According to the National Crime Agency’s Strategic Cyber Industry Group, in its Cyber Crime Assessment report 2016, there is “A need for a stronger law enforcement and business partnership to fight cyber crime.” In this article, Andrew Sheldon MSc, one of the UK’s leading experts in the field of digital forensics technology and application, explains how the corporate community can help protect its business interests and help the police to secure convictions.
Reference to the very first statement in the NCA report, published in July of last year, puts the whole matter into context: “A cyber attack that poses an existential threat to one or more major UK businesses is a realistic possibility.”
Along with the Office of National Statistics data to inform the size of the problem, this is indeed a sobering thought for any commercial enterprise. The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the UK in 2015, with ‘cyber enabled fraud’ representing a massive 36% of total UK crime in the same year.
When you consider that the digital technologies involved are themselves a relatively recent phenomenon in our lives, this represents an alarming growth rate. The almost ubiquitous availability of powerful, personal digital devices, combined with the committed criminal’s determination to adapt, adopt and attack, presents us with a formidable adversary.
As the NCA report puts it, “Cyber crime is growing fast, becoming both more aggressive and evolving at pace”. Even more concerning for business is the emergence of sophisticated international crime groups which are developed enough to have formal organisational structures and operational cells which include call centres and language translators.
John Flatley, a spokesman for the ONS, has underlined the issue, referring to the Crime Survey for England and Wales which estimated 3.6 million cases of fraud in the UK in a single year, and saying “Today’s figures demonstrate how crime has changed, with fraud now the most commonly experienced offence.”
There is, however, some good news to report, not least the growing recognition of and response to the problem. Around the globe law enforcement officers are working with business, using techniques such as digital forensics, to identify and bring malefactors to justice. Nothing succeeds in the business of criminal deterrence better than raising the chances of identification, prosecution and conviction.
A recent and most welcome initiative, for example, was the news that a consortium operating under the name Qufaro is proposing to set up a National College of Cyber Security, appropriately enough on the historic Bletchley Park site, while in Government circles the Department for Work & Pensions has created a new and highly paid role of Operations Director, Counter Fraud and Compliance. In addition, the National Cyber Security Centre, which operates as part of GCHQ, has offered a useful set of guidelines about the component elements of its work, with observations about many of the activities which are of interest to the corporate community including transaction protection, identity validation, security management and integrity of hardware, systems and services.
Finally, with the continued development of digital forensics, companies and their executives have the means to detect, recover and prosecute offenders.
Cyber offences can be divided into four motive categories: money, kudos, facilitation and vengeance. Most critical to the business organisation are the out-and-out criminals, intent on cheating, defrauding and stealing from commercial operations of all types and sizes. It’s worth remembering that 80% of an enterprise’s digitised information resides in individual hard drives and personal files, which increases risk.
Once hackers and criminals have got something as simple as a URL, they will investigate the digital boundaries and weaknesses of an organisation. When they have identified the mail server, the web server, perhaps even the FTP server, they are ready to begin probing the defences. Although cyber security offers protection, detection and, to a certain extent, investigation of these, digital forensics should be called upon at the earliest possible stage after the event, to pick apart the attack and identify what has been done. It can help to create new protocols to shore up the weaknesses and pinpoint the source and identity of the attacker. Digital forensics will enable you to rapidly see the extent of the damage and whether attacks are continuing.
Let’s examine a typical ‘route’ of attack. Someone in the organisation may receive an email, purporting to be from the chairman, with a PDF attached. When it is opened the PDF has malicious content. It might open up what is called a ‘back door’ or a ‘listener’ and broadcast the IP address to the attacker. At that point, the attacker can start to look at that PC and, using the information they find on it, can ‘swivel’ the attack sideways to other devices and resources within the network. Potentially all sales, marketing, finance, technical, procurement, logistics and other data are now vulnerable.
As soon as an alarm is raised, possibly at the firewall or intrusion detection system (IDS) if deployed, or more usually by a user noticing something is wrong, digital forensics takes over to pinpoint the source of the attack and what data has been compromised. Evidence on the device or devices in question will be preserved, further spread of the problem prevented and a fix can be made, perhaps by applying patches to vulnerabilities in the operating system the organisation uses.
The tools, training and techniques now exist to support governance and compliance officers in many aspects of this work, including payment stream analysis, travel and entertainment expenses, payroll, financial mis-management, bribery and corruption and capital projects. Digital triage systems now allow non-technical investigators to produce results to evidential standards based on the recovery of live and deleted files, volatile memory and comprehensive file information from Windows, Apple or Linux-based machines and servers as well as mobile phones and tablets.
A recent report published by the Center for Strategic International Studies calculated the cost of cyber crime to the global economy at around $445 billion a year. It is evidence of a problem which cannot be ignored, but the systems and means are readily available to fight back. What’s more, with short and straightforward training programmes available, even non-specialist staff can quickly be empowered to use the response systems at their disposal.