<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Immutable kBlog: thoughts on data integrity</title>
	<atom:link href="http://www.kinamik.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.kinamik.com/blog</link>
	<description>thoughts on security, data integrity, GRC and other security-related issues.</description>
	<lastBuildDate>Tue, 15 May 2012 12:47:27 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>BYOD + eDiscovery = Massive Issue</title>
		<link>http://www.kinamik.com/blog/byod-ediscovery-massive-issue/</link>
		<comments>http://www.kinamik.com/blog/byod-ediscovery-massive-issue/#comments</comments>
		<pubDate>Tue, 15 May 2012 12:47:27 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[BP plc]]></category>
		<category><![CDATA[Bring Your Own Device]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[Deepwater Horizon disaster]]></category>
		<category><![CDATA[eDiscovery]]></category>
		<category><![CDATA[Kurt Mix]]></category>
		<category><![CDATA[Legal Hold]]></category>
		<category><![CDATA[Mobile Device]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=101</guid>
		<description><![CDATA[Prior to joining Kinamik, I was a security consultant; while doing my job, it was normal practice to bring my own laptop into an organization, which often meant copying and retaining sensitive company information on it. Being a security consultant, I obviously made sure that my hard drive was encrypted, that the antivirus was up [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.kinamik.com/blog/wp-content/uploads/2012/05/byod-security.jpg"><img class="alignright size-full wp-image-102" title="byod security" src="http://www.kinamik.com/blog/wp-content/uploads/2012/05/byod-security.jpg" alt="" width="198" height="254" /></a>Prior to joining Kinamik, I was a security consultant; while doing my job, it was normal practice to bring my own laptop into an organization, which often meant copying and retaining sensitive company information on it. Being a security consultant, I obviously made sure that my hard drive was encrypted, that the antivirus was up to date, that operating system and application patches were applied promptly, that the firewall rules were appropriate, and I even checked the logs on a frequent basis. But times change, and, today, these normal security practices have slightly evolved, especially with respect to replicated cloud storage. I now encrypt individual files and am careful about what is synchronised to my mobile devices. I have often wondered how many non-security folk take such precautions!</p>
<p>InformationWeek's <a href="http://reports.informationweek.com/abstract/18/8792/Mobility-Wireless/research-2012-state-of-mobile-security.html" target="_blank">2012 State of Mobile Security</a> report provides a glimpse of the current situation: “with 62% already allowing personal devices at work, IT’s juggling laptop policies and Wi-Fi policies and BYOD policies—and that means security gaps big enough to drive a semi through. Most, 80%, require only passwords for mobile devices that access enterprise data/networks, yet just 14% require hardware encryption, no exceptions”.</p>
<p>OK, so this problem is pretty bad; just to make matters worse, let’s think about eDiscovery and eEvidence issues… Kurt Mix, a <a href="http://www.justice.gov/opa/pr/2012/April/12-ag-524.html" target="_blank">former engineer for BP plc, is being prosecuted on charges of intentionally destroying SMS evidence</a> requested by federal criminal authorities that are investigating the Deepwater Horizon disaster. If convicted, Mix faces a maximum penalty of 20 years in prison and a fine of up to $250,000 on each count. Will it be just Kurt who gets into trouble here, or is it possible that there is a smoking gun scenario that will be pursued at more senior levels of the company?</p>
<p>To sum it up, organisations need not only to look at how to protect electronically stored information (ESI), but also at how to ensure that records generated on mobile devices are preserved, especially whilst on legal hold. Issuing legal hold notices is just not enough; there need to be technical solutions available to ensure on-going legal hold, especially on mobile devices that do not benefit from regular backups.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/byod-ediscovery-massive-issue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The spanner in Federal Cloud Computing</title>
		<link>http://www.kinamik.com/blog/the-spanner-in-federal-cloud-computing/</link>
		<comments>http://www.kinamik.com/blog/the-spanner-in-federal-cloud-computing/#comments</comments>
