
Be IT-aware: computers do not commit crimes, people do

'It won't happen to me.' For many organisations, this is still the extent of their computer incident response plan.

However, in the modern business era, technology has not only completely infiltrated day-to-day operations, but has also facilitated the transfer of data – allowing employees to work from the office, from home or even in transit. This creates a challenging paradox for organisations that strive to take advantage of the benefits of technology. It empowers them to serve clients on a global basis and more quickly than ever before, but set against this are the inherent risks that come with the easy movement and transfer of sensitive and invaluable business data.

For these reasons and more, businesses need to be increasingly savvy about how they will respond, should they be faced with a computer-related incident. Preparedness and proactive prevention are now a must, but to wear a lifejacket is not to say you’ll never fall into the water. Organisations must be well versed and aware of what kinds of incidents they might be at risk of facing. They should display sufficient efforts to proactively prevent incidents occurring within their environment and they must have clear computer incident response planning in place should an incident occur. What’s more, the plans should be routinely reviewed and updated as necessary to ensure that they are applicable to the current business environment.

Types of computer-related incidents

A recent study (Kroll Ontrack’s Fourth Annual ESI Trends Report) has shown that on average, UK organisations alone face at least one data breach incident annually. Examples of such incidents range from the accidental loss of data by leaving a company laptop on a train or a BlackBerry in a taxi, through to intentional and malicious theft of intellectual property. Other common cases include computer misuse and/or misuse of the internet. Excessive use of company computers for personal or private use during company hours is being increasingly recognised as ‘theft of time’. Surprisingly, bullying and harassment by email, instant messenger and on social websites are also becoming more common. On top of these more established concerns, we should not forget the rise of co-ordinated distributed denial-of-service (DDoS) attacks, which can bring a business to its knees by overwhelming its website.

And of course we are not just talking about traditional desktop computer or laptop devices. Radical advances in the development of ‘apps’ used by mobile and tablet technologies have brought new complexities to the corporate environment. For example, ‘apps’ available on the market which allow users to take photographs of documents and then convert the contents of the document to a text file introduce further risks to the security of intellectual property. Digital cameras, iPods and even gaming consoles are all devices capable of storing data in formats other than those for which they are traditionally designed, and are often not considered as potential sources of evidence. Similarly, a considerable range of products is available that contain portable memory concealed within, the intention being that they go unnoticed in the workplace. Cufflinks, pendants and other common items, which have hidden USB connectors and are capable of storing considerable amounts of data, are readily available for purchase at very reasonable prices.

In all of these instances, forensic techniques can be employed to extract vital evidence from these devices to prove or disprove that an event or incident took place.

Policies and preventative measures

From the outset, organisations should ensure that they have policies in place detailing the acceptable use of company computers and other electronic devices and that these are updated regularly. These policies might include a clause for the use of personal devices where appropriate, such as home computers when working from home. Other methods of restricting the leak of vital data include the use of encryption, making USB ports responsive only to approved devices, or disabling these ports altogether if this does not inhibit the smooth running of the business. Restricting access to particular websites altogether or only allowing access during certain timeframes also helps to counteract internet misuse.

Many technology consulting organisations offer ‘readiness reviews’ that assess an organisation’s preparedness to deal with incidents that require the gathering and preservation of digital evidence. The ability to deal with digital evidence effectively has many advantages, from lessening the impact of an investigation on the organisation to providing it with protection and evidence that can stand up to legal scrutiny.

Recent changes in UK data protection law have put increasing pressure on organisations to ensure the security of the sensitive information that they hold and the Information Commissioner’s Office has already issued severe monetary penalties to companies who have shown negligence in protecting sensitive data. Hertfordshire County Council has been fined £100,000 after mistakenly faxing "highly sensitive personal information" about a child sex abuse case to a member of the public, and Sheffield-based employment services company A4e £60,000 for a laptop which was stolen, containing the unencrypted details of over 20,000 people.

Incident Response Planning

It is likely that your organisation will have in place an emergency response plan and/or business recovery plan that allows it to respond to emergency situations – such as natural disasters or economic downturns – while continuing to deliver the normal day-to-day services. Computer incident response planning should be no different. It should always be borne in mind that just one data loss incident can cause sufficient financial and reputational damage that an organisation may not recover from it.

The computer incident response plan provides the structure and detail for what actions should be taken when an incident is detected. It should not merely identify individual responsibilities and technical procedures, but should also have plans for dealing with wider issues such as a possible legal requirement to notify those affected by a data breach, or how to handle a potential media enquiry.

Given the huge pressures that can be present at the time of an incident, it is not surprising that those with a tried and tested plan in place have more chance of success than those without a strategy to respond.

First responder training

Should an incident occur, ensuring that key staff are adequately trained to ‘secure the scene’ is vital in the early stages of an investigation, where a forensic copy or ‘image’ of the suspect’s computer environment is required for further forensic analysis. The first rule of computer forensics is isolating and securing the evidence. This must be done in a manner that does not tamper with any fragile digital evidence such as metadata. Metadata is most easily understood as the ‘data about data’, for example, characteristics or attributes pertaining to a particular file (name, size, file type, last opened, location) and is often vital in ascertaining whether or not a particular file has been copied, opened or modified by a particular user at a given date and time. Even an action as simple as turning on a suspect’s computer can destroy that vital evidence.

At the rapid rate at which technology advances, for many companies it is not economically viable to have an in-house forensic expert on hand to attend to matters that will only occur periodically. However, training one or two key staff in a role recognised as ‘first responder’ puts an organisation in the best possible position to obtain crucial evidence by successfully securing the scene and ensuring evidential integrity. This requires that appropriate understanding and correct working practices be employed, because there is often only one opportunity to correctly extract key evidence. Forensically isolating and securing the environment provides a solid foundation for independent forensic experts to extract and gather potentially case-critical evidence in a manner that withstands legal scrutiny.
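The following is an added illustration, not code from the article or from Kroll Ontrack, of the "evidential integrity" point above: once a first responder has a forensic image (the article's assumption is that acquisition itself is done without altering the suspect machine), the image's attributes (name, size, location, timestamps) and a cryptographic hash are recorded, so that any later change to the evidence can be detected rather than argued about. File names and the sample contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(path, handler):
    """Capture the metadata the article lists (name, size, location, timestamps)
    plus a SHA-256 digest. 'handler' is the first responder's name (assumption)."""
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "location": os.path.abspath(path),
        "size": st.st_size,
        "modified_ns": st.st_mtime_ns,
        "last_accessed_ns": st.st_atime_ns,
        "sha256": sha256_file(path),
        "recorded_by": handler,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_evidence(path, record):
    """Return the names of the fields that no longer match the original record.
    An empty list means the image is byte-for-byte what was recorded."""
    current = record_evidence(path, record["recorded_by"])
    return [k for k in ("size", "modified_ns", "sha256") if current[k] != record[k]]


def demonstrate():
    """Constructed scenario: record a sample image, verify it, then show that
    even a one-byte change to the evidence file is detected."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect_laptop.dd")  # constructed name
    with open(image, "wb") as f:
        f.write(b"constructed sample disk image contents")
    record = record_evidence(image, "first responder (example)")
    before = verify_evidence(image, record)   # [] : untouched
    with open(image, "ab") as f:
        f.write(b"X")                         # simulated tampering
    after = verify_evidence(image, record)    # 'sha256' and 'size' now differ
    return before, after
```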

Conclusion

It is the technology – laptops, smartphones, USB devices to name a few – that allows organisations to work more productively and more flexibly, maintaining more mobility and allowing us to maintain a work/home balance. Yet it is this same technology that puts us increasingly at risk of computer-related incidents. However, ultimately, we must not forget that computers do not commit crimes, people do.

Tony Dearsley is manager of computer forensics at Kroll Ontrack