Rob Buckley – Freelance Journalist and Editor

Tough on the causes of crime


Tracking insider computer crime is hard enough. But proving guilt can be even harder.


Companies must avoid crossing the line of legality, however. Vissilis and May both caution against monitoring individuals without good reason, because of the Human Rights Act. The Regulation of Investigatory Powers (RIP) Act permits only general monitoring of employees' phone calls and use of IT equipment, and only if staff have been told that they will be monitored.

May says the degree of logging depends on the culture of the company: some companies log only exceptional behaviour, while others monitor everything.

The latter end up with large logs that are impossible to read and analyse except with custom tools, such as those from data recovery specialist Vogon. Other approaches are emerging, though. Peter Dorrington, business solutions marketing manager at business intelligence tools company SAS Institute, says the company's new text mining tool, SAS Text Miner, can analyse logs for patterns that might indicate abuse, and can also spot patterns in other kinds of documents, such as CVs and invoices, that might otherwise be missed. “One guy was submitting invoices that individually were not unusual, but together meant he was working a 36-hour day. The accounts department rubber-stamped the individual invoices because there was nothing suspicious about them,” says Dorrington.
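The invoice case Dorrington describes is an aggregation problem: each record passes a per-item check, and the fraud only shows up when records are grouped by person and day. The example below, added here and not code from the article or from SAS, runs both checks over a small set of constructed invoices (the names, dates and hours are invented; the 12-hour per-invoice limit and 24-hour per-day limit are assumed thresholds) to show why the per-item check the accounts department applied sees nothing.

```python
"""Added example: per-invoice checks pass, per-day aggregation catches the fraud.

All data below is constructed for illustration; thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample invoices: (invoice_id, contractor, work_date, hours_billed).
# Each one on its own looks like an ordinary working day.
INVOICES = [
    ("INV-101", "j.smith", "2003-03-04", 8.0),
    ("INV-102", "j.smith", "2003-03-04", 10.0),
    ("INV-103", "j.smith", "2003-03-04", 9.0),
    ("INV-104", "j.smith", "2003-03-04", 9.0),   # four invoices, one day: 36 hours
    ("INV-201", "a.jones", "2003-03-04", 7.5),
    ("INV-202", "a.jones", "2003-03-05", 8.0),
    ("INV-301", "k.lee",   "2003-03-05", 12.0),
    ("INV-302", "k.lee",   "2003-03-05", 12.0),  # exactly 24 hours: on the threshold, not over it
]


def per_invoice_check(invoices, max_hours=12.0):
    """The check accounts applied: flag any single invoice billing more than
    max_hours. Returns the ids of invoices that fail (none in the sample)."""
    return [inv_id for inv_id, _who, _day, hours in invoices if hours > max_hours]


def aggregate_hours(invoices):
    """Sum billed hours per (contractor, date), remembering which invoices
    contributed so the finding can be traced back to source documents."""
    totals = defaultdict(float)
    sources = defaultdict(list)
    for inv_id, who, day, hours in invoices:
        totals[(who, day)] += hours
        sources[(who, day)].append(inv_id)
    return totals, sources


def flag_impossible_days(invoices, max_hours=24.0):
    """Flag (contractor, date) pairs whose total billed hours exceed the hours
    in a day. Returns (contractor, date, total_hours, [invoice ids])."""
    totals, sources = aggregate_hours(invoices)
    return [
        (who, day, total, sources[(who, day)])
        for (who, day), total in sorted(totals.items())
        if total > max_hours
    ]


if __name__ == "__main__":
    print("per-invoice failures:", per_invoice_check(INVOICES))
    for who, day, total, ids in flag_impossible_days(INVOICES):
        print(f"{who} billed {total:g}h on {day} across {', '.join(ids)}")
```

The per-invoice check returns nothing, because no single invoice exceeds 12 hours; the aggregated check flags j.smith at 36 hours for 4 March and lists the four invoices that make it up. The same grouping generalises to any key the fraud hides behind (per week, per project, per approver); the threshold is the only part that is domain-specific.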

But what about abuse perpetrated by the people most adept at covering their tracks, the IT department? Mark Knowles of Maxima, a fraud investigation agency, says that he is mainly called in over downloaded pornography, and that the culprits are mostly found in the IT department. “Admins tend to be very helpful. And very good at deleting logs,” agrees Vissilis. “You've got to try and second-guess what they've done and hope they're lazy or there's something they haven't thought of.”

Taking regular back-ups of logs, preferably onto write-once media such as CD-ROMs, and digitally signing (or at least hashing) them at the time they are written, means that even if the live logs go missing, an intact copy survives and any later alteration can be detected. For the copies to be worth anything, they must be kept somewhere the administrators under investigation cannot write. This matters especially when a company sets its logs to recycle (overwrite themselves) after a set period to save space.

Addressing abuse
So what should an organisation do if it suspects its IT systems are being used for criminal activity? According to guidance from IT security firm @Stake, it is essential that a record of the computer system be taken as soon as possible. Clues are deleted and distorted during every minute a system is active, making the process of recovering information more difficult for security architects to extract. The International Association of Computer Investigative Specialists lists three essential requirements of a competent forensic examination: “Forensically sterile examination media must be used, the examination must maintain the integrity of the original media, and printouts, copies of data and exhibits resulting from the examination must be properly marked, controlled and transmitted.” Tools like Niksun's NetVCR and EnCase from computer forensics specialist Guidance Software take exact copies of a hard drive, including free and 'slack' space (space partially occupied by files that cannot normally be used by other files).

Getting hold of this evidence can be more difficult with laptops, says May, but most people under investigation fall for the simple ruse of “the necessary software upgrade”; in more extreme cases, he reports, he has had to fake breakdowns that require the computer to be returned for “repairs”.

However, a computer forensics tool in inexperienced hands can be counter-productive. Says May, “The most common thing is for someone in senior management to grab someone from IT [to run an inspection using the tool]. They then change file modification times and overwrite information by installing utilities.” The result, he adds, is that vital evidence may be lost completely. There needs to be a well-known procedure for employees to follow in the event of a suspected crime, detailing what to do and to whom to report the problem. Even trivial matters, such as a Windows password prompt appearing where none appeared before (which could be a program designed to capture the password), should be reported and logged as a potential breach of security.

Varied skills
Kevin Lack, a partner at Insight Consulting, says the skills required in investigations are extremely varied. “They must have knowledge of systems, programs, monitoring tools, interviewing methods and legislation. They have to be able to act as expert witnesses, sustain investigation management skills and even be able to handle the media.” So while companies such as Microsoft and Boeing can hire their own in-house forensics teams, the millions of pounds required mean that external forensics teams are almost a must for serious crimes. Indeed, if a company discovers child pornography on its systems, the police must be called in; otherwise the company is aiding and abetting the perpetrator.

