Legal Issues


A number of legal issues surround the investigation of an insider attack. Company liability has been briefly discussed. The company might be liable if the investigation is not complete or if the employee was involved in illegal activity and the company did nothing about it. Pirated software and child pornography are obvious examples of material that might result in corporate liability if the offense is not properly handled. In addition, if the incident is mismanaged and it affects the company's profits or value, shareholder lawsuits could result. Corporate legal counsel and outside legal experts should be consulted at all phases of a sensitive investigation.

As a general rule, in the United States, a private company can monitor the electronic (and physical) actions of its employees. Consent is not always required (depending on the situation and the physical location of the employee), nor is prior notification. In any situation, however, legal advice should be obtained prior to monitoring employees, especially if that monitoring is initiated or increased in response to an incident. Prior notification of monitoring and informed consent by the employees will make the situation clearer and might also act as a deterrent.

Government agencies, including contractors employed by them in some situations, generally have much stricter rules as to the type of monitoring they can conduct. The law is not clear on this, and agencies often have differing interpretations and implementations of their right to monitor. Again, proper legal advice is critical.

Private companies outside the United States have different requirements. European Union privacy laws might make it difficult for the company to monitor email, for example. The situation is even less clear when the traffic or data crosses national boundaries.

Case Study

This particular case illustrates many of the points discussed in this chapter. It is not meant to be representative because insider attacks can vary widely, but it does demonstrate some of the pitfalls inherent to investigating an insider.

A firewall administrator was suspected of using an anonymous account to post harassing emails to a web bulletin board. The email account was a free web-based email service (such as Hotmail or Yahoo! Mail). The account in question had been used by the employee in the past to post to other boards (such as technical and computer-gaming discussions).

The message headers indicated that the source address of the postings corresponded to the corporate web proxy server, indicating that the messages had been sent from a company computer. The employee was interviewed and confronted. He refused to discuss the incident and was terminated. A team of consultants was hired to perform forensics examinations of the employee's computer and to audit the firewalls to ensure that no modifications had been made to them.

  • The employee was interviewed by the head of physical security. This person had a background in law enforcement but was not technically skilled. Based on transcripts of the interview, the employee probably felt threatened by the interviewer. Some of the more technical questions asked during the interview might have been misunderstood by one or both persons. For example, the employee was asked whether he had any kind of remote access to the firewalls, and he stated that he had none. In fact, he did have dial-in access. However, based on the specific way the question was stated, it was possible that the employee interpreted it as asking whether he had any unauthorized remote access. As the investigation progressed, it became clear that almost nothing obtained as a result of this interview was usable. The key point is that interviewing a potential suspect requires qualified and skilled personnel and should not be attempted randomly.

  • The employee was terminated following the interview. By terminating him immediately, however, the company lost any leverage it might have had to gain his cooperation. When further examination revealed no conclusive evidence that the employee was the source of the postings, the company could have become liable in a wrongful-termination lawsuit. The decision to terminate the employee was made as a direct result of the interview and was made without input from the corporate legal or incident response teams. As a general rule, suspected employees should not be terminated unless there is overwhelming evidence. It is usually better to place them on administrative leave pending the results of the investigation. This both avoids potential lawsuits over wrongful termination and can be used to persuade the employee to cooperate with the investigation.

  • The consulting team was not requested until two weeks after the final posting. Forensics examinations were unable to produce conclusive evidence that the employee had made the postings. All members of the employee's team had their computers examined as well. Because other people had knowledge of the incident, their computers demonstrated that they had visited the bulletin board. However, no forensics evidence existed that any employee had posted. Forensics, to be successful, requires that the computer be seized and examined as soon as possible following the incident. Logs, temporary files, cache, and history files are quickly overwritten during normal use.

  • Although the postings resolved the source address back to the corporate proxy server, the firewalls were not logging all outbound HTTP traffic. In addition, logs were only maintained for one month and then were deleted. By the time the investigation took place, no logs were available to further resolve the source of the posting back to a specific computer. In addition, even if the firewall logs had been available, the company did not maintain DHCP logs. It would have been virtually impossible to tie an IP address in the firewall log to a specific workstation. Logs are one of the key sources of evidence. They must be backed up and archived offline. Again, the delay in initiating the investigation resulted in a lack of evidence.
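The correlation that the company could not perform, as an added example that is not from the book: given constructed proxy-log and DHCP-lease records, tie the source IP of a posting back to a workstation, and return nothing when the record has aged out of a 30-day retention window. All log formats, addresses, MACs and hostnames below are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed proxy log: timestamp, client IP, method, URL.
PROXY_LOG = """\
2002-03-09 14:02:11 10.1.4.23 POST http://board.example.net/post.cgi
2002-03-09 14:05:40 10.1.4.23 GET http://board.example.net/thread/118
2002-03-10 09:12:03 10.1.4.57 GET http://www.example.com/
"""

# Constructed DHCP lease log: lease start, lease end, IP, MAC, hostname.
# 10.1.4.23 is deliberately held by two different workstations on consecutive
# days, so the lease window, not just the address, decides the attribution.
DHCP_LOG = """\
2002-03-08 08:00:00 2002-03-09 08:00:00 10.1.4.23 00:50:56:aa:bb:01 ws-eng-07
2002-03-09 13:30:00 2002-03-10 13:30:00 10.1.4.23 00:50:56:aa:bb:09 ws-eng-12
2002-03-10 09:00:00 2002-03-11 09:00:00 10.1.4.57 00:50:56:aa:bb:03 ws-fin-02
"""

def ts(date, time):
    return datetime.strptime(f"{date} {time}", FMT)

def parse_proxy(text):
    return [(ts(d, t), ip, m, url)
            for d, t, ip, m, url in (line.split() for line in text.splitlines())]

def parse_dhcp(text):
    return [(ts(f[0], f[1]), ts(f[2], f[3]), f[4], f[5], f[6])
            for f in (line.split() for line in text.splitlines())]

def resolve_workstation(ip, when, leases, now, retention=timedelta(days=30)):
    """Return (mac, hostname) for the lease covering `ip` at `when`, or None.
    A record older than `retention` relative to `now` is treated as already
    deleted: this models the one-month log rotation that defeated the case."""
    if now - when > retention:
        return None
    for start, end, lease_ip, mac, host in leases:
        if lease_ip == ip and start <= when < end:
            return mac, host
    return None

def attribute_posts(url_fragment, proxy_rows, leases, now):
    """Name the workstation behind every POST to a URL containing `url_fragment`."""
    return [(when, ip, resolve_workstation(ip, when, leases, now))
            for when, ip, method, url in proxy_rows
            if method == "POST" and url_fragment in url]

if __name__ == "__main__":
    rows, leases = parse_proxy(PROXY_LOG), parse_dhcp(DHCP_LOG)
    for when, ip, ws in attribute_posts("board.example.net", rows, leases, ts("2002-03-12", "00:00:00")):
        print(when, ip, ws or "no DHCP record: IP cannot be tied to a workstation")
```

Run it with `now` moved past the retention window and every posting resolves to None, which is the evidentiary dead end the case study describes.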

  • One of the postings was made during a weekend. The company had no records, however, that could track which employees had been present in the building during that period. Although the company had electronic badge access to the offices, it was common practice, especially on weekends when the air conditioning was turned off, for the first employee in to block the doors open with a fire extinguisher. It was therefore impossible to demonstrate whether the suspect employee (or any other employee) was physically able to make this particular posting. Physical security logs are often the only way to put a person at a computer.

  • The decision to call in outside consultants to do the investigation was extremely useful. Regardless of the technical skills of the consultants or the internal incident response personnel, the fact that the suspect was a firewall administrator (and an ad-hoc member of the incident response team) created the potential for a conflict of interest (or at least the perception of one). By bringing in outside consultants to audit the affected systems, the company was able to demonstrate that it was willing to do an independent audit of the incident and that no one, not even members of the incident response team, was above suspicion. The use of external auditors, who might report to persons outside the normal incident response team, can be valuable in demonstrating a degree of due care and diligence in the investigation.

The company responded to the bulletin board by stating that it had investigated the incident and terminated the employee responsible. The bulletin board then deleted the email account. No further harassing emails were received from the company. However, because all members of the team were aware of the scope of the investigation, this might simply be a case in which the person responsible stopped his actions because he knew he was being monitored.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103
