Security

Are you at risk for being accused of a cybercrime?

IT pros have access to sensitive information and systems that can make them the target in cybercrime investigations. Make sure you know the laws and how to protect yourself if you are implicated. Deb Shinder details the risks and offers some tips.

You're a hard-working, upstanding, law-abiding member of the community who happens to work in IT security. Every day, you're out there on the front lines of the (virtual) battlefield, fighting a never-ending war against malware, viruses, phishers, spammers, men-in-the-middle, and other nefarious attackers who threaten your networks and systems. It probably never even occurred to you that your position and area of expertise could very well make you a prime suspect if a computer-related crime occurs involving a system or network to which you have access. Unfortunately, it could happen.

Why is everybody looking at you?

As shocking as it may seem to those who are innocent, a murder victim's loved ones and closest friends are the first to come under scrutiny by the police. That's because they are the ones most likely to have the motive, means, and opportunity to kill that particular person, and statistically most murders are committed by someone who knows the victim well. Likewise, those who have both access to a victimized system and the skills to pull off the crime will be at the top of the list as investigators start trying to track down the culprit -- especially if there are any indications at all that it could have been an "inside job."

From the investigator's point of view, it makes sense. You're the one who's on the scene -- you're probably the one who discovered and/or reported the crime. It's not unusual for crimes to be reported by the perpetrator, in an attempt to establish him/herself as a victim or witness and thus divert suspicion.

The numbers vary depending on the source, but most studies show that a significant portion of data breaches are caused by insiders. For example, according to this white paper by Credant, 48% of breaches studied were caused by insiders.

Many insider threats are accidental, but this category also includes:

  • Disgruntled employees who take revenge for real or imagined poor treatment by sabotaging the company's network, causing loss of productivity, frustration for other workers, and loss of business with the intent of negatively affecting the company's bottom line and/or reputation.
  • Employees who were planted inside the company or who were recruited after being employed to commit corporate espionage, obtaining trade secrets, financial data, confidential business plans, and so forth for rival companies.
  • "Entrepreneurial" employees who steal the company's data or use its network resources to engage in a side business of their own (legal or illegal).
  • Opportunistic employees who take advantage of their access to and knowledge of the company's systems to divert company funds to their own accounts, or simply to gain an unfair advantage, advance their own pet projects, or otherwise gain competitive benefits within the company.

Of course, IT personnel are in a unique position to commit such criminal activities. You have the administrative passwords, physical access to the machines, intimate knowledge of the applications that run on them, and the data that's stored on them. You might remember a case that made the news in 2008, when a system administrator for the city of San Francisco effectively took the city's network hostage, removing everyone else's administrative rights and refusing to divulge the passwords for administrative access. He was arrested on felony charges and bail set at a whopping $5 million.

The next year, a former IT administrator for a New York investment firm pled guilty to charges of extortion for threatening to crash the company's servers after being laid off.

And earlier this month, a network engineer fired by Gucci was indicted for hacking into the company's network, deleting files and virtual servers, and cutting off email access for the company's employees, resulting in an estimated $200,000 in damage.

The evidence against you

Everyone who has watched fictional trial lawyers on TV has heard the phrase, "It's only circumstantial evidence." What many people who haven't been involved in the real-world legal system don't know is that most of the people in prison were convicted by circumstantial evidence. What do we mean by "circumstantial," anyway?

There are two basic types of evidence admissible in court:

Direct evidence is generally testimony by an eye witness who actually saw you commit the crime (although the term "eye witness" is a bit of a misnomer, since the witness could also have come by the knowledge through the sense of hearing, smell or touch).

Circumstantial evidence is evidence (testimony by someone who did not directly see you commit the crime, or a physical object, or any facts or circumstances) that tends to indicate that you committed the crime, but doesn't absolutely prove it.

The evidence in a computer crimes case is usually forensic evidence -- evidence obtained by examination of the affected systems and devices, logs, etc. Forensic evidence is generally circumstantial, and is testified to by an expert witness, who did not observe the crime being committed. For example, if a forensics examiner testifies that the account that was logged on locally when sensitive data was accessed was yours, that would be circumstantial evidence against you. By itself, it probably wouldn't be enough to convict you. If a co-worker also testified that he saw you go into the server room and log onto the computer a few minutes before the data was accessed, that's more circumstantial evidence (it's not direct evidence because he wasn't looking at your screen and couldn't see what you were doing). If an expert then testifies that the data was definitely accessed from inside the internal network, all of these pieces of circumstantial evidence together will carry more weight with a jury - possibly enough to convict.

