Catching a Corporate Rat
Use computer log event data to identify thieves responsible for inside jobs
Corporate espionage is not a new crime problem, but the means for insiders to victimize their employers in the digitized workplace have become a whole lot easier.
Stealing confidential information or valuable intellectual property no longer requires hours of surreptitious photocopying or the smuggling of overstuffed briefcases past building security. Corrupt employees need not even transfer data to a disk. Any employee with access to the Internet can copy and upload data to Web-based e-mail services with a few simple keystrokes and mouse clicks.
Among the most common acts of corporate espionage is the theft of personal data regarding individuals for the purpose of engaging in identity theft schemes. These are often inside jobs: It is estimated that as much as 50 percent of company computer security breaches are perpetrated by insiders.[FOOTNOTE 1]
The theft of confidential information is by no means limited to identity theft schemes. Organizations are also at risk of having their current employees paid off by others to steal valuable proprietary information and intellectual property that is then used against the organization in the marketplace. Or, perhaps a former employee steals the information prior to leaving in an effort to jump start his or her own business venture.
Unlike other instances of cybercrime, where appropriate security measures may be adopted to minimize the risk of unauthorized access by outsiders to confidential electronically stored information, inside jobs are, generally speaking, committed by those who have the organization's permission to access that information.
Instances of corporate espionage targeting proprietary information maintained on an organization's computers are increasing despite federal criminal penalties designed to deter and punish insiders who steal from their employers. For example, the Economic Espionage Act prohibits, among other things, the commercial theft of trade secrets, carried out for purely economic or commercial advantage.[FOOTNOTE 2] If found guilty, a defendant can be imprisoned for up to 10 years and fined $250,000, or both, for violating the EEA.[FOOTNOTE 3] The Computer Fraud and Abuse Act (CFAA)[FOOTNOTE 4] protects the confidentiality, integrity and availability of electronically stored data by criminalizing a variety of computer-related misconduct, including the theft of data by unauthorized persons.[FOOTNOTE 5] The CFAA also permits persons harmed by CFAA violations to bring civil actions for damages and injunctive relief.[FOOTNOTE 6]
Criminal penalties and civil remedies are, of course, ineffective if the evidence cannot be developed to prove liability. Thus, the potential effectiveness of these provisions is undermined whenever an organization's networks are not set to capture and record information that might permit investigators to identify the insider improperly accessing and stealing confidential information. In order to permit the effective investigation of such inside jobs, it is important that an organization adopt network policies that maximize the amount of data captured and retained concerning what a system's authorized users are doing, including what services have been accessed.
INVESTIGATING THE INSIDE JOB
The success of investigations of acts of corporate espionage committed by insiders is highly dependent on an organization's capacity to retrieve and analyze information that may reveal the identity of the insider.
The task may be more difficult or impossible if an organization failed to configure its network servers to record and maintain data showing the services that its users access. These data, recorded in what are commonly referred to as "event logs," often contain the clues enabling forensic investigators to identify the corrupt insider. Poor initial choices on the maintenance of such data may frustrate the ability of investigators to bring an investigation over the finish line.
Sifting and analyzing clues present in event logs is a necessary, but not exclusive, step in determining responsibility for a theft of data or digital intellectual property. Investigating and solving cases involving the theft of confidential information by a corporate insider requires an approach that effectively incorporates and seamlessly blends network analysis, computer forensics and traditional investigative techniques. Take this simple example:
The thief is John, an employee of XYZ & Co., a regional financial services firm. John is approached by a broker employed by a competitor, ABC Co., who offers to pay John for personal data on XYZ's best clients, i.e., for valuable leads that may represent new business for ABC.
John knows exactly where to go: a database containing personal information about the 1,000 XYZ clients with the highest net worth. In fact, it's part of John's job to access and update this information, which is exportable into a spreadsheet found on XYZ's file server, which functions as a centralized repository for the storage of electronic documents within a computer network.
To accomplish the theft of this valuable information, on Jan. 2, 2006, 9 a.m., John accesses the client information spreadsheet. John then accesses the Internet from his computer and goes to an account at a free Web-based e-mail service (in this example Yahoo), that he established in order to carry out the scheme. Yahoo, and other Web-based e-mail services like Hotmail, typically do not verify a user's identity, which assists John in attempting to maintain his anonymity.
John then composes a draft e-mail attaching the spreadsheet that he has copied from an XYZ file server and sends the e-mail to himself. XYZ's valuable information about its best clients has left the building while John has not even left his workstation.
