Old Data Never Dies...

Old data never dies... but it may not even fade away, to rework a saying from General Douglas MacArthur.

OK, how many of you out there have a lawyer you'd call a friend? Oh, come on now. There must be a few of you. No, this is not a lawyer joke or a rant at the expense of attorneys. By the end of this article those of you muttering in the back of the room should want to review your company's -- and maybe even your personal -- policies regarding the legal aspects of IT.

Let me explain.

Along with the IT security consulting that I do, I also review forensic data. The technical part isn't rocket science, but it does require patience, care, and a lot of detailed notes. I also deal with lawyers and the legal aspects of evidence, digital data, and digital data as evidence. The hard part in digital forensics seems to be policy and dealing with the human factor.

It comes back to company policies. Always does, doesn't it?

Let's start with an example -- a 'composite' drawn from a couple of recent cases. All of the elements are real; they may just have come from more than one case so I can maintain the clients' privacy.

Company X calls and says they need to have the computer used by a former employee examined. Their concern is that the employee who recently left is now working for their competitor, and it seems the competition has just bid on a contract for developing some new widget that looks an awful lot like Company X's gadget.

They want to know if I can find out whether proprietary information or protected intellectual property has been stolen.

Never say, ''Yes.'' Just say, ''We'd be happy to review the drive in a forensically clean process, and if the drive has that information, we'll find it.''

It's all about the facts and the data -- not inferences and surmises. That's what the lawyers get paid to do as they build cases from all of the details from digital and traditional investigations.

Now we enter through the looking glass.

When I arrive on site I learn that:

  • The employee left three months ago;
  • The employee worked in a development role, with sensitive files on his system;
  • He had added un-restricted internet access from this system (and used it);
  • He was allowed (as was everyone else) to use web-based email in addition to company email;
  • Because there was no policy enforcement, he was allowed to download and install third-party software on the system;
  • He had a CD-ROM burner and software on the system;
  • The system had been on the floor behind someone's desk or on a shelf in a common access workshop, and
  • The system had been accessed by IT staff, at the specific request of management, to 'copy files over to a server'.

The person telling me all of this averted his eyes and carefully inspected his shoes. I think I may have been glaring, dumbstruck.

At this point, it's hard to call this a ''forensics'' case. Anyway, I suggested that it was good to at least know these things. Perhaps I could determine what had happened on a timeline and show what may or may not have been done while the former employee was responsible for the computer.

In the end, I did find some facts that were useful to the lawyers' teams in each case. But the important part, again, wasn't technical -- it was the process.

What should the process be for the termination, transfer, or promotion of any employee with access to sensitive company or personnel information? Out-brief letters, signing or re-signing non-compete and non-disclosure agreements, a review of transaction logs and the data on the system, all jump to mind as good standard practice.

Why does a sensitive development system have internet access? Why are employees using web-mail that won't have company transaction logs or email records? For those in companies with Sarbanes-Oxley or Gramm-Leach-Bliley requirements, this could be a regulatory violation, too.

User-installed software is a great vector for Trojan horses and other malicious programs, so it should be avoided at all costs. This untested software could also simply introduce incompatibilities that crash programs or degrade the network.

CD-ROM burners used to be part of resource management. Some of you are nodding... Remember when there was one burner and you had to get blank CDs through some tracked process? ''What are you copying and why?'' needed to be answered first. Today, burners are literally everywhere. And so are copies of software and data.

If someone leaves the company or a project, and there's enough of an issue to keep a computer out of the network, shouldn't that be a hint that something more formal should be done to keep track of the box?

Don't wait three months. And don't turn on the system to check things out and copy a few files. If a computer needs to be 'examined', and there is any chance it may be key in upcoming litigation, you must follow some pretty clear procedures that maintain a chain of custody and record of access to the system.
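The two things that paragraph asks for, a record of who touched the evidence and proof that it has not changed since acquisition, are straightforward to put in code. The following is an added example written for this article, not the author's or any vendor's tooling: it hashes an acquired image, appends custody records (acquired, received, verified) to an append-only log, and then re-verifies the image against the hashes recorded at acquisition. The image bytes, the evidence tag `CX-2005-001` and the actor names are constructed for the demonstration.

```python
"""Integrity record plus a minimal chain-of-custody log for a forensic image.

Added example for this article; the image, evidence tag and actors below are
constructed stand-ins, not data from a real case.
"""

import hashlib
import json
from datetime import datetime, timezone


def hash_image(data: bytes) -> dict:
    """Return the digests an examiner records at acquisition.

    Two algorithms are kept so a later verifier can cross-check them.
    """
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def log_custody_event(log: list, *, evidence_id: str, actor: str,
                      action: str, hashes: dict, note: str = "") -> dict:
    """Append one custody record and return it.

    The log is append-only by convention: every hand-off, verification or
    examination adds a row; nothing edits or deletes an earlier row.
    """
    entry = {
        "evidence_id": evidence_id,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "hashes": hashes,
        "note": note,
    }
    log.append(entry)
    return entry


def verify_image(data: bytes, log: list, evidence_id: str) -> bool:
    """Compare the image against the hashes recorded at acquisition.

    Returns False if no acquisition record exists for this evidence id or if
    any recorded algorithm disagrees with the current digest.
    """
    acquisitions = [e for e in log
                    if e["evidence_id"] == evidence_id and e["action"] == "acquired"]
    if not acquisitions:
        return False
    recorded = acquisitions[0]["hashes"]
    current = hash_image(data)
    return all(current[alg] == recorded[alg] for alg in recorded)


def demo() -> tuple:
    """Run acquire -> hand-off -> verify -> alter -> verify.

    Returns (verified_before, verified_after, custody_log); the expected
    results are True and False.
    """
    # Constructed stand-in for a disk image; real code would read the
    # acquisition output file rather than build bytes in memory.
    image = b"\x00" * 4096 + b"PROPRIETARY_WIDGET_SPEC_v3" + b"\xff" * 1024
    log: list = []
    evidence_id = "CX-2005-001"  # hypothetical evidence tag

    acquired = log_custody_event(
        log, evidence_id=evidence_id, actor="examiner", action="acquired",
        hashes=hash_image(image), note="imaged via write blocker; original sealed")
    log_custody_event(
        log, evidence_id=evidence_id, actor="counsel", action="received",
        hashes=acquired["hashes"], note="working copy handed to outside counsel")

    verified_before = verify_image(image, log, evidence_id)

    # Any change to the media fails verification. One flipped byte is enough
    # here; booting the box "to copy a few files" changes far more than that.
    altered = bytearray(image)
    altered[4100] ^= 0x01
    verified_after = verify_image(bytes(altered), log, evidence_id)

    log_custody_event(
        log, evidence_id=evidence_id, actor="examiner", action="verified",
        hashes=hash_image(bytes(altered)),
        note="hash match" if verified_after else "hash mismatch")
    return verified_before, verified_after, log


if __name__ == "__main__":
    before, after, custody_log = demo()
    print(f"verified before change: {before}, after change: {after}")
    print(json.dumps(custody_log, indent=2))
```

The log rows are the "record of access" the article asks for; the hashes are what lets anyone, including opposing counsel, confirm that the image examined is the one acquired. In practice the log itself is kept somewhere the examiner cannot silently rewrite (signed, or on separate media with its own hash), and the verification is repeated and logged every time the image changes hands.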

This, of course, brings us back to the lawyers.

It is essential that legal counsel be an active part of the policy development and implementation team. Among other things, they need to help determine what is private and what isn't. Anyone dealing with European-based firms or offices knows the E.U. privacy laws are very different from those in North America.

As an IT department decides what to check for policy compliance measures, they should also talk to the lawyers so they know how to handle what may become evidence in either a civil or criminal case.

Remember, forensics is generally what gets done after something bad happens. There's a lot of homework and preparation that should come beforehand.

Oh, if you're ever a defendant, you want your counsel to be more of a friend than just another lawyer. In one of the parts of this composite story, it became pretty clear that the person under scrutiny wasn't doing anything wrong. They were just unpopular.

So, go meet a lawyer. She will help you understand a crucial and under-appreciated aspect of the business world.

By the way, in each of the cases that made up the composites, data was discovered that pre-dated the employee in question -- and some of it wasn't good at all. We found snippets of emails to and from competing companies, and address books with entries for competitors. Of course, we found where some employees had been surfing the Web for a new car or clothing.

And we did find, in one case, where an employee had been surfing pornographic Web sites in violation of company policies. When the company further investigated this same employee, they found he was still viewing porn on the job and he received an administrative warning. And yes, any one of a dozen ways to block sites would have helped, but this company hadn't put policy enforcement processes in place.

Bob Hillery, a former computer and security manager for the U.S. Navy, is a founder of Intelguardians, LLC, a security consultancy. With experience in the corporate, military and academic worlds, he now also is an instructor with the SANS Institute.