		<pubDate>Fri, 16 Dec 2011 11:13:55 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[digital evidence]]></category>
		<category><![CDATA[Judge Paul Grimm]]></category>
		<category><![CDATA[Lorrian vs Markel]]></category>
		<category><![CDATA[records management]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=85</guid>
		<description><![CDATA[Vivek Kundra’s legacy was to set in motion a deep change in the IT landscape for the Federal Government. The last few years saw many sceptics express doubts about the government moving to the cloud, but the rudder did turn and now it’s obvious how deep the Fed is in this turn, addressing the challenges [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.kinamik.com/blog/wp-content/uploads/2011/12/foundations_digital_evidence_book_cover1.bmp"><img class="alignright size-full wp-image-88" title="foundations_digital_evidence" src="http://www.kinamik.com/blog/wp-content/uploads/2011/12/foundations_digital_evidence_book_cover1.bmp" alt="" width="190" height="232" /></a>Vivek Kundra’s legacy was to set in motion a deep change in the IT landscape for the Federal Government. The last few years saw many sceptics express doubts about the government moving to the cloud, but the rudder did turn and now it’s obvious how deep the Fed is in this turn, addressing the challenges of procurement (e.g. Apps.gov), security and simplified accreditation (FedRAMP). However, a recent <a href="http://www.whitehouse.gov/the-press-office/2011/11/28/presidential-memorandum-managing-government-records" target="_blank">Presidential Memorandum on Managing Government Records</a>, released on November 28, 2011, sets a pretty significant hurdle for agencies that use public cloud providers to jump over, let alone comply with for internal systems. Specifically, these agencies are required to address “managing electronic records, including email and social media, deploying cloud based services or storage solutions&#8230;supporting agency compliance with applicable legal requirements related to the preservation of information relevant to litigation&#8221;.</p>
<p>Untangling that: basically, preservation of records for litigation is pretty complex and is discussed in many publications. It is supported by the test of authenticity, which determines whether the data carries sufficient evidential weight to be admissible (see <a href="http://apps.americanbar.org/abastore/index.cfm?section=main&amp;fm=Product.AddToCart&amp;pid=5450053" target="_blank">The Foundations of Digital Evidence</a> and <a href="http://www.bs10008.com/" target="_blank">BS10008</a>). As US Chief Magistrate Judge Paul W. Grimm (author of the <a href="http://www.mdd.uscourts.gov/Opinions/Opinions/Lorraine%20v.%20Markel%20-%20ESIADMISSIBILITY%20OPINION.pdf" target="_blank">Lorraine v. Markel</a> opinion) suggests in his recent eDiscovery <a href="http://discoverybrain.com/interview/an-interview-with-judge-paul-grimm-chief-united-states-magistrate-judge-1-of-3/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=an-interview-with-judge-paul-grimm-chief-united-states-magistrate-judge-1-of-3" target="_blank">interview</a>, &#8220;rules that deal with whether it’s admissible or not must be addressed&#8230;If people weren’t aware of what they had to do to get this stuff into evidence during the discovery phase&#8230;they were potentially spending huge amounts of money only to be left wanting a trial because they couldn’t get it into evidence&#8221;.</p>
<p>Think about a simple case of a cloud provider who does somehow agree to provide data to support your e-Discovery requests but cannot prove the data's authenticity. It brings to mind all those sunk costs invested to discover, retain and preserve the data, but with no forethought towards actually having to use it in court.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/the-spanner-in-federal-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The cost of cybercrime</title>
		<link>http://www.kinamik.com/blog/the-cost-of-cybercrime/</link>
		<comments>http://www.kinamik.com/blog/the-cost-of-cybercrime/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 12:22:28 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[e-discovery]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[Cyber crime]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[digital evidence]]></category>
		<category><![CDATA[Hacker]]></category>
		<category><![CDATA[Log files]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=73</guid>
		<description><![CDATA[I know the Ponemon Institute has a sponsor for each of their studies but the recently released Second Annual Cost of Cyber Crime Study does contain some really valid findings that CSOs should take into account.
