Friday, September 20, 2019

Misuse Of Computers At The Workplace

Misuse Of Computers At The Workplace In general, the use of computers for illegal activities is an increasingly problem as virtually every commercial transaction occurs in the digital world. In addition, people spend a significant part of their lives at the workplace so that chances are high that any sort of misuse will occur. Internal and external threats to an organization are becoming prevalent. In order to manage the collection and handling of digital evidence, allowing it to be admissible in court, an organization needs to concentrate efforts in constituting mechanisms to effectively handle potential evidence for criminal investigations. In order to address that issue, I initially discuss how computers can be misused at the workplace, identify trends in the security incidents arena, and provide a quick view on the field of digital forensics science and cyber forensics. Later, I move to the context of the problem addressing issues of forensic readiness, admissibility of digital evidence, discovery, and practices for incident response. Finally, I convey a proposal aiming at proactively addressing issues of collection and admissibility of digital evidence. The background Misuse of computers at the workplace Computers can be misused at the workplace in a variety of different ways. From accessing inappropriate Internet sites to copying copyrighted material, such as music, video or software, employees can make offenses against the employer corporate policies. In addition, non-work related Internet activity, such as visiting sport sites, bidding online, trading stocks, shopping online, and collecting and sending jokes to co-workers may also infringe Information Security or Information Technology (IT) resources policies. It is known that one of the most common ways of computer misuse in the workplace is the utilization of corporate e-mail and the Internet for private use. Most companies use Internet as a powerful business tool, but sometimes the misuse of that asset could turn out to be very expensive as it consumes IT resources and affects negatively employee productivity, in addition to compromise security. Some businesses accept the personal use of IT resources at the workplace, but there is a faulty line that divides what is right and wrong in terms of personal use. Other more serious offenses may include access to unauthorized or confidential material, cyberstalking, identify and information theft, hacking, embezzlement, child pornography etc. Internal computers can also be used to commit fraud against the employer or its customers or suppliers. In some cases involving an employee accessing certain types of illegal websites, a company may be subject to criminal investigation.  [1]  Computer related evidence can also be used to investigate cases of bribes.  [2]   Companies from different sizes have some sort of security policy in place that helps shaping the adequate use of information technology (IT) assets or identifying misbehaviour. Those security policies may have been implemented in line with security standards, such as ISO/IEC 27001:2005  [3]  , ISO/IEC 27002:2005  [4]  and the Internet Security Forum (ISF)  [5]  , but initiatives in this area are normally linked to two important and quite different streams. First, financial obligations impose IT systems to have tight checks, such as access control and authorization procedures, segregation of duties, contingency plans etc. Second, IT departments establish security mechanisms to protect internal computers from external threats, such as viruses, network attacks, and phishing among others cyber threats. Such tasks are mostly performed by distinct teams, with different skills in the IT and business areas. Failures to protect the internal network can put companies in situations where information systems can be compromised, private or confidential information leaked, or even computers being used by criminal networks via botnets  [6]  . In cases like this, companies may find its computer systems confiscated for inspection as part of criminal investigation, in addition to being subject to damages in reputation. A recent survey from Ernst Young  [7]  shows an increase in the perception of internal threats related to information security. About 75% of respondents revealed that they are concerned with possible reprisal from employees recently separated from their organization. That may have had some impact originated from the recent global financial crisis, but it is also due to the increasing level of automation and value of digital assets present in almost all organizations. Another interesting finding of this survey is that the primary challenge to effectively delivering information security was the lack of appropriate resources.  [8]   The computer misuse act (UK) As a first important UK legislation designed to address computer crime, the Computer Misuse Act (CMA)  [9]  became law in 1990. It turned, for example, hacking and viruses dissemination criminal offenses. The Act identifies three computer misuse offences: Section 1 Unauthorised access to computer material (a program or data). Section 2 Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime. Section 3 Unauthorised modification of computer material. A person is guilty of an offence under section 1 if: He causes a computer to perform any function with intent to secure access to any program or data held in any computer The access he intends to secure is unauthorised; and He knows at the time when he causes the computer to perform the function. The Section 2 deals with unauthorised access to computer systems with the specific intention of committing, or facilitating the commission, of a serious crime. A person is guilty of an offence under this section if he commits an offence under Section 1 with intent to commit or facilitate the commission of a further, sufficiently serious, offence. The Section 3 covers unauthorized modification of computerised information, and thus includes viruses and trojans  [10]  . A person is guilty of an offence under this section if: He does any act which causes an unauthorised modification of the contents of any computer; and At the time when he does the act he has the requisite intent and the requisite knowledge. The requisite intent is an aim to cause a modification of the contents of the computer and by so doing impair its operation or hinder access to it, or any data stored on it. The requisite knowledge is the awareness that any modification one intends to cause is unauthorised. The CMA is responsible for a variety of convictions, from nanny agencies (R v Susan Holmes 2008) to ex-employees (R v Ross Pearlstone one of the first).  [11]  One recent arrest under the CMA involved two suspected computer hackers that have been caught in Manchester in a major inquiry into a global internet fraud designed to steal personal details. The investigation focused on ZBot trojan, a malicious software or malware  [12]  that records online bank account details, passwords and credit card numbers to ultimately steal cash with that information. It also steals password of social network sites.  [13]   Trends in security incidents Large organizations are the ones more likely to have adequate Information Security Policies in place. The utilization of Information Security practices in general requires the availability of skilled and well-trained people, risk assessment procedures and well managed incident response procedures. To some extent, the implementation of such practices is available in most businesses. However, the last PWC Global Economic Crime Survey  [14]  shows that large organizations are the ones to report more frauds. The survey confirms that the larger the organization the bigger the relative number of reported incidents. It also showed an interesting trend in detections methods, which is pertinent to our analysis. For example, internal audit went down to 17% of cases in 2009 against 26% in 2005. In addition, fraud risk management rose to 14% in 2009 from 3% in 2005. Newly risk management approaches try to be more proactive as opposed to traditional audit procedures. That trend may also demon strate that manual procedures (mostly audits) are being replaced by more automation (fraud management systems). Digital forensics science and cyber forensics Digital forensic science can be defined as: The use of scientifically derived and proven methods toward the preservation, collection, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.  [15]   Carrier and Spafford (2003)  [16]  argue that digital evidence concerns with data in digital format that establishes a crime has been committed, thus it provides a link between a crime and its victim or perpetrator. A digital crime scene is therefore the electronic environment where digital evidence potentially exists. Evidences, which are made of bits and bytes, are part of the digital forensic science (DFS) realm, which also includes visual and audio evidences. As a subset of the DFS, the cyber forensics field focus on the investigation of evidences via scientific examination and analysis of digital data so that it can be used as admissible and verifiable evidence in a court law. Evidences in this field includes log files, equipment primary and volatile memory, storage media, software (code) and virtually any document in digital format, such as email, sms messages etc. Evidence in general must be admissible, authentic, complete, reliable and believable, therefore requirements for digital evidence are not different in essence. Fundamentally, the process of managing the lifecycle of digital evidence is the same as the physical evidence. It includes the following phases: preparation, response, collection, analysis, presentation, incident closure.  [17]  However, digital evidence is highly volatile and once it has been contaminated, it cannot come back to its original state.  [18]  The chain of custody is an essential condition for digital evidence admissibility and preservation. The context Threats to evidence collection Evidence may exist in logs, computer memory, hard disks, backup tapes, software and so on. IT organizations are normally the ones supporting the usage of IT assets that generates most of the digital evidence as a result of doing business. However, IT organizations provide services to their companies mostly using multivendor strategies. In addition, users are mobile and spread along several geographic areas; workstation and servers are hardly standardized; and vendors use different methods for proving services and are bound to complex service level agreements (SLAs) that penalize them when services are not available or running with poor performance. The focus is always on running services to the lowest possible cost with adequate performance and availability. Whenever a problem may exist damaging the availability of a system, analysts will try to recover the full capacity of that service. It may imply that systems will be, in a rush, restarted or have its logs and other files deleted to improve processing capacity. In addition, although storing costs have fallen considerably during the last years, mainly on the end user side, data-center storage has been still expensive. Therefore, the pressures coming from costs reduction programs can, as a result, compromise running an adequate storage strategy. Moreover, this have implications that will hinder storing data longer, and reduce backup/restore procedures. Forensic readiness In the context of enterprise security, forensic readiness may be defined as the ability of an organization to maximize its potential to use digital evidence whilst minimising the costs of an investigation.  [19]  An adequate management of digital evidence lifecycle may help an organization to mitigate the risk of doing business. It can support a legal dispute or a claim of intellectual property rights. It can also support internal disciplinary actions or even just show that due care has taken place in a particular process.  [20]   An initiative, which aims at supporting a forensic readiness program, would include:  [21]   Maximising an environments ability to collect credible digital evidence; Minimising the cost of forensics during an incident response. In a general perspective, the utilization of enterprise information security policies will facilitate forensic readiness initiatives. However, in any security incident there will be mostly focus on containment and recovery due to the short-term business critical issues.  [22]   In order to help organizations implement a practical forensics readiness initiative, Rowlingson (2004) suggests a 10-step approach, as follow:  [23]   Define the business scenarios that require digital evidence. Identify available sources of different types of potential evidence. Determine the evidence collection requirement. Establish a capacity for securely gathering legally admissible evidence to the requirement. Establish a policy for secure storage handling and potential evidence. Ensure monitoring is target to detect and deter major incidents. Specify circumstances when escalation to a full formal investigation should be launched. Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence Document an evidence-based case describing the incident and its impact Ensure legal review to facilitate action in response to the incident. Rowlingson also highlights two types of evidences: background evidence and foreground evidence. While the first is collected and stored via normal business reasons, the second is gathered to detect crime, and more frequently done via monitoring. However, monitoring typically raises privacy issues consequently requiring alignment to local laws. The monitoring process may help identifying data correlation between different events, thus increasing the potential of digital evidence based investigations. Admissibility of digital evidence Digital evidence can be defined as any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi  [24]  . Digital evidence is useful not only to address cyber crimes, but also in an extensive range of criminal investigations, such as homicides, child abuse, sex offenses, drug dealing, harassment, and so on. Dicarlo (2001) argues that the basic questions about admissibility of evidences are relevance, materiality, and competence. When evidence is considered relevant, material, and competent, and is not blocked by an exclusionary rule, hearsay for example, it is admissible. Evidence is relevant when it has any tendency to make the fact that it is offered to prove or disprove within certain probability. Evidence is material if it is offered to prove a fact that is at issue in the case. Evidence is then competent if the proof that is being offered meets certain traditional requirements of reliability.  [25]   Daubert  [26]  has posed a threshold test to validate an evidence competency as a class of evidence.  [27]  Digital forensic evidence proposed for admission in courts must meet two basic conditions; it must be relevant, and derived by scientifically sound method. The digital forensics field is highly technical and grounded on science, which in turn bring some challenges to forensics professionals. Initially, it requires specific skills to deal with as it can be challenging to handle. For example, pieces of bytes can be put together to recover a deleted email that would provide key information to a case. Nevertheless, it would require an exhausting work to collect, handle and find the significant data. A similar situation occurs when decoding information carried by wire or wireless networks. Additionally, the knowledge of the digital evidence environment and how it can be produced is essential for any investigation. In Loraine  [28]  , Judge Grimm (2007) remarkably considered the Federal Rules of Evidence regarding its admissibility and authentication. He confirmed that the way evidence is gathered, processed and produced have a significant impact on its admissibility. According to the court, evidence must be: Relevant; Authentic; If hearsay, allowable under the hearsay exceptions; Original, duplicate or supported by admissible secondary evidence; The probative value of such evidence cannot be outweighed by any unfair prejudice or other factors. Another important issue is that digital evidence, to some extent, is easily manipulated. It can purposely suffer modification from offenders or be accidently altered during the collection phase without obvious signs of distortion.  [29]  However, differently from physical evidences, it offers some particular features:  [30]   It can be duplicated. In fact, this is a common practice in investigations and aims at diminishing the risk of damages to the original. It is traceable. Appropriate tools can be used to determine if digital evidence has been modified or tampered when compared to the original copy. It is difficult to destroy. For example, deleted data can be recovered even if hard disk is damaged. It may contain metadata (data about data). For example, a deleted file can show when it was deleted and last modified. Electronic data discovery Electronic Data Discovery  [31]  is any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.  [32]   The 2006 amendments in the US Federal Rules of Civil Procedure (FRCP)  [33]  were driven by the increasingly use of the electronic form as evidence in litigation. The FRCP refers to electronic data discoverable as Electronic Stored Information (ESI). It constituted a milestone in the field, which is requiring organizations to be better prepared to store and manage business records. In addition, it established the legal hold, which means that organizations are under the duty to preserve information if they reasonable anticipate that a lawsuit may commence.  [34]   Normally, following a court order, an electronic discovery procedure can be carried out offline or online, on a particular computer or in a network, for the purpose of obtaining critical evidence. Electronic data is clearly easier to be searched when compared to paper documents. In addition, data can be perpetuated if properly stored, or even recovered if once deleted. If an entity becomes involved in a lawsuit, it will probably be requested to provide information that is in digital form. It is essential to be able to identify where and how the information can be retrieved. In preparation for electronic discovery, an enterprise will likely have to face the following issues:  [35]   Changes in business process to identify, collect and manage business records and knowledge assets; Implementation of new systems, technology or consulting to manage the lifecycle of the electronic discovery; Need to instruct and inform employees about their responsibilities regarding the need to preserve information and make it discoverable. In a event that an organization cannot locate or retrieve discoverable information, it may be subject to penalties or even have the case turning to the opposite side.  [36]   Discoverable electronic information must be produced regardless of the device it is stored, its format, its location or type.  [37]  If the burden or cost to produce is not reasonable, then it does not need to be produced. However, courts are entitled to order the discovery in situations where a good cause would exist.  [38]   Chain of custody is a fundamental requirement of ESI. Electronic discover processes should demonstrated the integrity of documents from storage to retrieval. Without historical records, evidence can be held inadmissible. Metadata per se is contestable as digital evidence; however, it can support the integrity and traceability of evidences. The FRCP also provide that one side may be required to grant the other access to a specific computer system as part of a discovery request, including technical support for that.  [39]  The whole aspect of maintaining an appropriate environment to locate, secure, and search discoverable information, increase the need to maintain IT tools that better support ESI processes. Although IT departments within organizations are the ones on duty to guarantee the technical means to preserve and recover ESI, electronic discovery as such is an evolving field that requires more than technology. Moreover, it may rise legal, jurisdictional, security and personal privacy issues, which still need to better assessed. Practices for incident response Every incident is unique and can incorporate many different areas of the affected organization. A right response to incidents requires an appropriate level of planning and coordination. In spite of being a critical element of any information security policy, incident response is one of the least practiced, most stressful, highly scrutinized task as it requires that incident analysts be well prepared in advance, be quick and calm, and act considering a wide range of possibilities.  [40]   Common cases of information security incidents may include economic espionage, intellectual property theft, unauthorized access to data, stolen passwords, unauthorized or inappropriate use of email and web, malicious code, such as worms with backdoors or trojans, and insider threats. In dealing with breaches, organizations face the following common challenges:  [41]   Misunderstanding of risks; Limited understanding of where sensitive data are collected, used, stored, shared and destroyed; Insufficient emphasis on secure coding practices and security quality assurance; Permissive access; No information classification; Flat architecture; Duties not segregated; Third-party connectivity/access; No access controls and limited physical controls; End-use computing vulnerabilities; Limited role and activity based training and guidance. The ISO/IEC 27002:2005 is a Code of Practice for Information Security Management. It is a well-known guide for the subject and widely used within private organizations as a reference for the information security management. The Section 13 Information Security Incident Management deals with information security events, incidents and weaknesses. It intends to provide a framework and a starting point for developing a cyber threat response and reporting capability. It says incidents should be promptly reported and properly managed. An incident reporting or alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc should be informed of their incident reporting responsibilities.  [42]   In addition, responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence. An organization must respond in some way to a computer security breach whether it is an intrusion/hack, the implantation of malicious code such as a virus or worm, or a denial of service attack. The better prepared the organization is to respond quickly and effectively, the better the chance it will have to minimize the damage.  [43]   The ISACA ´s Cybercrime: Incident Response and Digital Forensics  [44]  internal control checklist recognize the following steps for reacting efficiently and quickly to information security-related incidents: Pre-incident; Immediate action; Secondary action; Evidence collection; Corrective measures; Evaluation. Systems administrators duties Statistics in general indicate that companies are more and more subject to internal and external attacks. The digital economy is pervasive and more and more documents now appear to exist only in electronic means. Even social engineering techniques, which many times target non-authorized physical access, will leave electronic traces in some way. Thus, system and network administrators are many times the first ones to get to know that security incidents or breaches are taking place. The appropriate procedure to collect evidence is vital to the success of any certain case. It is fundamental to understand how to collect evidence, how it may be interpreted and what data will be available to trace criminal actions.  [45]   The AAA  [46]  architecture, defined by the RFC 2903  [47]  , is a familiar concept for system and network professionals, and useful when considering forensics. The model is based on key information security concepts: authentication, authorization and accounting. Authentication is concerned with the process of positively identifying a user, process or service and ensuring that they have sufficient credentials to enter and use systems and resources. Each usually requires information (account user names and passwords being a good example) that differentiates them uniquely and hopefully undisguisably. Authorization is concerned with ensuring that resource requests will be granted or denied according to the permission level of the requester. Accounting is concerned with the monitoring and tracking system activities. From a network security perspective, accounting is often called auditing. Auditing is the process of logging communications links, networks, systems and related resources to ensure that they may be analysed at a later date. Accurate and detaile

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.