In lieu of an abstract, here is a brief excerpt of the content:

Computer Crime Incidents and Responses in the Private Sector
Edward M. Stroz

Companies can fall victim to various types of computer crime and accidental incidents. One type of incident is a data breach, in which information a company has in its possession is stolen or in some way improperly released. An obvious example we have all read about is the theft of individual social security account numbers (SSANs) or credit card numbers. There are other forms of data breach, too, such as the theft of trade secrets. If we just focus on data breaches, we see that the size of this problem alone is striking. According to figures posted in 2010 by www.privacyrights.org, 494,647,283 records were breached in 1,651 separate instances of data breach made public since 2005 [1]. An often-cited example of a large data breach was announced by Heartland Payment Systems in 2009. Press reports indicated that approximately 130 million records may have been compromised [2]. Many other companies, governments, and not-for-profit organizations (such as TJX, ChoicePoint, and the Veterans Administration) have reported data breaches in which millions of records were exposed or stolen. Sometimes the cause of the breach is a lost laptop, the theft of a computer hard drive or backup tape, or the action of a disgruntled employee. In other cases, data breaches are brought about by malicious computer software (malware) that has been installed surreptitiously on a company’s computer network. You may have read press reports about what have become known as advanced persistent threat (APT) technologies, which have been an eye-opener for business executives. While your company might appear to be running just fine, and even profitably, your company’s data may have been targeted and compromised using hidden techniques.

And one of the more disconcerting properties of information is that, unlike money or physical property, it can be stolen without depriving the owner of that which has been stolen. The theft happens by copying rather than removal.

Who Does This, and Why?

Those who seek to steal information are sometimes referred to as threat agents. Threat agents can have different motivations for what they do. Some intruders are motivated by financial profit, and they may be interested in stealing personally identifiable information (PII) to sell to identity thieves, or intellectual property such as trade secrets or research and development information (industrial espionage). Sometimes an intruder tries to sell the information back to the victim in an extortion scheme. Other intruders may be motivated by ideology. Attacks by this type of intruder can include state-sponsored attacks, and are sometimes committed by trusted insiders of the targeted company. An insider attack can also be the work of a disgruntled employee, as appears to be the case with the WikiLeaks incidents involving the theft of diplomatic cable communications. Having some degree of understanding of the attacker’s motivation is important in developing an effective response to the incident, and in preventing these problems in the future.

Important Response Actions and Considerations

If the incident under investigation is believed to be the work of an attacker external to the victim company, it is important to start by identifying the computers that are likely to have been compromised by the attack. The process for identifying the compromised computers will have to be tailored to the specific computer network involved, and often depends heavily on a dialogue with trusted members of the IT staff, and on a good data map. (More information about the data map is in the “Useful Tips for Preventing Incidents and Effectively Responding in the Event They Happen” section later in this chapter.) From there, a forensic copy (or forensic image) of the data from the compromised computers is usually made to preserve data that would otherwise be altered or lost. The forensically preserved data are then analyzed for the presence of malware and for data artifacts that could indicate whether the malware was activated and, if so, to what degree. For example, logs are analyzed and key events from those logs are correlated in an attempt to establish how, when, and where data were touched, copied, and transmitted. Other data that are not recorded in logs also have to be taken into consideration. This analysis requires someone with training and expertise in this type of specialized investigation. The...
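The log-correlation step described above, as an added example that is not from the chapter: it merges constructed file-access audit and web-proxy log lines into one per-host timeline and flags hosts where a read of a sensitive path is followed shortly by a large outbound POST, so those machines can be prioritized for forensic imaging. The log formats, hostnames, and sensitive-path prefixes are assumptions, not anything the chapter specifies.

```python
from datetime import datetime, timedelta
import re
# Constructed sample logs (not real data): a file-access audit log and a web proxy log.
FILE_AUDIT_LOG = """\
2010-03-01T09:12:04Z host=ws-17 user=jdoe action=read path=/finance/payroll.xlsx
2010-03-01T09:15:30Z host=ws-17 user=jdoe action=read path=/docs/readme.txt
2010-03-01T10:02:11Z host=ws-22 user=asmith action=read path=/rd/design.pdf
"""
PROXY_LOG = """\
2010-03-01T09:14:50Z host=ws-17 dst=203.0.113.9 bytes_out=5242880 method=POST
2010-03-01T12:40:00Z host=ws-22 dst=198.51.100.4 bytes_out=1200 method=GET
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_log(text, source):
    """Turn 'timestamp key=value ...' lines into event dicts tagged with their source."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = source
        events.append(ev)
    return events

def build_timeline(*event_lists):
    """Merge events from all sources into one chronological timeline."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])

def flag_read_then_transfer(timeline, sensitive_prefixes=("/finance/", "/rd/"),
                            window=timedelta(minutes=30), min_bytes=1_000_000):
    """Return hosts where a sensitive read is followed within `window` by a large POST."""
    last_read = {}  # host -> time of the most recent sensitive-file read
    flagged = set()
    for e in timeline:
        host = e["host"]
        if e["source"] == "file" and e.get("path", "").startswith(sensitive_prefixes):
            last_read[host] = e["ts"]
        elif (e["source"] == "proxy" and e.get("method") == "POST"
              and host in last_read and e["ts"] - last_read[host] <= window
              and int(e["bytes_out"]) >= min_bytes):
            flagged.add(host)
    return sorted(flagged)

if __name__ == "__main__":
    tl = build_timeline(parse_log(FILE_AUDIT_LOG, "file"), parse_log(PROXY_LOG, "proxy"))
    print("hosts to image first:", flag_read_then_transfer(tl))
```

Events the logs do not capture (the chapter's "other data") still need a human analyst; this only orders what was logged and narrows where to look first.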
