You're a hard-working, upstanding, law-abiding member of the community who happens to work in IT security. Every day, you're out there on the front lines of the (virtual) battlefield, fighting a never-ending war against malware, viruses, phishers, spammers, men-in-the-middle, and other nefarious attackers who threaten your networks and systems. It probably never even occurred to you that your position and area of expertise could very well make you a prime suspect if a computer-related crime occurs involving a system or network to which you have access. Unfortunately, it could happen.
Why is everybody looking at you?
As shocking as it may seem to those who are innocent, a murder victim's loved ones and closest friends are the first to come under scrutiny by the police. That's because they are the ones most likely to have the motive, means, and opportunity to kill that particular person, and statistically most murders are committed by someone who knows the victim well. Likewise, those who have both access to a victimized system and the skills to pull off the crime will be at the top of the list as investigators start trying to track down the culprit -- especially if there are any indications at all that it could have been an "inside job."
From the investigator's point of view, it makes sense. You're the one who's on the scene -- you're probably the one who discovered and/or reported the crime. It's not unusual for crimes to be reported by the perpetrator, in an attempt to establish him/herself as a victim or witness and thus divert suspicion.
The numbers vary depending on the source, but most studies show that a significant portion of data breaches are caused by insiders. For example, according to this white paper by Credant, 48% of breaches studied were caused by insiders.
Many insider threats are accidental, but this category also includes:
- Disgruntled employees who take revenge for real or imagined poor treatment by sabotaging the company's network, causing loss of productivity, frustration for other workers, and loss of business with the intent of negatively affecting the company's bottom line and/or reputation.
- Employees who were planted inside the company or who were recruited after being employed to commit corporate espionage, obtaining trade secrets, financial data, confidential business plans, and so forth for rival companies.
- "Entrepreneurial" employees who steal the company's data or use its network resources to engage in a side business of their own (legal or illegal).
- Opportunistic employees who take advantage of their access to and knowledge of the company's systems to divert company funds to their own accounts, or simply to gain an unfair advantage, advance their own pet projects, or otherwise gain a competitive edge within the company.
Of course, IT personnel are in a unique position to commit such criminal activities. You have the administrative passwords, physical access to the machines, intimate knowledge of the applications that run on them, and the data that's stored on them. You might remember a case that made the news in 2008, when a system administrator for the city of San Francisco effectively took the city's network hostage, removing everyone else's administrative rights and refusing to divulge the passwords for administrative access. He was arrested on felony charges and bail set at a whopping $5 million.
The next year, a former IT administrator for a New York investment firm pled guilty to charges of extortion for threatening to crash the company's servers after being laid off.
And earlier this month, a network engineer fired by Gucci was indicted for hacking into the company's network and deleting files and virtual servers and cutting off email access for the company's employees, resulting in an estimated $200,000 in damage.
The evidence against you
Everyone who has watched fictional trial lawyers on TV has heard the phrase, "It's only circumstantial evidence." What many people who haven't been involved in the real-world legal system don't know is that most of the people in prison were convicted by circumstantial evidence. What do we mean by "circumstantial," anyway?
There are two basic types of evidence admissible in court:
Direct evidence is generally testimony by an eye witness who actually saw you commit the crime (although the term "eye witness" is a bit of a misnomer, since the witness could also have come by the knowledge through the sense of hearing, smell or touch).
Circumstantial evidence is evidence (testimony by someone who did not directly see you commit the crime, or a physical object, or any facts or circumstances) that tends to indicate that you committed the crime, but doesn't absolutely prove it.
The evidence in a computer crimes case is usually forensic evidence -- evidence obtained by examination of the affected systems and devices, logs, etc. Forensic evidence is generally circumstantial, and is testified to by an expert witness, who did not observe the crime being committed. For example, if a forensics examiner testifies that the account that was logged on locally when sensitive data was accessed was yours, that would be circumstantial evidence against you. By itself, it probably wouldn't be enough to convict you. If a co-worker also testified that he saw you go into the server room and log onto the computer a few minutes before the data was accessed, that's more circumstantial evidence (it's not direct evidence because he wasn't looking at your screen and couldn't see what you were doing). If an expert then testifies that the data was definitely accessed from inside the internal network, all of these pieces of circumstantial evidence together will carry more weight with a jury - possibly enough to convict.
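The chain of circumstantial evidence above is built by joining log records: an account name, the session it ran under, and where that session came from. The short Python script below is an added example, not part of the original column, and it runs over a handful of constructed Windows Security log events (4624 = account logon, 4663 = object access; the names, times, paths and the 10.0.0.45 address are invented). It contrasts the naive reading ("your account was logged on at the console when the file was read") with a session-aware reading that ties the access to the specific logon session, including its logon type and source address. That distinction is exactly what separates "you did it" from "someone used your credentials from another host."

```python
# Added example: correlate object-access events with the logon session they ran under.
# Sample events are constructed for illustration and mirror Windows Security log fields;
# they do not come from any real incident.
EVENTS = [
    {"id": 4624, "time": "09:00:12", "user": "jdoe", "logon_id": "0x3e7a1", "logon_type": 2, "ip": "-"},
    {"id": 4624, "time": "09:12:40", "user": "jdoe", "logon_id": "0x3f002", "logon_type": 3, "ip": "10.0.0.45"},
    {"id": 4663, "time": "09:14:03", "logon_id": "0x3f002", "object": r"C:\Finance\payroll.xlsx", "access": "ReadData"},
    {"id": 4663, "time": "09:31:55", "logon_id": "0x3e7a1", "object": r"C:\Admin\backup.log", "access": "WriteData"},
]

# Windows logon types relevant here (2, 3 and 10 are the documented values).
LOGON_TYPES = {2: "interactive (console)", 3: "network", 10: "remote interactive (RDP)"}
CONSOLE_TYPES = (2, 10)


def build_sessions(events):
    """Index every 4624 logon event by its logon ID so accesses can be joined to it."""
    return {e["logon_id"]: e for e in events if e["id"] == 4624}


def naive_attribution(events):
    """The 'who was logged on at the console?' reading: for each object access, name the
    user(s) with an interactive session that began before the access. Ignores sessions."""
    result = []
    for e in events:
        if e["id"] != 4663:
            continue
        users = sorted({s["user"] for s in events
                        if s["id"] == 4624 and s["logon_type"] in CONSOLE_TYPES and s["time"] <= e["time"]})
        result.append({"object": e["object"], "users": users})
    return result


def attribute_access(events):
    """Session-aware reading: join each 4663 event to its 4624 by logon ID and report the
    account, logon type and source address of the session that actually performed it."""
    sessions = build_sessions(events)
    result = []
    for e in events:
        if e["id"] != 4663:
            continue
        s = sessions.get(e["logon_id"])
        if s is None:
            # A missing 4624 is itself a finding: the log was cleared, rotated, or the session predates it.
            result.append({"object": e["object"], "user": None, "logon_type": None, "source": None,
                           "note": "no matching logon event for " + e["logon_id"]})
            continue
        result.append({"object": e["object"], "user": s["user"],
                       "logon_type": LOGON_TYPES.get(s["logon_type"], "type %d" % s["logon_type"]),
                       "source": s["ip"], "note": ""})
    return result


def remote_use_of_account(events, user):
    """Objects touched under a non-console session for `user`, with the source address.
    This is the list an investigator (or your defence attorney) wants when the theory is
    'the admin did it from the server room'."""
    return [(a["object"], a["source"]) for a in attribute_access(events)
            if a["user"] == user and a["logon_type"] == LOGON_TYPES[3]]


if __name__ == "__main__":
    for naive, real in zip(naive_attribution(EVENTS), attribute_access(EVENTS)):
        print("naive:", naive["users"], "| session-aware:", real["user"], real["logon_type"], real["source"], real["object"])
    print("network use of jdoe's account:", remote_use_of_account(EVENTS, "jdoe"))
```

Both readings name the same account, which is why a bare "it was your account" is only circumstantial; the session-aware view is the one that either corroborates the witness who saw you enter the server room or contradicts it. Note that in real logs the 4624 for a session may be on a different host than the 4663, and logon IDs are only unique per boot, so the join has to be scoped by machine and boot session.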
Clever criminals have always fabricated evidence to implicate someone else for their crimes, but in the realm of computer crime, that can be easier because there are many ways to create false records, spoof email headers and IP addresses, or hijack someone else's account and use it to do the dirty work. And as someone with administrative privileges, you have an account that's a prime target to be hijacked.
The problem is that civilian law enforcement personnel don't always understand the technical details, and may take the evidence at face value. In addition, far less evidence is required to arrest you (probable cause) than to convict you in court (proof beyond a reasonable doubt). Even though the case against you might not be strong enough to convict, being arrested is at best inconvenient and can also be frightening. An arrest on your record, even without a conviction, can do real and lasting damage to your reputation and your career.
What should you do?
You're probably wondering two things: How can you protect yourself from false accusations? And what should you do if you are accused or suspected of a cybercrime?
On the first count, the most important step is to make sure you're not guilty in the first place. In an effort to control computer-related criminal activity, there are so many laws being passed by legislative bodies at all levels of government that it can be difficult not to break some, without intending to or even knowing that you have. Everyone who uses a computer -- but especially those who work in IT and even more especially those IT workers who have administrative privileges and/or work in companies that deal in a lot of confidential information -- should spend some time becoming familiar with the laws that govern use of computers and the Internet. That means everything from city ordinances all the way up to international laws. Then abide by them, no matter how silly or unfair they might seem.
Don't cut corners or think that because you're an IT pro, you're above the law. The growing cybercrime rates and increasing concern about the problem, as well as media attention, puts pressure on law enforcement agencies to "do something about it" and that means such crimes will be investigated more thoroughly and arrests will be made more often.
Document your actions when working with sensitive data, and keep that record somewhere you cannot quietly edit after the fact (a ticketing system, a change log that a colleague reviews), because a record only you control carries little weight with an investigator. Have witnesses whenever possible who can verify what you did or didn't do. It goes without saying that your accounts should have strong passwords and you should use multifactor authentication if possible to make it harder for someone to gain access to your credentials, but also be aware that the more secure the systems appear to be, the more investigators will suspect those like you, who have legitimate access to them, if something does occur.
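One concrete way to keep a record of your own administrative actions that is hard to rewrite afterwards is a hash-chained journal: each entry commits to the one before it, so inserting, deleting or altering an entry breaks every later hash. The Python below is an added example, not from the original column; the actors, actions, targets and timestamps are constructed, and the design choice (SHA-256 over the previous hash plus a canonical JSON encoding of the entry) is this example's own, not a specific product's.

```python
# Added example: a tamper-evident journal of admin actions, built as a SHA-256 hash chain.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # fixed starting hash so the first entry is verifiable too


def _digest(prev_hash, body):
    """Hash of the previous link plus a canonical encoding of this entry's fields."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class ActionJournal:
    def __init__(self):
        self.entries = []

    def append(self, actor, action, target, witness=None, ts=None):
        """Record one action; `witness` is the colleague (or ticket ID) who can vouch for it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action, "target": target, "witness": witness,
        }
        entry = dict(body, prev=prev, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """The latest hash. Send this to someone else (email, ticket) so a later rewrite
        of the whole chain cannot go unnoticed either."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries):
    """Walk the chain; return (True, n) if all n links hold, else (False, index_of_first_bad)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
        if e["prev"] != prev or _digest(prev, body) != e["hash"]:
            return (False, i)
        prev = e["hash"]
    return (True, len(entries))


def demo():
    """Build a small journal with fixed (constructed) timestamps, then show that editing
    a middle entry is detected at that entry."""
    j = ActionJournal()
    j.append("jdoe", "export", r"C:\Finance\payroll.xlsx", witness="CHG-4471", ts="2011-04-05T09:14:03+00:00")
    j.append("jdoe", "restore", "fileserver01", witness="msmith", ts="2011-04-05T09:31:55+00:00")
    j.append("jdoe", "rotate-password", "svc-backup", witness="CHG-4472", ts="2011-04-05T10:02:10+00:00")
    intact = verify(j.entries)

    tampered = [dict(e) for e in j.entries]
    tampered[1]["action"] = "delete"          # someone rewrites what was done
    return intact, verify(tampered), j.head()


if __name__ == "__main__":
    ok, bad, head = demo()
    print("intact:", ok, "| tampered:", bad, "| head:", head)
```

The chain only proves the journal was not altered after its head hash left your hands; it does not prove the entries were true when written. That is why each entry names a witness or ticket, and why the head should be handed to someone else (or appended to a ticket) at the end of the day. Appending is cheap, so there is no reason not to log every privileged action, including the boring ones.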
If you're questioned by police or other authorities in the investigation of a cybercrime, be careful about what you say. Don't brag about your abilities or volunteer that you would be able to "do the same thing." Don't say you don't know how this could have happened because you're the only one who could possibly access the information. Don't express any negative feelings toward your employer, or admiration for the hacker/attacker's skills. In short, stick to "just the facts."
If you sense that law enforcement officials see you as a possible suspect in a computer crimes case, consult an attorney immediately. If you are arrested, you need a criminal defense attorney who specializes in cybercrime defense. This field of law is relatively new and is one with which many general criminal defense attorneys are not familiar. Prosecutors in many states are cracking down on computer crime and cybercrime, often in cooperation with federal authorities. Many of these crimes are felonies and being a suspect is something you should not take lightly.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.