CyberCrime – Without Prejudice

Cybercrime has superseded all other criminal activity over the last couple of years. This can be ascribed to the fact that there will be an estimated 4.77 billion cellphone users worldwide by the end of 2017. The demographics of users are diverse and the number of users is as high in less affluent countries as in more affluent countries. Large tech and cellphone companies are increasingly entering the African market as a focussed growth area. As far back as 2013, an article published in Finweek stated that in South Africa, more than 75% of those in low-income groups who are 15 years or older own a mobile phone. Mobile phone ownership among households with an income of less than R432 per month (Base of Pyramid Income) was also stated to be relatively high compared with other African countries.

With a worldwide increase in the phenomenon of Bring Your Own Device and the mobility of devices (tablets, smartphones, laptops), the security of companies and private information is constantly at risk. Computers (and mobile devices) have become the prime target of criminals, resulting in digital clues and crime scenes with little evidence in the physical world. Over approximately 20 years, a whole new area of investigation has developed – to wit, Digital Forensics.

The correct collection of digital media at the time of the occurrence of an offence or incident is of paramount importance. Following from this, the analysis and interpretation of the data by a person who does not have specialised knowledge of the operating system, programme, applications etc. may have serious adverse consequences for the person utilising it as evidence at a later stage. Charles C Palmer, “Ethical Hacking”, IBM Systems Journal, 2001 (p16) defines the main aspects of digital forensics as the use of scientifically derived and proven methods in locating, collecting, preserving, analysing, interpreting, documenting and presenting digital evidence relating to incidents, often with the aim of presenting evidence during hearings. The goal of the process is to preserve evidence in its most original form.

We have found, in our 13 years in the industry, that the greatest risks are often from within the victim’s own company. IBM (IBM X-Force Cyber Security Intelligence Index, 2016) found that 60% of all attacks were carried out by insiders. The index goes further and identifies healthcare, manufacturing, financial services, government and transportation as the top five industries at risk of a cyber incident.

The internal risks are not only due to a tech-savvy staff member being able to shut down systems by injecting malicious code, or a disgruntled employee loading a logic bomb just before he/she leaves – to be activated on a date in the future. Less intentionally, harm is caused by staff members who inadvertently click on a link that downloads a virus, or give user names and passwords to apparently legitimate sites, which ensures that a syndicate has unfettered access to email accounts.

The challenge is that the perpetrator is faceless, and identifying the person who actually committed the offence or caused the damage is an extremely complex, sophisticated and time-consuming task. Furthermore, not properly investigating and identifying the cause of the event may lead to it being inadvertently reactivated in the future or written off as just another “technical glitch”.

The complexities of correctly locating and extracting digital evidence to maintain its originality and integrity, as well as the ease of manipulating so-called digital evidence, have led to the situation where legal teams can no longer accept a printed version of a document originating from a computer on its mere production. It may look like an email, it may contain all the characteristics of a true document at face value, but without looking at the electronic version, counsel may find themselves with a fraudulent document (consider spoofing of a legitimate email account, which is very prevalent in the deeds process and has caused an amendment in the insurance rules of the Attorneys Insurance Indemnity Fund (AIIF)). This rings true for the converse as well: a document may appear to be completely different due to its font or formatting, but may merely be printed from a different Operating System – consider the difference between Windows and Mac based Operating Systems if the same Word document is used by both with a font not recognised by the other system.

Insurance companies have all expanded on their Cyber related insurance products. Within the digital forensic field is a specialist area of Rapid Response Teams or Computer Incident Response Teams (CIRT), which are on standby 24 hours a day to respond to an incident, access information which could lead to identifying the actual cause and scope of the risk, contain any further damage and collect digital evidence for later prosecution, all while attempting to minimise the business interruption and restore the IT environment to a healthy state in the shortest possible time. It is extremely difficult to estimate the time lost due to cybercrime and cyber incidents.

Vodacom reported a 150% increase in DDoS attacks at the IT Web summit as far back as 2015. Norton, in their latest report on online crimes, indicates that 594m people are affected by cybercrime globally, with an average of 21 hours and $358 lost per consumer globally over the past year through cybercrime (Norton by Symantec, Cybersecurity Insight Report, 2016).

Although large companies have internal IT staff, many small and medium firms cannot afford an IT team. Even if a firm does have a comprehensive IT department, it still does not mean that they are equipped, experienced or qualified to handle malicious incidents. A typical IT staff member is also not trained or experienced to secure possible evidence in the myriad of civil and criminal suits that may follow such an incident. They are merely required to maintain normal business systems, and their actions may cause irretrievable damage to the effort to locate the origin of the incident and eradicate it from your system. The discipline of digital forensics requires a combination of skills, qualifications, experience and knowledge in the area of forensic investigation. The ideal team should have IT skills, legal knowledge as well as well-honed investigation skills.

Insurance company conditions, new local and international privacy legislation and a number of other pieces of legislation require reporting all incidents by, inter alia, the board. Non-compliance may lead to fines (and compliance may lead to fines where the company cannot show due process in both securing breached data at the outset and having taken all reasonable steps once a breach has been identified), civil action or even criminal steps.

Some sound advice for clients:

  • All companies should have a robust IT policy, which includes limitation of privacy where internal resources are used and where company information or resources are removed from site, as well as the use of company information on site. The IT policy must delineate clear restrictions in relation to access.
  • Have a clearly defined back-up system, both offline as well as online, and ensure back-ups are done regularly so a ransomware recovery strategy is in place at all times. The strategy must include foreseeing that the backup itself may contain the malicious code.
  • Always ensure that your anti-virus and security software are up to date and installed on all devices that have access to your company data. IT must be obliged to ensure that all patches are up to date. Do not consider cost saving in this area.
  • Staff should be trained regularly on current risks as well as the requirements of their policy and should be able to recognise suspicious websites, dubious emails and attachments.
  • All data should be classified, and critical and client data should be separated.
  • All companies should have a clear indication of their cyber risks; penetration testing and risk assessments should be part and parcel of their annual plan.
  • All companies must have an Incident Response Policy and a clear plan with well-defined roles and responsibilities. The team should consist of either an internal team with sufficient expertise or include a strategy to include external experts at the occurrence of specified incidents.

Original article Without Prejudice