Their study highlights just how many companies are immature in the detective and reactive controls following a breach.  I would [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.kinamik.com/blog/wp-content/uploads/2011/11/hacker1.jpg"><img class="alignright size-full wp-image-78" title="hacker" src="http://www.kinamik.com/blog/wp-content/uploads/2011/11/hacker1.jpg" alt="" width="199" height="170" /></a>I know the Ponemon Institute has a sponsor for each of their studies but the recently released <a href="http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf" target="_blank">Second Annual Cost of Cyber Crime Study</a> does contain some really valid findings that CSOs should take into account.</p>
<p>Their study highlights just how many companies are immature in their detective and reactive controls following a breach. I would suggest that for data theft and fraud breaches, most of the deployed controls are so ineffective that, often, the occurrence of a breach is detected through a source outside of the organisation. A great example of this is the <a href="http://www.eweek.com/c/a/Database/Stolen-TJX-Data-Used-in-8M-Scheme-Before-Breach-Discovery/" target="_blank">TJX breach</a>, where the incident was reported by TJX officials around a month after an extensive fraud had occurred.</p>
<p>There are many reasons for this, including but not limited to zero-day hacks or ineffective intrusion detection systems. However, as Ponemon points out in their findings, “companies using SIEM were better able to quickly detect and contain cyber crimes than those companies not using SIEM”&#8230; Yes, the sponsor of this study is a SIEM provider. More importantly though, it does point to the fact that audit log information is a key source of information for detection capabilities. However, as recognised year after year by another study known as the <a href="http://www.deloitte.com/assets/Dcom-Global/Local%20Assets/Documents/Financial%20Services/dtt_fsi_2010%20Global%20FS%20Security%20Survey_20100603.pdf" target="_blank">Deloitte Global Financial Services Security Survey</a>, within the top 5 internal/external audit findings is &#8220;Audit trails/logging issues&#8221;. I.e., organisations are still wrestling with the collection, analysis and protection of audit log data. CSOs need to place greater emphasis on using some of their rapidly reducing IT budgets on log collection, analysis and protection tools, because, as Ponemon points out, “Cyber attacks can get costly if not resolved quickly&#8230;the average time to resolve a cyber attack by a participating organisation was 18 days at an approximate average cost of $415k with malicious insider attacks taking more than 45 days”&#8230; I know of more than a few log management solutions that cost less than that.<br />
 <br />
OK, now let's assume that you have a solution to detect and fix a breach but now want to prosecute or even have to defend against a prosecution. Most companies are missing a critical capability, and this causes a significant pain point in litigation scenarios. Specifically, most organisations have not deployed capabilities to make their electronic data digital-evidence ready. I will write more on this in an upcoming post; however, if you cannot prove the electronically stored data's authenticity, it will not be usable as evidence. A great source to identify the controls you need to consider is <a href="http://shop.bsigroup.com/en/Browse-by-Subject/ICT/Legal-admissibility/" target="_blank">BS 10008 – Evidential weight and legal admissibility of electronically stored information</a>.</p>
<p>In addition to the digital evidence point, it is now a known fact that the hacker of today is not out to be noticed.  In fact they have always preferred to stay undetected until they want to get noticed.  To do this they delete or modify data that may show their activity.   In most hacking 101 books/ papers, there are sections on how to conduct a stealth attack and how to remain undetected by deleting or modifying log data.  It’s obvious that if the log data has been modified the time to detect and respond to an attack will be substantially increased. </p>
<p>A professor at one of the first lectures that I had in Information Security asked the question: “What is the most dangerous thing a hacker can do?” After going through a list of responses by the class, he suggested: “It is to stay hidden and seep corruption into the organisation's digital data so that it even gets into the backups and yields an unrecoverable digital data environment&#8230;. This type of effect can put a company out of business”. Now, years on, I recognise that this is not the worst a hacker can do, i.e. they can cause an outage of a power grid, mayhem at a nuclear plant etc. However, with respect to normal business, it does make me wonder how many organisations were subjected to this type of attack when the UK's Ministry of Defence published the warning “<a href="http://www.telegraph.co.uk/technology/news/8845100/Foreign-hackers-putting-UK-firms-out-of-business.html" target="_blank">Foreign hackers &#8216;putting UK firms out of business&#8217;</a>&#8220;.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/the-cost-of-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trustworthy time and the crucial role it plays in providing digital evidence</title>
		<link>http://www.kinamik.com/blog/trustworthy-time-and-the-crucial-role-it-plays-in-providing-digital-evidence/</link>
		<comments>http://www.kinamik.com/blog/trustworthy-time-and-the-crucial-role-it-plays-in-providing-digital-evidence/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 21:15:44 +0000</pubDate>
		<dc:creator>Nadeem</dc:creator>
				<category><![CDATA[Laws and regulations]]></category>
		<category><![CDATA[audit logs]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[digital evidence]]></category>
		<category><![CDATA[NTP]]></category>
		<category><![CDATA[time]]></category>
		<category><![CDATA[timestamp]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=66</guid>
		<description><![CDATA[Editor's Note: Nearly every day these days, some sort of new data assurance-related issue is featured in the news. We thought it might be a good time to blog on some of the more noteworthy aspects of news and trends. The first in this series is on the use of trusted time.