Clever criminals have always fabricated evidence to implicate someone else for their crimes, but in the realm of computer crime, that can be easier because there are many ways to create false records, spoof email headers and IP addresses, or hijack someone else's account and use it to do the dirty work. And as someone with administrative privileges, you have an account that's a prime target to be hijacked.

The problem is that civilian law enforcement personnel don't always understand the technical details, and may take the evidence at face value. In addition, far less evidence is required to arrest you (probable cause) than to convict you in court (proof beyond a reasonable doubt). Even though the case against you might not be strong enough to convict, being arrested is at best inconvenient and can also be frightening. An arrest on your record, even without a conviction, can do real and lasting damage to your reputation and your career.

What should you do?

You're probably wondering two things: How can you protect yourself from false accusations? And what should you do if you are accused or suspected of a cybercrime?

On the first count, the most important step is to make sure you're not guilty in the first place. In an effort to control computer-related criminal activity, there are so many laws being passed by legislative bodies at all levels of government that it can be difficult not to break some, without intending to or even knowing that you have. Everyone who uses a computer -- but especially those who work in IT and even more especially those IT workers who have administrative privileges and/or work in companies that deal in a lot of confidential information -- should spend some time becoming familiar with the laws that govern use of computers and the Internet. That means everything from city ordinances all the way up to international laws. Then abide by them, no matter how silly or unfair they might seem.

Don't cut corners or think that because you're an IT pro, you're above the law. The growing cybercrime rates and increasing concern about the problem, as well as media attention, puts pressure on law enforcement agencies to "do something about it" and that means such crimes will be investigated more thoroughly and arrests will be made more often.

Document your actions when working with sensitive data. Have witnesses whenever possible who can verify what you did or didn't do. It goes without saying that your accounts should have strong passwords and you should use multifactor authentication if possible to make it harder for someone to gain access to your credentials, but also be aware that the more secure the systems appear to be, the more investigators will suspect those like you, who have legitimate access to them, if something does occur.

If you're questioned by police or other authorities in the investigation of a cybercrime, be careful about what you say. Don't brag about your abilities or volunteer that you would be able to "do the same thing." Don't say you don't know how this could have happened because you're the only one who could possibly access the information. Don't express any negative feelings toward your employer, or admiration for the hacker/attacker's skills. In short, stick to "just the facts."

If you sense that law enforcement officials see you as a possible suspect in a computer crimes case, consult an attorney immediately. If you are arrested, you need a criminal defense attorney who specializes in cybercrime defense. This field of law is relatively new and is one with which many general criminal defense attorneys are not familiar. Prosecutors in many states are cracking down on computer crime and cybercrime, often in cooperation with federal authorities. Many of these crimes are felonies and being a suspect is something you should not take lightly.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

17 comments
ddalley

Good grief! I've been on-line for about two and a half decades, now. I've been having so much fun that they HAVE to make using the Internet illegal! Somebody, please stop us!

AnsuGisalas

Don't, for a second, think the system is there to convict the guilty. Know, like Deb, that the system is there to fill the conviction quota, and anyone fool enough to tell the truth or exhibit the wrong mannerisms is fair game. Be prepared. Read Kafka. Consort with Lawyers. Have an escape route for when you need to jump bail. A numbered Swiss account is a good idea, if you have money to spare.

sarfarz

MY YAHOO PASSWORD IS NOT WORKING SO MY ACCOUNT 5-6 YEARS OLD SO PL RESET

Old Timer 8080

It will naturally spill over into IT functions of a company.... From the HR slime to the CEO on down to the lowly temp, dishonesty spreads and consumes the workplace.. In the end, the toxic place affects the outsider, like an IT contractor. Your best bet is to personally sever ties and keep detailed records for yourself..... BUT NOT PLAY WHISTLEBLOWER AND CONTACT LEOs AT ANY LEVEL!!! You will quickly find that most LEOs, DAs and judges want a quick kill these days and don't care who sheds the blood. I can attest to this..having a ( now dead ) ex-wife as part of the Court system in the nearby major city and state government, I got first hand knowledge of the practices and gossip among our " protectors ". Abuse of the Crime Databases is rampant. My ex-wife ( and others ) used it to check up on potential marriage partners/dates. If a cop wants your butt, it has the tools and doesn't care about legalities... Privileged discussions between areas of the courts and law enforcement weren't so privileged....I got plenty of juicy gossip that didn't make the headlines...but should have... When I did company work for several different employers involved with different LEO agencies, this pattern was always the same....ALL OVER THE STATE!!! The only way to survive ( and keep getting a salary ) was to keep your mouth firmly closed and play the " three little monkeys " while finishing out ( or not finishing ) the contract... Since I handled Network Security at Cray ( DARPANET, you know ) I quickly learned how the government WANTS YOU TO BEHAVE ON SECURITY ISSUES..that is how I survived this whole issue during my career.....now I'm out of this toxic loop, thank god....