John later logs into his Webmail account from a non-XYZ network computer and transfers the spreadsheet to a compact disc, which he gives to his buyer. Several weeks later, XYZ begins receiving calls from its client base reporting that they have been solicited by ABC representatives. (Or worse, XYZ sees a surge in client accounts transferred to ABC). XYZ initiates an internal investigation into the matter.
EVENT LOGS HELP IDENTIFY A THIEF
Because many of XYZ's employees had access to the stolen data, it is essential to first narrow the pool of potential suspects.
Thus, the first step in the investigative process is to obtain and analyze all network system and event logs that may contain valuable clues. Virtually all servers have the potential to maintain a log file that records, captures and lists requests made by employees.
Generally, there are a vast number of events that can be logged on a server, including operations on files or folder. These operations include accessing, creating, modifying or deleting files and folders.
An organization's IT department may choose to maximize the number and types of events that are logged, and may also choose to store that data for longer periods of time. The more data that is captured and retained, the more information forensic investigators have to analyze based upon the choice of logging events, and the length of time the data is maintained.
Based upon the choice of logging events, reports can be generated based on user ID or IP address (Internet Protocol address -- a unique identifier for each computer on the Internet or internal network), date and time of a request, number of records returned in a search, elapsed time to complete a request and the browser that made a request, among other potentially revealing pieces of information.
An organization that captures and maintains such data for at least 60 to 90 days will, generally speaking, give investigators a reasonable opportunity to track down rogue employees.
The logs that typically contain the key pieces of evidence include file access or file server logs (FTP, samba shares or active directories), e-mail server logs (such as Exchange logs in a Microsoft Outlook environment), firewall logs and Web server logs. FTP, HTTP (Web server) and e-mail server logs can identify the date and time a server was accessed by Media Access Control address -- a unique number identifying each computer network interface card within a corporate network ("MAC" address), and the IP address and user name.
Firewall logs memorialize all traffic in and out of a corporate network through specified ports. Web logs memorialize, in greater detail, the path traveled by Web traffic in and out of the corporate network. In our example at XYZ, a review of the file server log access would likely show that the IP address and corresponding MAC address assigned to John's computer logged into the file server at 9 a.m. on Jan. 2, 2006. If the proper logging events are activated on the server, the logs will also show that John accessed the folder containing the spreadsheet or the spreadsheet itself.
Standing alone, this would not be sufficient to demonstrate that John is the thief, given that he has permission to access the file and, in fact, must do so routinely to properly perform his job. Indeed, review of the file access log in this case shows that 25 other XYZ employees accessed and/or updated the spreadsheet in the weeks preceding discovery of the theft.
To further narrow the universe, a review of the firewall logs should be undertaken to see who among those 25 employees accessed the Internet proximately in time to accessing the client spreadsheet. In this instance, a review of the Web logs would reveal that mail.Yahoo.com was accessed from John's MAC address at 9:01 a.m. on Jan. 2, 2006. John has now become a prime suspect.
ENTER COMPUTER FORENSICS
Now that the field of potential suspects has been narrowed, the next step is to perform computer forensics on John's computer in an effort to find the evidence of what John actually did on mail.Yahoo.com. Computer forensics is defined as the collection, preservation, analysis and presentation of computer-related evidence.[FOOTNOTE 7]
With the use of specialized forensic tools, an investigator can create and analyze a bit-stream image of the hard drive (a copy that does not alter the original media in any way, and, if done properly, can be authenticated by the forensic expert as a copy of the original for use as evidence at any future proceeding). Analysis may take many forms, but, in this simple example, the most fruitful would be a key word search across John's entire hard drive for the term "Yahoo." Yahoo, Hotmail and other Web-based e-mail (such as AOL in some cases) are not saved locally on a user's desktop. Rather, the messages are saved to the e-mail provider's server.
Messages sent and received in a Yahoo account, unbeknownst to the user, however, are often stored temporarily ("cached") to a user's hard drive in plain language in unallocated free hard drive space. Therefore, even though there will be no "Yahoo" file on John's computer, a keyword search for "Yahoo" may very well reveal the e-mail (or a fragment thereof) that John sent to himself, as well as the spreadsheet attachment.
Additional review may yield login screens for the external account and/or the setup information from the account, itself. With the right pieces of the puzzle located, John is now identified as the culprit.
TECH + TRADITIONAL METHODS
The last step in the investigative process involves traditional investigative techniques.