Time is used throughout [...]]]></description>
			<content:encoded><![CDATA[<p><em>Editor's Note: Nearly every day these days, some sort of new data assurance-related issue is featured in the news. We thought it might be a good time to blog on some of the more noteworthy aspects of news and trends. The first in this series is on the use of trusted time.</em></p>
<p>Time is used throughout the judicial landscape to provide a chronology of events. In the digital world, these events are often captured in audit logs, where each event is associated with a timestamp. When things go wrong and the audit log data will be needed in a court of law as evidence, it does beg the question of whether system time synchronization capabilities have been used or, even better, whether trusted time stamping solutions are installed. At issue here is whether it can be proven that the data has not been compromised or tampered with in any way.</p>
<p>Organizations that have implemented the Network Time Protocol (NTP) are better off than those relying only on the system's hardware clock, which is usually set at the beginning of the hardware's life or maybe during some critical hardware maintenance event. This would mean that any time data, e.g. in audit logs, would be equivalent to that of the hardware engineer's wristwatch. In well-run IT environments this is not so common. Additionally, well-run organizations would use a log centralization tool that includes its own timestamp from when it received that audit event data. If this is done in real time across a multitude of systems, the forensic and audit value is very high.</p>
<p>Going back to using these audit log records for digital evidence: if I were a cross-examining lawyer who wanted to diminish the value of the time data, it would be fun finding out whether the audit log's time source comes from some time-synchronized system or not. Obviously any time data traceable to the hardware engineer's watch as an endpoint would result in significantly lower evidential weight. Or, if an NTP time server was used, then the question arises: “How vulnerable is the NTP time server and what is the time source that sets its clock?” Motivation may be a defense, but that discussion is for another blog post. There have been many vulnerabilities published associated with the use of NTP, for example the <a href="http://www.cisco.com/warp/public/707/cisco-sa-20020508-ntp-vulnerability.shtml">Cisco Security Advisory: NTP Vulnerability</a> and the <a href="http://www.ubuntu.com/usn/usn-867-1/">Ubuntu NTP vulnerability</a>; many more are available through a simple web search.</p>
<p>Trustworthy time is a crucial attribute in the digital evidence world. If the time data within the audit logs of at least the important systems does not carry sufficient evidential weight, then there could be some happy defense lawyers and their clients celebrating their successes out there.</p>
<p>Author: Nadeem Bukhari</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/trustworthy-time-and-the-crucial-role-it-plays-in-providing-digital-evidence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Integrity: the ticking time bomb</title>
		<link>http://www.kinamik.com/blog/data-integrity-the-ticking-time-bomb/</link>
		<comments>http://www.kinamik.com/blog/data-integrity-the-ticking-time-bomb/#comments</comments>
		<pubDate>Tue, 19 May 2009 10:23:02 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Data Integrity]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=58</guid>
		<description><![CDATA[I&#8217;ve read a great post on David Lacey&#8217;s blog. Very clearly, he points out how most people and organizations are forgetting that information security is based on a three-pillar house (Availability, Confidentiality and Integrity, or CIA).
