You can spend lots of money protecting your business systems from outsiders. But what about the people who work for you?
It doesn't matter what kind of business you are running on the Internet: you can't hide from hackers. Someone with the right resources, time and motivation can break into your system. The question is how much information you are willing to expose to the world in order to grow your business, and how prepared you are if that information is exposed, lost or stolen. A good analogy is to compare your computer system to your house. If someone has the time, the tools and the motivation, he or she will break into your house. You can, however, make it harder by installing a fence around your yard, a CCTV (closed circuit television) system, good locks on your doors and bars on your windows. There are all kinds of tools you can use to protect your house, and it is the same for computer systems. If you use what I call an onion model, where you have a variety of security controls spread over several layers, your chances of being broken into are drastically reduced, because an intruder who gets through one layer still has to get through the next. Relying on your firewall alone doesn't work. A firewall is one part of one layer in your security model. You also need proper monitoring, proper intrusion detection systems, and skilled people with proper training to protect the information on your system.
To protect your assets, you need to understand electronic information and the flow of information within your company. One of the main problems in a paperless environment is identifying where your electronic assets are located. The difference between a paper document and an electronic document during a business transaction can sometimes be blurred, but there is a huge difference between the two: an electronic document can contain a lot more information than the usual paper document. For instance, if you look at the properties of a Word document you will find all kinds of information, such as the time the file was created, the time it was modified, when it was last saved, who created it and last saved it, and the total editing time. Another good example: documents created with Microsoft Office 97 contained a GUID (globally unique identifier) derived from the network card's hardware address, which could identify the exact machine the document was created on. Microsoft received a lot of criticism because of this and issued a patch that removed the feature identifying the origin of the document. Since electronic information can contain a lot more than a paper document, you want to use the right means to protect it, and you should review or strip this metadata before a document leaves the company. When you know the risks you are taking when using cyberspace to do business, you need to take proper measures to reduce that risk and prepare yourself for the day when your system administrator comes to you and says, "We have been hacked," or, "We have lost a lot of valuable information."
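The document properties described above, and the tracked changes discussed later in this section, can be pulled out of a modern Word file with a few lines of Python. The following is an added example, not code from the original article or from KPMG. It builds a minimal .docx in memory with constructed (made-up) names, dates and text, then reads the core and extended properties and the tracked changes from it. Today's .docx is a zip of XML parts; the Office 97 GUID belonged to the older binary .doc format and is not shown here.

```python
"""Inspect what a Word .docx file carries beyond its printed text.

Added example, not code from the original article. A .docx is a zip of
XML parts: docProps/core.xml and docProps/app.xml hold authorship and
timing metadata, and word/document.xml keeps tracked changes, so deleted
text survives in <w:del><w:delText> until the revision is accepted.
The sample document is constructed in memory with made-up names, dates
and text so the script runs offline and touches no real file.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample parts (only the parts this script inspects).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>CFO-LAPTOP\\jane</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2001-03-02T09:14:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2001-03-05T17:41:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Corp</Company>
  <TotalTime>212</TotalTime>
  <Template>Normal.dotm</Template>
</Properties>""".format(**NS)

DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{w}"><w:body><w:p>
  <w:r><w:t xml:space="preserve">Offer price: </w:t></w:r>
  <w:del w:id="1" w:author="j.doe" w:date="2001-03-05T17:40:00Z">
    <w:r><w:delText>$4.2M</w:delText></w:r>
  </w:del>
  <w:ins w:id="2" w:author="j.doe" w:date="2001-03-05T17:40:00Z">
    <w:r><w:t>$5.0M</w:t></w:r>
  </w:ins>
</w:p></w:body></w:document>""".format(**NS)


def build_sample_docx() -> bytes:
    """Zip the constructed parts into a minimal .docx held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _part(docx: bytes, name: str) -> ET.Element:
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return ET.fromstring(z.read(name))


def extract_metadata(docx: bytes) -> dict:
    """Authorship and timing fields that never appear on a printed page."""
    core = _part(docx, "docProps/core.xml")
    app = _part(docx, "docProps/app.xml")
    fields = {
        "creator": (core, "dc:creator"),
        "last_modified_by": (core, "cp:lastModifiedBy"),
        "revision": (core, "cp:revision"),
        "created": (core, "dcterms:created"),
        "modified": (core, "dcterms:modified"),
        "company": (app, "ep:Company"),
        "total_edit_minutes": (app, "ep:TotalTime"),
        "template": (app, "ep:Template"),
    }
    return {k: root.findtext(path, default=None, namespaces=NS)
            for k, (root, path) in fields.items()}


def text_views(docx: bytes):
    """Split the body into what prints and what only track changes reveals."""
    body = _part(docx, "word/document.xml")
    w = "{%s}" % NS["w"]
    # <w:t> is the text a printout shows; <w:delText> is deleted text kept in the file.
    visible = "".join(t.text or "" for t in body.iterfind(".//w:t", NS))
    hidden = []
    for tag, kind, text_tag in (("w:del", "deleted", ".//w:delText"),
                                ("w:ins", "inserted", ".//w:t")):
        for rev in body.iterfind(".//" + tag, NS):
            hidden.append({
                "kind": kind,
                "author": rev.get(w + "author"),
                "date": rev.get(w + "date"),
                "text": "".join(t.text or "" for t in rev.iterfind(text_tag, NS)),
            })
    return visible, hidden


if __name__ == "__main__":
    sample = build_sample_docx()
    for key, value in extract_metadata(sample).items():
        print(f"{key:>20}: {value}")
    visible, hidden = text_views(sample)
    print("printed text :", visible)
    for h in hidden:
        print(f"{h['kind']:>8} by {h['author']} at {h['date']}: {h['text']!r}")
```

Run against the sample, the printed text is only "Offer price: $5.0M", while the file still carries the rejected figure, who changed it and when, plus the last editor's machine and account name and the total editing time. Point the same two functions at a real .docx by replacing `build_sample_docx()` with the file's bytes.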
Incident response procedures

Good response procedures will allow you to minimize damage to your electronic assets, recover information more easily and initiate an investigation into the breach. One of the big questions you want to ask yourself from the beginning is: do I have an internal or an external problem? Frequently the problem appears to be external because the intruder came in through an external connection, but the person behind that connection may still be an insider.

It is a well known fact that the biggest threat comes from within your organization. An interesting statistic from our KPMG IRM (Information Risk Management) team shows that our penetration testing team succeeds between 50 percent and 60 percent of the time when asked to attack a system using external means. The same team is 100 percent successful when it is allowed to go inside the business and attack the network from within.
Some other key areas to focus on in your incident response procedures are the acquisition of information or electronic evidence and the procedures you use to secure it. You need to consider how you will preserve that information until such time as you need it for litigation or for the authorities. That means copying it before anyone changes it, recording who handled it and when, and storing the copy somewhere the suspected insider cannot reach.

Flow of information

Before you start investigating a breach it is important to understand the flow of information within your company. For instance, a lot of employees have personal digital assistants (PDAs) such as Palm Pilots, and they synchronize these devices with their PC at work. They synchronize the same information with their PC at home. The PC at work synchronizes with the network. Consequently you can find an exact copy of a particular email replicated four or five times on different storage media: on the Palm Pilot, on the PC at home, on the PC at work, and in two or three copies on the network. The information you are looking for might be stored in several different places, hence the importance of understanding the flow of information in your company.

Another very critical issue is information which has been deleted or hidden. A lot of the time information might be deleted from your system but the system keeps a copy somewhere on your hard disk. A very common situation is deleting an email from your email application. You could delete the email from the "sent items" folder and then delete it again from the "deleted items" folder; however, the email is still somewhere on your hard drive until that space is actually overwritten. There is also the issue of backups. Your network is backed up on a regular basis, or so it should be, so emails might be stored for a long period of time. When you look for information, you have to think outside the box and keep in mind that on a computer system what you see is not always what you get.

Another very concrete example can be shown with Microsoft Word. The latest versions have a tool called track changes. This enables someone to create a document, make modifications and pass it on to someone else to review the modifications made to that document. The reviewer can actually see the words which have been deleted, changed, added and so on. This information is not displayed unless you turn the tool on, but it is still part of the file. This proves the point that a printed copy of a document and an electronic copy are completely different. If I print the document, I see only what my monitor displays. If I look at the document with the tool turned on, or with special forensic software, I can actually see all the information that has been added to or removed from that document.

Another good example is steganography, which is a process where you hide text or images within another image or sound file. Several free tools that use steganography to hide text and pictures can be found on the Internet. Last February, USA Today published an article about terrorist leader Osama Bin Laden which reported that he uses steganography to post instructions for his colleagues around the world: the instructions are hidden in images placed on Internet sites around the world, and his accomplices simply download the images.

Where is the threat?

You
must remember that the biggest area of threat is from within. The reason is that your employees or ex-employees have an intimate knowledge of your system and can use that against you if you don't have proper controls already implemented. That doesn't mean a disgruntled employee will do it himself or herself; they can use someone else to come back into your system to steal or delete information. If they lack some of the knowledge to do it, they can simply use the Internet as an extra source of information on how to break into a particular system. Remember that these employees already have a good knowledge of your system as far as architecture, applications and platforms are concerned. For someone who is even a little computer literate, that knowledge makes breaking in a lot easier. Another very recent example was posted on CNN.com: "Hacking threat rises with hi-tech layoffs." The article quoted a company in California called Slip.net whose system was broken into by a disgruntled system administrator. This is not new to investigators. The Internet and the information highway did not create new criminals; the Internet has created new tools that are very user-friendly and help people carry out their wrongdoings.

There is a ratio of threats which has been around in the fraud community for the past few years. This ratio states that 80 percent of frauds are committed by your own people and 20 percent by outsiders, and it can easily be applied to people breaking into your network. With that in mind, you want to allocate your investigative resources accordingly. If your system gets broken into, you don't want to spread your resources all over the place chasing an anonymous hacker. Start looking inside and try to find weaknesses. Look for history on possibly disgruntled employees or recently fired employees, and check whether their accounts, passwords and remote access were actually revoked when they left. You might be surprised at the information you will find. An increasing number of employees are more computer literate than they used to be. To help avoid this problem from the beginning, you need to do good due diligence or background checks on the people hired to protect your information within your IT department. A simple call to a previous employer or a criminal record check can save you a lot of problems down the road. You should also check all certifications and degrees with the issuing institution to confirm that they were in fact obtained by the person you intend to hire. Another very interesting statistic from Carnegie Mellon University in 1998 shows that over the previous 20 years the sophistication of attacks increased, meaning that attacks today are more complex in nature than they were 20 years ago, while the knowledge that intruders need to perform those attacks decreased. In other words, you need less computer knowledge and ability today to perform more complex attacks than you needed 20 years ago!

Investigation

Now
that you know how to spread out your resources and where to start looking for information to solve your problems or system breaches, it is time to start collecting evidence. The manner in which you seize electronic evidence to prove your case is very important. The immediate reaction of some system administrators or people in charge of your IT department is to restore or rebuild the system right away and put it back online. It is a natural reaction; on the other hand, in the process they end up overwriting log files that can be used as evidence, and other documents that are very important to the investigation. You need to decide if you can continue your investigation and recovery without this information. Remember that the need to identify the source of the attack (the intruder) might be more valuable than what you have lost already. You might have a deep problem within your company that you have to identify and resolve to protect the future of your company and its assets.

At this point you have to make a decision as to how many resources and how much energy you want to invest in the acquisition of electronic evidence and how you will use it to prove your case. If you are in doubt, just shut down the machine and secure it to prevent anybody else from accessing it, bearing in mind that anything held only in memory is lost when you do, so capture what you can of the running state first if you are able.
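Securing the machine is only half of preserving the evidence; the other half is recording what you seized so that you can later prove it has not changed. The following is an added example, not code or procedure from the original article or from KPMG. It hashes each seized file (here a constructed log file written to a temporary directory) into a chain-of-custody manifest before anyone rebuilds the system, then re-checks the files against that manifest after the rebuild. A real acquisition images the whole disk through a write blocker rather than copying individual files; this script shows only the hash-and-record discipline.

```python
"""Record and later verify a chain-of-custody manifest for seized files.

Added example, not from the original article. The evidence here is a
constructed log file written to a temporary directory; in practice the
paths would be the log files (or disk image) seized before the system
is rebuilt, and the manifest would be stored where the suspect cannot
reach it.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _record_hash(manifest: dict) -> str:
    """Hash of the manifest with its own seal field left out."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def acquire(paths, examiner: str, note: str = "") -> dict:
    """Hash every seized file and record who took it and when."""
    manifest = {
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "note": note,
        "items": [],
    }
    for p in paths:
        st = os.stat(p)
        manifest["items"].append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                             .isoformat(timespec="seconds"),
            "sha256": sha256_file(p),
        })
    # Seal the record itself so a later edit to the manifest is detectable too.
    manifest["manifest_sha256"] = _record_hash(manifest)
    return manifest


def verify(manifest: dict) -> dict:
    """Report which seized files changed or vanished and whether the record is intact."""
    changed = [i["path"] for i in manifest["items"]
               if not os.path.isfile(i["path"]) or sha256_file(i["path"]) != i["sha256"]]
    return {"manifest_intact": _record_hash(manifest) == manifest["manifest_sha256"],
            "changed": changed}


# Constructed sample log lines (made up for this example).
CONSTRUCTED_LOG = (
    "Mar  5 02:14:07 fileserver sshd[812]: Accepted password for jdoe from 10.0.0.23\n"
    "Mar  5 02:15:41 fileserver sudo: jdoe : COMMAND=/bin/rm -rf /srv/finance/Q1\n"
)


def demo() -> tuple:
    """Seize a log, then simulate an admin rebuilding the box, and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        log = os.path.join(work, "auth.log")
        with open(log, "w") as f:
            f.write(CONSTRUCTED_LOG)
        manifest = acquire([log], examiner="examiner-01", note="seized before rebuild")
        with open(os.path.join(work, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        before = verify(manifest)
        # The rebuild truncates the log: exactly what the text warns against.
        with open(log, "w") as f:
            f.write("Mar  6 09:00:00 fileserver syslogd: restart\n")
        after = verify(manifest)
    return before, after, manifest


if __name__ == "__main__":
    before, after, _ = demo()
    print("right after seizure :", before)
    print("after the rebuild   :", after)
```

The first `verify` call returns no changed files; the second, run after the log was overwritten, names the log, and the manifest's own hash lets you show in court that the record was not altered after the fact. Keep the manifest and the copies on media the suspected insider has no access to.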
You can now rest easy and discuss your options.

A former RCMP officer, René Hamel, is a Senior Manager with KPMG Investigation and Security Inc. Forensic Technology Services.