Companies should take steps to respond to computer crime


Week of April 17, 2000

From the Houston Business Journal

Companies should take steps to respond to computer crime

Brett Young

The incident rate of computer-based crime is accelerating -- roughly keeping pace with the expansion of electronic business. While the fantastic exploits of cyber criminals catch the headlines, most crimes involving computers go unnoticed. The majority of these misdeeds (about 70 percent according to a Computer Security Institute survey) are perpetrated by organizational insiders -- usually employees.

Companies of all sizes are forced to respond to computer crime, and many don't handle it well. To reduce the damage done, company officials must act quickly, following a clearly defined plan. Companies able to respond quickly and decisively have taken precautions beforehand.

FIRST RESPONSE

If a crime has been committed against a company and it has possession of the computers affected, company managers should ask two simple questions. They are: "Should we pursue prosecution for this crime?" and, "Are there any critical data that could be lost by examining the computer?"

If the answer to either of these questions is yes -- don't touch the PCs. If they are running, leave them on. If they've been shut down, leave them down. Modern operating systems like Microsoft Windows generate temporary files during normal use. Just turning the machine on and browsing through files on the PC could destroy evidence on the machine's hard drive, such as the remnants of deleted files.

The next step is to enlist the expertise of a computer forensics expert to examine the machines used in the crime. An experienced forensics pro has the tools and knowledge to analyze the PC without destroying evidence. The Federal Bureau of Intelligence's Computer Crime Division can provide help locating a forensics specialist.

Those who are certain that they have no interest in prosecution, but think that critical information may have been deleted from the computer's hard drive, are advised to get an expert anyway. This odd situation, where information is deliberately deleted (often by a departing employee), suggests the question: "If the data is so important to the business, why was the only copy on this PC?"

HELP FROM THE FBI

Federal law offers businesses protection against all types of information crimes, though this legislation is not widely known. The most comprehensive law is the Economic Espionage Act of 1996. This Act provides for jail sentences of up to 10 years and fines up to $250,000 for individuals found guilty of information crimes. These crimes include any act willfully done that would cause a "material impact" to the owner of the information. That definition includes destructive activities such as divulging trade secrets, participation in insider trading or destroying critical data.

The enactment of the Economic Espionage Act was good news to small and mid-sized businesses that lacked the resources to mount a lengthy legal defense in civil court following an information crime. The FBI and federal courts could be enlisted on the behalf of any business to redress the wrong.

But there's a catch. Many companies have excluded themselves on a technical point. The protection offered to US organizations via the Economic Espionage Act of 1996 is only offered to those businesses that have taken "reasonable precaution" to protect their information.

If the information in question were paper drawings, a reasonable precaution might be to lock the room where the drawings are stored. In the case of computer crime, reasonable precaution might include computer policies and procedures, appropriate use statements for e-mail users and an ongoing awareness program.

TAKING PRECAUTIONS

The real work of recovering from a computer crime begins long before the "perp" takes to the keyboard. Quick and effective recovery is possible when organizations have followed a few guidelines:

Put appropriate policies in place; make sure that they are understood.

Know where critical information resources reside.

Make sure the organization's critical information is backed up and recoverable.

Review protection systems such as virus control and Internet firewalls to ensure that they are current.

Assuming that the crime won't go to court and that the PC doesn't house critical information, some forensics work can be done in-house. Every organization should have a rudimentary forensics capability on hand. Commonly available software such as Norton Utilities and Ghost from Symantec Corp. can provide the ability to recover deleted files and to make an exact copy of a suspect system.

Browsing through recently opened documents and reviewing the Internet browser cache can provide some good insights into what might have gone wrong. Remember though, that PCs that have been casually inspected won't hold up as evidence in court and that selectively monitoring the PCs of current employees might be deemed discriminatory.

Computer crime will likely impact most organizations during the next few years. The companies that suffer least will be those that have prepared for it.

http://www.bizjournals.com/houston/stories/2000/04/17/focus11.html



-- Martin Thompson (mthom1927@aol.com), April 18, 2000

