Cybercrime potentially costs Australian businesses millions, if not billions of dollars in unrealised profits and exposes organisations to significant risk, according to analysts, but very few victims will admit to being "mugged".
The potential damage to future business, of admitting that you were hacked, is usually considered worse than suffering in silence. This is particularly the case with institutions that base their business on keeping your money or information safe from criminals.
Even if a victim of cybercrime is prepared to admit the attack, the problem of finding out who did the deed, and then proving it in court, still remains elusive. The normal procedures in cases such as an armed bank robbery no longer apply. In cybercrime, there are usually no witnesses, no fingerprints, no smoking guns and no getaway cars. Or maybe the cyber equivalent of this evidence does exist if you know where to look.
According to Standards Australia, there are steps that can and should be taken within an organisation to make it possible for an investigator to uncover vital clues needed to solve a case and initiate prosecution. Too often after a cyber break-in, the IT department stomps all over the evidence while trying to get systems back online. Who can blame them? Their job is to keep systems available, not catch crooks. However, Standards Australia says there are things an IT manager can do to make it possible to catch the bad guys without keeping systems offline for so long that you go out of business.
Its handbook, Guidelines for the management of IT evidence, is aimed at everyone involved in dealing with electronic records in companies, from board members to business managers. That includes CIOs, IT staff (including contractors) and, of course, the auditors. The book also has information for investigators, lawyers and barristers. It covers litigation in Australia rather than overseas, but doesn't tell you how to secure your computer systems or explain how forensic tools work. There are plenty of resources already available to tell you how to lock down your systems, and as far as doing the forensic work yourself goes, most experts advise against self-analysis.
The handbook is meant to provide guidance on the management of electronic records that might end up being used as evidence in case of a security breach, either in court or in an internal disciplinary procedure. Your company needs to keep its records safe and available, because it might be required to produce them as a defence, not just as ammunition for a prosecution. Lawsuits can go in both directions. If suspected criminal activity has been discovered and you intend to call in the police, it would also be handy to know what records they will be asking for, and where those records are hiding in your vast storage network.
Some of the interesting things you will discover by reading this guidebook seem blindingly obvious once revealed. For instance, anything on your computer system might be regarded as evidence for a forensic investigation, not just the particular files that you thought would be of interest. That's because the evidence required depends on the crime being investigated, and evidence by its nature might be hidden or accidentally left in places that you might not have thought to back up or make secure.
Definition
Forensics experts define electronic records as either computer-stored or computer-generated, and often as a combination of these two definitions. Computer-stored records are e-mails and memos saved on PCs or corporate databases. It might also include voice-mails and instant messaging archives. For the purposes of evidence, the experts will want to prove that what is stored on the computer is a true record of a particular person's work or input.
Computer-generated records are all the log files and audit trails generated by the computer itself, without human intervention. Most administrators are at least familiar with the Windows server system and application logs, even if only because they've had to intervene when the things get full or, worse, fill up your disk storage. Most of the time these files are meaningless, but when things go wrong, or when a cyber crime has occurred, they become vital evidence. Forensic experts will want proof that your logging systems are working properly before they can rely on their output for evidence.
Who to call
Citadel Securix: provides services to management to recover deliberately or accidentally destroyed or hidden data on computer devices and networked systems, for use in legal and investigative processes.
Data Recovery Labs: offers data recovery experts who can safely enter a system, network or data storage device to determine whether data has been deleted or damaged.
AusCERT: as the national computer emergency response team for Australia, AusCERT monitors and evaluates data from numerous sources around the globe to provide a comprehensive source of advice about the latest threats and vulnerabilities affecting common IT applications and services.
Australian High Tech Crime Centre: while the AHTCC will accept referrals for all high tech crimes, the investigations conducted by the AHTCC itself primarily focus on crimes that are particularly serious, complex or multi-jurisdictional.
Forensic Focus: this US Web site is an information and news resource for anyone interested in the field of computer forensics.
Computer Forensics Conference: the 1st Australian Computer, Network & Information Forensics Conference will be held on Nov 25, 2003 at Hotel Rendezvous, Scarborough, WA.
Most companies only think about computerised data as evidence once they have been attacked or sued. If attacked, the company will expect the IT department to instantly produce all necessary records to nail the perpetrators. If sued, the company will expect the IT department to instantly provide the necessary rebuttal or alibi. Either way, it is the IT department which is expected to produce the goods, and this won't happen unless you already have very good records management in place. Records management will allow you to categorically state exactly who produced a document and who has since accessed and modified the document. You will find that such software makes it easier to run an efficient business, so the investment is not just for helping out the investigators in some as-yet uncommitted crime.
Most companies make regular backups of their critical information, but very few use permanent media to make these backups. The most common media is tape, because it is cheap and re-useable. It's the re-useable nature of tape that limits its use in any forensic investigation. Large amounts of time have to be spent in proving that the information hasn't been modified since it was stored on tape, before the tape can be used as evidence. It's worth considering committing extremely important information to CD or DVD, two mediums that can't be easily altered or tampered with after the information is written.
Forensics experts will want to know the time and date that a record was written and subsequently changed, and you probably think that won't be a problem, since the computer records all that information automatically. However, is the time and date used by your computer system regularly updated by reference to an authority that really knows the time? Such time services are readily available on the Internet now, at no cost, and should be used to automatically keep your PCs running on time. Witnesses in criminal trials usually claim that they saw something at a certain time, and often they have backed up the accuracy of their wrist-watch by saying that they check it against their computer clock. People expect a computer to be right all the time, and particularly right about time itself.
When and if the time comes to collect evidence from your computer systems, you will be unlikely to have a forensic expert on staff to assist you. If you have such people in your company, you won't be reading this for starters. Most computer staff have the necessary skills to collect the evidence required for a normal investigation, and that information will then be used directly by the authorities concerned or handed to a true forensic expert for further analysis. Collecting evidence yourself requires you to think like an investigator for the time it takes to get the data together. You need to make notes as you go, because later, perhaps in court, defendants will question everything you have done in an attempt to show that your seemingly damning evidence is nothing of the sort. Your notes should be objective, not opinions, and should be signed, dated and lodged with the authorities along with your bag of evidence.
Forensic guide
Bosco Fernandes, CEO of managed security services provider Zento, recommends systems administrators take a look at the open-source program Tripwire to help them know what is going on inside their systems.
"The main thing that you are trying to protect against is not really external attacks, it is mostly people who are not happy with the organisation, who are on the point of leaving and who get these funny ideas that they can go and crash the whole environment," says Bosco.
"What you need to do is keep track of your files to know if any alteration to those files was legal or illegal.
"With the date and time of modification of a file you can correlate that back to who was logged on and then you can trace it back to the person who did whatever was not supposed to be done," he adds.
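The file-tracking idea Bosco describes, and the earlier point that stored records are only useful as evidence if you can show they haven't changed, both come down to recording a cryptographic hash and modification time for each file and comparing against a saved baseline. The following is an added illustration written for this article, not Tripwire's own code; the directory layout and the "unauthorised" edits are constructed in a temporary folder so it runs anywhere.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backups and logs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, size and UTC modification time for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way a Tripwire-style integrity check does."""
    changed = sorted(p for p in baseline if p in current and baseline[p]["sha256"] != current[p]["sha256"])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a folder, then tamper with it and re-check."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "payroll.csv"), "w") as f:
        f.write("id,amount\n1,100\n")
    with open(os.path.join(root, "policy.txt"), "w") as f:
        f.write("no changes without a ticket\n")
    base = build_baseline(root)  # keep this baseline on read-only media
    with open(os.path.join(root, "payroll.csv"), "a") as f:
        f.write("2,9999\n")  # simulated unauthorised edit
    os.remove(os.path.join(root, "policy.txt"))  # simulated deletion
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("x\n")  # simulated new file
    return compare(base, build_baseline(root))
```

The mtime recorded in the baseline is only as trustworthy as the clock that produced it, which is why the earlier point about synchronising PCs to an authoritative time source matters; the baseline itself should be stored where the people being monitored cannot rewrite it.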
Currently the most common form of computer-based evidence is the ubiquitous e-mail. Countless cyber criminals have come undone due to careless e-mails, and it is surprising just how much information is divulged, deliberately or otherwise.
Chy Chuawiwat is the managing director of Clearswift, a company which provides Mailsweeper software for tracking and controlling inbound and outbound e-mail messages in organisations. Your company is probably already using one of Clearswift's products or one from competitors such as SurfControl. Nearly every e-mail sent from corporate Australia has disclaimers at the bottom, and that is usually the clue that Mailsweeper is on the job.
"We had one case where we were doing a standard report for somebody and we saw in the subjects that we were reporting on, topics that were criminally suspicious," Chuawiwat recalls. "So we ended up calling in the forensics people. We were there just counting the number of e-mails and categorising them and we found stuff that was criminal evidence."
Charles Heunemann, managing director of SurfControl, is also very familiar with what can go wrong with simple e-mail. "A magistrate accidentally sent case notes about a defendant, instead of sending them to himself, to another police officer who had the same surname as the defendant," says Heunemann. "And the police officer thought that the magistrate was trying to get information to the defendant and reported it to his superiors -- so it looked like he was leaking. The magistrate was pulled off the case."
A recent study by the University of Western Sydney, which was commissioned by SurfControl, threw up some interesting statistics which suggest that the hapless magistrate wasn't the only one trapped by e-mail mistakes. One in five participants admitted accidentally sending e-mails, 25 percent of those messages contained confidential information and 40 percent of the accidental e-mails were work-related. With that level of accidental information disclosure, keeping logs and records of e-mail activity becomes even more critical for businesses. You don't want to be the one who is surprised when your critical information is splashed across the front page of the newspapers.
Meta Group senior analyst Michael Warrilow is quietly confident that the IT industry is becoming more aware of its obligations in this aspect of data management.
"You've got to be prepared and look to the standards to be able to help you understand what's going to happen in the future. The new technology of security analytics will go far beyond just the testing to hopefully, thwarting criminals by automated prevention.
"We will see security analytics getting more attention as products come to market but it is really early days for these technologies," says Warrilow.
Until those automated tools arrive, or become part of the next upgrade to your favourite operating system, IT managers will just have to keep doing what they've been doing for years -- keeping systems secure and available at all times. But now they'll also have to think about those systems and backups as potential evidence, in case the unthinkable happens and the forensic investigators come knocking on the computer room door. It is worth noting that after September of 2002, the biggest funding for the Commonwealth government relating to IT was for IT security. This topic is not a passing fad, it is here to stay.