Catch me if you can

Spycraft and the privacy vs security debate.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 25 Feb 2015
Tech journalist Paul Furber uses his investigative skills, and some forensic toolkits, to assist businesses with internal fraud cases.

The biggest threat in your organisation could be sitting down the hall from you. The threat of attack from insiders is substantial and should not be underestimated. Insider attacks have occurred in businesses of all sizes and across all industries, often causing huge damage to the company. These crimes range from low-tech acts of fraud or theft, to highly sophisticated attacks of sabotage. Moreover, damages and losses are not only monetary, but can have a negative impact on the business' reputation.

Simon Campbell-Young, MD of Phoenix Distribution, says insiders also have an advantage over others who might wish a company harm, as they can often bypass physical and technical security measures such as intrusion prevention, firewalls and access systems. "Their login credentials are genuine. They know what policies and measures are in place and, too often, which ones are only loosely enforced and might therefore be vulnerable."

He says there are three basic types of insider threat, namely negligent insiders, malicious insiders and compromised insiders. Negligent insiders are usually lackadaisical about security, clicking on every attachment or special-offer e-mail without a second thought. These insiders will also leave documents or flash drives lying around, or lose a phone or laptop that contains sensitive company data.

A compromised insider will casually plug in an external drive of dubious origin, or browse untrusted sites from their workstations. "They may not know that these sites are insecure and vulnerable to drive-by downloads or cross-site scripting."

Malicious insiders are the most dangerous, and include disgruntled staff. They're particularly dangerous as they will most often target something specific, such as databases or proprietary data. They've also been known to sabotage systems and information.

Campbell-Young believes some degree of caution should be exercised with all employees. "There are no hard and fast profiles of dangerous insiders, although they can be rooted out through anomalous behaviour patterns and suspicious online activity."

He adds that most insider attacks are about financial gain, although there are incidences of sabotage or damage to infrastructure and equipment.

Gaining visibility

To help prevent insider threats, Campbell-Young says there are several tools available, such as firewall logs, log management solutions, internal and host IPS, netflow monitoring, and SIEM solutions. "These tools will not only log mass amounts of data, they will also check the sources of the data to make sure they're reliable. Businesses can also choose how much they want or need to monitor, and where to direct those resources. Full packet capture is possible, but raises ethical concerns."

He advises businesses to let their employees know that they might be monitored, as this acts as a deterrent to those considering making off with valuable information or committing fraud. "Here it's good to involve the technical department, as well as HR and legal, as it's usually HR that will be aware of which staff members are dissatisfied. Research reveals that the month before and after termination is the window in which most insider crimes happen, and targeted monitoring can be applied to any employees HR suspects might be up to no good."
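The targeted monitoring described above, correlating an HR list of termination dates with access logs and flagging after-hours or bulk activity inside the month-before-and-after window, as an added illustration that is not from the article or from any of the vendors it quotes. The log format, the HR feed, the 20:00-06:00 after-hours band and the 1 GB bulk-copy threshold are all assumptions; the data is constructed.

```python
from datetime import datetime, timedelta

WINDOW_DAYS = 30  # "the month before and after termination"

# Constructed HR feed (assumption): user -> termination date (ISO)
HR_TERMINATIONS = {
    "jsmith": "2015-02-20",
    "mkhan": "2014-11-01",
}

# Constructed log lines (assumed format): "<timestamp> <user> <action> <object> <bytes>"
SAMPLE_LOG = """\
2015-02-02T22:15:00 jsmith login vpn 0
2015-02-03T23:40:00 jsmith copy fs01:/tenders/2015 5400000000
2015-02-10T10:05:00 bob copy fs01:/tenders/2015 120000
2015-03-15T09:00:00 jsmith login vpn 0
2015-03-25T03:10:00 mkhan login vpn 0
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, object, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, obj, nbytes = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), user, action, obj, int(nbytes)))
    return events


def in_window(ts, term_date, days=WINDOW_DAYS):
    """True when the event falls within +/- days of the termination date."""
    return abs(ts - datetime.fromisoformat(term_date)) <= timedelta(days=days)


def flag_events(events, terminations, after_hours=(20, 6), bulk_bytes=1_000_000_000):
    """Return alerts only for users in their termination window; each alert lists its reasons."""
    alerts = []
    for ts, user, action, obj, nbytes in events:
        term = terminations.get(user)
        if term is None or not in_window(ts, term):
            continue  # outside the targeted window: not monitored by this rule
        reasons = []
        if ts.hour >= after_hours[0] or ts.hour < after_hours[1]:
            reasons.append("after-hours")
        if action == "copy" and nbytes >= bulk_bytes:
            reasons.append("bulk-copy")
        if reasons:
            alerts.append((ts.isoformat(), user, action, obj, reasons))
    return alerts
```

A normal-hours login by a departing user (jsmith on 15 March) produces no alert, and mkhan's after-hours login is ignored because it is months past that termination date.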

A question of privacy

Crime at the workplace has driven innovation in workplace surveillance devices, such as telephone call recording, bugging, hidden cameras, communications interceptions as well as personnel tracking technologies.

Thanks to the everyday use of interconnected technologies and computer systems, one of the problems employers face is how to utilise modern surveillance technology to keep an eye on employees' use of the company's networks. It's a balancing act between security and privacy. Companies want their networks and data to be secure, while staff members want to prevent intrusions into their personal privacy.

Tim Jackson, MD at electronic surveillance company Microdelta, says these sorts of crimes happen to companies of all types and sizes. Microdelta boasts telephone recordings, hidden microphones and cameras in their security arsenal. "Where you have humans, you will have problems of this nature," he says.

He says cameras can be used to watch particular areas, and to identify individuals going into places they shouldn't be, like a staff member going into the CIO's office after hours. "They're also good for picking up instances of petty theft."

He says there are also far more sophisticated crimes, like taking sensitive company information such as tender documents, customer lists, etc. "These are often taken to a competitor, or sometimes a company will recruit someone at a competitor, with the idea of being passed proprietary information by that individual."

Reshana Pillay, partner in the personal injury and insurance departments at law firm Hogan Lovells, says the Regulation of Interception of Communications and Provision of Communication-related Information Act (RICA) governs the use of digital surveillance in South Africa, particularly in the workplace. "South Africa's Constitution guarantees an individual's right to privacy, which includes the right of an individual not to have the privacy of their communications infringed."

She says in terms of section 36 of the Constitution, all rights may be limited. "Employees don't fully appreciate the overlapping and interrelated rights that are at play here. Viewed from the employer's perspective, it may be argued that privacy is not an absolute right. An employee's right to privacy should be balanced with the employer's business necessities or operational requirements. It should be kept in mind that the employer provides and owns the computer facilities the employee uses. Furthermore, the employer has a right to control the employee's working life."

Workplace context

Jackson says the legalities around surveillance are interesting, particularly the ones concerning the monitoring of communications. "The law is very easy to understand, as is the spirit of the law that prohibits monitoring. If you're already party to the communication, by recording that communication, you're not breaking the law. You can record to your heart's content."

But where, for example, a company director becomes suspicious of the bookkeeper, notices funds missing, perhaps does a little investigation, and then decides to record his phone calls, the rules are slightly different. "Should the bookkeeper discuss with his wife how he's planning on spending the money, or discuss with his bank transferring sums, or discuss payments that are fictitious, and the company gets proof that he has defrauded them, technically the company is still guilty of an offence under RICA, as it's an offence to monitor a communication with the intent of finding out something the company doesn't already know."

However, Jackson says there are two ways around this. "Should the case go to court, if the evidence is found to be relevant, the court has complete discretion whether the evidence is admissible or not. If the guilty party still protests, they can lay charges against the company, but the evidence remains uncontested as they would have to admit it is indeed them on the recording."

Should they try to make a case, the court has in a few instances ruled that the director had a fiduciary duty to protect the company's interests, was therefore between a rock and a hard place, and was not to be prosecuted.

The second way to get around this is by informing employees they might be monitored. "RICA prohibits the monitoring of communications unless at least one of the parties has been informed their calls might be recorded. Many companies are putting a clause in their employment contracts stating that they might be doing this. Once the employee has signed, it's taken as consent, and as the law stands is sufficient."

The Act prescribes conditions under which an employer can intercept an employee's communications in the context of the workplace, adds Pillay. "The employer is permitted to set more general standards relating to conduct in the workplace and the use of equipment and tools. The employer can, for example, prescribe when, how, and for what purposes personal computers may be used. The same applies to access to the internet."

Jackson says the law is quite liberal, and employees should make no assumptions of privacy.

Tech journalist and editor, Paul Furber, has assisted various businesses with insider fraud cases. Often, when he is approached by an organisation, the job will entail finding deleted e-mails. "A few months ago, an SME called me because one of their partners had stolen a large sum of money using a complicated scheme that made small payments to various people," Furber recalls. "We knew he deleted e-mails sometime between January and June. I went to their offices, copied a hard drive, and ran a tool called Autopsy, which is essentially a web user interface tool that makes use of the Sleuthkit forensics toolkit."

Autopsy can perform forensics on a disk or storage image file, on USB devices or hard drive partitions. "There have also been instances where fraud can be detected by looking through logs of financial transactions," says Furber. "I've done this before, but it has to be done manually, and it's very time-consuming as each and every transaction needs to be scrutinised."

Furber cites his biggest success as a case where he proved that one engineering company had stolen another's trade secrets. "That was a R30 million judgement. I was standing right behind the sheriff when they went to his place. I seized all their hard drives under controlled conditions and went away and looked for the plaintiff's formula, and found it in several places. I got grilled by Barry Roux in Germiston, which made me sympathise with all the prosecution witnesses in the Oscar Pistorius trial. But I was right, and he couldn't prove otherwise."

Malicious insiders can be stopped, but experts agree that stopping them is complex and requires a layered defence strategy that includes technical measures, staff education, policies and procedures.

Hogan Lovells' Pillay says companies need to first identify the source of the breach and put in place the necessary safeguards to prevent further breaches. "Employers need to establish whether the breach was due to the employee's negligence or a deliberate act. Employees need to be properly trained on how to prevent security threats and also on how to identify possible cyber threats, including the reporting of an incident to the relevant regulator or the notification of individuals affected by the claim. It may be useful to have your attorney make contact with the relevant regulatory authority, in order to engage in discussions to mitigate the consequences that arise as a result of the claim."

"When dealing with the insider threat versus the external threat, the one advantage that businesses have is that to a certain degree, they have control over their internal environments, whereas they have none over the external one. While there is no silver bullet, even imperfect security controls have value and can help prevent attacks," concludes Campbell-Young.

This article was first published in Brainstorm magazine.