Below are copies of each of the articles distributed at the committee's booth at the 1999 ASIS Annual Seminar in Las Vegas.

Computer Crime

As the new millennium approaches, worries about Y2K problems seem to be the most prevalent security concern when it comes to computers. Security managers, however, should not lose sight of the other areas of security concern when it comes to computers. Computers present opportunities for critical problems both internally within a company and externally to the public.

Computer Crime From The Inside

A recent nationwide FBI survey on computer security found that 75% of the companies responding had been victimized by computer-related crime in the preceding year, 59% could place a figure on their losses ($401,600 per company on average) and 49% of the respondents reported unauthorized use of their computer systems. The age of electronic innocence is long past. Any company, regardless of its size or computer savvy, can be a victim of high-tech crime, falling prey to hackers, computer thieves, software viruses and unauthorized activities by its own employees. Chances are that most companies will sooner or later become victims of high-tech crime. Deterring high-tech crime can be a daunting challenge because technology itself cannot provide a complete security system; at best, it can only make it harder for wrongdoers to strike. Deterring criminal activity involves assessing vulnerability, instituting the best protections possible, and formulating plans for responding if criminals strike. Experts say that when information is stolen from a company, the culprit is often a seemingly loyal employee. Employees steal data because of dissatisfaction with salary, promotion opportunities or working conditions; conflict with managers; or financial problems linked to alcohol or drug use.
The first step in preventing any computer crime is to formulate a company security policy that details what information is valuable and how to protect it. Besides setting rules for users, the policy should spell out managers' responsibilities for computer security. Managers should know which people have the opportunity to do damage. The most likely suspects are employees who arrive at work early in the morning and leave late at night. Be aware of employees' schedules and find out what they're doing if they linger beyond normal business hours. Set your network to monitor activity in, and restrict access to, sensitive files. Remove nonessential modems that could be used wrongfully to transmit information. Other common-sense safeguards include imposing password requirements (including on screen-savers), requiring employees to memorize their passwords and keep them secret, having employees log off during lunch and at the end of the day, and requiring employees to encrypt sensitive files sent via the Internet.

Computer Crime from the Outside

Recent increases in attacks on computers by outsiders are primarily due to the number of companies whose networks are connected to the Internet or that have installed modems on their networks. The UNIX operating system found on most Internet servers was designed to be "open", enabling the servers to communicate with far-flung networks of other types. It's that openness that makes UNIX-based systems easy to attack. Computer intruders regularly scour electronic bulletin boards, newsgroups and mailing lists, exchange electronic mail and pore over trade and hacker magazines to learn the vulnerabilities of computer systems. Most hackers break into a company using information they have gained during phone calls to unsuspecting employees. Adopting a policy that prohibits employees from giving out sensitive company information over the phone without approval will help.
Other tools often used by thieves include software programs known as "war dialers." These programs enable hackers to scan a particular telephone exchange for modem lines and then attempt to break in once they are connected to one of the lines. Simple defenses against outside attacks, such as passwords, often can be broken easily because employees choose common words or names as their passwords. Hackers also have an array of break-in tools, such as "cracker" programs, which guess passwords based on words and numbers, and "sniffer" programs, which are installed at a modem or at the gateway between a company's network and the Internet to record the passwords of people logging onto the network. As with employee crime, the best protections against attacks by outsiders are matters of common sense. Companies can buy a technological barricade called a firewall and position it between their internal networks and external ones, but hackers often can get in anyway because the firewall hardware and software are poorly configured or are not activated. One way to avoid these problems is to pay outside experts to carry out complex configuration and installation chores.

Michael Ruhr, CPP, is the General Manager of Western Security Inc., a contract security company based in Van Nuys, CA. He is an active member of ASIS and currently serves on the ASIS Standing Committee on Computer Security.
Day 1 2000: Smoking Guns of Y2K

The immediate impacts of the Y2K event have been discussed by the media many times over and I will not belabor the point further. What has not been talked about are the long-term impacts of the event, mainly technology and its impact on litigation. It's likely that some corporations may lose revenues because of Y2K issues such as possible shutdown of operations, loss of confidence and other business impacts. This has great potential to affect the financial statements and shareholder value that are so heavily focused on in today's equity markets. Many corporations in the state of California know the real cost and corporate implications of shareholder derivative lawsuits: legal costs, judicial oversight of business decisions, financial damages, and bad public relations with shareholders and the community. For the sake of this discussion, let's focus on the legal costs and judicial oversight. The United States Government has recently approved legislation which might provide some measure of protection but should not be considered a safe harbor against Y2K suits. The Year 2000 Readiness and Responsibility Act would allow corporations with 50 or more employees a grace period of 30 days to address a Y2K issue, with an additional 60 days given if the corporation agrees to fix the impacts of Y2K. The law would limit liability to $250,000 or three times the actual damages, whichever is greater. This could still amount to a sizable sum when considering stock valuation. For the context of this paper, we will consider the impacts from a loss of stock valuation because of Y2K, although Y2K suits will surround many different topics. Loss of stock valuation will likely occur if investors view that a corporation will have difficulty in delivering earnings because of Y2K problems. Larger investors hold mass quantities of stock and, if the stock drops just 10%, stand to lose a sizable portion of the capital in their portfolios.
Even with 30 or 90 days to fix the issue, is this enough time to design, implement and test a fix before putting it into production? Is this just delaying the inevitable? Minor problems should be able to be rectified in this time frame; however, major problems will likely require longer periods of time. At the conclusion of the 90-day period, many things may happen, including litigation. To get a good idea of some of the events that might happen after this time period, let's consider the possible actions used to determine the facts in question.

Litigation Period

The true cost of Y2K will not only be the money spent on fixing the issue but also on settling it. Under the loss-of-stock-valuation scenario, the plaintiffs could be lenders trying to collect repayment of loans, shareholders who have lost equity in a particular company's stock and other entities that suffered financial loss attributed to the company's stock. The Y2K issue is not the only type of litigation to which this would apply. Any other business situation where key potential pieces of information might be found in electronic format would be applicable. To support a plaintiff's claim, they will look for the smoking guns and dead skeletons that might be found in electronic format and might prove their case. These smoking guns could be revised or deleted documents such as budgets, emails asking for funding or approval to act, and other internal documents that would clarify the events of the corporation's Y2K remediation efforts. An example of a particularly troublesome document would be the submitted budget of the CIO asking for specific funding, only to later be given a budget of 50% of the amount asked for. The catalyst of these events will be to address what is seen as company management's failure to address a Y2K issue that it reasonably could have foreseen.
Business records such as internal documents like email take on a rather casual appearance, providing brutal honesty and straightforwardness from the author. Interactions between management and the IT staff can be potentially detrimental if taken out of context. Documents that request action or resources to remedy Y2K issues will be particularly scrutinized. Plaintiffs will love to make their case about the company's management group by saying, "You had a problem, your staff told you how to fix it, and you either said no or took no action." Their logic will be that the buck stops with management and that because of the decision management made, we have this problem. Second-guessing and taking things out of context will run rampant. The rationale and reasoning used by management to make the decision often will not be captured in this manner, because perhaps it was discussed in person or not discussed at all. A rebuttal witness explaining why the decision was made will be your alternative to the electronic document, often after the damage has been done by the out-of-context internal document. The process of uncovering electronic records is preceded by a discovery motion requesting a bit-by-bit copy of your electromagnetic media, i.e. hard drives. This process should make most businesses stop and take notice of their business records. The reality of what is captured by computers and made part of business records will surprise most individuals.

Reality

You might be asking yourself, how can anyone find these business records among all of the gigabytes of data? The answer is discovery and computer forensics. Computer forensic techniques are used to gather evidence found on electronic media like computers. Once the evidence is gathered, it is preserved and analyzed to determine the facts in question. Typically it can find deleted files and key information buried deep in a large document, and it is an excellent source for substantiating chronological time frames.
It will start with a discovery motion asking for a byte-by-byte physical copy of all of your records pertaining to your Y2K remediation efforts. Now this may sound like a simple task, but it is not. Nor is it inexpensive. Hardware, repository storage media and time can easily cost in the hundreds of thousands of dollars to produce and analyze the business records in question. After preserving one or more copies of the media, the analysis and recovery of records can begin. A computer forensic professional will locate data by using forensic tools to isolate particular files, words or dates about the issue. The Microsoft v. Department of Justice antitrust trial provides an excellent example of the electronic business records that forensics provides. Various officials at Microsoft had their emails presented to the court as evidence in this trial. The issue with this is that just reading the text does not accurately reflect the original message. When the reader of the document does not have the tone, inflection or body language of the author, they must draw conclusions. The judges, jury and arbitrators of the case will formulate conclusions based on how they perceive the information uncovered in electronic format. If a document is introduced in court and taken out of context, damage control can become difficult. By now, you should be very concerned. What can you do?

Prevention

Key decision makers and legal representatives need to assess the process of how business records are collected and take action to guard against inadvertent exposure. This should include the following:
Day X, 2000

Should you make the conscious business decision to wait until the threat is imminent and then address a discovery motion, you will need to scramble. The threat could mean you are served with a discovery motion for your electromagnetic media pertaining to Y2K remediation efforts. Before you comply with the request, understand what evidence is being turned over. Consult a professional who can obtain the evidence, conduct a due diligence analysis and identify potential issues you need to be aware of. Steps should be taken to reduce inadvertent disclosure. Being aware of what information the evidence holds will help keep the courtroom surprises to a minimum. Y2K preparedness plans should include the legal risks that a public corporation might deal with. The use of computer forensic technology can reveal information that was not thought to exist. Understanding computer forensics can also help you implement the proper risk management strategies to reduce your risks. Preserving shareholder value in the new millennium will require foresight, knowledge, and bold action to stay ahead of potential issues such as these.

K.J. Kuchta is PACSW Leader for Ernst & Young's Computer Forensics Services Group in Phoenix, AZ. He is an active member of the High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), Computer Security Institute (CSI), International Association of Financial Crime Investigators (IAFCI) and the American Society of Industrial Security (ASIS). He currently serves as the Vice Chair of the ASIS Standing Committee of Computer Security.
Discovering a New World: Electromagnetic Media

The convergence of technology on business has impacted the legal community and will produce interesting trends in the future of litigation. Most business records are created in electronic format first, before being found in printed format. If a record is found in printed form, it's because someone needed a printed copy. The amount of data being captured by businesses should cause the legal community to focus its discovery efforts on records in electronic format. Data can take on an immortal quality when compared to the spoken or handwritten word. When you get a letter created on a typewriter from a business associate or client, it's a pretty safe bet that a limited number of copies of the letter are shared only with the intended audience. This cannot be said for communications in electronic format. Data found in electronic format can and does exist even when the author believes it is deleted. At no time in the history of humankind have we collected more information. It's found on archive tapes, data repositories and databases. The reason for this immortal quality is found in how computers process, store and organize information. Information about the usage of the computer is often captured in files that are hidden from the user. This information might include document revisions, Internet site usage, and date and time logs. Deleted files live on because they are not really gone from the hard drive until they are covered up with new information. Additionally, business contingency plans often capture information in case of a data-loss scenario. This allows certain information to live on even if the author wants it deleted. For example, let's say that I sent you an email and you did not read it until tomorrow, but tonight a backup tape is made. You read the email and delete it tomorrow, but the email would still be available on the backup tape for as long as the backup tape is maintained.
Repositories of information are often collected without the consent of the user. The mechanism for collecting this information is called "cookies". Website usage reports give marketers the knowledge of how many times you visit their website, what you are interested in, etc. The current marketing offer of giving away a free PC comes with a string attached: it tracks your activity to provide details on how to sell products to you and others like you. The information mentioned above can be used for good or bad purposes. Computer forensics professionals capitalize on this information for legitimate business purposes. Their techniques can be used to gather important evidence about a hacking incident or fraud, or just to obtain electronic information on pertinent business issues. For the sake of this discussion, let's focus on the uses of computer forensics in the legal arena.

Yesterday

Traditionally, business records and other important information were found in file cabinets on paper. Today, some information is found on paper, but most likely it was created as a file on a computer and printed in its present format on paper. Then it was placed in the file cabinet. A lot of information, such as email, does not exist in paper format unless printed. Huge file cabinets storing information were commonplace but are being replaced by small servers that now act as the file cabinets of the future. The challenges of traditional discovery motions that ask for printed copies of all relevant electronic information are substantial, and the following points should be considered:
New World's Changing Landscape

Electronic data that is pertinent to the business matters under review by the legal system will be found in a number of places. These areas should receive consideration when crafting a discovery motion because of the potential information found in them. The list below is an example of files and applications that you might want to consider:
Swap files contain data used during normal operations that generally was not saved by the user. It can be pictures or files that were downloaded from the Internet. Slack space areas on a hard drive are created when the previous files assigned to that space have not been completely written over. Information that is not written over is recoverable. You should also consider the following areas as potential repositories of data that you might be interested in:
All of the areas listed above are excellent places to start; however, gaining intimate knowledge of a business's Information Technology (IT) capabilities provides a better picture to aid the discovery effort. Valuable data can be found in a lot of different places. Through the use of interrogatories, these locations can be identified.

Choices: Paper or Electronic?

By now it's become obvious that using discovery to find electromagnetic media provides a lot of benefits. Having better information is not the only benefit. Getting the data you need gives you a tremendous opportunity to be better organized, more effective and more efficient. Using technology and the data, you can export the data into a spreadsheet, conduct an extensive search for just about any characteristic or file, and have the information and documents at your fingertips.

Making it happen

How does this process work? First, the methodologies and tools must be tested to ensure reliable results. The computer forensic professional must then preserve the electronic data. This is done through a number of means; what in effect happens is that you protect the data so that it cannot be modified. A copy or image of the data can be successfully made after it has been protected. A physical copy of the evidence is made so as to capture all of the data present. This includes the cookies and data remnants mentioned earlier. The actual evidence is never analyzed or used unless we are sure that spoliation will not occur. If the forensic professional does not take steps to preserve the data, spoliation will occur. An example would be the simple act of turning a PC on. When an operating system starts, it begins to modify dates and times of files on the hard drive without any keyboard input. Most forensic examiners prefer not to work on the original evidence but on an exact image of the evidence. Sometimes the evidence is on a server that is so crucial that the server cannot be removed or shut down.
In this case an image of the data or the hard drive will become your best evidence. If your information is on a company's high-end server and a new server would cost anywhere from $100,000 to $200,000, it is cost-prohibitive to take it out of production. Removing the server might also have severe consequences for the organization if it cannot find a replacement in a reasonable amount of time. The first step of the forensic analysis is to take an inventory of the files present. This would include data remnants, cookies and other data not in a traditional format. Documents that are of particular interest are then identified. The computer forensic examiner should understand the issues in question and help the attorney select potential targets or areas of interest. A search can be conducted for key words, particular files, specific dates or any other attribute. Once specific information has been identified, it can be printed out or copied to some form of media that can be write-protected, in a database format. The information is now at your fingertips. In the case where you are being compelled to provide data pursuant to a discovery motion, you can review content for privileged information and redact it. The most important point is that the data can be exported into a format that you can work with, such as Excel, Access, etc. With the data in your hand you can go forward with your case. If directed, the computer forensic professional would then be prepared to provide expert witness testimony about their findings. The process, methodology and findings need to be communicated at a level the case decision makers can understand. It is important that your expert be able to take the complex and technical findings and put them into simple terms that are understood by a lay person. Your expert needs to have the technical know-how as well as business insight and good communication skills to be an effective witness.
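The slack-space and deleted-file behaviour described earlier, and the image-then-analyze workflow described above, as an added worked example in Python that is not from the article: a constructed toy block device with a bitmap allocator, SHA-256 preservation hashes taken before and after analysis, and a keyword search that reaches unallocated space and file slack. The block size, file names and contents are assumptions chosen for the demonstration.

```python
"""Toy model of why deleted data and file slack survive on disk, plus the
preservation step (hash the image before and after analysis) that guards
against spoliation. Constructed example; the block layout, sizes and
contents are assumptions, not a real filesystem."""
import hashlib
import re

BLOCK = 16     # bytes per allocation unit (assumed; real clusters are 512 B to 4 KiB)
NBLOCKS = 16   # tiny disk: 256 bytes in total


class ToyDisk:
    """Block device with an allocation bitmap. Deleting a file only clears
    bitmap entries; the block contents are left exactly as they were."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)
        self.used = [False] * NBLOCKS
        self.files = {}           # name -> (first_block, block_count, byte_size)

    def write(self, name, data):
        need = (len(data) + BLOCK - 1) // BLOCK
        for start in range(NBLOCKS - need + 1):      # first-fit allocation
            if not any(self.used[start:start + need]):
                break
        else:
            raise OSError("toy disk full")
        for i in range(need):
            self.used[start + i] = True
        off = start * BLOCK
        # Only len(data) bytes are rewritten; the tail of the last block keeps
        # whatever the previous occupant left there. That tail is file slack.
        self.raw[off:off + len(data)] = data
        self.files[name] = (start, need, len(data))

    def delete(self, name):
        start, count, _ = self.files.pop(name)
        for i in range(count):
            self.used[start + i] = False             # data is NOT wiped

    def image(self):
        """Bit-for-bit copy of the whole device, not just the live files."""
        return bytes(self.raw)


def image_hash(img):
    return hashlib.sha256(img).hexdigest()


def unallocated_space(disk):
    """Concatenate blocks the bitmap marks free; deleted content lives here."""
    return b"".join(bytes(disk.raw[i * BLOCK:(i + 1) * BLOCK])
                    for i in range(NBLOCKS) if not disk.used[i])


def file_slack(disk):
    """Bytes between the end of each live file and the end of its last block."""
    out = {}
    for name, (start, count, size) in disk.files.items():
        end = start * BLOCK + size
        out[name] = bytes(disk.raw[end:(start + count) * BLOCK])
    return out


def keyword_offsets(img, keyword):
    """Offsets of a byte-string keyword anywhere in the image, live or not."""
    return [m.start() for m in re.finditer(re.escape(keyword), img)]


def investigate():
    """Walk the scenario from the article: a budget request is deleted and
    partly overwritten, the disk is imaged, and analysis runs on the image."""
    disk = ToyDisk()
    disk.write("budget.txt", b"Y2K budget request: $400,000 for remediation")
    disk.delete("budget.txt")                       # author believes it is gone
    disk.write("memo.txt", b"Approved: $200,000")   # shorter file reuses blocks 0-1

    img = disk.image()
    preserved = image_hash(img)                     # recorded before any analysis

    findings = {
        "slack_of_memo": file_slack(disk)["memo.txt"],
        "carved_from_unallocated": unallocated_space(disk).split(b"\0")[0],
        "hits_for_400k": keyword_offsets(img, b"$400,000"),
    }

    # Analysis touched only the copy: the image still hashes the same.
    findings["image_unchanged"] = image_hash(img) == preserved

    # Powering on the original box is spoliation: the OS writes on its own
    # (modelled here as a boot log), so a fresh image no longer matches.
    disk.write("boot.log", b"booted 2000-01-01 00:00")
    findings["original_still_matches"] = image_hash(disk.image()) == preserved
    return findings


if __name__ == "__main__":
    for key, value in investigate().items():
        print(f"{key}: {value!r}")
```

The slack of the live memo still reads ": $400,000 for" and the freed block still holds " remediation", which is why a keyword search over the whole image, not just the live files, is the step that matters.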
Conclusion

The world of technology is changing at a fast pace, making discovery of electromagnetic media necessary. Getting the jump on opposing counsel with these techniques will pay big dividends to you and your clients. The use of computer forensics in certain cases will provide you with a better picture of the information about the case. It will also help you organize and gain easier access to the information you need at your fingertips. Technology should be used to get ahead, not to restrict. What are you waiting for?

K.J. Kuchta is PACSW Leader for Ernst & Young's Computer Forensics Services Group in Phoenix, AZ. He is an active member of the High Technology Crime Investigation Association (HTCIA), Association of Certified Fraud Examiners (ACFE), Computer Security Institute (CSI), International Association of Financial Crime Investigators (IAFCI) and the American Society of Industrial Security (ASIS). He currently serves as the Vice Chair of the ASIS Standing Committee of Computer Security.
Risk Management and Security

Our society depends on fast, accurate transmission of information. Everything from e-mail, stock quotes, credit ratings, bank balances and travel arrangements, even the weather, is transacted by computer systems. Just ten years ago, most employees worked with dumb terminals which performed a prescribed set of functions. These terminals have migrated into personal computers on every desk, most linked to the Internet. Even prisoners are requesting modem access to conduct their in-prison enterprises. The availability of all this information and the ease of intercepting it has created an environment where hackers are glorified as harmless "whiz kids", even though the damage they do to a computer system may take weeks to undo. More serious incidents include the ten million dollars taken electronically from a major bank's cash management system. Another problem in this new information society is the lessening of employees' loyalty to their organizations. Private companies have right-sized and downsized and tried to trim overhead to keep profit margins high. Both federal and state governments have also been pushed to reduce their budgets and do more work with fewer employees. The old days of having a job for life, where the company looked out for you and protected you, are over. The resulting lowering of morale contributes to a risky business environment, where the goals of the individual may no longer match the goals of the organization where they work. Risk management has reached a new level of importance in the information age. The growth of networked information systems and distributed computing has created a potentially dangerous environment. Trade secrets, proprietary information, troop movements, sensitive medical records and financial transactions: critically important data flows through these systems.
Independent reports, such as the recently published FBI/CSI Computer Crime Survey, detail the losses which have been sustained by information systems. More than one hundred and thirty-six million dollars in losses were reported in this single report. With losses of this magnitude, organizations are becoming increasingly concerned with their potential exposure and are looking for ways to evaluate their organization's security profile.

THE CORPORATE CULTURE IN A GLOBAL ECONOMY

In a global economy, success for organizations will be driven by their ability to innovate, to become truly global in their reach, and by their use of technology. This use of technology, primarily the use of computer systems and Internet technology, requires exceptional security. In a recent class of information security professionals, the students were asked how many felt secure using a credit card for an on-line purchase. The response was telling: only 25% of the students raised their hands. For a company to be able to send and receive proprietary data on-line, to use electronic commerce to receive money and deliver orders, whether over an Internet connection or through a world-wide company Intranet, excellent security will be an absolute requirement. Security organizations within companies, to be effective, will have to be data-driven, technology-based and decentralized. Security, which has often been administered as more of an art than a science, will have to be quantified and measured. The measurement tools of a security program are the risk assessment and, especially, the Return on Investment numbers. In order for security management personnel to be able to keep up with a world-wide organization, they will have to use common processes and standardized procedures.

HOW MUCH IS TOO MUCH? -- THE INSIDER

In a data-driven company, the insider (employee) has access to a wide variety of information, and often few controls exist to control the employee.
In the past five years, tools such as intrusion detection monitors, virus detection software, firewalls, and other combinations of hardware, software and firmware have been used to control the attacks that may come from the outside. Unfortunately, the controls, monitoring and policies related to how insiders access systems have not been as comprehensive. As a result, there are numerous reports of employees doing everything from selling government secrets to foreign governments, to using company secrets for their own financial gain, to browsing an ex-spouse's medical records or tax returns. In assessing the value of proprietary company information, consider the Brown and Williamson employee, Dr. Jeffrey S. Wigand, who took company information not for personal gain, but to disclose questionable marketing practices in the tobacco industry. What was the ultimate cost of this insider, not just to Brown and Williamson, but to the entire tobacco industry? Here's what the Feb. 6, 1996 episode of 60 MINUTES had to say: "Tonight, Jeffrey Wigand, the scientist whose insistence on defying his former employer has led him to tell what he believes to be the truth about cigarettes. What is it that he believes to be the truth about cigarettes? And what is it that Brown & Williamson believes to be the truth about him? ... A story we set out to report six months ago has now turned into two stories: how cigarettes can destroy people's lives and how one cigarette company is trying to destroy the reputation of a man who refused to keep quiet about what he says he learned when he worked for them. The company is Brown & Williamson, America's third largest tobacco company. The man they set out to destroy is Dr. Jeffrey Wigand, their former three-hundred-thousand-dollar-a-year director of research. They employed prestigious law firms to sue him, a high-powered investigation firm to probe every nook and cranny of his life.
And they hired a big-time public relations consultant to help them plant damaging stories about him in the Washington Post, the Wall Street Journal, and others. What Dr. Wigand told us in that original interview was that his former colleagues, executives of Brown & Williamson Tobacco, knew all along that their tobacco products, their cigarettes and pipe tobacco, contained additives that increased the danger of disease. And further, that they had long known that the nicotine in tobacco is an addictive drug, despite their public statements to the contrary, like the testimony before Congress of Dr. Wigand's former boss, B&W's Chief Executive Officer Thomas Sandefur." Such is the power of the insider.

THE LINK BETWEEN PHYSICAL AND INFORMATION SECURITY MANAGEMENT

Only five years ago, the security functions in an organization were split between two different individuals. One was the information security officer, usually residing up on the 7th floor, near the MIS Department. The other was the physical security officer, usually relegated to a back office, where he spent his day checking in guards and investigating petty theft. All that has changed. In fact, one of the challenges to organizations is how to integrate these two functions, which are now almost completely interdependent. The information security officer has to be sure that the organization's critical information systems are located in a secure environment because, as in the GAO report cited below, all the firewalls in the world don't help if an outsider can walk in and sit down at a network server. Also, physical security controls are becoming more electronic and computerized. Everything from automated fire detection and entry controls to the continued problem of laptop theft is turning the physical security officer into a high-tech professional.
RESULTS OF THE FBI/CSI 1998 COMPUTER CRIME SURVEY

The "1998 Computer Crime and Security Survey" is conducted by CSI with the participation of the Federal Bureau of Investigation (FBI) International Computer Crime Squad's San Francisco office. The survey was conducted to provide statistical data on the state of computer crime and computer security, to quantify information losses, and to further cooperation between law enforcement and organizations in reporting computer crimes. Based on responses from 520 security practitioners in U.S. corporations, government agencies, financial institutions and universities, the findings of the "1998 Computer Crime and Security Survey" indicate that computer crime and other information security breaches are still on the rise and that the cost to U.S. corporations and government agencies is increasing. Two hundred and forty-one of these organizations, which were able to quantify their losses, reported losses of over $136 million. This figure represents a 36% increase in reported losses over the 1997 figure of $100,115,555. The survey also reported that 64% of respondents said they experienced computer security breaches within the last twelve months. The problem of employees, "insiders", was underscored in several parts of the survey. For example, 44% reported unauthorized access by employees, and the most serious financial losses occurred through unauthorized access by insiders (18 respondents reported a total of $50,565,000 in losses), theft of proprietary information (20 respondents reported a total of $33,545,000 in losses), telecommunications fraud (32 respondents reported a total of $17,256,000 in losses) and financial fraud (29 respondents reported a total of $11,239,000 in losses). The number of organizations that cited their Internet connection as a frequent point of attack rose from 47% in 1997 to 54% in 1998. This represents a 17% increase over the initial 1996 figure of 37%.
And significantly, the number of respondents citing their Internet connection as a frequent point of attack is now equal to the number citing internal systems as a frequent point of attack. (In the past, internal systems had been considered the greater problem. It is not that the threat from inside the perimeter has diminished; it is simply that the threat from outside, via Internet connections, has increased.) This trend was reinforced by another piece of data. Of those who acknowledged unauthorized use, 74% reported from one to five incidents originating outside the organization, and 70% reported from one to five incidents originating inside the organization. Patrice Rapalus, Director of the Computer Security Institute, underscored the importance of the findings: "While companies may think that they are spending the requisite amount on information security, the dramatic increase in quantified dollar losses indicates otherwise. In addition to hardware and software (for example, firewalls), organizations must ensure that training and staffing levels are adequate and that end users are made aware of the seriousness of the situation." Robert Walsh, Special Agent in Charge of the FBI's San Francisco office, agreed that the dollar losses reflected in this year's survey are a matter of grave concern. "But what is of equal concern is the seeming reluctance of organizations, for the third year in a row, to report computer intrusions to law enforcement. It is understandable that negative publicity is cited as the principal reason for this; however, the FBI has successfully investigated, and resolved, many cases in which computer crimes are alleged with either minimal or no public exposure to the victim company."
THE GENERAL ACCOUNTING OFFICE REPORTS TO CONGRESS

In May of 1996, the General Accounting Office (GAO), the audit branch of the Federal government, released a report to Congress with the intriguing title "Computer Attacks at Department of Defense Pose Increasing Risks" (GAO/AIMD-96-84, Defense Information Security). Using statistics from the Defense Information Systems Agency, as well as results of their own investigations, the report detailed more than 160,000 successful attacks against Department of Defense (DOD) computer systems. The report stated, "since the level of protection varies from installation-to-installation, the need for corrective measures should be assessed on a case-by-case basis by comparing the value and sensitivity of information with the cost of protecting it and by considering the entire infrastructure". In summarizing its results, the GAO report recommended more stringent security policies and that the Department of Defense mandate risk assessments. In addition, the report recommended that the Defense Department mandate that: all security incidents be reported; that risk assessments be performed routinely to determine vulnerability to attacks; that vulnerabilities and deficiencies be corrected expeditiously, as they are identified; and that the damage from intrusions be expeditiously assessed to ensure data/system integrity. In May of 1998, the GAO released a report detailing the security problems it discovered at the Department of State, both information-related and physical. The report, numbered GAO/T-AIMD-98-170, stated, "We also obtained access to State's networks by breaching physical security at one facility, and finding user account information and active terminal sessions in unattended areas. For example, in several instances, we were able to enter a State facility without required identification....we found unattended personal computers logged onto a local area network...
we found user identification and password taped to one of the computers. ...we were able to access the local area network server and obtain supervisor-level access to a workstation." In further explaining the basis of the problem, the GAO report stated, "The primary reason why our penetration tests were successful is that State, like many federal agencies, lacks the basic building blocks necessary to effectively manage information security risks....State did not routinely perform risk assessments so that its sensitive information could be protected based on its sensitivity and criticality to mission-related operations". This is a deficiency that could also be applied to many other government agencies and most private companies as well.

THE PRESIDENT'S COMMISSION ON CRITICAL INFRASTRUCTURE PROTECTION

In mid-1996, the Clinton White House announced an Executive Order (Executive Order 13013) establishing the President's Commission on Critical Infrastructure Protection (PCCIP). Modeled after the NSTAC (a coalition of communications companies and the federal government), the PCCIP's mission was to "assess the scope and nature of the vulnerabilities of, and threat to, critical infrastructures; ........and recommend a comprehensive national policy and implementation strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operations......." The Gulf War had heightened awareness of how many 'private' resources were used in fighting the Persian Gulf War. Commercial long distance lines and even cell phones formed a piece of the U.S. war effort. Yet these resources were not under the direct control of the Department of Defense, or even the Federal government. The PCCIP identified eight critical infrastructures:

1. Telecommunications
2. Electrical Power Systems
3. Gas and Oil Storage and Transportation
4. Banking and Finance
5. Transportation
6. Water Supply Systems
7. Emergency Services (medical, fire, police, rescue)
8. Continuity of Government

Representatives from the highest levels of both government and large private companies made up the PCCIP. In addition, the structure of the PCCIP included a task force (the Interim Coordinating Mission) "to provide/coordinate guidance to detect, prevent, halt or confine an attack and to recover and restore service"; to issue threat and warning notices in the event advance information is obtained about a threat; and to provide training and education on methods of reducing vulnerabilities, and conduct after-action analysis. The President's Commission on Critical Infrastructure Protection's report was released in the fall of 1997. The report recommended vulnerability assessment as one of the most effective safeguards for government AND private information systems. The report noted that, "Government leaders are insufficiently aware of the vulnerabilities...". It goes on to recommend a broad program of awareness and education, a major effort directed toward encouraging information sharing, as well as an increased emphasis on vulnerability assessments and quantitative risk management processes. Presidential Decision Directives (PDDs) 62 and 63 were issued in May of 1998. PDD 62 unified the government effort to deter terrorism by organizing efforts under one organization. PDD 63 gives direction on how to better protect critical infrastructures and has generated a massive vulnerability assessment effort by the government to substantially increase the security of federal agencies by the Year 2000.

ELEMENTS OF RISK ASSESSMENT

The formal, quantitative risk assessment is the foundation and starting point of a good risk management program. Risk assessment is a method of determining what kinds of controls are needed to protect an organization's information systems and other assets and resources not just adequately, but cost-effectively.
The risk assessment process analyzes a set of five variables and comes up with recommended actions based on the relationships of these variables to each other. First, what are you trying to protect, how much is it worth, and how much depends on it? Second, what could potentially threaten the asset? Third, what weakness exists that would allow the threat to materialize? Fourth, if the threat occurs, what kind of loss could you have? And fifth, what controls could you put into place that would reduce the loss if a threat occurred, or eliminate the threat altogether? The five variables are:

1. ASSETS - whatever you're trying to protect. Assets can include databases, information, personnel, facilities, applications, computer hardware and software, and communications systems.
2. THREATS - events which could occur and can never be completely eliminated, although you can reduce the likelihood of occurrence or mitigate the impact. Even stringent security cannot eliminate every threat. Threats include events such as hurricanes, earthquakes, viruses, hackers, data destruction, data modification, theft of data, theft of company property, fire, false alarms, bomb threats, sabotage, fraud, or embezzlement.
3. VULNERABILITIES - weaknesses in the organization that create a condition allowing a threat to materialize and trigger a loss.
4. LOSSES - loss categories include direct loss, disclosure losses, loss of data integrity, losses due to data modification, losses due to delays and denials of service, loss of reputation and, for physical security reviews, loss of life.
5. SAFEGUARDS - security controls which, when put in place, can eliminate, reduce or mitigate the impact of a threat occurrence.
RISK ASSESSMENT METHODOLOGY

The risk assessment process includes gathering information about the assets of the organization, including all information assets such as networks, data centers, computers, hardware, software and data/information, as well as physical assets such as the personnel who staff the organization, the network users, the physical facility and dozens of other organizational resources. In addition, the risk assessment process includes finding sources of comprehensive threat data, which may be data gathered from internal sources such as incident reports and intrusion detection software, as well as threat data such as crime statistics, industry standards and benchmarking data, and historical data about what has happened in the organization previously. Vulnerability assessment is a key component of the risk assessment. Vulnerability data can come from two sources, and a combination of both is recommended. The first source is a survey to find the weaknesses in the organization, asking the organization's personnel a controlled set of questions that validate compliance with the organization's standards. The second source is technical vulnerability scanning reports, which give very micro-level details about the weaknesses in the configuration of a network and are produced by commercial products such as ISS and NetSonar from Cisco. Vulnerability data is then matched against asset and threat data to see what combination of asset, threat and vulnerability could trigger a loss, and safeguards are then chosen that might reduce or eliminate the potential loss.

STEPS IN A RISK ASSESSMENT

There are seven basic steps in a risk assessment:

1. Set parameters for risk analysis
2. Define the system's assets
3. Determine relevant threat profiles
4. Survey all system users to discover vulnerabilities
5. Analyze all data
6. Write the report

THE VULNERABILITY ASSESSMENT

Risk assessment is composed of two parts, the vulnerability assessment and the countermeasure (safeguard) assessment.
The vulnerability assessment looks at an existing system or facility and evaluates its existing security, including how personnel are complying with existing policies and guidelines. The result of the vulnerability assessment is a detailed road map of all the existing weaknesses in the present system, including information on how widespread each problem is and which individuals identified the weakness (vulnerability). Surveying people who use the systems under review is a critical part of the vulnerability assessment. While paper surveys are laborious and difficult to aggregate, automated questionnaires now exist which allow risk analysts to interview users electronically. Survey questions start with a Control Standard which outlines the official policy of the organization. Questions should be set up to validate compliance against published policies, guidelines and directives. There is little point in asking questions unrelated to requirements, because the organization would find it difficult to enforce compliance with something that is not a requirement. The risk analysis manager is the analyst in charge. However, there may be other individuals in the organization who can make major contributions. According to the audit guidelines for risk assessment, the more people you interview, the more likely you are to find a vulnerability. Individuals should not be asked to answer more than 50-100 questions, each directly related to their job. For example, a network user might answer questions related to whether they use their passwords, whether they log off their terminals when they leave their station, or whether they have attended basic data security training. A database administrator will answer a few general questions, but also more specific questions related to their job.

SURVEY QUESTIONS

Asking good questions is the very heart of the risk assessment and also forms the core of the vulnerability assessment.
Questions should always be compliance-based and directly linked to a control standard or control objective. If you ask questions that are not linked to standards and discover major problems, there will be no path to force compliance. Limiting the number of questions to ask is one of the most difficult aspects of the analysis. Employees may be nervous when they are asked to answer questions related to how they perform their jobs. It is important to make sure that these individuals understand that the risk assessment is a scientific process, that any data gathered in the risk assessment will be seen by only one individual (the risk analysis manager), and that their comments will not be reviewed by their supervisor, nor will they end up in their personnel file. Random surveys are often used to predict election results, from local precincts in a particular city to federal elections, where the network news teams are able to predict the final results from a profile of only a few key states. In these examples, random samples are usually less than 1%. In a risk assessment, a random sample is not desirable. Instead, the objective should be to question as many people as possible. The more individuals you question, the better the chances that you will discover a vulnerability. It is unrealistic to think that people will answer more than fifty to one hundred questions. To avoid individuals having to answer questions that do not relate to their area, questions in a risk assessment are divided into job categories, or what are called 'functional areas'. Functional areas are pieces of a job. Once questions are divided into these categories, Michael Smith, for example, may answer 20 questions for network users, 20 questions for personnel management (which is his area), and 15 general organization questions.
More specialized personnel, such as facilities managers, the physical security officer, or a database administrator, will answer questions that relate only to his/her particular area. Questions start as control standards. The standard might be: "Passwords should be changed every month". You might cite a reference representing where this standard originated, for example, "Telecom Security Directive 3, p. 4, paragraph 5". The question statement asks the user how well they comply with this standard on a percentage scale from 0 to 100. An answer of zero means the user never complies with the standard; an answer of 100 means the user complies with the standard one hundred percent of the time; and the user is encouraged to answer with any percentage in between. In addition, users should be allowed two additional options in answering. The first is the opportunity to answer "not applicable", if the question doesn't apply to them; the second is to answer "I don't know", if they don't know the answer. This question process also serves as a training exercise and a security awareness process.

THE TECHNICAL VULNERABILITY ASSESSMENT

Technical vulnerability assessments use scanning tools to survey the actual network and report the technical weaknesses that are discovered. Products such as NetSonar by Cisco use both passive analysis and active probing methods to identify security vulnerabilities, which can make vulnerability identification more efficient and reduce false positive results. These technical assessments can differentiate between infrastructure devices (such as routers, switches, and firewalls) and host devices (user workstations, or servers such as e-mail servers and Web servers). Technical vulnerability tools can find vulnerabilities in TCP/IP network hosts, UNIX hosts, Windows NT hosts, web servers, mail servers, FTP servers, firewalls, routers and switches.
VULNERABILITY ASSESSMENT RESULTS

At a very high level, the vulnerability assessment will analyze and summarize the results for all the weaknesses discovered in the systems under review, as illustrated in the chart below. Vulnerabilities which are commonly discovered in risk assessments include:

- 50% of network users don't memorize passwords
- Users don't always log off terminals
- Servers aren't located in a secured area
- Supervisors loan passwords to employees
- No clear separation of duties
- Uncompiled source code can reside on the system
- The disaster recovery plan has not been completed/updated

ENROLLING THE ORGANIZATION IN RISK MANAGEMENT

Risk assessment is a management process and, by its nature, should involve the whole organization. Because the vulnerability discovery process will include questioning many different parts of the organization, it is vitally important to the eventual acceptance of the risk assessment findings that different departments be involved in the initial setting up of the analysis. Mid-level managers may feel threatened that another group is asking questions of 'their' employees. They may worry that the findings could reflect negatively on their performance as supervisors. In addition, if the survey questions are not approved by the various supervisors and department heads prior to their use, the results they generate might be discounted and not taken seriously. For these reasons, it is important to set up a risk analysis team within the organization. The team members will include representatives from each department included in the analysis process. Team members will review questions, identify the correct standards for their areas, assist the risk analyst in arriving at current asset replacement values, and serve as administrative support for the surveys in their respective areas of responsibility.
THE COST BENEFIT ANALYSIS - ESTABLISHING ROI

The cost benefit analysis combines information from the vulnerability assessment with relevant threat data and asset information such as present-day replacement values and the criticality, integrity and availability of the information contained in the system under review, as well as how completely safeguards are currently being implemented. In reviewing the existing security controls, it is important to indicate percentages of current implementation. For example, maybe the visitor badging policy is only 70% implemented, meaning that it is implemented on weekdays but not on weekends. In actual risk assessments, completing implementation of an existing control to 100% is often the most cost-effective solution. The result of the cost benefit analysis will be a return on investment (ROI) ratio, balancing the value of the information against the cost of controls to protect it. By establishing return on investment data, managers and directors can make more informed decisions regarding which controls to implement, based not strictly on initial cost, but also on the current threat exposure of the organization. The accountability which is a built-in component of risk assessment is increasingly attractive to top-level management, both in the federal sector and in private industry, where board members and shareholders want quantitative numbers to use in assessing the security level of an organization and making the resultant management recommendations. A typical Cost Benefit Analysis graph is shown below:

AUTOMATING THE RISK MANAGEMENT PROCESS

The new emphasis on the need for risk management is causing a renewed interest in automated risk analysis software tools, which can reduce the time involved in a large risk assessment project by more than sixty percent.
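The survey scoring described under SURVEY QUESTIONS and the cost benefit/ROI calculation above, worked through together as an added Python example (this is not the article's or RiskWatch's code). The loss formula (asset value x exposure x annual rate x unmitigated fraction), the control IDs, and all sample answers and dollar figures are assumptions constructed for the example; the article names the five variables but gives no formula.

```python
"""Toy quantitative risk assessment in the article's terms: survey answers
(0-100 compliance, "N/A", "I don't know") aggregated per control standard,
combined with asset and threat data into an annual loss figure, then compared
with safeguard cost to give an ROI ratio. Formula and figures are assumed."""
from dataclasses import dataclass, replace
from typing import Dict, List, Union

Answer = Union[int, str]  # 0-100 percent, "N/A", or "I don't know"

@dataclass
class ControlStandard:
    cid: str
    text: str             # the standard the survey question is built from
    mitigates: List[str]  # names of the threats this control reduces

@dataclass
class Asset:
    name: str
    value: float          # present-day replacement value, dollars

@dataclass
class Threat:
    name: str
    annual_rate: float    # expected occurrences per year with no controls
    exposure: float       # fraction of asset value lost per occurrence

@dataclass
class SurveyResult:
    compliance: float     # mean percentage over the numeric answers
    not_applicable: int
    dont_know: int        # counted separately: each one is an awareness gap

def aggregate_survey(answers: List[Answer]) -> SurveyResult:
    """Collapse one standard's answers into a compliance percentage. "N/A" is
    excluded; "I don't know" is excluded from the mean but counted."""
    numeric = [a for a in answers if isinstance(a, int)]
    if any(not 0 <= a <= 100 for a in numeric):
        raise ValueError("compliance answers must lie between 0 and 100")
    compliance = sum(numeric) / len(numeric) if numeric else 0.0
    return SurveyResult(compliance, answers.count("N/A"),
                        answers.count("I don't know"))

def unmitigated(threat: Threat, controls: List[ControlStandard],
                results: Dict[str, SurveyResult]) -> float:
    """Fraction of the threat left uncovered: mean non-compliance of the
    controls addressing it. A threat with no control is fully exposed."""
    gaps = [1 - results[c.cid].compliance / 100
            for c in controls if threat.name in c.mitigates]
    return sum(gaps) / len(gaps) if gaps else 1.0

def annual_loss(asset: Asset, threats: List[Threat],
                controls: List[ControlStandard],
                results: Dict[str, SurveyResult]) -> float:
    """Expected yearly loss on one asset over all threats (assumed formula)."""
    return sum(asset.value * t.exposure * t.annual_rate
               * unmitigated(t, controls, results) for t in threats)

def roi_of_completing(cid: str, yearly_cost: float, asset: Asset,
                      threats: List[Threat], controls: List[ControlStandard],
                      results: Dict[str, SurveyResult]) -> float:
    """ROI of raising one existing control to 100%: yearly loss avoided / cost."""
    before = annual_loss(asset, threats, controls, results)
    improved = dict(results)
    improved[cid] = replace(results[cid], compliance=100.0)
    after = annual_loss(asset, threats, controls, improved)
    return (before - after) / yearly_cost

# Constructed sample data for this example (not survey data from the article).
CONTROLS = [
    ControlStandard("PW-1", "Passwords should be changed every month",
                    ["unauthorized insider access"]),
    ControlStandard("LOG-1", "Users log off terminals when leaving their station",
                    ["unauthorized insider access"]),
    ControlStandard("BADGE-1", "All visitors are badged and escorted",
                    ["theft of company property"]),
]
SURVEY = {  # one list of answers per control, one entry per user surveyed
    "PW-1": [100, 50, 0, "I don't know", 70, "N/A"],
    "LOG-1": [80, 60, 100, 20],
    "BADGE-1": [70, 70],  # badging done on weekdays but not weekends
}
SERVER = Asset("LAN server", 250_000)
THREATS = [
    Threat("unauthorized insider access", annual_rate=2.0, exposure=0.10),
    Threat("theft of company property", annual_rate=0.5, exposure=0.20),
]

def run_assessment() -> Dict[str, float]:
    """Current annual loss, then ROI of completing two existing controls."""
    results = {cid: aggregate_survey(a) for cid, a in SURVEY.items()}
    args = (SERVER, THREATS, CONTROLS, results)
    return {
        "annual_loss": annual_loss(*args),
        "roi_badge_to_100": roi_of_completing("BADGE-1", 5_000, *args),
        "roi_password_to_100": roi_of_completing("PW-1", 10_000, *args),
    }

if __name__ == "__main__":
    for name, figure in run_assessment().items():
        print(f"{name}: {figure:,.2f}")
```

With these figures, completing the partly implemented badging control returns more per dollar (ROI 1.5) than completing the password control (ROI 1.125), which is the point the article makes about finishing existing controls first.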
A risk assessment of a major computer network, including the personnel, the facilities, any remote sites and 1000 users tied to a mainframe, may take from six months to one year to analyze using a manual method. Using an automated software program can cut the time from 6 months to 6 weeks. The risk analysis manager will spend most of his time on this analysis, enlisting help from other departments: facilities managers (to provide some threat data), accounting (to help establish asset values), and all the departments which will be included in the review. In risk management of facilities and sites, additional considerations include the technical competence of the manager conducting the analysis. For large, multinational security companies, expertise in conducting risk management activities may vary from someone with 2 years' experience to a security professional with over thirty years' experience. Obviously, the difference in experience will make a big difference in the analysis results, unless an automated tool is used which can create a standard set of questions and standardize the asset and threat data. Standardized data will allow large, distributed companies to establish a baseline over many sites and normalize the experience differences between many analysts.

RISK MANAGEMENT -- A CRITICAL MANAGEMENT TOOL

A high-level risk assessment is, in itself, the most cost-effective safeguard available. It is a way of looking at a large organization in a consistent and quantifiable manner, with defensible results. It also provides a way of benchmarking the effectiveness of security across an organization, and it will identify the weak areas so those can be revisited with a more intensive analysis at a later date. Corporate security policies and government regulations are being constantly re-written to address the increasingly networked environment and a less loyal work force.
Under these fast-changing conditions, risk management is becoming an increasingly important tool in corporate management strategies.

ABOUT THE AUTHOR: Caroline R. Hamilton is President of RiskWatch, Inc., a company specializing in security and risk management software. She was a charter member of the National Institute of Standards and Technology's Risk Management Model Builders Workshop from 1988 to 1995. From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model (DIWRM2) under the auspices of the Office of the Secretary of Defense. She is a member of the American Society for Industrial Security's Standing Committee on Computer Security, and is working with the U.S. Coast Guard and the Maritime Security Council to create technical guidelines for risk assessment of ports. Based in Davidsonville, Maryland, she has written for the Computer Security Journal, the CSI Alert, Defense Electronics, InfoSecurity News, Access Control, Today's Facilities Manager and many other publications.
Sample Internet Use Policy

POLICY: Company Name provides Internet services and access to its employees, staff, volunteers, contractors, contracted employees, affiliates and alliance partners (collectively, "users"). The use of Internet services and access to the Internet is intended for the purpose of advancing Company Name's business and healthcare activities. The use of Internet services and Internet access through Company Name is a privilege, not a personal or contractual right. The privilege may be revoked for non-compliance with this policy, as explained below. Further, violation of this policy shall be grounds for disciplinary action up to and including termination of employment or contract. No user has any reasonable expectation of privacy in his or her Internet activity or in any data created, sent, received or stored on or through the Internet. All such data is Company Name's property. Company Name reserves the right to monitor the Internet activity of users at any time, and to access and disclose the contents of Internet-related files, for any business reason or as required by law, with or without notice to the user.

EXPLANATION: Internet services should be used to advance the objectives of Company Name without jeopardizing its business and healthcare mission. Inappropriate uses of the Internet, as described below, are prohibited. Nothing in this policy invalidates, alters or limits other Company Name policies, including policies governing business communication, record keeping, correspondence and the transmittal of medical record information to outside sources.

Appropriate and Inappropriate Uses of Company Name Internet Services. Internet services are intended for the purpose of advancing the business objectives of Company Name. Appropriate uses include, but are not limited to:
Inappropriate uses of the Internet include, but are not limited to:
Company Name reserves the right to deny users access to external Internet sites that serve no legitimate business or healthcare purpose.

Security: Company Name does not routinely monitor users' Internet activities but reserves the right to do so, and to access and disclose the contents of Internet-related files, with or without notice to the user, at any time and for any business purpose, including but not limited to internal investigations of alleged or suspected illegal or improper activity. Internet activities can pose significant risks to network security and integrity as well as to the security of healthcare and business information. Users must exercise extreme caution when using downloaded Internet information.

SCOPE: This policy applies to all users of Company Name Internet services.

RESPONSIBILITIES: Users shall follow security policies and standards governing the use of Internet activities. Managers shall be familiar with this policy and take appropriate action in the event of policy violations. Information Security shall periodically monitor Internet services for performance, integrity and availability, complying with Company Name policies and standards. The Information Security group will investigate suspicious or unusual Internet activities and report findings to management, and will provide controls, detection and security to minimize Internet misuse and abuse.

DEFINITIONS:
Internet: A federation of computer networks that allows for the exchange of information.
Internet services: A sub-department of Company Name's Information Systems Department which supports users for Intranet and Internet access and support.
Intranet: A secure network of computers that allows only authorized internal users access to information content. Company Name's Intranet is Name, an internal network behind the firewall that allows authorized internal users to access information via a browser.

REFERENCE
Quality and System Resources
The Legal Liability of Electronic Information

In today's economy, information is power. The exponential growth of electronic information in corporate America has increased companies' productivity to unprecedented levels, but that information has its dark side. When an employee leaves the building, for the day or forever, does valuable information leave with them? What happens if an employee maliciously destroys computer records? Is discrimination, harassment, or theft of intellectual property going on that managers don't know about? Computers are critical to communication, record keeping, and planning in companies today. The electronic records they generate provide virtually permanent evidence of these activities. And the most common form of these records is e-mail. E-mail records span the entire organization, passing through every corner of the organization and residing on every desktop.

Liability

Most organizations have little or no knowledge of the contents of their stored e-mail records. That is why many are taking steps, through development of data monitoring and data retention policies, to monitor the content of future records as they are created. Such policies limit the organization's future liability by defining which records are to be backed up and put into the company's storage. Beyond managing the content of such records, the organization needs to be able to produce specific documents for litigation when the case demands. In virtually every type of employee-relations case (harassment, intellectual property theft, fraud, and discrimination), e-mail records form the basis of proof. The burden of preserving those records and recovering them for court cases rests with the company, and failure to comply has been known to result in multimillion-dollar sanctions. E-mail records contain not only message content but also date stamps and time stamps, access codes, document attachments and distribution lists, much of which can prove powerful in court.
Every system an e-mail record passes through retains a copy of that record that can be recovered for use in litigation. Records often span several software platforms and storage media systems, and can be shielded by extensive password and encryption structures. So, as the amount of records grows, the task of tracking their content becomes harder to manage. Once an e-mail record is deleted, it is far from gone. After it has been sent, a copy can be recovered from several different locations: the sender's computer, the recipient's computer, and any computer in between. Even after it was thought to be destroyed, a copy of the message or traces of it can be recovered.

Written Policies

Too many people use e-mail as an electronic filing system, rarely deleting messages. The records are backed up and stored before the company has established priorities about which messages need to be retained. The lack of priorities makes it harder to recover records in legal or employee-relations matters. Companies often have no record of what software was used to create the document or where it resides in the storage system. Before businesses can monitor the records' content, they must first find it and then convert it to a readable format. "Corporate e-mail recoveries are challenging because most companies change e-mail and backup systems regularly. We're able to develop special tools to deal with obsolete systems, media and multiple messaging formats", said Michael Norby, Senior Software Engineer at ONTRACK Data International. "Often, we're able to read data our clients can't read themselves".

Thinking Ahead

Proactive corporate counsel seek ways to monitor, preserve, and recover required records. They don't wait for a crisis before evaluating and controlling the risk that the company's data poses. For example, Internet giant Amazon.com recently had an event called "sweep and keep".
Employees were given complimentary lattes in exchange for removing from their own e-mail systems records the company wasn't legally required to retain. After purging the system, the company issued document-creation guidelines designed to prevent future exposure. The benefit of being proactive is as close as the morning newspaper. Monica Lewinsky, Bill Gates, and Colonel Oliver North found that their e-mail records came under public scrutiny. What began for them as a private exchange of ideas resulted in worldwide exposure of activities they probably would rather have kept private. Since the advent of data retention policies, the difficulty for most organizations is not how to keep future records clean of unintentionally communicated remarks, but how to control the millions of records currently being stored in electronic archives. Even if the records were not actively backed up and stored, they exist in the memory of every computer in the system. The time is overdue for organizations to take control. Just as paper documents were recognized as a legal liability twenty years ago, electronic documents present a legal liability to their organization today. Today's exposure is in many ways much broader than it was when companies were concerned mainly about paper documents, because so many more employees access and create electronic documents as a part of their jobs.

Regaining Control

Control of future records starts with a data retention policy for creating and archiving information. But first, companies need to decide what to do about the e-mail records going back many years and currently residing in storage archives. A critical step is to separate out and preserve the records that the organization is legally required to maintain or that are needed for normal business operation. Companies must learn to think like prosecutors in this regard and look for any evidence that could conceivably support charges of malfeasance.
A systematic program would start with a search of all recoverable documents: deleted documents, draft documents, and e-mail distribution records. A primary focus would be on e-mails with dangerous or unnecessary content. Unfortunately, electronic communication and document storage developers didn't anticipate these recovery challenges. They designed the systems to help their organizations move forward, to support growth and productivity, with little thought of the implications. As a result, huge amounts of data are stored in outdated or obsolete formats. In addition, the media the records are stored on may have deteriorated. The combined expertise of consultants specializing in data recovery, electronic evidence and security concerns is needed to access that data and convert it to today's media. Once the documents have been converted to a readable format, restored to full status, and searched for dangerous content, they need to be sorted: are they essential, unnecessary, or questionable? They also must be categorized and organized to serve their organizations efficiently.

Explosive

Companies are finally realizing they are sitting on a powder keg. Attorneys are urging corporate clients to perform a data audit and to eliminate any information they are not required to retain. But companies need information to do business: to keep track of which customers owe them money, what the financial situation was last year, or when approval on a given proposal came through. Moreover, although certain information may get a company in trouble, other information is required to proactively defend against allegations or to prosecute. Lawsuits stemming from a company's own stored documents can cause often irreparable damage. To control the "enemy within", it is advisable to conduct an audit of the recoverable information (live, stored, and deleted) in your company's storage and to examine all e-mail and other stored documents for evidence of dangerous or unnecessary activity.
Troy Hegr

ONTRACK is the largest data recovery company in the world. The Computer Evidence Services division specializes in locating, recovering, analyzing and producing computer evidence for use in litigation. The Computer Evidence Services division can help litigators and companies alike.
Threats to Automated Information Systems and Networks

A. Introduction

Why worry about threats to your automated information systems (AISs) and networks? Good question. This paper examines why it is important to understand the nature of threats facing Information Technology architectures (i.e., AISs and Networks) today. Not factoring the threat equation into your security solution or Risk Management Program significantly increases the likelihood that your security safeguards will not be sufficiently implemented to prevent many of the threats identified in this paper. You have to know the threat situation in order to effectively protect your information's integrity, availability, and confidentiality. This white paper presents three key threat components:
The first section will highlight key threat-related terminology and concepts that are needed to further understand the wide spectrum of threat categories being presented during the briefing. Threats, threat frequencies, threat severity, threat impact, and other terms and concepts will be briefly introduced here. The next section, threat categories, is the single most important aspect of this paper. Focusing on one category of threat (e.g., virus attacks, IP spoofing, stack smashing) ignores the broad range of threat agents and mechanisms that may be employed against AISs and networks. This section will deal with technical (i.e., system/network-related) and non-technical (e.g., physical, environmental, personnel, social engineering, etc.) threats in the following categories. The last threat component section presented in this paper involves threat impacts; more specifically, the four D's (i.e., data destruction, data modification, data denial of service, and disclosure of data). This section will delineate the overall impacts to informational and organizational resources that can be experienced if the noted threats are successfully targeted against AIS/network vulnerabilities.

B. Threat Terms and Concepts

A threat is defined as:
With that definition in mind, let's cover a few more terms to familiarize you with threat basics. These will be covered more fully later on.
C. Threat Categories

Threat Agents

There are four general categories of threat agents:
Threat Mechanisms

Now that you have been familiarized with the four general threat agents, a more detailed listing of actual threat mechanism categories can be presented. Many of the mechanisms have direct application to the purpose of this paper (i.e., malicious logic, espionage, etc.). To understand the entire nature across the threat spectrum, however, other threats need to be similarly described. They are presented here to provide the reader with a fuller appreciation for the wide range of threats that actually exist and that can impact a person's or company's information or the platforms through which that information is processed.

Human - Intentional

Arson - Arson is the intentional setting of fire to an object, for any of several reasons. One motivating reason is revenge. Revenge is the need to destroy an object to either hurt someone or deny someone else that object. Many times, objects are burned in order to collect on insurance policies. In this way, the arsonist is motivated by greed. The arsonist is attempting to obtain money either to pay off debts or to get out from under.

Blackmail - Blackmail is the coercion of a person by threatening that person with disclosure of some event or secret that the person does not want revealed. The victim is usually forced to pay for the blackmailer's "silence." In other circumstances, the victim might be forced to pay by divulging sensitive information to the blackmailer; more usually, the coercion results in a monetary payment to the blackmailer.

Bomb - A bomb is an improvised explosive device, whether it be a simple stick of dynamite with a fuse or a sophisticated remotely controlled firing device. The motivation for using bombs is to damage a target so that it:
Browsing - With growing computer literacy, users have shown a marked increase in not only the capability of scanning all servers and directories but the actual intent to do so. Curiosity, greed, the need to see what the boss is saying about them, wanting to know more about the system: these are all reasons they use to justify browsing.

Espionage - The threat posed by foreign intelligence service (FIS) activities aimed at information stored or processed on the network. Espionage includes copying, reproducing, recording, photographing, intercepting, listening, observing, bribing, etc. to obtain sensitive information. The signals intelligence (SIGINT) threat includes both electronic intelligence (ELINT), which is the collection of non-communications signals such as electromagnetic emanations from computer and communications systems, and communications intelligence (COMINT), which is the interception of cipher and clear text message traffic by unauthorized parties. Emanations can be picked up by radios, telephones, power lines or signal lines, as well as by deliberately installed listening devices or tape recorders. These foreign intelligence services and their agents may obtain human intelligence (HUMINT) by recruiting U.S. citizens in positions of trust who have access to sensitive information. HUMINT may also be obtained by observing improperly safeguarded documents or listening to careless conversation. Whether it is conducted on behalf of a government or a commercial firm, espionage is the widely accepted term used for the active and unauthorized collection of a target's sensitive information through social engineering, human intelligence collection, and technical intelligence gathering.

Extortion - Extortion is the act of obtaining money or some other desired object through intimidation. A good example of extortion is "protection money" paid to gangs so that shop owners can continue to operate without damage to their premises or wares.
Another, increasingly frequent, example is the threat by hackers of tying up system time and resources if they are denied access to a specific system or network.

Fraud - Computer-related crimes involving deliberate misrepresentation, alteration or disclosure of data in order to obtain something of value (usually for monetary gain). A computer system must have been involved in the perpetration or cover-up of the act or series of acts. A computer system might have been involved through improper manipulation of input data; output or results; applications programs; data files; computer operations; communications; or computer hardware, systems software, or firmware.

Malicious Code
Sabotage - Sabotage is the intentional act of destroying or so modifying an object that the primary functionality of that object is degraded or rendered useless. An example of this would be for a competitor to inject a deletion virus into your system that would wipe your system drives. Sabotage is normally well-orchestrated and focused with the intent to achieve a certain level of denial of service to the target.
Unauthorized Facility Access - This threat entails being able to physically gain access to an object via an office area, a den, or a computing facility (operations floor, telecommunications closet, or network server room) without the express consent of the owners or in direct violation of local, state, and/or federal laws.

Unauthorized Physical Access to System (i.e., AIS, Network, and Information Media) - This threat normally occurs after the penetrator has gained unauthorized access into the facility. It could also occur when an internal employee who has legitimate access to the facility gains unauthorized access to the AIS, network, and/or sensitive information. In either case, the person then has the capability to execute other threats such as Theft, Sabotage, Arson, etc. It does not signify that the person has gained programmatic access into the AIS or network. That situation is covered next.

Unauthorized Programmatic Access to AIS, Network, and Information Media - The penetrator, in this threat scenario, actually circumvents technical access control on the AIS or network. Examples of this threat include IP spoofing, telnet session hijacking, and brute force guessing attacks on the ID/password log-on process.

Vandalism - Similar to sabotage, but vandalism differs in that the intent is usually a personal revenge-motivated or impulsive act. An example involves a disgruntled employee who was told he had two weeks and then he was going to be out the door. He came in over the weekend and poured lacquer over all the PCs and keyboards in his office area.

Human - Unintentional

Integration Error - The conflicts that occur when one or more components are connected to other components. This is especially true when connecting UNIX-based systems with Windows NT and Novell systems across IPX protocols. The use of DHCP on some proprietary AISs could cause them to hang.
Management Error - Poor judgement or bad management decision making can cause systems to be configured incorrectly and information to be processed insecurely. The most common management error is not planning for contingencies.

Programming Error - Placing backdoors in code, not doing extensive error testing, and developing code in an ad-hoc fashion are examples of this type of threat.

User Error - The inadvertent mistake that deletes a file or overwrites a system configuration file. Typically referred to as "fat fingering," user error is a common threat. Users have the most frequent access to information and therefore the most potential for accidentally modifying, destroying, or "wandering" across sensitive information.

Environmental - Natural

Lightning - Lightning strikes on unshielded or ungrounded electrical equipment pose a real threat to both AISs and human safety. In high-frequency storm locations, lightning strikes have been responsible for frying many systems as well as destroying modems over unprotected phone lines.

Fire - The heat and rapid combustion resulting from a fire can quickly overcome people. It has equally deleterious effects on sensitive computing equipment that has to operate within narrow temperature ranges. The use of office space and computing floors as supply depots for flammable paper, cleaning fluids, and other "fire traps" is a common practice.

Flooding - The Midwest several years ago, California and Oregon this last year, and Chicago, when drainage tunnels burst and flooded the environmental support systems and power conduits for major downtown business offices and computing facilities, are all examples of how water has directly impacted continuity of operations.

Severe Winds - High winds can topple trees that take out power lines. Tornadoes can level computing facilities, businesses, and residential areas. In some cases, heavy sustained winds can cause tidal surges that flood an area that would otherwise be unaffected by the wind or water.
Earthquake - As evidenced in California, high threat locations can have a devastating impact on business operations. Structures, cabling, telecommunications, and AISs are very susceptible to vibration and the rapid upward shifting of land masses experienced during such earthquakes.

Environmental - Fabricated

Fluid Spills - This could be the spilling of a soft drink on the keyboard or cleaning solvents sloshing onto the vents of AISs placed on the floor. Overhead water sprinklers could trigger based upon a fire threat not in close proximity to the AIS/network.

Particulate Matter - Smoke and airborne particulate matter from facility repair sites can build up on circuit boards, contributing to heat retention and subsequent failure of the AIS. The same particulate matter can find its way to diskettes and result in damage to the disk, the reader head, and ultimately to any information on the diskette. In main computing facilities, particulate matter can clog air filters on Liebert environmental control systems, which then might fail.

Overheating - Improper placement of HVAC vents and heat exhausts can permit heat from one AIS to be blown over another AIS. Excessive amounts of equipment in a confined space also contribute to rapid heat buildup. Overtaxed chilling equipment could experience a higher rate of failure. This results in system failure as primary servers fail due to heat exposure.

Power Outage - Power outages stem from poor power feeds into the location. They also result from power sources not being dedicated to AISs/networks.

Power Fluctuation - Poor quality power supply can result in frequent power outages as well as rapid cycling of power outages followed by power surges as the power comes back on several times. If the power is not filtered at a location where AISs/networks are concentrated, circuitry sensitive to minute voltage fluctuations will be damaged.
Hardware Failure - Hard drives fail, chips pop up from their seatings, and any component with moving parts is bound to break when it is needed most.

Software Failure - Embedded bugs in a software package can interrupt or degrade the package's ability to handle the information it processes in a secure fashion. Over time, files can become corrupted, resulting in the package hanging. Software incompatibility with other operating systems or other applications could very well result in data modification or destruction.

The presence of a threat alone does not mean that a significant impact will occur. There are other factors to consider in assessing the impact of any threat on resources. The next factor to present, therefore, is the frequency of threat occurrence.

Threat Frequency of Occurrence

There are several elements covered under the concept of threat frequency of occurrence. These elements are the number of combined threats, how often a threat occurs, and the force with which the threat occurs. Once these three elements are understood, the complete nature of the threats posed by hackers, corporate spies, and intelligence officers can be assessed in light of the weaknesses found in any given security program. Prior to this assessment, however, a more thorough discussion of these elements must be presented. A threat in and of itself poses a certain amount of danger to a resource, such as your credit card information on the Internet. One threat agent/mechanism alone may not result in a significant impact to that information. Several threat agents and/or mechanisms, therefore, will definitely increase asset exposure to one or more of the aforementioned impact states.
Threat Severity

That amount is multiplied in severity based upon how often it occurs naturally and how often it is directed against a certain vulnerability. This concept refers to the number of times a threat instance occurs. The frequency is usually expressed in terms of the number of times the threat occurs as well as the time frame in which those occurrences took place. Threats that occur once every five minutes against certain categories of vulnerabilities are generally more significant than those that occur with a lesser frequency against the same set of vulnerabilities.
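As an added illustration of how frequency, severity, existing countermeasures and the four D's combine into the prioritized list a Risk Management Program needs, here is a small Python scoring model. It is not the paper's own method: the exposure formula, the field names, the asset value and the four sample threat-vulnerability pairs are all constructed assumptions.

```python
"""Toy threat-vulnerability prioritisation in the spirit of the paper's Risk
Management Program: frequency x severity x asset value, discounted by existing
countermeasures and labelled with the four D's. Every name, weight and sample
figure here is a constructed assumption, not data from the paper."""
from dataclasses import dataclass
from enum import Enum

class Impact(Enum):  # the four D's
    DATA_DESTRUCTION = "destruction"
    DATA_MODIFICATION = "modification"
    DATA_DISCLOSURE = "disclosure"
    DENIAL_OF_SERVICE = "denial_of_service"

# Security property each impact degrades; two impacts both hit availability,
# which is why this is a separate dict rather than the Enum value itself.
PROPERTY = {Impact.DATA_DESTRUCTION: "availability",
            Impact.DATA_MODIFICATION: "integrity",
            Impact.DATA_DISCLOSURE: "confidentiality",
            Impact.DENIAL_OF_SERVICE: "availability"}

@dataclass(frozen=True)
class ThreatVulnPair:
    mechanism: str               # threat mechanism, e.g. "SYN flood"
    agent: str                   # agent category, e.g. "human-intentional"
    vulnerability: str           # the safeguard weakness the mechanism exploits
    impacts: frozenset           # subset of Impact
    frequency_per_year: float    # expected occurrences per year
    severity: float              # fraction of asset value lost per occurrence
    countermeasure: float = 0.0  # effectiveness of existing safeguards, 0..1

def exposure(pair: ThreatVulnPair, asset_value: float) -> float:
    """Annualised exposure of one threat-vulnerability pair against an asset."""
    if not (0.0 <= pair.severity <= 1.0 and 0.0 <= pair.countermeasure <= 1.0):
        raise ValueError("severity and countermeasure must lie within [0, 1]")
    if pair.frequency_per_year < 0:
        raise ValueError("frequency_per_year cannot be negative")
    return round(pair.frequency_per_year * pair.severity * asset_value
                 * (1.0 - pair.countermeasure), 2)


def prioritize(pairs, asset_value):
    """Rank pairs by exposure, highest first: the order in which an RMP
    would schedule additional safeguards."""
    return sorted(((p, exposure(p, asset_value)) for p in pairs),
                  key=lambda pe: pe[1], reverse=True)


def exposure_by_property(pairs, asset_value):
    """Total exposure per security property. A pair is counted once under
    each property it degrades, so the three totals are not additive."""
    totals = {"availability": 0.0, "integrity": 0.0, "confidentiality": 0.0}
    for p in pairs:
        e = exposure(p, asset_value)
        for prop in {PROPERTY[i] for i in p.impacts}:
            totals[prop] = round(totals[prop] + e, 2)
    return totals


# Constructed sample: one asset and four pairs drawn from the paper's categories.
CUSTOMER_DB_VALUE = 500_000.0
SAMPLE_PAIRS = [
    ThreatVulnPair("brute-force guessing of the ID/password log-on", "human-intentional",
                   "weak user passwords", frozenset({Impact.DATA_DISCLOSURE}), 52, 0.02, 0.5),
    ThreatVulnPair("SYN flood", "human-intentional", "Internet-facing listener",
                   frozenset({Impact.DENIAL_OF_SERVICE}), 6, 0.01, 0.3),
    ThreatVulnPair("fluid spill onto a floor-mounted server", "environmental-fabricated",
                   "AIS placed on the floor",
                   frozenset({Impact.DATA_DESTRUCTION, Impact.DENIAL_OF_SERVICE}), 2, 0.01),
    ThreatVulnPair("user error overwriting a configuration file", "human-unintentional",
                   "no change control on configuration files",
                   frozenset({Impact.DATA_MODIFICATION, Impact.DENIAL_OF_SERVICE}), 12, 0.005, 0.9),
]

if __name__ == "__main__":
    for p, e in prioritize(SAMPLE_PAIRS, CUSTOMER_DB_VALUE):
        print(f"{e:>12,.2f}  {p.mechanism} via {p.vulnerability}")
    print(exposure_by_property(SAMPLE_PAIRS, CUSTOMER_DB_VALUE))
```

With the sample figures the weekly log-on guessing dominates even after a 50% effective countermeasure, which is the point of the frequency discussion: a low-severity threat that recurs often can outrank a rarer, more damaging one.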
As noted previously in this white paper, a threat in and of itself does not mean that your AIS, your network, or the information stored in, processed by, or transmitted through them is impacted by its presence. A threat, its frequency of occurrence, and its severity are parts of the threat-vulnerability analysis equation. While the scope of this paper does not focus on the full range of topics dealing with threat-vulnerability analyses, it is very important to understand the potential impacts a threat could have if it were to exploit an existing security safeguard weakness and subsequently reach a critical resource or asset. The four general categories of threat impacts are:

Data Destruction (Availability) - Data destruction is pretty self-explanatory. Whether it is a hard copy print-out, a 3.5" diskette, a hard drive, tape, or some other form of data storage device, information must be stored in an exact format so that AISs and networks can process it. If the information is erased, formatted, wiped, or deleted so that it cannot be recovered, then the users are unable to access the information. This is primarily an availability issue.

Data Modification (Integrity) - Unauthorized or inadvertent data modification lowers the validity of the data set (i.e., a data file, database table, or configuration parameter setting files) being accessed by the user. The reduced integrity of the information could mean a company having to rebuild an entire database if it is not known exactly what data set was corrupted.

Data Disclosure (Confidentiality) - Whether it is unintentional or deliberate, the revealing of sensitive company or governmental information to unauthorized recipients is a confidentiality issue. A common example of this is an employee who "browses" through all the directories and servers available to that employee's workstation and user ID. Shared directories often contain far more information than the employee needs to perform job tasks.
Denial of Service (Availability) - A denial of service occurs when a key point in the AIS or network process is interrupted. This interruption results in a termination of automated services. These occurrences deny the user the availability of systems, networks, and data. Examples of this include power outages, system crashes, accidental deletion of running processes, and SYN flood attacks.

E. Conclusion

Basic threat concepts and terminology have been presented. Those concepts provided a basis for understanding the numerous threat categories that were outlined. The general impacts of those threat mechanisms were then delineated. Armed with this information, information infrastructure developers, AIS/network administrators, and security managers have a critical piece of the security puzzle. It is just a part, however. As noted previously, threats in and of themselves do not constitute a significant impact on your AISs, networks, and sensitive information. The understanding of the threat environment must be integrated into an overall Risk Management Program (RMP). This RMP will take into account threats, existing countermeasures, asset sensitivity/criticality/valuation, and the impact of specific threat-vulnerability pairs. Only in this manner can a prioritized and time-phased approach be formulated to mitigate the impacts of those threats that do pose the most significant danger to the company.

Here are some key questions that are still being discussed in the security community regarding threats. They are presented simply to provoke your thoughtful consideration:

1. Who exactly needs to know these threats?
2. Should you, the developer, system administrator, and security manager, be given the actual threat specifics (e.g., attack source code, scripts, methodology, etc.)?
3. Do you, as a security professional, have the right to check out software and hardware to determine if they are susceptible to exploit? Do you owe it to your company to ensure that the products they purchase are secure?
4. Are the CERTs, CIACs, and developers of the world giving you the specific security and threat information you need to make informed decisions about effectively protecting your AIS, your network, and your information?
5. Where can you go to obtain this information?

Lew Wagner has been in Security and Law Enforcement for 21+ years. He was a Special Agent, Air Force Office of Special Investigations for eight years. He has attended or presented at numerous Federal, State, and private industry security courses. He is a Certified Information System Security Professional and Certified Protection Professional. He is on the Committee for Computer Security for ASIS. He is currently one of the founders of a security portal "dot.com" company - Repelle.com - as well as being the Chief Security Officer and Vice President - Security Strategy.