System Alert: Intrusion detected
With shrinking budgets and time constraints within IT departments, it is becoming dangerously apparent that mistakes and/or events are not being fully investigated. There have been numerous cases where, had more time or the opportunity to secure environments properly been available, the loss of data might have been mitigated. Here is an example of how a friendly relationship, combined with security systems that produce many false positives, allowed data to be extracted from a company.
At 5:27pm on Friday 18th November, the IT Director receives a notification from his security system alerting him to a breach on the network. He immediately recalls his IT team from their usual end-of-week drinks to assist in investigating the problem. The alert details that a computer located on the third floor of the building is generating an unusual amount of traffic, suggesting information is being copied to an external USB device. The IT Director immediately rushes to the location and identifies an individual sitting at a computer wearing headphones. On approaching, he notices on the screen that software is converting YouTube videos into movie files, alongside a window showing files being copied from folder to folder. As the IT Director knew the individual, he told him not to use the company's computer for personal use. The employee says “Sorry mate, I will stop after this file finishes”. The IT Director phones the other members of the IT team to stand down and, on his return, they all leave for drinks.
What was really happening
The individual was in fact copying the entire Client Relationship Management (CRM) system, which contained not only the company's clients but also all related financial information. This data is not only valuable to the company but is also protected under the Data Protection Act. The individual used his position of trust as a “friend of the IT Director” to divert attention to something obvious while the real theft took place in the background.
RGL Forensics are often instructed to identify where data has been extracted and removed from a company, making use of digital forensics. There are often artefacts left behind which allow us to demonstrate how an employee obtained the data and walked out of the door with it. We live in a society that demands instant results, and the time available to investigate is limited, leading to incidents not being dealt with in the correct manner.