Handbook of Information Security Management:Law, Investigation, and Ethics


Report to Management

All incidents should be reported to management as soon as possible. Prompt internal reporting is imperative to collect and preserve potential evidence. It is important that information about the investigation be limited to as few people as possible. Information should be given on a need-to-know basis, which limits the possibility of the investigation being leaked. In addition, all communications related to the incident should be made through an out-of-band method to ensure that the intruder does not intercept any incident-related information. In other words, E-mail should not be used to discuss the investigation on a compromised system. Based on the type of crime and the type of organization, it may be necessary to notify:

  Executive management.
  The information security department.
  The physical security department.
  The internal audit department.
  The legal department.

The Preliminary Investigation

A preliminary internal investigation is necessary for all intrusions or attempted intrusions. At a minimum, the investigator must ascertain if a crime has occurred; and if so, he or she must identify the nature and extent of the abuse. It is important for the investigator to remember that the alleged attack or intrusion may not be a crime. Even if it appears to be some form of criminal conduct, it could merely be an honest mistake. There is no quicker way to initiate a lawsuit than to mistakenly accuse an innocent person of criminal activity.

The preliminary investigation usually involves a review of the initial complaint, inspection of the alleged damage or abuse, witness interviews, and, finally, examination of the system logs. If, during the preliminary investigation, it is determined that some alleged criminal activity has occurred, the investigator must address the basic elements of the crime to determine the chances of successfully prosecuting a suspect either civilly or criminally. Further, the investigator must identify the requirements of the investigation (i.e., the dollars and resources). If it is believed that a crime has been committed, neither the investigator nor any other company employees should confront or talk with the suspect. Doing so would only give the suspect the opportunity to hide or destroy evidence.

Determine if Disclosure Is Required

Determine if a disclosure is required or warranted due to laws or regulations. Disclosure may be required by law or regulation or may be required if the loss affects the corporation’s financial statement. Even if disclosure is not required, it is sometimes better to disclose the attack to possibly deter future attacks. This is especially true if the victim organization prosecutes criminally or civilly. Some of these attacks would probably result in disclosure:

  A large financial loss by a public company.
  A bank fraud.
  An attack on a public safety system (e.g., air traffic control).

The Federal Sentencing Guidelines also require organizations to report criminal conduct. The stated goals of the commission were to “provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct.” The guidelines also state that organizations have a responsibility to “maintain internal mechanism for preventing, detecting, and reporting criminal conduct.” The Federal Sentencing Guidelines do not prevent an organization from conducting preliminary investigations to ascertain if, in fact, a crime has been committed.

Investigation Considerations

Once the preliminary investigation is complete and the victim organization has made a decision related to disclosure, the organization must decide on the next course of action. The victim organization may decide to do nothing, or it may attempt to eliminate the problem and just move on. Deciding to do nothing is not a very effective course of action, because the organization may be held culpably negligent should another attack or intrusion occur. The victim organization should at least attempt to eliminate the security hole that allowed the breach, even if it does not plan to bring the case to court. If the attack is internal, the organization may wish to conduct an investigation that might only result in the dismissal of the subject. If it decides to further investigate the incident, the organization must also determine if it is going to prosecute criminally or civilly, or merely conduct an investigation for insurance purposes. If an insurance claim is to be submitted, a police report is usually necessary.

When making the decision to prosecute a case, the victim must clearly understand the overall objective. If the victim is looking to make a point by punishing the attacker, a criminal action is warranted. This is one way in which to deter potential future attacks. If the victim is seeking financial restitution or injunctive relief, a civil action is appropriate. Keep in mind that a civil trial and criminal trial can happen concurrently. Information obtained during the criminal trial can be used as part of the civil trial.

The key is for the victim organization to know what it wants to do at the outset, so all activity can be coordinated. The evidence, or lack thereof, may also hinder the decision to prosecute. Evidence is a significant problem in any legal proceeding, but the problems are compounded when computers are involved. Special knowledge is needed to locate and collect the evidence, and special care is required to preserve the evidence.

There are many factors to consider when deciding on whether to further investigate an alleged computer crime. For many organizations, the primary consideration is the cost associated with an investigation. The next consideration is probably the effect on operations or the effect on business reputation. The victim organization must answer these questions:

  Will productivity be stifled by the inquiry process?
  Will the compromised system have to be shut down to conduct an examination of the evidence or crime scene?
  Will any of the system components be held as evidence?
  Will proprietary data be subject to disclosure?
  Will there be any increased exposure for failing to meet a “standard of due care”?
  Will there be any potential adverse publicity related to the loss?
  Will a disclosure invite other perpetrators to commit similar acts, or will an investigation and subsequent prosecution deter future attacks?