Availability was the main focus some years ago. Denial-of-service was the main worry, and business continuity was the focus of [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve read a great post on <a href="http://www.computerweekly.com/blogs/david_lacey/2009/05/the_age_of_integrity.html" target="_blank">David Lacey&#8217;s blog</a>. Very clearly, he points out how most people and organizations are forgetting that information security is based on a three-pillar house (Availability, Confidentiality and Integrity, or CIA).</p>
<p>Availability was the main focus some years ago. Denial-of-service was the main worry, and business continuity was the focus of organizations. Then came the turn of confidentiality, and encryption became something that was, almost, everywhere. The impact of a loss of availability is big; the impact of a loss of confidentiality is bigger&#8230; and scarier.</p>
<p>But now comes the time for data integrity. Right now, few decision-making minds in organizations focus on that, or care about it. But still, the impact of a loss in data integrity is, and here we agree with Mr. Lacey, huge. What if somebody changed the data, intentionally or not? Results can go from undermining the people&#8217;s (think about the recent alleged <a href="http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html" target="_blank">attack by a hacker on the Virginia Health Professions Database</a>) to outright fraud (think about the <a href="http://www.kinamik.com/blog/satyam-computers-indias-enron-wall-of-shame/" target="_blank">Satyam Computers</a>&#8217; case).</p>
<p>And it gets darker. The problem lies not only in safeguarding integrity, but also in the long and painful process of recovering from one of these attacks: how do you know exactly which data is trustworthy (i.e. hasn&#8217;t been tampered with) and which is not?</p>
<p>It is surprising that currently there is not a big concern about this. We are guessing that unfortunately this concern will come when it is too late, when there have been many breaches in data integrity and the costs and consequences are there to remind us of its importance. That is why, in David Lacey&#8217;s words, it is a time-bomb waiting to explode.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/data-integrity-the-ticking-time-bomb/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lex Nokia, or how employee&#8217;s right for privacy evolves</title>
		<link>http://www.kinamik.com/blog/lex-nokia-or-how-employees-right-for-privacy-evolves/</link>
		<comments>http://www.kinamik.com/blog/lex-nokia-or-how-employees-right-for-privacy-evolves/#comments</comments>
		<pubDate>Mon, 09 Mar 2009 09:04:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[e-mail]]></category>
		<category><![CDATA[Nokia]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=51</guid>
		<description><![CDATA[Last week the Finnish parliament approved a controversial law that allows employers to track their employees&#8217; emails. This law, named &#8220;Lex Nokia&#8221; (Latin for &#8220;Nokia&#8217;s law&#8221;), was strongly supported by Finnish employers&#8217; organizations; the name relates to Nokia because a respected Finnish newspaper reported some weeks ago that Nokia was threatening [...]]]></description>
			<content:encoded><![CDATA[<p>Last week the Finnish parliament approved a <a href="http://www.forbes.com/feeds/ap/2009/03/04/ap6124938.html" target="_blank">controversial law</a> that allows employers to track their employees&#8217; emails. This law, named &#8220;Lex Nokia&#8221; (Latin for &#8220;Nokia&#8217;s law&#8221;), was strongly supported by Finnish employers&#8217; organizations; the name relates to Nokia because a respected Finnish newspaper reported some weeks ago that Nokia was threatening to leave the country if the law was not approved. The news, obviously, was echoed <a href="http://ca.news.yahoo.com/s/afp/090201/business/finland_politics_rights_telecom_equip_company_nokia" target="_blank">around the Internet</a>. Nokia has denied these accusations.</p>
<p>The law does not actually allow employers to check on their workers&#8217; emails and read their communications. It gives them the right to track them, though, by retaining information associated with those emails such as recipients, senders and the time when those emails were read or sent. Employers can also check whether emails have attachments, and data related to them. This law, of course, has created a great deal of discussion among civil rights groups, employers&#8217; organizations and Finnish society.</p>
<p>What we think is interesting is the way this is evolving. It seems that it is becoming an undeniable fact that businesses need to defend themselves from corporate espionage. But there&#8217;s also the fact that allowing employers to check on some information about their workers&#8217; email may open the door to abuses. The direct relation between being allowed to do it and the certainty of abusing this law is a matter of debate. The important issue here is that it will certainly put doubts in each worker&#8217;s mind: is my boss checking my emails? So the key element here is the ability to prove, unquestionably, that emails have or have not been checked. And this is where the <a href="http://www.kinamik.com/index.php/How-it-works.html" target="_blank">Kinamik Secure Audit Vault</a> can be the final solution.</p>
<p>Of course, these accesses to the workers&#8217; emails must be audited. But auditing alone does not provide a sufficient solution, since this audit data can be easily changed, especially when users have high privileges or power. By collecting, centralizing and securing this audit information with the Kinamik Secure Audit Vault, employers will not only gain in efficiency and lower auditing and compliance costs, but will also be able to provide something harder to quantify but no less important: their employees&#8217; trust. Being able to prove, without any doubt, that the audit records that show who has done what have not been changed will certainly provide peace of mind to every single person in an organization. Knowing that there&#8217;s an always-on, tamper-evident watching system like this should definitely be the standard best practice whenever an organization wants to exercise its right to check its workers&#8217; emails.</p>
<p>One last note: I have been asked many times in the past why any worker organization would accept implementing a system like this in any organization, since they feel that they will be constantly watched. Well, the reasons mentioned above are exactly why: these kinds of systems are not accusatory systems; they are protective systems that allow the guilty to be proven guilty, and the innocent to be confident that his or her innocence will be unquestionably shown.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/lex-nokia-or-how-employees-right-for-privacy-evolves/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defending on data integrity attacks</title>
		<link>http://www.kinamik.com/blog/defending-on-data-integrity-attacks/</link>
		<comments>http://www.kinamik.com/blog/defending-on-data-integrity-attacks/#comments</comments>
		<pubDate>Mon, 02 Mar 2009 08:59:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Data Integrity]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=46</guid>
		<description><![CDATA[We&#8217;ve already mentioned that data integrity is going to be the next big threat. Well, Sarb Sembhi, president of the London chapter of ISACA, also thinks like that.
