
Computer Crime and Security - Essay Example

Summary
The paper "Computer Crime and Security" discusses that the imperatives of not recording network access information will be stressed upon all employees. The authority to elevate access levels will be removed from all employees and kept within the IT department…

Extract of sample "Computer Crime and Security"

Interoffice Memo
05/05/2008
CEO Eze, CISCO
RE: Incident Report

Situation Summary

As it was flu season, last January we were forced to hire temporary workers for our call centre. All came highly recommended and were interviewed by the HR department. All temporary workers sat for an orientation session and their work duties were explicitly outlined for them. There appeared to be no problems with either their understanding of their tasks or their references and qualifications. Shortly thereafter, however, the ICT Department detected unusual IT activities and launched an investigation. The Secret Service was informed, as initial investigations indicated that patients' files were being accessed and the data contained therein copied. Later investigations revealed that it was an insider incident, that it involved the theft and subsequent selling of patients' credit card numbers, and that the activities emanated from the Call Centre.

Having provided you with a general overview of the situation, I will now explain its potential and actual consequences, summarize the results of the post-mortem and clarify both lessons learnt and future action.

2 Background

In regulating conduct related to the use of computers, the United States government currently defines a computer as "an electronic, optical, electrochemical, or other high-speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such a device" (United States Computer Fraud and Abuse Act (e)(1), 1984, cited in Kipper, 2007, p. 194). This definition accounts for the way in which IT has fused data storage, computing and telecommunications technologies and, in so doing, touches upon the potential of both the computing and telecommunications technologies to violate the integrity and confidentiality of the stored data.
The United States Department of Commerce (2000) highlighted this threat in its report on the proliferation of computer use and internet access, not just in the United States but across the world. As the great majority of corporations, both in the United States and worldwide, rely on IT for data storage and processing, increased popular access to IT renders corporate systems vulnerable to unauthorized penetration and the associated accessing of private and confidential data (U.S. Department of Commerce, 2000). While it is the responsibility of corporate entities to ensure the security of their networks, absolute inviolability is practically impossible to achieve. Thus, recent years have witnessed the ever-increasing use of computers in the commission of crimes of fraud and theft (Power, 2000). Our company has recently fallen victim to one such incident.

3 Incident Overview

On January 16th, 2008, a periodic review of our IT activity logs evidenced a string of unusual activities. Almost 10,000 patient files had been accessed and the data they contained had been transferred to an external medium, possibly an external hard drive. The IT department had no record of authorizing any individual this level of access and, indeed, there was no legitimate justification for the access of 10,000 patient files. The incident was terribly worrisome as these files contain sensitive data such as patients' social security, insurance and credit card numbers, not to mention home and place of employment addresses and contact information. The IT department immediately contacted the Legal Department and apprised its Director of the situation who, in turn, contacted law enforcement and did the same.

4 Post Mortem

After reporting the incident to the Legal Department and law enforcement officials, the IT department launched an intensive post mortem investigation.
The investigation, which followed standard procedures that will be described shortly, had several objectives. These were the identification of the source, as in whether it was an insider or outsider incident; the personal identification of the attacker and the strategy by which s/he gained access to the files; the data accessed and downloaded; and the attacker's intent.

The scale of the incident necessitated the involvement of several departments in the investigation. Accessing confidential files which contained social security and credit card numbers immediately indicated that there was a criminal intent to the transgression and that the attacker intended to sell the information for the purposes of facilitating either credit card fraud or identity theft. Hence, apart from the involvement of the Secret Service, the Legal Department, the Security Department and, of course, the IT Department were involved in all stages of the investigation.

Adhering to established digital forensics procedures recommended by noted security experts such as Stephenson (2003), the first step involved a detailed and comprehensive review of available logs. IT department employees collected all logs dating from before the detection of the suspicious activities and throughout them. A review of the logs against our corporate network map established that the incident had not been launched by an outsider but by an insider. Furthermore, the logs clearly indicated that access had been granted in response to the entry of a valid, high-level password. This finding, in itself, was quite problematic because even though we had narrowed down suspects to insiders, the net we had cast was still very wide and encompassed several hundred employees. Therefore, at the direction of the Secret Service personnel involved in the investigation, we narrowed down our suspect list to insiders who had this level of access.
All were interviewed by the Security Department in the presence of representatives from the Legal Department and, without exception, all were cleared. They were cleared for two reasons. Firstly, had their passwords been used to access the data in question, the logs would have identified them as having accessed the data. The logs, however, identified none of these individuals as having accessed the data in question during the time period under investigation. Secondly, the Security Department had cleared them during the interview process.

It was thus determined that an unidentified person had accessed one of these passwords to elevate his/her security clearance level. The logs were reviewed once again to test the validity of this particular hypothesis and it was, indeed, discovered that elevated access had been granted to a call centre employee by the call centre manager himself. Again, interviews conducted by the Security Department with the call centre manager cleared him of complicity, although not of carelessness, as it was discovered that he stored his network access data on his mobile phone, which he often left unattended.

At this point, the digital forensics investigation came to an abrupt halt as the logs did not reveal any additional information pertaining to the identity of the individual in question or even the computer terminal which had been used to either elevate the access level or access the data in question. The Security Department and the Secret Service stepped in at this point and began to interview all call center employees. Extensive interviews eventually led to the identification of a recently hired temporary worker. Although she had come with high recommendations and had no prior citations for involvement in computer crime, she fit the bill.
The certificates in her personnel file indicated that she had received extensive IT training and, accordingly, had the requisite knowledge to commit the acts in question (elevation of access level and accessing files). The Secret Service placed the suspect under surveillance for the purposes of either absolving her or gathering incriminating evidence. The surveillance established her complicity and she was subsequently arrested by the Secret Service. At the court hearing, which is set for next month, members of the investigation team are required to give evidence.

To date it appears that the credit card and social security numbers accessed have not yet been used. There is, however, no way to determine that they have not been sold and will not be used in the near future.

Table 1: Summary of Findings

Objective | Results of the Investigation
Source of Attack | Insider
Identity of Attacker | A female temp call center employee
Strategy Employed | Accessed the Call Center manager's login information to elevate her clearance level, enabling unrestricted access to sensitive patient data
Data Accessed | 10,000 patient files were accessed and the credit card numbers contained therein were downloaded onto an external storage medium.
Data Usage Intent | Sale of the credit card numbers, including their associated three-digit authorization code.

5 Lessons Learnt

The incident is a direct consequence of carelessness and the failure of the IT department to implement an automated log review system which would alert personnel to suspicious activities. The Call Center Manager violated all IT security policies by leaving his password lying around, and the IT department was derelict in its duties because the incident was only discovered after 10,000 credit card and social security numbers had been downloaded. Lessons have been learnt as a direct outcome of this incident and the implementation of these lessons will help prevent a similar incident from occurring.
First of all, the imperative of not recording network access information will be impressed upon all employees. Secondly, the authority to elevate access levels will be removed from all employees and kept within the IT department. Lastly, a system for the automated review of network and computer logs will be implemented for the purposes of immediately alerting the department to any suspicious activities. It is believed that the implementation of these lessons will reduce the possibility of recurrence.

6 References

Kipper, G. (2007). Wireless Crime and Forensic Investigations. NY: Auerbach Publications.

Power, R. (2000). CSI/FBI Computer Crime and Security Survey. San Francisco, CA: Computer Security Institute.

Stephenson, P. (2003). Conducting Incident Post Mortems. Computer Fraud and Security, 2003(4), 16-19.

United States Department of Commerce. (2000). Falling Through the Net: Toward Digital Inclusion. Washington, DC: National Telecommunications and Information Administration.
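
One way the automated log review named in Lessons Learnt could look, as an added example that is not part of the memo: the log format, account names and the threshold of 100 files per hour are constructed assumptions. It flags the two signals the investigation turned on, an access elevation granted outside the IT department and one account reading an unusual number of patient files.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV = re.compile(r"(\w+)=(\S+)")

def build_sample_log(step_seconds=5):
    """Constructed sample: one elevation by a non-IT account, then 120 reads."""
    lines = [
        "2008-01-15T09:02:11 user=cc_manager dept=callcentre action=ELEVATE target=temp_017",
        "2008-01-15T09:05:40 user=it_admin1 dept=it action=ELEVATE target=nurse_042",
        "2008-01-15T09:10:00 user=nurse_042 dept=clinical action=READ_PATIENT file=P900001",
        "corrupted line without fields",
    ]
    start = datetime(2008, 1, 15, 9, 20)
    for i in range(120):
        ts = (start + timedelta(seconds=i * step_seconds)).isoformat()
        lines.append(f"{ts} user=temp_017 dept=callcentre action=READ_PATIENT file=P{i:06d}")
    return lines

def parse(line):
    """Return a dict of fields, or None for a line that cannot be parsed."""
    stamp, _, rest = line.strip().partition(" ")
    try:
        event = {"ts": datetime.fromisoformat(stamp)}
    except ValueError:
        return None
    event.update(KV.findall(rest))
    return event if "user" in event and "action" in event else None

def review(lines, max_files=100, window=timedelta(hours=1)):
    """Flag elevations granted outside IT and bulk patient-file reads.

    Assumes the lines are in chronological order.
    """
    alerts, recent, flagged = [], defaultdict(deque), set()
    for event in filter(None, map(parse, lines)):
        user = event["user"]
        if event["action"] == "ELEVATE" and event.get("dept") != "it":
            alerts.append(("ELEVATION_OUTSIDE_IT", user, event.get("target")))
        elif event["action"] == "READ_PATIENT":
            reads = recent[user]
            reads.append((event["ts"], event.get("file")))
            while reads[0][0] < event["ts"] - window:
                reads.popleft()          # slide the window forward
            distinct = len({f for _, f in reads})
            if distinct > max_files and user not in flagged:
                flagged.add(user)        # one alert per account
                alerts.append(("BULK_PATIENT_READ", user, distinct))
    return alerts

if __name__ == "__main__":
    for alert in review(build_sample_log()):
        print(alert)
```

A fixed per-hour threshold misses slow collection, as the second sample (one read per minute) shows, so it complements rather than replaces the elevation check.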