Fresh Thoughts #110: Which Human? Part 2


"How do you know it was me?"

I've heard this regularly from my children as they have grown up.
Pushing the boundaries of what is ok...
But it is also a frequent question from astute criminals.

For criminals, it means...
If you have evidence, show me...
And if there isn't a direct link and evidence to my direct, documented actions...
You have nothing.

From experience working with law enforcement, I know that it is tricky to deal with cybercrime.
It can be obvious that a crime has occurred...
But how do you know it was that specific person?

It Wasn't Me...

If you've ever been involved in prosecuting a cybercrime, you will know that it's not good enough to say that an action came from a device or a specific account.

Malware or a remote access trojan could have issued the command.
And the account could be compromised or shared.

Ultimately, you must demonstrate who was the human behind the keyboard, pressing the keys.

In one incident I assisted with, there was a wireless storage device with no security configuration.
No network authentication.
No access control.

"How do you know it was my client? It could have been anyone within range of the wireless signal..."

An oddly specific assertion, but one that couldn't be disproved.

No Silver Bullets

For law enforcement, the solution is simple and relies on the old adage: You must never rely on a singular, silver-bullet piece of evidence.

It is the tiny details that will make or break a prosecution.
This issue has been around for decades.
And yet, we have still managed to prosecute cybercriminals - albeit not with the frequency we would like.

In the case of the wireless storage device, the tiny details included:

  • The device was sealed behind a false wall
  • There was DNA on the micro-SD card within the device
  • DNA on the power cord - behind the wall
  • The default configuration of the device was secure - so the weak configuration was consciously created and implemented

In this instance, the defence became implausible.
But in other cases, plausible deniability was successful.

An Easier, Alternative Employer Approach

The lengths that are necessary for criminal convictions can be extreme.
And well beyond the ability of employers.
Yet criminal and illicit actions can and do happen on company devices and in the workplace.

So, how can you deal with this situation?

It will be no surprise that the most crucial element is planning ahead.

Rather than being backed into time-consuming and complex monitoring...
With prior planning - and clear policies - the need to prove a specific action and its intent can be bypassed.

It can be a simple case of enforcing an employment contract.

Employment Contracts

Three areas should work together to make resolving these situations more straightforward.

Firstly, cybersecurity policies are needed to specify acceptable staff behaviours:

  1. Only employees are permitted to access corporate data and devices
  2. Staff are not allowed to share credentials with anyone
  3. ...

This narrows the actions down to a single person (or malware).

Second, cybersecurity configuration and processes are needed to mitigate common attack vectors:

  1. Anti-malware must be in place and active
  2. Software and operating systems must be patched
  3. Access logs will be monitored and recorded
  4. ...

This monitoring confirms whether malware or an external attacker caused the situation.

Finally, contract enforcement:

  1. Violation of corporate policies is a breach of the employment contract
  2. ...

Final Thoughts

For the unprepared, as for law enforcement, linking wrongdoing or an IT action to a specific person is time-consuming, complex and expensive.
But, with planning, schools and businesses can resolve this difficult situation more easily.

The cybersecurity policies, processes and employment contract examples above are undoubtedly incomplete. However, they show that combining these three elements can create the required outcome - without the complexity.

March 19, 2024
3 Minutes Read
