SA fails on forensic readiness
South African enterprises are hampering their ability to prosecute cyber-based crimes against them, due to a lack of forensic readiness, says IT forensic specialist Cyanre.
MD Danny Myburgh says Cyanre has seen a marked increase in local industrial espionage in recent months. However, investigations and prosecutions are being hampered by a lack of forensic readiness on the part of the companies affected.
"In the past eight months, we've seen a sudden increase in the number of local individuals and organisations targeting local companies for industrial espionage. The spyware in use is very sophisticated and appears to focus on company communications, including e-mail communications, Internet usage and online chat," he says.
The main targets for this spyware, Myburgh says, are senior management, finance departments, R&D and sales. Because this new trend is recent, and cases can take years to go to court, Myburgh says it is not clear exactly what information cyber criminals are looking for when they monitor their targets' communications.
Cyanre's investigations reveal that spyware is most often introduced into the target system by "thumb drive thugs" - employees who knowingly install it using a memory stick or mobile device.
Myburgh says: "In around 75% of cases we investigate, we find there was inside involvement - usually deliberate. Social engineering is used to a lesser degree, and we are also seeing spyware being mailed in, embedded in PDF files sent in mails reading something like: 'attached, please find proof of payment'."
Mobile devices are also becoming a major problem, Myburgh says. "If a BYOD [bring your own device] policy is not properly managed, enterprise security and the ability to investigate crimes later are hampered. In South Africa, we have not seen targeted attacks on mobile devices in order to get spyware into specific enterprises, but because South Africa follows international trends, it is likely only a matter of time before it happens."
Because the spyware being used for industrial espionage is highly advanced, it often takes some time for it to be discovered, Myburgh says. "This code may evade detection by scans, firewalls and anti-virus software by renewing itself regularly. It may restructure itself on a 48-hour basis, reinstall itself, and delete the old version to sidestep detection."
Myburgh says the espionage is often discovered only when the target company starts noticing its competition is approaching its clients, or suddenly has the same products and pricing.
"They may become suspicious that their competition knows too much about them, or perhaps a whistleblower in the company doing the spying may step forward to report it," says Myburgh.
Once a cyber forensic investigation is launched into the case, a lack of forensic readiness may hamper a successful prosecution. "In South Africa, it is estimated that less than 6% of all criminal cases are successfully prosecuted. With cyber-based crimes, the conviction rate could be even lower due to its technical nature," Myburgh says.
Forensic readiness is crucial to successful investigations and prosecutions, says Myburgh. "Enterprises need to conduct audits of their systems and processes to ensure that if there is a breach, their systems are configured to allow a successful investigation. Often, you will find too many people have the system administrator password, for example, or their system recording is not switched on. Organisations need to look at forensic readiness as part of their overall risk management and corporate governance strategies. They must focus on 'can we determine after an event who did what on the system, and how do we prove it?'"
Proof is critical in criminal cases, notes Myburgh. "Forensic readiness plays a major role in this - it has a major impact on whether we can successfully prosecute or not. If you want to departmentally charge an employee, you must show it was plausible or probable that they committed the crime; but criminal charges depend on proving this beyond a reasonable doubt.
"There is a great deal of risk, time and cost involved in cases not based on incontrovertible evidence. In 30% to 50% of cases, we will find an aspect of a case being derailed due to a lack of forensic readiness. This doesn't mean the entire case is derailed, but it significantly increases the amount of time and resources needed to investigate the case. If a company is forensic ready, it is able to react faster to attacks and investigate and prosecute attacks more successfully."
Myburgh will address these issues during the ITWeb Security Summit, to be staged in Sandton, from 7 to 9 May. He will also facilitate the digital forensics workshop on 9 May. For more information about this event, click here.