premiertechnologist

If you are a technologist, do not trust IT Management or HR: They are your enemies and sometimes they set you up -- they have their favorites and you could be vulnerable or at risk to be the fall guy when things go sour. I won't take that much time to elaborate, but I "retired" from a local government where the HR Director violated the law, the attorneys supported the violation, two managers in IT controlling 85% of the people were married to each other, the Director suborned perjury to get a developer to lie to the Sheriff's Department that she was working for them while in fact she was doing internal work for the IT Department. The list goes on and on. Moreover, in an environment like that, you can be certain that RFPs that go out can get you into lots of trouble too, particularly if the IT Management decides that they want a fall guy when things go south on the proposal. Said agency went out to bid to outsource their IBM Mainframe and actually had the phones tapped to find out if anyone was talking to the vendors behind the scenes. Any evidence which could be twisted can be used to not just get you fired, but embroil you in a lawsuit. And by the way, said agency is being sued for gross discrimination associated with laying off only women from Development and violating HIPAA and other laws. The Feds already have declared the whole place a "Hostile workplace" in an age discrimination suit, which, unfortunately, isn't actually against the law (the Development Manager DID say that they needed younger people and the Network Narcissist 3 did tell the System Programmer that he was too old to understand the technology). And by the way, IT management never intended to do anything with the RFP: It was all for show. You can't imagine how hostile the apparently successful bidder was. They said things not repeatable here on this forum, for sure, and they will never do business with the County ever again. IBM was wise enough not to even engage in the bid.
In such a hostile environment as this, you need to keep detailed accurate records going back years. It can save you a lot of grief. An example of this was the suit brought by an employee of Weyerhaeuser against a Director who actually committed assault against the employee right in front of an HR representative: He got a settlement of an undisclosed amount in the six figures to the left of the decimal point. Take this seriously. We've made the transition from a stable world of years of faithful loyal competent work rewarded for excellence to obsessive compulsive paranoid psychopaths who rely on attractive politically correct people who look and sound good to staff a growingly mediocre doing barely enough to get by and getting rewarded for it, while the ones doing the work are stressed to their limits. And by the way, after 29 years, the Director of Budget and Finance and his executive assistant retired April 1st because they couldn't take it any more and left the running of IT to scoundrels because they couldn't stomach the politics any longer. Paranoia is a survival tactic. I hope it gets better, but I'm not optimistic. I will say I'm having a fine time in retirement, because I'm learning all sorts of technology I didn't have time for in such things as ASP.NET 4.0, Silverlight, WPF, LINQ; I'm building advanced websites using HTML 5 and CSS 3 with SWF flash flip pages to advance humanity by taking down a few minor cult religions. They lied to me and I took their money. I hope they regret it. I'm having a fine time.

eduardo01usa

I really want to congratulate you for your article but I think you should go deeper because there are not new elements which provide a better perspective to the IT community. For example an IT specialist in the security field must have his own security policy in order to protect himself against any external and internal threat able to put your career at risk.

CharlieSpencer

"It probably never even occurred to you that your position and area of expertise could very well make you a prime suspect if a computer-related crime occurs involving a system or network to which you have access." If it hasn't, you're incredibly naive. You may regard having the keys to the kingdom as a sacred trust, but too many others have abused the privilege for you not to be a suspect.

Alpha_Dog

...and just like every other professional like a doctor or lawyer we can be held liable for things we do in the normal course of business. A doctor may have done everything within the law and correctly within his scope of practice, and still be sued for malpractice. There are a few things we do to mitigate the risks. First, even if you are a one man band, do not skimp on your liability insurance. You will not need it until you do, and you'll be glad you had it. Likewise, it may be good to have an attorney on retainer. Better to have an attack dog on your leash instead of being without and needing one. Second, software piracy is no joke. Keep good records on software licenses and what machines the licenses are installed upon. I can't tell you how much of a load off our minds it has been to not have licensed, closed source software on our company systems. That said, your mileage will vary. As an open source shop, our licenses are easy to manage since they tend to be only on test machines used to duplicate customer issues. Where a client's machine has a dubious history, do your homework. Check the various online stolen machine databases. Where the license tag doesn't fit the installed system, don't be shy about asking for the new OS's license. We keep a database on each system we see for a variety of reasons, and it contains the license numbers we need for reinstalls. Worst case, walk away from work that could implicate you. We work with local law enforcement and are known to be "straight shooters". We have been helpful in recovering stolen machines in part due to our database. This rapport has helped us where we have been accused of wrongdoing. If approached officially by law enforcement, limit what you say. Be helpful if they are trying to understand a case (they will make it clear, swearing everybody to secrecy, etc.), but if the conversation goes anywhere close to a criminal case directed at your organization or an employee, plead the fifth and get an attorney.