In this very interesting short article, Mr. Sembhi points out something many people think: there are many more attacks than the ones disclosed to the public. He also [...]]]></description>
			<content:encoded><![CDATA[<p>We&#8217;ve already mentioned that data integrity is going to be <a href="http://www.kinamik.com/blog/integrity-the-future-threat/" target="_blank">the next big threat</a>. Well, Sarb Sembhi, president of the London chapter of ISACA, also thinks <a href="http://www.computerweekly.com/Articles/2009/02/16/234824/how-to-defend-against-data-integrity-attacks.htm" target="_blank">like that</a>.<br />
In this very interesting short article, Mr. Sembhi points out something many people think: there are many more attacks than the ones disclosed to the public. He also points out that, tied to the economic climate we currently have, several high-profile fraud cases are being discovered (and we think that unfortunately there are many more to come). Although not directly linked, he also implies that high-value frauds and data integrity attacks are closely related. The likelihood of data integrity being part of these data manipulations increases as the total value of the fraud gets higher; hence, it wouldn&#8217;t be wrong to assume that, again, the lack of proper data integrity protection tools certainly doesn&#8217;t help prevent this type of case in organizations.</p>
<p>We are working to show Mr. Sembhi that we are what he is missing: a data integrity protection solution aimed at protecting every type of data.</p>
<p>In the meantime, he mentions a fact as true as the sky is blue: it all starts with putting proper procedures in place. To reduce the organization&#8217;s exposure to data integrity attacks (and to high-value frauds), Mr. Sembhi mentions:</p>
<ul>
<li>&#8220;Create policies and procedures for data quality and data integrity</li>
<li>Create policies and procedures to identify the extent of the problem and record incidences of data integrity compromises and suspected incidents of fraud</li>
<li>Ensure information assets are correctly valued, (including configuration and log files, and meta data)</li>
<li>Undertake threat assessment of valued data</li>
<li>Take a risk management approach to protecting data integrity</li>
<li>Ensure adequate protection of all data that is relied upon for investigatory purposes</li>
<li>Include data integrity protection as part of security awareness programme&#8221;</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/defending-on-data-integrity-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spy Scandal at Deutsche Bahn // The Wall of Shame</title>
		<link>http://www.kinamik.com/blog/spy-scandal-at-deutsche-bahn-the-wall-of-shame/</link>
		<comments>http://www.kinamik.com/blog/spy-scandal-at-deutsche-bahn-the-wall-of-shame/#comments</comments>
		<pubDate>Wed, 18 Feb 2009 17:12:40 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Wall of Shame]]></category>
		<category><![CDATA[Deutche Bahn]]></category>
		<category><![CDATA[spying]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=40</guid>
<description><![CDATA[Does the end justify the means? Der Spiegel reports a story in which Deutsche Bahn, the German state-owned rail service, is watching a new scandal grow, one that risks implicating its top managers.