While technology can be used to identify the thief, it may not be sufficient to identify all of the participants of the scheme. In this simple example, because John sent the e-mail to himself, the fact that he was working on behalf of a competitor would not be known without traditional investigative techniques. This information is often the most critical in light of the remedies available to corporations in such a scenario, ranging from a restraining order to successful civil litigation, and to criminal prosecution.
A review of telephone records identifying calls made to the competitor, confidential interviews with co-workers and, most importantly, an effective interview of the suspect by investigators armed with a technical background and the computer evidence, will often lead to an admission of the theft and the identity of all others involved.
MORE BENEFITS OF LOG EVENT DATA
A successful investigation in cases of corporate espionage is in many ways dependent upon the extent of the logging and the log retention policy of the organization's IT department.
Unlike the investigator, the IT staff's purpose is not to preserve critical evidence, but rather to assist in assessing a server's functionality and problems. In most cases, logging is left at the default setting, which only captures exceptions.
Generally speaking, the events that matter from an IT perspective are events that must be tracked to maintain functionality. Sixty to 90 days of such data is typically of no use for this purpose and logs are thus typically preserved only for a very short period of time. In the context of an investigation into a theft like John's at XYZ, such short-lived logs are of little value.
The unfortunate reality is that in the majority of cases, organizations do not discover that they do not have the proper logging until it is too late. Since it is impossible to recreate this data after the fact, the ability to thoroughly investigate and solve these cases, and thereby the likelihood of obtaining a civil judgment or pursuing a criminal prosecution, may be severely hampered. Organizations may wish to rethink their IT policy, with input from legal counsel, with regard to the maintenance of log events so that the data that will enable theft and fraud detection is maintained.
In addition to assisting in "catching the thief," an IT policy that requires the capture and maintenance of log event data may turn out to be an important part of an organization's ability to demonstrate the effectiveness of its internal controls and compliance programs. For example, under the Department of Justice's Thompson Memorandum,[FOOTNOTE 8] which sets forth the principles governing prosecution of organizations, one of the factors considered is the effectiveness of an organization's compliance programs. In this regard, the Department considers whether a compliance program "is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees."[FOOTNOTE 9]
Here, XYZ was clearly the victim of John's malfeasance, and application of the Thompson Memorandum would be a nonissue. In situations where an organization's computers are used to commit a crime for which the organization may have criminal exposure (for example, where an employee used an organization's computer to commit a crime for the benefit of the organization), the inability of the organization adequately to investigate the misconduct may prejudice its ability to argue for leniency at the charging decision stage under the Thompson Memorandum, or at the sentencing stage under the Guidelines.
Patrick J. Smith is a partner in the New York office of King & Spalding. Kevin Barrows is a principal in Renaissance Associates, an investigative firm that specializes in computer forensic investigations.
FN1 See Lawrence A. Gordon, et al., "2005 CSI/FBI Computer Crime and Security Survey," Computer Security Institute Publications 14 (2005), available at http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf; see also B. Masters & C. Ryan, "Identity Theft More Often an Inside Job," Washington Post, Dec. 3, 2002, p. A01.
FN2 18 U.S.C. §1832.
FN3 Recent prosecutions under the EEA include U.S. v. Zhang (N.D. Cal. Dec. 22, 2005) (defendant charged with downloading dozens of files from Marvell Semiconductor Inc.'s extranet, to which he had access as an employee of one of Marvell's customers, Netgear and then delivering the information to his new employer); U.S. v. Tsai (N.D. Cal. Sept. 6, 2005) (prosecution of insider for theft of data sheet of employer's proprietary information).
FN4 18 U.S.C. §1030.
FN5 In U.S. v. Garrison (N.D.N.Y. May 23, 2003), the defendant pleaded guilty to illegal downloading of trade secrets consisting of engineering drawings and data, in violation of 18 U.S.C. §1030(a)(4).
FN6 18 U.S.C. §1030(g).
FN7 John R. Vacca, "Computer Forensics: Computer Crime Scene Investigation," p. 4 (2002).
FN8 Memorandum from Larry D. Thompson to the Heads of Dep't Components U.S. Attorney, Principles of Federal Prosecution of Business Organizations (Jan. 20, 2003) (available at http://www.usdoj.gov/dag/cftf/business_organizations.pdf).
FN9 Id. at 9.
Intelligence Search is the web's only search engine to exclusively index
Owned and Operated by InfoBureau.net Co.