The needs of the corporate world and those of law enforcement differ on several levels. Law enforcement officials work under more restrictive rules than corporate agents or employees. If a law enforcement agent asks you to do something, you can be bound by the same restrictions that they encounter. Face it: there is a big difference between a company deciding to log router traffic and a local or federal law enforcement officer asking the company to log the traffic.
Incident: A threatening computer security breach that can be recovered from in a relatively short period of time.
Both law enforcement and corporate practitioners are guided by a set of best practices set forth by various agencies. In the law enforcement arena, a set of best practices exists for electronic discovery and how to properly retrieve data. The corporate world has established best practices for security and best practices for determining what comprises an incident. These best practices spell out incident response procedures for reacting to an incident. Because disasters are usually of a larger magnitude, best practices for disaster recovery may affect both. The focus of this book is to provide information that can be used in either discipline; it is not geared specifically toward law enforcement.
Incident response: The action taken to respond to a situation that can be recovered from relatively quickly.
Every day new articles are written about network security and vulnerabilities in software and hardware. This visibility has caused security to become a priority in most companies. Corporate efforts to make sure a network is secure generally are focused on how to implement hardware and software solutions, such as intrusion detection, web filtering, spam elimination, and patch installation. For example, an article from Silicon.com reported that during the first quarter of 2003, the number of security events detected by companies jumped 84 percent over the preceding three months. The SQL Slammer worm infected 200,000 computers running Microsoft's SQL Server. Ninety percent of all vulnerable servers were infected within the first 10 minutes of the worm's release on the Internet. Dealing with the threat of network damage through an intrusion or virus is a part of everyday life for corporate IT professionals, whereas forensic experts focus on the examination, analysis, and evaluation of computer data to provide relevant and valid information to a court of law.
Intrusion detection: Software and hardware agents that monitor network traffic for patterns that may indicate an attempt at intrusion.
Corporate focus is on minimizing the potential damage that may result from unauthorized access attempts through the prevention, detection, and identification of an unauthorized intrusion. This is done mainly by having security policies in place that dictate the level of security for various areas and computers. Along with these policies, incident response and disaster recovery plans set forth the procedures for investigations, including when, who, and how in regard to contacting law enforcement.
Security policy: Specifications for a secure environment, including such items as physical security requirements, network security planning details, a detailed list of approved software, and human resources policies on employee hiring and dismissal.
Companies can access websites to find out about new vulnerabilities or security best practices. It is in the best interest of any company to assign someone to check this information on a regular basis to ensure that the network is protected.
Virus: A program or piece of code that is loaded onto your computer without your knowledge and is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched.
You'll find in many corporate environments that incidents are not reported, often due to the issue of legal liability. The 'Let's just quietly fix it' approach to security incidents is common in the corporate world. Some laws now hold management responsible for data breaches. A company is potentially liable for damages caused by a hacker using one of its computers, and a company might have to prove to a court that it took reasonable measures to defend itself from hackers. The following federal laws address security and privacy and affect nearly every organization in the United States.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted on August 21, 1996, to ensure the portability, privacy, and security of medical information. HIPAA was enacted to ensure that only patients and their healthcare providers have access to the patients' medical information. HIPAA requires that Patient Health Information (PHI) be kept private and secure. It imposes stiff fines and jail time on both healthcare institutions and individuals who disclose confidential health information.
Worm: Similar in function and behavior to a virus, with the exception that worms do not need user intervention. A worm takes advantage of a security hole in an existing application or operating system and then finds other systems running the same software and automatically replicates itself to the new hosts.
The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of the personal information that they collect. This includes information such as names, addresses, phone numbers, income, and Social Security numbers. Basically, financial institutions are required to secure customer records and information regardless of size. Among other institutions, it includes check-cashing businesses, mortgage brokers, real estate appraisers, professional tax preparers, courier services, and retailers that issue credit cards to consumers.
The Sarbanes-Oxley Act, named for the two Congressmen who sponsored it, was passed to restore the public's confidence in corporate governance by making chief executives of publicly traded companies personally validate financial statements and other information. Congress passed the law to avoid future accounting scandals such as those committed by Enron and WorldCom. The law was signed on July 30, 2002. Large corporations must be in compliance by June 15, 2004, and smaller companies have to comply by April 15, 2005. The executives who have to sign off on the internal controls can face criminal penalties if a breach is detected. In other words, if someone can easily get into a secure or private part of your system because you use a three-character password such as 'dog,' it will be viewed as a sign of noncompliance.
Often, the victim company does not know which law enforcement entity to call. Company management might feel that the local or state police will not be able to understand the crime and that the Federal Bureau of Investigation (FBI) and Secret Service are not needed. In addition, management might be afraid that the intrusion will become public knowledge, harming investor confidence and chasing away current and potential customers. They might also fear the effect of having critical data and computers seized by law enforcement. An investigation can seriously jeopardize the normal operations of a company, not only for the customers but for the employees as well. The interruption to the workplace causes confusion and disrupts employee schedules. Furthermore, cases are often hard to pursue if the suspect is a juvenile or the intruder is from another country, and in many states the amount of damage inflicted by the intruder is too small to justify prosecution. Lastly, pursuing such matters can take a long time and be costly.
