Rob Buckley – Freelance Journalist and Editor

Tough on the causes of crime

Tracking insider computer crime is hard enough. But proving guilt can be even harder.


“We're a lot like undertakers,” says Cliff May, a computer forensics specialist at IT security company Integralis. “People only call us when they've got a problem.” May has been working in computer forensics for 15 years, and during that time, he says, he has developed a deep understanding of the potential threat to businesses posed by their own employees: “In any organisation, there are people from all walks of life, with debts, gambling problems, jealousies.” Given the opportunity, he says, some of those people may use their employers' systems to commit fraud or other crimes.

The criminal activities of hackers are widely recognised, and most organisations now install firewalls and anti-virus software to mitigate the threat posed by them. Little attention, however, is paid to the prevention and detection of computer crime from within the organisation – although, May argues, it is potentially a far greater problem. “It's much easier for someone internal to damage systems than for a hacker [to do so],” he says.

It is also much more costly. According to figures from the Computer Security Institute, an internal IT attack typically costs a company over four times as much as an external attack. Furthermore, according to government watchdog the Audit Commission, most corporate fraud is committed by insiders. The average loss to a company resulting from IT fraud, it says, currently stands at some £36,000. Even if there is no actual theft, the damage caused by IT abuse to a business and its relationships with customers, partners and employees can be very real.

The first priority for any company is to put in place preventative measures, says Paul Vissilis, head of risk services at security consultants the NCC Group. He claims that the majority of networks he comes across are “wide open” to internal abuse. And while few employees are deliberately malicious or fraudulent, he says, organisations must have a clearly stated policy regarding the use of their IT systems in order to deal with dishonest members of staff.

“You can't expect to investigate or prove anything unless you have a policy framework,” he says. “You have to have some kind of known-about policy about the use and abuse of IT facilities. Without that, you'll never get to first base in court or at a tribunal.” The policy, he adds, must be clear, both to employees obliged to sign up to it, and to the company's lawyers.

“There's a case at the moment that hinges on whether it was legal for someone to copy some files,” confides Vissilis. “If it was, the whole case falls apart, but the policy document isn't clear.”

In contrast, May says the problem of internal abuse is usually one of education. “You can't blame staff for breaching policy or giving out confidential information over the phone if they haven't been made aware of the issues. The best thing you can do is to provide staff with awareness training.” One sales person he encountered defended the theft of customer contact lists by other sales executives by saying “everyone does that”.

This also holds true for temps and contractors, who must be made to sign up to the company's IT policy if they are to use the system. Vissilis came to the aid of one organisation that had hired a contractor as a database administrator who was abusing the company's IT resources. It subsequently emerged that the contractor was helping a far-right terrorist group – not a common occurrence, fortunately.

Audit trail
But when an abuse does occur, companies must be able to prove what happened and who was responsible. “It's all very well suspecting misuse of company assets, but you need to record exactly what has been done to prove a case,” says Stephen Tsirtsonis, technical sales executive at Axial, the UK distributor of the forensics tool NetVCR, which collects and records user activity data for replay at a later date.

Vissilis says that most corporate IT systems come with out-of-the-box logging facilities, but “almost 99% of IT managers turn them off” to conserve processing power and data storage resources. He recalls a client that dismissed an employee for abusing its email system. With the former employee threatening to take the company to an industrial tribunal for unfair dismissal, Vissilis was called in to investigate. However, he discovered that the logging system had been turned off, and he could only narrow down the cause of the email abuse to a group of 15 potential culprits. “All 15 people were tarred with a slight slur on their name. The individual suspected had a strong case for unfair dismissal. The investigation had left the company worse off than before.”