pgit

Do not talk to the police, ever. Only if there is a subpoena are you compelled to talk to anyone, and then you can say "I elect to exercise my 5th amendment right to remain silent." A cop and lawyer explain this in a seminar they put on: http://www.youtube.com/watch?v=6wXkI4t7nuc

pgit

That's a lot of good info, thanks for posting. I am curious, could you give a synopsis of 'how the government wants you to behave on security issues?' From the tone of your post I get the impression it's more about "security theater" than actual security...

pgit

Like the Packet Storm folks say, "trust no one." It's a good idea to keep a professional distance between yourself and management, and especially HR, but it doesn't have to consume you, as the word "paranoia" suggests to me, at least. I know what you are saying, I couldn't agree more. It's unfortunate but you just can't get 'chummy' with anyone in the workplace anymore. It's more often the road to disaster than any friendship. Don't forget there could be an unknown third party in the mix. Say you befriend someone of the opposite sex, you get along well, work more effectively together and have a good time of it. There could be some manager or higher-up (even in another department completely) that's jealous of this situation. Even if you KNOW there will be no problem in getting personally closer to a co-worker, there's always potential for the kind of trouble you can't defend yourself from. Sucks but it's a reality in a lot of places these days.

douglas.gernat

I thought the 5th amendment can only be taken when you would be incriminating yourself in the crime in question, or another crime? Even when invoked, the judge may hear the crime that you are protecting yourself from in chambers, and thus, it may be ruled inadmissible. I'm not saying it would not be the right thing to do, just repeating what I've been told.

IMHAL9000

pgit has it exactly right. Keep your mouth shut. And learn a bit about how our "justice" system works, where even being accused of a crime can cost $$, reputation, and time even if you are 100% innocent.

SStine

Miranda rights are connected to the 5th Amendment right to remain silent and not self-incriminate. Exercising your rights does not equate to you being guilty. Peace Officers/ LEOs are required to notify you of your rights prior to questioning. "You have the right to remain silent. Anything you say or do can be used against you in a court of law. You have the right to an attorney (to consult with or have an attorney present during questioning). If you cannot afford an attorney, one will be appointed for you at no cost to you. Do you understand these rights?" Mr. Johnson, you said you are the Administrator, what does that mean in terms of your access to the data in question? (Ability/Access) How do you think this happened? (Ability and Know How) Who could have done this or what level of skill? (self-incrimination, possible sympathetic or admiration response) Who in the company has these kinds of skills? (self-incrimination) Why would someone do this; are there issues in your organization that could drive people to do this? (absence of other suspects, motive...) The questioning and responses could all be used against you in a court of law. You could be completely innocent and just happened to finish your CEH course... Although innocent, you may incriminate yourself with "wrong" answers. The LEOs are doing their job - trying to find suspects that fit the requirements (access, ability, motive); sympathetic statements or statements of admiration could demonstrate your affinity for that behavior. The fact that you are a CEH would be correlated to "you are a hacker!" Exactly what they are looking for... All things being equal, the most likely suspect usually is the guilty party.... or so it is said. Not necessarily so in the cyber world. Protect yourself.

bboyd

Any encounter with police is dangerous. You are not a helpful citizen, you are a potential perpetrator. There might be a knife within 20 feet of you so you might need to be shot for flinching. You reported the crime, guess what, you're first on the list. You want the "evidence back"... maybe after a prolonged legal battle. Police are for punishing the guilty/innocent and earning fine income. Now there are great peace officers in this world and bless them. There are brave men and women who risk their lives. Just don't trust that the one in front of you is either at the moment they talk with you. That one is likely a "Law enforcement" officer. He cares not for your concerns, you just interrupted his dinner at a Chinese restaurant. When seconds count they will be there in minutes. ---This mass of negativity and venom brought to you by observation of local LEOs and employment among them.---