Many businesses perceive that there is little upside to reporting network intrusions.
Whereas the corporate world focuses on prevention and detection, the law enforcement realm focuses on investigation and prosecution. Each state has its own set of laws that govern how cases can be prosecuted. For cases to be prosecuted, evidence must be properly collected, processed, and preserved. In later chapters, we'll go through these processes. Technology has dramatically increased the universe of discoverable electronic material, thereby making the job of law enforcement much more complicated. Electronic evidence can include any and all electronically stored information that is in digital, optical, or analog form. Evidence includes not only electronic data but also electronic devices such as computers, CD-ROMs, floppy disks, cellular telephones, pagers, and digital cameras.
Law enforcement must deal with incredible amounts of data. When the Internet is involved, crimes can be committed from other states and countries, thereby involving the laws and jurisdiction of those locales. The following high-profile case about hackers from Russia is a perfect example of this situation.
On June 20, 2001, a federal grand jury indicted a computer hacker on several federal charges for allegedly accessing computer systems owned by several companies, stealing credit card information, and requesting payments for computer security services from the companies. Alexey V. Ivanov, of Chelyabinsk, Russia, was charged with four counts of unauthorized computer intrusions, eight counts of wire fraud, two counts of extortion, and one count of possessing usernames and passwords for an online bank. Ivanov allegedly used one of the stolen credit card numbers to open an account with CTS Network Services, an Internet service provider in San Diego. He then hacked into CTS computers and used them to launch attacks against other e-commerce companies.
To obtain evidence for the case, the FBI set up a sting operation in which it advertised a job offer for a fictitious company named Invita Security, Inc., which drew Ivanov and his partner, 25-year-old Vasili Gorchkov, to the United States.
During the sting operation, the two men were invited to log on to their computer in Russia from the Invita offices. FBI agents captured the keystroke information, which they used to access the Russians' computer over the Internet and download its data. However, the FBI agents did not contact Russian law enforcement officials, thus violating Russian Criminal Code Article 272, which punishes 'unlawful access to computer information' with up to two years in prison. The U.S. federal judge presiding over the case ruled that the downloaded evidence was admissible in court, finding that the FBI wasn't subject to Russian law. Gorchkov was subsequently convicted of 20 counts of wire fraud.
Source: U.S. Department of Justice, Computer Crime and Intellectual Property Section (CCIPS), http://www.usdoj.gov/criminal/cybercrime/ivanovIndict2.htm.
For a case to stand up in court, most evidence must be attested to by a witness. In the case of electronic evidence, who is the witness to a computer making a log entry? How can a law enforcement officer show that the other 15 accounts logged in at the time didn't commit the deed? Despite the relative infancy of the law, electronic data is finding its way into the courtroom and is having a profound impact in many cases. Courts are generally not persuaded by the authenticity, best evidence rule, chain of custody, and other challenges to the introduction of electronic data at trial. This type of issue has been brought up in court several times. A good example is United States v. Tank. The court addressed the question of the authentication of Internet chat room logs that were maintained by one of the co-defendants. The defendant claimed that the government did not have a sufficient foundation for the admission of the logs. The government provided evidence linking the screen name used by the defendant to the defendant. The government's evidence also included testimony from one of the co-defendants about the method he used to create the logs and his recollection that the logs appeared to be an accurate representation of the conversations among the members. The court ruled in favor of the government, declaring that the government had made a satisfactory showing of the relevance and the authenticity of the chat room log printouts.
With the increase in cybercrime, keeping up with caseloads has become nearly impossible. Department of Public Safety (DPS) crime lab personnel barely have time to answer the phone. How does law enforcement determine the priority of the complaints that it investigates and prosecutes? Generally speaking, the following factors help determine which cases get priority:
The Amount of Harm Inflicted: Crimes against children or ones that are violent usually get high priority, along with crimes that result in large monetary loss.
Crime Jurisdiction: Crimes that affect the locale are usually chosen, especially when resources are taken into consideration.
Success of Investigation: The difficulty of the investigation and the likely success of the outcome weigh heavily in determining which cases to investigate.
Availability and Training of Personnel: Often, crimes that don't require a large amount of manpower or very specific training may take precedence.
Frequency: Isolated instances take a lower priority than those that occur with regular frequency.
In addition, some associations offer help and guidance not only to law enforcement but to the corporate world as well. The High Technology Crime Investigation Association (HTCIA) is one such organization. The national website is located at http://htcia.org. The website includes links to chapters throughout the world, which include information on local laws associated with computer crimes.