The German rail company is being accused of spying on almost all of its 227.000 employees for almost a decade. Part [...]]]></description>
<content:encoded><![CDATA[<p>Does the end justify the means? <a href="http://www.spiegel.de/international/germany/0,1518,607206,00.html" target="_blank">Der Spiegel reports a story</a> in which Deutsche Bahn, the German state-owned rail service, is watching a new scandal grow, one that risks implicating its top managers.</p>
<p>The German rail company is being accused of spying on almost all of its 227.000 employees for almost a decade. Part of a campaign to root out internal corruption (a very positive cause indeed), the spying operation consisted of comparing the &#8220;master data&#8221; (i.e. personal details) of over 170.000 employees with information on around 80.000 external suppliers, in order to reveal irregularities that might indicate internal corruption. These comparisons were run at least three times (in 2002, 2003 and 2005).</p>
<p>It is now under investigation whether privacy laws have been broken or not. But even if Deutsche Bahn&#8217;s actions were legal, privacy is an extremely sensitive matter in Germany because of its Nazi and Communist past. Surprisingly enough, this is not the first such spying case: <a href="http://www.spiegel.de/international/business/0,1518,555363,00.html" target="_blank">Deutsche Telekom</a> in 2008 and <a href="http://www.spiegel.de/international/germany/0,1518,548625,00.html" target="_blank">Lidl grocery stores</a> in 2007 preceded it.</p>
<p>Also under investigation is how aware its top managers (including Deutsche Bahn&#8217;s CEO, Hartmut Mehdorn) were of these proceedings.</p>
<p>Once again, we are witnessing privacy and employee surveillance issues arise. Any organization is within its rights to safeguard its name, its intellectual property, and even its trade and business secrets. But doing so properly and trampling on its employees&#8217; privacy are two different matters. Proper systems should be put in place to audit each and every action performed within an organization, even by the most privileged users. This kind of system (like the <a href="http://www.kinamik.com/index.php/How-it-works.html" target="_blank">Kinamik Secure Audit Vault</a>) would act as a deterrent against any misuse, and accountability and full responsibility would be in place. It would protect both the organization and its employees: the organization would be protected since employees would think twice before taking any inappropriate or illegal action, knowing that each and every action is being recorded and archived. And employees would be protected since the audited actions would also include those allegedly carried out by Deutsche Bahn; any employee representative (e.g. a union leader) could then run integrity reports and analysis on the audit trails to check for improper actions, and be sure that these reports can be unquestionably trusted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/spy-scandal-at-deutsche-bahn-the-wall-of-shame/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Satyam Computers: India&#8217;s Enron?- Another Wall of Shame post</title>
		<link>http://www.kinamik.com/blog/satyam-computers-indias-enron-wall-of-shame/</link>
		<comments>http://www.kinamik.com/blog/satyam-computers-indias-enron-wall-of-shame/#comments</comments>
		<pubDate>Mon, 26 Jan 2009 18:26:49 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[Wall of Shame]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[PriceWaterhouseCoopers]]></category>
		<category><![CDATA[Satyam Computers]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=27</guid>
<description><![CDATA[This week&#8217;s Wall of Shame post is about the recent scandal at Satyam Computers, the Indian IT outsourcing giant.
The scandal, reported extensively in the media, is the biggest-ever corporate fraud in India&#8217;s history. Satyam&#8217;s former CEO, Ramalinga Raju, admitted he had been cooking the books of his firm in recent years. In his statement, [...]]]></description>
<content:encoded><![CDATA[<p>This week&#8217;s Wall of Shame post is about the recent scandal at Satyam Computers, the Indian IT outsourcing giant.</p>
<p>The scandal, reported extensively in the <a href="http://news.bbc.co.uk/2/hi/business/7818220.stm" target="_blank">media</a>, is the biggest-ever corporate fraud in India&#8217;s history. Satyam&#8217;s former CEO, Ramalinga Raju, admitted he had been cooking the books of his firm in recent years. In his statement, Mr. Raju said that about $1bn (€0.75bn), reflecting 94% of the cash on the company&#8217;s books, was made up. The fraud he perpetrated was so large and complex that Indian business people are already calling it “India&#8217;s Enron”.</p>
<p>But this immense fraud scandal does not end here. Just as in Enron&#8217;s case, in which one of the &#8220;Big Five&#8221; accounting firms, Arthur Andersen, was finished off, one of the remaining &#8220;Big Four&#8221; now finds itself in the middle of the turmoil: PriceWaterhouseCoopers is in the spotlight.</p>
<p>Bloomberg.com <a href="http://bloomberg.com/apps/news?pid=20601087&amp;sid=a5sa8Cqwaa_Q&amp;refer=home" target="_blank">reports</a> that two PriceWaterhouseCoopers auditors have just been arrested, putting the auditing firm at the center of attention. It is the first time in India&#8217;s history that an auditor has been detained for failing to ensure a client&#8217;s financial integrity. PriceWaterhouseCoopers LLP may even face scrutiny in the U.S. after Satyam’s shares, listed in New York, lost 82% of their market value in two weeks.</p>
