Structure your business to gather digital evidence
Cyber crime and legislative compliance demand that organisations build cyber forensic readiness into their systems and operations, advocate Jacqueline Fick told delegates at the ITWeb Security Summit yesterday.
Fick, who is the executive head: forensic services at Cell C and has also managed the Information Security portfolio on an interim basis, drew on around 20 years' experience of investigating and prosecuting digital crime.
For investigations and prosecutions to succeed, the necessary evidence must be available, and the organisation's architecture, processes and technologies must be set up to help investigators gather digital evidence in the event of a breach, she said. "How do you expect us to catch the bad guys if we do not have the evidence?" she asked. "You save so much time if information security is embedded as a priority from the start."
Gathering admissible evidence is not as simple as finding an email on a computer, she noted. "Digital evidence is fragile, and when you present this in a court of law, you don't only have to deal with the admissibility of that evidence, but also its reliability. A cyber investigator or prosecutor cannot depend only on information on a computer. The investigation must include a combination of statements and affidavits, sometimes confessions, and evidence from things like CCTV showing you that the person was behind the computer at the time spyware was installed."
Fick explained that gathering the relevant, admissible evidence was a lengthy process: "In the case of a leak, investigators must determine where to start, how many emails and mailboxes to wade through, to start comprehending who had access to the information. The investigation must extend to which meetings discussed the information and what was presented in physical format at those meetings, since in many cases, compromises took place in the real world."
Prevention is better than prosecution
Fick noted that cyber forensic readiness was crucial to identifying and stopping cyber crime, as well as to defending the organisation and supporting compliance.
"Cyber incidents, whether they lead to criminal or civil prosecution, are a reality. With the implementation of PoPI [the Protection of Personal Information Act], can you say that you as an organisation are prepared when a customer claims you breached their right to privacy? Will you be able to supply digitally sound evidence to prove you were not in the wrong?
"In the telco industry, under RICA [the Regulation of Interception of Communications and Provision of Communication-related Information Act], there are strict regulations about how telco personnel must deal with customer information. If they breach that confidentiality, there are fines for the individual of up to R2 million and for the organisation of up to R5 million. If telcos did not keep digitally sound evidence and were faced with a complaint, they would be robbed of the opportunity to prove their innocence," she said.
Fick urged organisations to work towards proactive cyber forensic incident readiness through a multi-disciplinary approach that includes policies and procedures to ensure compliance.
"Prevention is far better than prosecution, and trying to play catch-up is no good. A proactive approach may not get cyber criminals convicted, but it can stop them and protect the organisation. You want to be able to gather evidence that you can use with the least possible impact on your operations, within the shortest possible time and at the least financial cost," she said.