Tuesday, June 4, 2019

Misuse Of Computers At The Workplace

In general, the use of computers for illegal activities is an increasing problem, as virtually every commercial transaction now occurs in the digital world. In addition, people spend a significant part of their lives at the workplace, so chances are high that some sort of misuse will occur. Internal and external threats to an organization are becoming prevalent. In order to manage the collection and handling of digital evidence so that it is admissible in court, an organization needs to concentrate its efforts on establishing mechanisms that handle potential evidence for criminal investigations effectively.

To do that, I first discuss how computers can be misused at the workplace, identify trends in security incidents, and give a quick view of the fields of digital forensic science and cyber forensics. I then move to the context of the problem, addressing forensic readiness, admissibility of digital evidence, discovery, and practices for incident response. Finally, I present a proposal aimed at proactively addressing the collection and admissibility of digital evidence.

The background

Misuse of computers at the workplace

Computers can be misused at the workplace in a variety of different ways. From accessing inappropriate Internet sites to copying copyrighted material such as music, video or software, employees can commit offenses against the employer's corporate policies. In addition, non-work-related Internet activity, such as visiting sports sites, bidding online, trading stocks, shopping online, and collecting and sending jokes to co-workers, may also infringe information security or Information Technology (IT) resource policies. One of the most common forms of computer misuse in the workplace is the use of corporate e-mail and the Internet for private purposes.
Most companies use the Internet as a powerful business tool, but sometimes the misuse of that asset turns out to be very expensive: it consumes IT resources, negatively affects employee productivity, and can compromise security. Some businesses accept personal use of IT resources at the workplace, but there is a fine line dividing what is right and wrong in terms of personal use.

Other, more serious offenses may include access to unauthorized or confidential material, cyberstalking, identity and information theft, hacking, embezzlement, child pornography, and so on. Internal computers can also be used to commit fraud against the employer or its customers or suppliers. In some cases involving an employee accessing certain types of illegal websites, the company itself may become subject to criminal investigation [1]. Computer-related evidence can also be used to investigate cases of bribery [2].

Companies of all sizes have some sort of security policy in place that helps define the adequate use of information technology (IT) assets or identify misbehaviour. Those security policies may have been implemented in line with security standards such as ISO/IEC 27001:2005 [3], ISO/IEC 27002:2005 [4] and the Information Security Forum (ISF) [5], but initiatives in this area are normally linked to two important and quite different streams. First, financial obligations require IT systems to have tight checks, such as access control and authorization procedures, segregation of duties, contingency plans, and so on. Second, IT departments establish security mechanisms to protect internal computers from external threats such as viruses, network attacks and phishing, among other cyber threats.
Such tasks are mostly performed by distinct teams with different skills in the IT and business areas.

Failure to protect the internal network can put companies in situations where information systems are compromised, private or confidential information is leaked, or computers are even used by criminal networks via botnets [6]. In cases like this, companies may find their computer systems confiscated for inspection as part of a criminal investigation, in addition to suffering reputational damage.

A recent survey from Ernst & Young [7] shows an increase in the perception of internal threats related to information security. About 75% of respondents revealed that they are concerned with possible reprisals from employees recently separated from their organization. That may partly be an effect of the recent global financial crisis, but it is also due to the increasing level of automation and the value of the digital assets present in almost all organizations. Another interesting finding of this survey is that the primary challenge to effectively delivering information security was the lack of appropriate resources [8].

The Computer Misuse Act (UK)

As the first important piece of UK legislation designed to address computer crime, the Computer Misuse Act (CMA) [9] became law in 1990. It made, for example, hacking and the dissemination of viruses criminal offences.
The Act identifies three computer misuse offences:

Section 1: unauthorised access to computer material (a program or data).
Section 2: unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime.
Section 3: unauthorised modification of computer material.

A person is guilty of an offence under Section 1 if:
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows, at the time when he causes the computer to perform the function, that that is the case.

Section 2 deals with unauthorised access to computer systems with the specific intention of committing, or facilitating the commission of, a serious crime. A person is guilty of an offence under this section if he commits an offence under Section 1 with intent to commit or facilitate the commission of a further, sufficiently serious, offence.

Section 3 covers unauthorised modification of computerised information, and thus includes viruses and trojans [10]. A person is guilty of an offence under this section if:
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

The requisite intent is an intent to cause a modification of the contents of the computer and by so doing to impair its operation or hinder access to it, or to any data stored on it. The requisite knowledge is the awareness that any modification one intends to cause is unauthorised.

The CMA is responsible for a variety of convictions, from nanny agencies (R v Susan Holmes, 2008) to ex-employees (R v Ross Pearlstone, one of the first) [11]. One recent arrest under the CMA involved two suspected computer hackers caught in Manchester in a major inquiry into a global Internet fraud designed to steal personal details.
The investigation focused on the ZBot trojan, a piece of malicious software, or malware [12], that records online bank account details, passwords and credit card numbers in order to steal cash with that information. It also steals passwords for social networking sites [13].

Trends in security incidents

Large organizations are the ones most likely to have adequate information security policies in place. The use of information security practices in general requires the availability of skilled and well-trained people, risk assessment procedures and well-managed incident response procedures. To some extent, such practices are present in most businesses. However, the latest PwC Global Economic Crime Survey [14] shows that large organizations are the ones that report more frauds. The survey confirms that the larger the organization, the higher the relative number of reported incidents. It also showed an interesting shift in detection methods, which is pertinent to our analysis. For example, internal audit fell to 17% of cases in 2009, against 26% in 2005, while fraud risk management rose to 14% in 2009 from 3% in 2005. Newer risk management approaches try to be more proactive, as opposed to traditional audit procedures.
That trend may also indicate that manual procedures (mostly audits) are being replaced by more automation (fraud management systems).

Digital forensic science and cyber forensics

Digital forensic science can be defined as "the use of scientifically derived and proven methods toward the preservation, collection, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations" [15].

Carrier and Spafford (2003) [16] argue that digital evidence is data in digital format that establishes that a crime has been committed, thus providing a link between a crime and its victim or perpetrator. A digital crime scene is therefore the electronic environment where digital evidence potentially exists. Evidence made of bits and bytes is part of the realm of digital forensic science (DFS), which also includes visual and audio evidence. As a subset of DFS, the field of cyber forensics focuses on the investigation of evidence via scientific examination and analysis of digital data, so that it can be used as admissible and verifiable evidence in a court of law. Evidence in this field includes log files, a device's primary and volatile memory, storage media, software (code) and virtually any document in digital format, such as e-mail, SMS messages and so on.

Evidence in general must be admissible, authentic, complete, reliable and believable, and the demands on digital evidence are not different in essence. Fundamentally, the process of managing the lifecycle of digital evidence is the same as for physical evidence.
It includes the following phases: preparation, response, collection, analysis, presentation and incident closure [17]. However, digital evidence is highly volatile, and once it has been contaminated it cannot be returned to its original state [18]. The chain of custody is an essential condition for the admissibility and preservation of digital evidence.

The context

Threats to evidence collection

Evidence may exist in logs, computer memory, hard disks, backup tapes, software and so on. IT organizations are normally the ones supporting the IT assets that generate most of the digital evidence as a by-product of doing business. However, IT organizations provide services to their companies mostly using multi-vendor strategies. In addition, users are mobile and spread over several geographic areas; workstations and servers are hardly standardized; and vendors use different methods for providing services and are bound to complex service level agreements (SLAs) that penalize them when services are unavailable or performing poorly. The focus is always on running services at the lowest possible cost with adequate performance and availability. Whenever a problem damages the availability of a system, analysts will try to recover the full capacity of that service. This may mean that systems are restarted in a rush, or have their logs and other files deleted to improve processing capacity. In addition, although storage costs have fallen considerably in recent years, chiefly on the end-user side, data-centre storage is still expensive. Therefore, the pressures coming from cost reduction programs can compromise an adequate storage strategy.
Moreover, this has implications that hinder storing data for longer and reduce backup/restore procedures.

Forensic readiness

In the context of enterprise security, forensic readiness may be defined as the ability of an organization to maximize its potential to use digital evidence whilst minimising the costs of an investigation [19]. Adequate management of the digital evidence lifecycle may help an organization mitigate the risk of doing business. It can support a legal dispute or a claim of intellectual property rights. It can also support internal disciplinary actions, or simply show that due care has been taken in a given process [20]. An initiative aimed at supporting a forensic readiness program would include [21]:

- maximising an environment's ability to collect credible digital evidence;
- minimising the cost of forensics during an incident response.

In general, enterprise information security policies will facilitate forensic readiness initiatives. However, in any security incident the focus will mostly be on containment and recovery, because of the short-term business-critical issues [22].

To help organizations implement a practical forensic readiness initiative, Rowlingson (2004) suggests a 10-step approach, as follows [23]:

1. Define the business scenarios that require digital evidence.
2. Identify available sources and different types of potential evidence.
3. Determine the evidence collection requirement.
4. Establish a capability for securely gathering legally admissible evidence to meet the requirement.
5. Establish a policy for secure storage and handling of potential evidence.
6. Ensure monitoring is targeted to detect and deter major incidents.
7. Specify the circumstances in which escalation to a full formal investigation should be launched.
8. Train staff in incident awareness, so that all those involved understand their role in the digital evidence process and the legal sensitivities of evidence.
9. Document an evidence-based case describing the incident and its impact.
10. Ensure legal review to facilitate action in response to the incident.

Rowlingson also highlights two types of evidence: background evidence and foreground evidence. While the first is collected and stored for normal business reasons, the second is gathered to detect crime, most frequently via monitoring. However, monitoring typically raises privacy issues and therefore requires alignment with local laws. The monitoring process may help identify correlations between different events, thus increasing the potential of investigations based on digital evidence.

Admissibility of digital evidence

Digital evidence can be defined as any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred, or that addresses critical elements of the offense such as intent or alibi [24]. Digital evidence is useful not only for addressing cyber crimes, but also in a wide range of criminal investigations, such as homicides, child abuse, sex offenses, drug dealing, harassment and so on.

DiCarlo (2001) argues that the basic questions about the admissibility of evidence are relevance, materiality and competence. When evidence is relevant, material and competent, and is not blocked by an exclusionary rule such as the hearsay rule, it is admissible. Evidence is relevant when it has any tendency to make the fact it is offered to prove or disprove more or less probable. Evidence is material if it is offered to prove a fact that is at issue in the case.
Evidence is competent if the proof being offered meets certain traditional requirements of reliability [25]. Daubert [26] established a threshold test for the validity of a class of evidence [27]. Digital forensic evidence proposed for admission in court must meet two basic conditions: it must be relevant, and it must be derived by a scientifically sound method. The digital forensics field is highly technical and grounded in science, which in turn brings some challenges to forensic professionals. Initially, it requires specific skills, as the material can be challenging to handle. For example, fragments of bytes can be pieced together to recover a deleted e-mail that provides key information for a case. Nevertheless, it requires exhausting work to collect, handle and find the significant data. A similar situation occurs when decoding information carried by wired or wireless networks. Additionally, knowledge of the digital evidence environment and of how evidence is produced is essential for any investigation.

In Lorraine [28], Judge Grimm (2007) considered in detail the Federal Rules of Evidence as regards admissibility and authentication. He confirmed that the way evidence is gathered, processed and produced has a significant impact on its admissibility. According to the court, evidence must be:

- relevant;
- authentic;
- if hearsay, allowable under the hearsay exceptions;
- original, a duplicate, or supported by admissible secondary evidence;
- of probative value that is not outweighed by unfair prejudice or other factors.

Another important issue is that digital evidence is, to some extent, easily manipulated. It can be purposely modified by offenders or accidentally altered during the collection phase without obvious signs of distortion [29]. However, unlike physical evidence, it offers some particular features [30]:

- It can be duplicated. In fact, this is common practice in investigations and aims at reducing the risk of damage to the original.
- It is traceable. Appropriate tools can be used to determine whether digital evidence has been modified or tampered with when compared to the original copy.
- It is difficult to destroy. For example, deleted data can be recovered even if the hard disk is damaged.
- It may contain metadata (data about data). For example, a deleted file can show when it was deleted and last modified.

Electronic data discovery

Electronic data discovery [31] is any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case [32]. The 2006 amendments to the US Federal Rules of Civil Procedure (FRCP) [33] were driven by the increasing use of electronic material as evidence in litigation. The FRCP refers to discoverable electronic data as Electronically Stored Information (ESI). The amendments constituted a milestone in the field, and they require organizations to be better prepared to store and manage business records. In addition, they established the legal hold, which means that organizations have a duty to preserve information if they reasonably anticipate that a lawsuit may commence [34].

Normally, following a court order, an electronic discovery procedure can be carried out offline or online, on a particular computer or across a network, for the purpose of obtaining critical evidence. Electronic data is clearly easier to search than paper documents. In addition, data can be preserved indefinitely if properly stored, or even recovered once deleted.

If an entity becomes involved in a lawsuit, it will probably be requested to provide information that is in digital form. It is essential to be able to identify where and how that information can be retrieved.
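In practice the two properties listed first, duplication and traceability, come down to a hash recorded at acquisition and a custody log that is re-checked at every handover. The following is an added example, not code from the original post: it fingerprints an evidence item, hands examiners a working copy, logs each transfer, and re-hashes at each boundary, so a silent edit to the copy is detected and attributable to whoever held it. The record layout, function names and the sample mailbox fragment are constructed for this example and are not from any standard.

```python
"""Evidence duplication and traceability with a hash-backed custody log.

Added example, not code from the original post. Record layout,
function names and the sample data are assumptions of this example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Content hash used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    item_id: str
    acquired_hash: str                      # fixed at acquisition, never updated
    events: list = field(default_factory=list)

    def log(self, action: str, who: str, note: str = "") -> None:
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "who": who,
            "note": note,
        })


def acquire(item_id: str, original: bytes, collector: str) -> tuple[bytes, CustodyRecord]:
    """Fingerprint the original, take a working copy, open the custody record.

    Examiners work on the copy and the original is retained untouched: the
    "it can be duplicated" property from the text.
    """
    record = CustodyRecord(item_id, sha256_hex(original))
    record.log("acquired", collector, f"sha256={record.acquired_hash}")
    working_copy = bytes(original)
    return working_copy, record


def verify(record: CustodyRecord, copy: bytes) -> bool:
    """True if the copy still matches the fingerprint taken at acquisition."""
    return sha256_hex(copy) == record.acquired_hash


def transfer(record: CustodyRecord, sender: str, receiver: str, copy: bytes) -> bool:
    """Log a handover, re-hashing at the boundary so that any change made
    while the item was in the sender's custody is attributable to them."""
    ok = verify(record, copy)
    record.log("transfer", sender, f"to={receiver} verified={ok}")
    return ok


def demo() -> tuple[bool, bool, int]:
    # Constructed sample evidence: a fragment of an exported mailbox.
    original = b"From: alice@example.test\nSubject: invoice 4417\n\nplease approve\n"
    copy, record = acquire("MAIL-0001", original, "j.smith (IT)")
    intact = transfer(record, "j.smith (IT)", "examiner", copy)
    tampered_copy = copy.replace(b"approve", b"reject")   # silent edit, no visible sign
    detected = not transfer(record, "examiner", "legal", tampered_copy)
    return intact, detected, len(record.events)


if __name__ == "__main__":
    print(demo())   # (True, True, 3)
```

The point of hashing at every transfer rather than only at the end is attribution: when a later check fails, the log shows the last handover at which the copy still verified, which narrows down who had custody when it changed.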
In preparation for electronic discovery, an enterprise will likely have to face the following issues [35]:

- changes in business processes to identify, collect and manage business records and knowledge assets;
- implementation of new systems, technology or consulting to manage the lifecycle of electronic discovery;
- the need to instruct and inform employees about their responsibilities regarding the need to preserve information and make it discoverable.

In the event that an organization cannot locate or retrieve discoverable information, it may be subject to penalties or even have the case decided for the opposing side [36]. Discoverable electronic information must be produced regardless of the device on which it is stored, its format, its location or its type [37]. If the burden or cost of producing it is unreasonable, then it does not need to be produced. However, courts are entitled to order discovery where good cause exists [38].

Chain of custody is a fundamental requirement for ESI. Electronic discovery processes should demonstrate the integrity of documents from storage to retrieval. Without historical records, evidence can be held inadmissible. Metadata per se is contestable as digital evidence; however, it can support the integrity and traceability of evidence.

The FRCP also provides that one side may be required to grant the other access to a specific computer system as part of a discovery request, including technical support for that [39]. The whole business of maintaining an appropriate environment in which to locate, secure and search discoverable information increases the need to maintain IT tools that better support ESI processes. Although IT departments within organizations are the ones on duty to guarantee the technical means to preserve and recover ESI, electronic discovery as such is an evolving field that requires more than technology.
Moreover, it may raise legal, jurisdictional, security and personal privacy issues, which still need to be better assessed.

Practices for incident response

Every incident is unique and can involve many different areas of the affected organization. A proper response to incidents requires an appropriate level of planning and coordination. Despite being a critical element of any information security policy, incident response is one of the least practised, most stressful and most highly scrutinized tasks, as it requires incident analysts to be well prepared in advance, to be quick and calm, and to act considering a wide range of possibilities [40].

Common information security incidents include economic espionage, intellectual property theft, unauthorized access to data, stolen passwords, unauthorized or inappropriate use of e-mail and the web, malicious code such as worms with backdoors or trojans, and insider threats.

In dealing with breaches, organizations face the following common challenges [41]:

- misunderstanding of risks;
- limited understanding of where sensitive data are collected, used, stored, shared and destroyed;
- insufficient emphasis on secure coding practices and security quality assurance;
- permissive access;
- no information classification;
- flat architecture;
- duties not segregated;
- third-party connectivity/access;
- no access controls and limited physical controls;
- end-user computing vulnerabilities;
- limited role- and activity-based training and guidance.

ISO/IEC 27002:2005 is a Code of Practice for Information Security Management. It is a well-known guide to the subject and widely used within private organizations as a reference for information security management. Its Section 13, Information Security Incident Management, deals with information security events, incidents and weaknesses. It is intended to provide a framework and a starting point for developing a cyber threat response and reporting capability. It says incidents should be promptly reported and properly managed.
An incident reporting or alarm procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities [42]. In addition, responsibilities and procedures are required to manage incidents consistently and effectively, to implement continuous improvement (learning the lessons), and to collect forensic evidence. An organization must respond in some way to a computer security breach, whether it is an intrusion/hack, the implantation of malicious code such as a virus or worm, or a denial of service attack. The better prepared the organization is to respond quickly and effectively, the better the chance it has of minimizing the damage [43].

ISACA's Cybercrime Incident Response and Digital Forensics [44] internal control checklist recognizes the following steps for reacting efficiently and quickly to information security-related incidents:

- pre-incident;
- immediate action;
- secondary action;
- evidence collection;
- corrective measures;
- evaluation.

Systems administrators' duties

Statistics in general indicate that companies are increasingly subject to internal and external attacks. The digital economy is pervasive, and more and more documents now exist only in electronic form. Even social engineering techniques, which many times target unauthorized physical access, will leave electronic traces in some way. Thus, system and network administrators are often the first to learn that security incidents or breaches are taking place. The appropriate procedure for collecting evidence is vital to the success of any given case. It is fundamental to understand how to collect evidence, how it may be interpreted and what data will be available to trace criminal actions [45].

The AAA [46] architecture, defined in RFC 2903 [47], is a familiar concept for system and network professionals, and useful when considering forensics.
The model is based on three key information security concepts: authentication, authorization and accounting.

Authentication is concerned with the process of positively identifying a user, process or service and ensuring that they have sufficient credentials to enter and use systems and resources. Each normally requires information (account user names and passwords being a good example) that differentiates them uniquely and, hopefully, unforgeably.

Authorization is concerned with ensuring that resource requests are granted or denied according to the permission level of the requester.

Accounting is concerned with monitoring and tracking system activities. From a network security perspective, accounting is often called auditing. Auditing is the process of recording communications links, networks, systems and related resources so that they may be analysed at a later date. Accurate and detaile
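As an added illustration of the accounting leg just described (example code, not from the original post), the following reviews a few constructed syslog-style authentication records the way a first responder might before deciding whether to escalate. It applies three simple checks: successful logins by accounts that should already have been disabled (the reprisal-by-separated-employees concern from the survey cited earlier), logins outside business hours, and a run of failures followed by a success from the same source. The log format, field names, thresholds and the separated-user list are all assumptions of this example.

```python
"""Reviewing AAA accounting records for signs of workplace misuse.

Added example, not code from the original post. The log format, field
names, thresholds and the list of separated users are constructed for
this example and are not any product's real format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed record shape: "<ISO timestamp> <host> auth: ACCEPT|REJECT user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>ACCEPT|REJECT) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 counts as in-hours (assumption)
FAILURE_BURST = 3               # consecutive failures before a success that we flag


def parse(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(lines, separated_users):
    """Scan records in order; return (rule, user, src, timestamp) findings."""
    findings = []
    failures = defaultdict(int)   # (user, src) -> consecutive REJECTs so far
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # unparsable lines are skipped, never guessed at
        key = (rec["user"], rec["src"])
        when = rec["ts"].isoformat()
        if rec["result"] == "REJECT":
            failures[key] += 1
            continue
        # From here on the record is a successful login.
        if rec["user"] in separated_users:
            findings.append(("separated-account-login", rec["user"], rec["src"], when))
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("out-of-hours-login", rec["user"], rec["src"], when))
        if failures[key] >= FAILURE_BURST:
            findings.append(("success-after-failures", rec["user"], rec["src"], when))
        failures[key] = 0         # a success closes the current failure run
    return findings


# Constructed sample accounting records, in the order they were logged.
SAMPLE_LOG = [
    "2019-06-03T09:12:01 fs01 auth: ACCEPT user=alice src=10.1.2.3",
    "2019-06-03T22:41:17 fs01 auth: ACCEPT user=bob src=203.0.113.9",
    "2019-06-03T10:05:40 vpn1 auth: REJECT user=carol src=198.51.100.7",
    "2019-06-03T10:05:52 vpn1 auth: REJECT user=carol src=198.51.100.7",
    "2019-06-03T10:06:03 vpn1 auth: REJECT user=carol src=198.51.100.7",
    "2019-06-03T10:06:20 vpn1 auth: ACCEPT user=carol src=198.51.100.7",
    "garbage line that does not parse",
    "2019-06-03T11:30:00 fs01 auth: REJECT user=alice src=10.1.2.3",
    "2019-06-03T11:30:30 fs01 auth: ACCEPT user=alice src=10.1.2.3",
]

# Assumed HR feed: accounts belonging to recently separated employees.
SEPARATED = {"bob"}


def demo():
    return review(SAMPLE_LOG, SEPARATED)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The checks are deliberately stateful in record order and keyed by (user, source), which is what makes the failure-burst rule meaningful; run the same review over records sorted by user alone and the out-of-hours and separated-account rules still work, but the burst rule loses its signal.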
