Thursday, March 25, 2010

Computer Forensics: The Impact of Electronic Evidence on Modern Corporate Investigations

I attended a 2-hour lunch & learn hosted by the The Business Bank & RJ Ahmann Company at the Golden Valley Country Club, titled “Computer Forensics: The Impact of Electronic Evidence on Modern Corporate Investigations”. We ate while 3 speakers talked. Mark Lanterman was the last and primary speaker - I didn't catch the first two speaker's but they did excellent jobs. Mark is the CTO of a company called "Computer Forensic Services", a pretty high-end firm brought in by plaintiffs, defendants and the court system in general to figure out electronic evidence. His recent most high-profile cases have been Denny Hecker, Tom Petters and Paul McCartney's divorce. 

The initial speaker worked for The Business Bank and talked about banking/e-commerce fraud and what the e-commerce field is doing about it. 

Since you all love write-ups, here's some cleaned up notes and some observations of mine on the talks - some tentative best practices being put into place by the industry. Since we run an e-commerce platform ourselves, it behooves us to take a look at what the trends are, where our gaps are and maybe where we want to go ourselves. 

He primarily spoke regarding people who have admin accounts with their companies financial institution, or people with the role of orderers in an e-commerce platform.

1)    When a client’s admin account creates additional accounts, the account is held pending until a separate confirmation is made. They said it’s the hottest source of fraud right now – an admin’s account gets hacked, and the only thing the hackers do is create additional orderer accounts, and do their fraud from the fake orderer accounts. If it’s done properly, you never catch on that an admin’s account has been compromised (or which one), so they can keep doing it and doing it and doing it.
2)    As a result, have admin accounts password expiration be much faster than a normal user. They even referenced daily/every login expiration they have implemented. If the password changes every time the account it used, it makes the account harder to keep compromised and/or resell on the black market. It’s better to have less complex passwords (to keep users OK with 1-day expirations) then to have super-complex passwords that never expire.
3)    When activities of an orderer are outside the norm, insert challenge questions into the web page they have to answer before they can continue. If they can’t answer them, their account is locked until they call in.
4)    Geotracking (IP) restrictions on orderer/admin logins.
5)    Orderers/admins select a background watermark picture when their account is first created/logged into. This background watermark ensures they are in the “real” website when ordering/doing admin tasks.
6)    Issue RSA token fobs for admin & orderer accounts. It’s cheaper than a single fraud investigation. Usually you can charge the fob to the client and they are happy paying for it.

1)    This may sound draconian, but no file attachments in (externally bound) emails. None. Email is not secure. Secure email is still not secure. No file attachments, no documents, period.
2)    If you need to share files, use an external service. They threw out “ShareDefender” as an example, for (casual) secure file transmission between you & clients.

Mark Lanterman gave the longest talk, and he mainly used "warstories" to illustrate where computer forensics have gone, and the role corporations play there.

1)    Deleting evidence highlights what needs to be looked at by investigators. You can’t find a needle in a haystack but you can often see where the needle was by the missing hole, and then you know where to start looking.
2)    In the last couple years, for the first time ever in Minnesota, plaintiffs have been sanctioned for “evidence spoliation”.
3)    Evidence collected for one court case has led to many other cases. I.e. two executives sue each other and the 3rd party court appointed forensic investigators uncover internal fraud from IT purchasing, etc.
4)    Give out rich/smart devices to employees; they are much easier to monitor and collect much richer evidence. They named the iPhone as top of the list as greatest un-intentioned evidence collector on employees.
5)    Even if the corporation didn’t do the theft, if an employee brings IN illegally obtained data/software and uses it, or forwards it on for other departments to use, the corporation can and will be help liable in a court of law. This happened in the Pioneer Press vs Star Tribune court case a couple years ago. You cannot let new employees bring in shady data, shady software or shady devices. You will be held liable for their use. The Star Tribune was fined & sanctioned for this, they also had to pay Pioneer Press’s complete court costs and all expert testimony fees.

That last point is highly relevant to your employee onboarding process. There is absolutely no allowance to bring in home laptops, home software, USB drives from home, nothing. You have to actively prevent it, not just say “hey guys don’t bring in your favorite software from home, or the client list from your last place of work”. They are literally exposing your entire company to successful litigation & sanctions.


No comments:

Post a Comment