of London Police is to cause the minimum physical intrusion during an investigation. This need reflects the unique nature of the City, where several small companies may be sharing a server in the same building.
The force’s crime scene and forensic data collection system, eFex, from Oasis Consulting, shows that the workload of the data recovery team has already surpassed that of last year. "Phishing and the use of obfuscated URLs are on the rise," says Wright.
Phishing is where a spoof website is set up and punters are solicited by e-mail to visit it and record passwords to online accounts. The criminals then use the data to visit the genuine site and remove funds. An obfuscated URL is an even more cunning practice where a fraudulent URL is embedded beneath an apparently genuine one, so that even the wary may be caught out. One false click and the hapless victim is sent to the imposter site. "Phishing will soon reach the levels of the Nigerian 419 sting," says Wright.
Data harvesting – where IDs are stolen online and used for fraud – is difficult and time-consuming to track via digital audit trails and may better be cracked by pattern-recognition, says Tony Thomas, principal fraud consultant at SAS UK. Banking habits have changed and customer account details may easily – and legitimately – be accessed by staff nationwide. "There are myriad systems and audit trails that would have to be analysed," Thomas says.
How to spot deviant behaviour
A good way of spotting unusual patterns of staff behaviour is to centralise all records of access. That way, you can mine data to spot any patterns that deviate from the norm. Thus, a member of staff who is accessing the same account details too many times over a given period may be worthy of scrutiny. "This is less an evidential action than a preventative stance and involves looking for signposts of possible wrongdoing," says Thomas.
Wright urges the staff responsible for a company’s IT and physical security to talk more and call in the experts when necessary.
Margeson, who has accompanied police on raids to collect evidence, confirms that preparation and forethought are key to preventing valuable evidence going awry. "In our suitcase there is every tool we think we need and there are always complications," he says. This may range from having the right adaptor or power supply for a server to dealing with a self-destruct password used by sophisticated criminals. In a recent case, a suspect provided a password for a laptop, but it proved to be a password to invoke a self-destruct program and the evidence was nearly wiped.
Sadly, the IT director is having to adopt the mindset of the computer forensic specialist when dealing with internal security. "Criminals are the first to embrace technology," says Margeson, who cites the example of drug barons who years ago were well ahead of the game in their systematic use of pagers. "They are always ahead of the curve and they exploit it for their own twisted agenda."
How to select an IT security company
Specialist companies in this field generally employ two types of worker: the computer scientist hotshot, fresh from university and very talented at code. The hotshot should be complemented by big-picture, architectural thinkers who may not be so good at spotting rogue IP packets but specialise in knowing where there are not enough checks and balances in a network.
To ensure that a company does not employ hackers, make sure they use government vetting procedures. Ask whether the company is Check-qualified. Check is a certification managed by the Government Communications Electronics Security Group, part of GCHQ. The accreditation process for suppliers offering security health checks to businesses is stiff – it reportedly has a 70% failure rate.
How to ensure evidence is admissible in court
- Evidence has to be collected and stored in a secure manner
- Original information must not be altered or damaged in any way
- The chain of evidence has to be preserved
- It must be possible to restore evidence to its original form if that’s what investigators require
- The defence must be allowed to access the evidence and have it examined by their own forensic expert.