This was the start of a fascinating case which lasted for several months, and dealt with a technophile senior employee hell-bent on obtaining as much information as he could about his employer's high-profile – and sometimes contentious – activities. It ended with a court injunction, the delivery up of stolen information and the discovery of an array of computer and communications equipment, listening devices and recording media.
Our client was in the midst of some delicate negotiations, and had commissioned a physical security review which – in addition to a comprehensive ECM 'sweep' programme – paid particular attention to the safeguarding of proprietary information. In other words, our client's main asset.
A major part of the review consisted of a security assessment of the networked information and communications technology system. Our report concluded that even the most fundamental logical security controls were absent: there was no defined policy on centralised IT functions and resources, and no security strategy documentation.
In addition, access controls had been applied uniformly to all users regardless of role, so that in some cases the control was too weak and in others too restrictive.
There was no tried-and-tested disaster recovery plan in place, the server system was outdated (with only a small library of attendant security utilities) and neither encryption nor digital signatures were in use. Password practice was inadequate, and passwords were seldom changed. The firewall software needed hardening to control access attempts from remote sites.
Last but not least, the floppy (A:) drives on PCs had not been disabled, there was no intrusion detection system and the sensitive parts of the client's database had not been classified and access-controlled accordingly. All of the above deficiencies were subsequently acted upon.
Bugs prefer spam
It still came as a shock to most of us in the IJA Team when we heard of the 'spamming' of several hundred of our client's customers a few days later. The rogue e-mails were sent using an unidentifiable e-mail account, and contained: verbatim extracts from past Board Meetings, accurate summaries of some key internal policy decisions, confidential and accurate financial information, acidic comments about Members of the Board and an incitement to lobby against the interests of the client. There were also warnings of further, similar missives to come.
The transmitter recovered from the Board Room was of a type widely advertised on the Internet and in 'Exchange and Mart', and which can be bought in specialist stores in London's West End. This one had some added touches that betrayed a great deal of technical know-how. At about the same time, some of the recipients of the e-mails – customers or contacts of our client – reported receiving printed hard copies of the offending communications by post.
A provisional profile of potential opponents and adversaries of our client comprised a raft of competitor organisations and former employees, and even posed the question of foreign Government intervention. However, a detailed analysis of the e-mails revealed a level of knowledge and a familiarity with internal procedures indicative of only a handful of senior in-house employees.
In addition, the spamming audit trail – partly listing the recipients of the e-mail – was a direct match to an internal e-mail database accessible only to the chief executive officer and his secretary. The investigation was homing in...
Detailed background checks using on-line databases and the Internet confirmed that a senior employee had an employment history differing somewhat from his CV and job application. Only cursory background checks had been conducted on him prior to the offer of employment by our client. He was an erratic timekeeper, often staying late into the evening and regularly working weekends. He appeared to enjoy challenging those in authority, and was a gifted writer of prose. We had a suspect.
Taking initial legal advice
During the early stages of any investigation procedure, it's vitally important for the security manager to document the reasons for deciding to launch – and subsequently continue with – an enquiry. These reasons must be justifiable, and in accordance with the Data Protection and Human Rights Acts. They must also steer a fine path between the rights of the client and those of the suspect(s).
If you don’t take reasonable steps to safeguard your company’s assets or those of your client, the inevitable will happen... Worse still, if you can’t demonstrate this to the courts then the judiciary will not be too enamoured by your ap
Our early overview concluded that there had been an unauthorised and (hence) illegal attempt to bug a Board Meeting, that confidential information (as contained in the e-mails) had been stolen from our client, and that a database had been downloaded from our client's computer system.
While we remained mindful of the potential for a criminal outcome, our objectives – as agreed with the client – remained: the identification of miscreants, the recovery of our client's information, financial restitution and injunctions to limit any further damaging and publicly humiliating e-mails. This was to be a civil law case.
Our gamut of initial investigation options was wide-ranging. It included the review of selected personnel files, real-time electronic audits of Board Meetings to monitor interceptions, the covert disk imaging of PCs and laptops, a review of the client's server (to monitor outgoing e-mail traffic) and telephone call log analyses of key employees.
We also considered the interception of 'phone and fax lines (again of selected employees), the analysis of fingerprints on envelopes and the contents of letters as well as DNA matching of stamps and envelopes with selected staff samples.
Alongside this, we thought about handwriting analysis (to match the writing on envelopes with control samples), indented impression (ESDA) testing on envelopes and their contents, striation testing to match printed pages with printers and photocopiers and covert desk searches/physical surveillance of employees. 'Disputed utterance' analysis of written material, background checks on key staff, creating an 'incident' to elicit a response and working with undercover operatives to gain intelligence were other avenues pursued.
Security managers should remember that – during the initial phases of any investigation that's poised to develop at speed – they must obtain legal advice from a law firm familiar with investigative techniques. A firm that has a strong stomach for litigation, not to mention a successful track record of applying for injunctive relief in a Court of Law. For our part, we chose London-based Mishcon de Reya.
A number of the aforementioned investigation options were then actively explored. Mishcon de Reya went about the onerous – but essential – task of collecting employment contracts and associated papers that might be used as the basis for an affidavit and the laying of a complaint.
The investigation proper
Having confirmed that the PC on the suspect's desk was owned and paid for by the client, we decided to take a covert image of it. The machine had a large hard disk drive, and the imaging went on into the small hours.
Forensic computer imaging takes an exact, bit-for-bit copy of a computer's hard drive for subsequent analysis. The copy captures data, applications and operating system alike, including unallocated space, so that it can be replicated off-site. A control copy is kept untouched for evidential purposes and investigators interrogate a duplicate; a cryptographic hash of the original drive, recorded at the time of imaging and matched against each copy, demonstrates that nothing was altered in between.
When a user deletes a computer file it's not lost forever unless it is overwritten. It's akin to losing the index to a book, if you like: the words and chapters remain, but the directions to them have been lost. With a little skim reading you can usually find what you want. Forensic keyword-search tools, which work much like the signature scanning in anti-virus software, take a list of key search words and run them across the whole copy disk, allocated and unallocated space alike, flagging every instance for review.
On this occasion, the IJA Team found, in the 'slack' space of the disk (the unused tail of a file's allocated clusters, which retains residue of whatever was stored there before, much as the swap file does), an extract of extreme importance to the case. It was part of a verbatim transcript of the recording of an earlier Board Meeting, containing the very words that had appeared in the e-mails. We also discovered a mailing list with e-mail addresses attached which matched those who had received the illicit e-mails.
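The imaging and keyword-search steps described above, as an added example that is not part of the original article or of IJA's own tooling. The toy disk image, its allocation table and the residue planted in slack and unallocated space are all constructed inside the script for illustration; hashing the image on capture and searching for each keyword in both ASCII and UTF-16 (the encoding Windows commonly uses for text in memory and the page file) are standard practice rather than anything the article states the team did.

```python
import hashlib
import re
from collections import namedtuple

SECTOR = 512  # bytes per sector in the toy image (assumption for the example)

# One keyword hit: where it was, which keyword/encoding matched, which disk
# region it lies in and a printable snippet of the surrounding bytes.
Hit = namedtuple("Hit", "offset keyword encoding region context")


def build_sample_image():
    """Constructed sample image (not a real capture): 8 sectors.

    memo.txt is the only allocated file. Its sector also carries residue of an
    older, larger file in the slack tail; a 'deleted' mailing list survives in
    an unallocated sector; a UTF-16LE fragment sits in another free sector.
    Returns (image_bytes, allocation) where allocation maps
    filename -> (first sector, size in bytes).
    """
    img = bytearray(8 * SECTOR)
    memo = b"Supplier visit Tuesday. Nothing sensitive."
    img[1 * SECTOR:1 * SECTOR + len(memo)] = memo
    residue = b"VERBATIM: Board Meeting minutes, item 4, restructuring plan"
    img[1 * SECTOR + 200:1 * SECTOR + 200 + len(residue)] = residue  # slack
    deleted = b"To: alice@example.com; bob@example.com\r\nSubject: Board minutes\r\n"
    img[4 * SECTOR:4 * SECTOR + len(deleted)] = deleted  # unallocated
    utf16 = "Board Meeting".encode("utf-16-le")
    img[6 * SECTOR + 10:6 * SECTOR + 10 + len(utf16)] = utf16  # unallocated
    allocation = {"memo.txt": (1, len(memo))}
    return bytes(img), allocation


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image: record it at capture time and re-check it on
    every working copy so the control copy can be shown to be unaltered."""
    return hashlib.sha256(image).hexdigest()


def region_of(offset: int, allocation) -> str:
    """Classify a byte offset as allocated file data, file slack, or unallocated."""
    sector = offset // SECTOR
    for name, (first, size) in allocation.items():
        nsectors = -(-size // SECTOR)  # ceiling division
        if first <= sector < first + nsectors:
            if offset < first * SECTOR + size:
                return f"allocated:{name}"
            return f"slack:{name}"
    return "unallocated"


def keyword_search(image: bytes, keywords, allocation, context: int = 24):
    """Run every keyword over the raw image, case-insensitively, in ASCII and
    UTF-16LE, ignoring the file system view entirely so that slack and
    unallocated space are searched as thoroughly as live files."""
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                start, end = m.start(), m.end()
                lo, hi = max(0, start - context), min(len(image), end + context)
                if enc == "utf-16-le":  # keep the window aligned to 2-byte code units
                    lo += (start - lo) % 2
                    hi -= (hi - start) % 2
                text = image[lo:hi].decode(enc, errors="replace")
                snippet = "".join(c if c.isprintable() else "." for c in text)
                hits.append(Hit(start, kw, enc, region_of(start, allocation), snippet))
    return sorted(hits, key=lambda h: h.offset)


if __name__ == "__main__":
    image, alloc = build_sample_image()
    print("image sha256:", image_digest(image))
    for h in keyword_search(image, ["Board Meeting", "example.com"], alloc):
        print(f"{h.offset:6d} {h.region:18s} {h.encoding:9s} {h.keyword!r}: {h.context}")
```

Run against a real image the same loop works unchanged on a file opened in binary mode, but a dedicated tool (or at least `mmap`) is needed once the image no longer fits in memory; what matters for the evidence is that the search touches every byte of the copy and that the copy's hash still matches the one recorded when the drive was imaged.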
During the imaging procedure we took the liberty of searching the suspect's desk and found four diary entries, contact details and background material that would be of assistance at a later stage in the investigation.
Policies aimed at combating fraud and malpractice do work. They should include conflict of interest statements. Always remember to use a specialist employment or fraud lawyer for reviewing the contracts of your company’s or clients’ senior emp
Ultimately, a few more investigative initiatives enabled us to conclude that the suspect had: kept some sophisticated recording equipment in his desk, encrypted part of the hard drive of his office computer, kept a work laptop computer at home, handwriting which was a near match to that found on the posted letters, fabricated part of his job application, not sent the e-mails from the office, copied the posted enclosures using the office photocopier, held regular meetings in Internet cafés with third parties, many journalistic contacts with whom he maintained a close liaison and flouted internal rules by accessing secure files and databases.
Risk mitigation (pest control)
Having gained the optimum amount of tangible evidence that we were likely to, we decided (after taking legal advice and considering all the allegations that might come our way) the time was right to proceed with a case.
Those possible allegations were numerous. For example: that the case had not been brought in sufficient time, without undue delay or procrastination; that the demands made through the courts on the defendant were not commensurate with the extant damage (in other words, that we were using a sledgehammer to crack a nut); that it was not illegal to intercept the Boardroom conversations by virtue of the frequency on which the device operated; and that the defendant had a claim over ownership of the computers we had imaged.
Other possible allegations were that our client had taken insufficient measures to protect against the loss of information, and that this was a fishing expedition to get rid of other people. Also, it was possible for a claim to be made that the defendant was not formally reprimanded when previously caught availing himself of sensitive information, and that a precedent had thus been established.
In addition, another possible allegation was that surveillance went against the defendant's right to privacy. His legal team could have said that he should be free to write about his experiences, and that the information he was 'publishing' was in the public's interest.
The bug-busting outcome
All of these issues were addressed by our team in the affidavit that was successful in support of an ex-parte delivery-up and gagging order, whereby Mishcon de Reya accompanied a supervising solicitor to the home address of the defendant to retrieve items of information that would help prove our case.
When the case was agreed by the Court to be proven, this was followed with undertakings by the defendant to provide financial restitution and not discuss the case with anyone.
As a defendant in a Court action, our suspect admitted that he had sent the offending e-mails and letters, and that he had indeed bugged the Boardroom. He had encrypted his hard drive to hide the fact that he had downloaded pornography, and had gained access to the database by obtaining the chief executive officer's password.
The suspect had sent the e-mails from an Internet café, and from his WAP-enabled mobile 'phone complete with built-in PDA.
Lessons to be learned
Ensure that you conduct comprehensive pre-employment and contractor screening – and continue with it when that individual is promoted, or their responsibilities are changed. The person you hired five years ago is now a different animal.
Hardly any businesses operate without recourse to information communications technology, but very few bother with securing it. Our client very nearly came unstuck as a result. Security managers should also bear in mind that forensic science is not rocket science, and should be used as a standard operating procedure during an investigation.
Ultimately, laws and regulations are there to help protect the rights of both individuals and organisations. As such, they must be respected and not ignored or – even worse – wilfully obviated. They are also there to defend those who have been wronged, including corporations. Don't be afraid to use them.
Source
SMT
Postscript
Steve Allen D.Lut CPP CFE is a director of IJA International (www.ija-int.com), the specialist provider of advice on business intelligence, corporate investigations and risk mitigation. IJA International is the sister company of Ian Johnson Associates. Dan Morrison, a fraud solicitor and litigator at Mishcon de Reya, is happy to provide legal advice to any SMT reader who needs guidance in respect of an investigation, fraud or litigious matter (telephone: 020 7440 7000 or e-mail: dan.morrison@mishcon.co.uk)