Email security: don’t let bandits in the back door
Cloud-based Office 365 has become one of the most common email platforms for small to mid-sized businesses — we see it every day. However, while Office 365 is a great option for businesses that don't want the responsibility of managing in-house email servers, it can also create a significant security risk to the business if it is implemented without appropriate security measures.
Some of the attacks we have investigated during the last few months have involved external offenders accessing an employee's business email account through a web browser. Once access is gained, they create a forwarding rule on the account so that a copy of every email sent to or from the account is delivered to an external address such as Gmail or Yahoo.
The attackers then dig through emails that are already in the account as well as any new material being sent and received, all the time looking for an opportunity to gain a financial benefit. This could include obtaining your valuable IP or other confidential data and selling it on the internet or manipulating invoicing and payments to redirect funds.
The cost to your business resulting from this type of compromise can include significant financial loss and the substantial wasted time and distraction from normal business while you identify the compromise and fulfil your reporting requirements under the Notifiable Data Breach Reporting legislation.
All these consequences can be prevented if you take suitable security measures before implementing the Office 365 email tenancy. It is critical to have a professional review your email platform, risk profile and security requirements before your business becomes the next victim.
If you use Office 365 and haven't had someone undertake a fundamental security review, you are at risk.
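The forwarding rules described above are visible to a tenant administrator, and the following script is an added example (not from the original newsletter) of how to audit for them. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with a role that can read mailbox rules, and that the two domains listed as internal are placeholders to be replaced with the tenant's own accepted domains.

```powershell
# Added example: list every mailbox-level forward and every inbox rule that forwards,
# forward-as-attachments or redirects mail to an address outside the organisation.
# Assumes Connect-ExchangeOnline has already been run.

# Placeholder values: replace with the tenant's accepted domains.
$internalDomains = @('example.com.au', 'example.onmicrosoft.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients are returned as strings such as '"Bob" [SMTP:bob@gmail.com]';
    # mailbox forwarding appears as 'smtp:bob@gmail.com'. Internal recipients are
    # usually shown as legacy DNs without an '@', so they fall through to $false.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        $domain = $Matches[1].ToLowerInvariant()
        return -not ($internalDomains -contains $domain)
    }
    return $false
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set by an administrator or through the API
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
            Rule = '(mailbox setting)'; Target = $mbx.ForwardingSmtpAddress
        }
    }
    # Per-user inbox rules: ForwardTo, ForwardAsAttachmentTo and RedirectTo all leak mail
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            if (Test-ExternalAddress ([string]$t)) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                    Rule = $rule.Name; Target = [string]$t
                }
            }
        }
    }
}

# Any row here is a candidate for the compromise pattern described above and should
# be confirmed with the mailbox owner before the rule is removed.
$findings | Format-Table -AutoSize
```

Running this on a schedule, and alerting when a new row appears, turns a one-off review into an ongoing control.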
Spear Phishing Investigations
During 2015-16 we have seen a dramatic increase in the number of businesses being attacked by hackers who have created a domain similar to the victim company's and then masqueraded as a company office bearer to extract money.
Typically this type of attack involves the CFO receiving an email that appears to have come from the MD (or similar) instructing payment of an amount of money into a bank account for some business-related reason. Often, the timing coincides with the MD being away from the office and the transaction appears to be urgent. Following an exchange of emails, the transaction is made without the MD being aware that he has supposedly authorised it. Once the bogus transaction has been identified, there is usually a flurry of activity identifying what events led to the theft and where the money has gone. These incidents often lead to reassessment of the business's IT security as well as the processes in place relating to authorisation of financial transactions above certain amounts.
Cryptolocker (a form of ransomware) involves computer systems being compromised by a Trojan file that encrypts all of the victim's content.
In a business environment with network shares and user directories, that can involve a substantial amount of data - even more if the user has "Admin" rights. This type of system compromise has become common and we now regularly see evidence of remnant encrypted data on the systems we examine.
One matter we investigated in early 2016 involved the account used by the network-connected printer/scanner/photocopier being compromised through a brute force RDP attack. The business was compromised for five months before it was discovered, and only then because the attackers left a parting 'message' by downloading and executing the Cryptolocker executable. As the device had been set up with an Admin account, all network data was encrypted.
The first port of call in this type of attack is to rebuild the systems and restore the data. Unfortunately, in this case we discovered that the backups hadn't been working correctly for three weeks, which meant a loss of three weeks' data that had to be manually re-entered.
Our engagement on this matter related to identifying when and how the compromise occurred, what data (if any) was accessed and taken from the system, how the business responded to the attack, how the business IT service provider responded to the attack and how well the business was prepared to defend against and respond to future attacks.
Theft of Intellectual Property (Confidential Information)
During the course of 2015-16 we have seen evidence that departing employees continue to take confidential business information as they move to a new employer or set-up as a competitor.
This is a common matter for us, and often involves employees emailing documents to personal email addresses, copying data to removable media or accessing data from Cloud accounts such as Dropbox.
One business engaged us to defend it against the actions of an employee who had come from a competitor business and, unbeknown to the new employer, had sent intellectual property from his previous employer to his new business email address. Once the previous employer established that its IP had been taken, it commenced litigation against the employee which threatened to spill over onto the new employer. Our role was to identify what had been sent into the business, whether it had been distributed inside the business, and to sanitise it from the business systems (including backups), making it inaccessible.
Often the "departing employee" scenario can involve concerns that material has been deleted, preventing the employer from using it once the employee has gone. Our analysis in such circumstances includes recovery of deleted information and analysis of the employee's access to material.
Business Solvency & Administration: Books & Records Preservation
One of the applications of Forensic IT is the capture of “books and records” when an Administrator or Liquidator is appointed over a distressed company.
While in the past the description of “books and records” literally referred to hard documents, the term now mostly relates to electronically stored information such as accounting systems, email and documents stored on business networks or hosted (cloud) service providers.
Forensic IT is frequently engaged to capture relevant electronically stored information for business administrations. Many such engagements require the information to be collected without disruption to the business or to the staff of the Administrator/Liquidator, who are doing their best to quickly gain an understanding of the state of the business, often while still trading the business as they search for a commercial solution. For the majority of these engagements, we work in the background and use our network acquisition software to obtain a copy of the relevant data without the need to shut down computers or servers or to delay either the business or the Administrator.
Falsification of Documents
The authenticity of documents (both electronic and hard copy) can sometimes be called into question in legal disputes.
Often this type of matter requires the business systems where the documents were created to be investigated for forensic artefacts that support (or contradict) the claim that the documents were created when they are said to have been. This can include understanding the history of the business systems over the period in question and forming an expert opinion about the likelihood of recovering forensic artefacts.
Other matters can be more closely focused on confirming the date of a document's creation or modification through analysis of the metadata of the electronic document.
Transactional Inquiries by Government Regulators
Significant business transactions can sometimes be examined by Government regulators such as the Australian Competition and Consumer Commission (ACCC) and the Australian Securities and Investments Commission (ASIC).
Forensic IT has undertaken work for both business and Government regulators in such inquiries, typically relating to the identification of electronic data repositories (such as email databases, email archives, backups and shared-file directories), collection and processing of the data and discovering documents relevant to the inquiry based on criteria provided by the client.
This type of engagement usually involves reviewing email and documents dating back over substantial periods of time, often numbering in the millions, in an effort to identify those relevant to the transaction.
Once we collect the broader set of data we process it in a document review (eDiscovery) platform and apply a set of criteria to identify a smaller more relevant set of documents. This can also include applying criteria to identify and remove privilege or confidential business information.
Australian Government Agencies - Search Warrants
Forensic IT has a history of assisting several different Australian Government agencies in the execution of warrants, including field management, assisting with coordination, triage and forensic acquisition of desktop computers, servers and mobile devices.
A recurring type of engagement is the theft of substantial amounts of money by long-term, trusted employees. Such matters we have investigated include incidents where the CFO was suspected of having embezzled the client's money over many years.
We assisted by covertly collecting the accounting books and records and email from the client’s business systems prior to any approach being made to the employee. This allowed for the quantification of the theft, identification of recoverable assets as well as the preservation of evidence in case there was any attempt to alter records once the employee had been confronted.
Often, we provide a "facilitation" service to investigators where we collect the electronic material from computers and phones and then process it in our forensic suite of tools. We then give the investigator access to a portable report containing the forensic artefacts that allows them to investigate the data for material relevant to the allegations. This makes good use of the investigator's understanding of context and relevance.