<p>Many implications arise out of this scandal. The first question that comes to mind is how such a big fraud could happen without anybody noticing. Although Mr. Raju claims that only a few people knew about the scam, the country&#8217;s regulators, including Sebi and India’s Institute of Chartered Accountants, have promised an investigation. This will inevitably lead to stricter oversight of auditors; furthermore, analysts believe the rules governing independent directors will need to be tightened to force them to be more accountable. Questions are also being asked about governance at India’s other family-dominated businesses.</p>
<p>Keyword here? <strong>Accountability</strong>. Once again, we see the need for an independent auditing platform that secures this kind of sensitive data and makes it tamper-evident, like the <strong>Kinamik Secure Audit Vault</strong>. Having this kind of platform in place acts as a deterrent: if every user (even the most privileged) is certain that his or her trail is being &#8220;recorded&#8221; and cannot be covered up, scandals of this kind would certainly occur less often. Users at all levels, up to the C-level, would be accountable for their actions, and with trustworthy and tamper-evident records of all the actions that took place, organizations could even protect the innocent by unquestionably proving not only what was done, but also that nothing has been changed.</p>
<p>You can read more about the Kinamik Secure Audit Vault <a href="http://www.kinamik.com/index.php/How-it-works.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/satyam-computers-indias-enron-wall-of-shame/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dealing with the crisis and disgruntled employees</title>
		<link>http://www.kinamik.com/blog/dealing-with-the-crisis-and-disgruntled-employees/</link>
		<comments>http://www.kinamik.com/blog/dealing-with-the-crisis-and-disgruntled-employees/#comments</comments>
		<pubDate>Thu, 22 Jan 2009 18:49:25 +0000</pubDate>
		<dc:creator>Rob</dc:creator>
				<category><![CDATA[insider threat]]></category>
		<category><![CDATA[accountability]]></category>
		<category><![CDATA[economic crisis]]></category>

		<guid isPermaLink="false">http://www.kinamik.com/blog/?p=22</guid>
<description><![CDATA[A recent article at Forbes online commented on the possible relation between the rise in cybercrime and the current economic crisis. Although the statement is hard to prove beyond question, it pointed out some data provided by McAfee, according to which there has been a rise in the amount of malicious software plaguing the Internet in recent [...]]]></description>
<content:encoded><![CDATA[<p>A recent article at <a href="http://www.forbes.com/2008/11/18/cybercrime-boom-fraud-tech-security-cx_ag_1119crime.html" target="_blank">Forbes online</a> commented on the possible relation between the rise in cybercrime and the current economic crisis. Although the statement is hard to prove beyond question, it pointed out some data provided by McAfee, according to which there has been a rise in the amount of malicious software plaguing the Internet in recent months. Harder data (also from McAfee) show that this rise in attacks began in March 2008, when the count went from the 30,000 or 40,000 detected in earlier months up to 170,000. And this was even before the credit crisis hit the technology sector.</p>
<p>The article suggests that the reason for this could be the number of savvy employees who suddenly find themselves without jobs and are pushed to &#8220;the other side&#8221;, committing fraudulent acts they otherwise wouldn&#8217;t. In that respect, the real threat comes when disgruntled employees leave companies and take customer records with them to sell on the black market.</p>
<p>So how should this be dealt with? Many organizations are focusing on improving their security systems; but at <a href="http://www.kinamik.com" target="_blank">Kinamik</a> we believe that this is clearly not enough. For us, one of the best ways of dealing with the <strong>insider threat</strong> is to have a system like the <a href="http://www.kinamik.com/index.php/How-it-works.html" target="_blank">Kinamik Secure Audit Vault</a>, which collects and centralizes audit data and makes it <em>tamper-evident</em>. This way organizations can hold users, even the most privileged ones, accountable for their actions beyond any shadow of doubt. This kind of system clearly acts as a deterrent to illegal actions, much as a CCTV camera and a sign reading &#8220;We always prosecute thieves&#8221; would in a real-life shop. Wrongdoers (e.g. a disgruntled ex-employee) would think twice before committing an illegal action if they were certain that their tracks could not be covered or erased (and that any attempt to do so would stand out even more).</p>
<p>Accountability beyond any doubt is the key here. Security without proper accountability is just not enough.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kinamik.com/blog/dealing-with-the-crisis-and-disgruntled-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
