The Situation...
Shankar Saxena was shocked to see the full page ad of Whites Appliances announcing the launch of their new fully automatic washing machine. Not only was the look and feel of the product similar to the product that Shankar’s company Makton India was about to launch, its technical specifications matched too.
Ignoring his cup of tea, Shankar immediately logged on to the Whites website and what he saw hit him in the gut, like a hammer. Even the website had the same elements that his team had put together in their plan.
Soon, he was sitting with his key team members and legal experts trying to figure out the source of the information leak and also to understand whether there was any legal action that Makton could initiate against Whites.
The only person missing was Ravi Narayan who had been driving the project till recently, but had decided to quit a month ago for higher pursuits in life. Was he the man to be blamed?
Shankar quickly checked with the IT team on any anomaly in the usage of Ravi’s laptop or e-mail and was told that there was none. In fact, the technology team was quite sure that their security policies and tools restricted one from copying any classified data on laptops or any external storage device or printing the same.
“So how did the data fly out?” Shankar asked. “Could he have mailed the design details?” he wondered. “Not from the official e-mail,” his CIO informed, adding that the Makton office network did not allow users to log on to any personal e-mail accounts either.
Meanwhile, the legal team informed that since the tech specifications of Whites’ new product closely matched that of Makton’s, the company could explore the possibility of filing a copyright theft case and seek damages.
“The key to the case is the evidence of theft without which it would be difficult to prove that Makton was the company that had originally designed the product,” the legal team said.
The big questions...
- What should the technology team of Makton India do to find out the source of leakage and collect the vital ‘evidence of theft’ in a format that it is admissible in a court of law?
- What are the precautions in terms of policy changes and security tools that Makton needs to put in place to prevent recurrence of similar mishaps?
Check out the answers...
Probe tech team first
By Murali Talasila, Director, Forensic Services, KPMG India
About me: Security and audit professional. Has also been associated with firms like Pentafour, KPN and Deloitte
What should the technology team of Makton India do to find out the source of leakage and collect the vital ‘evidence of theft’ in a format that it is admissible in a court of law?
Information is the key to any organisation and since there are people willing to pay good money for it, companies are putting in controls to restrict data access and transfer. However, there is still a weak link—the technology team itself. Hence Makton needs to explore the possibility of involvement of someone from the technology team for this leakage.
Suspects have often gained access to the network of a company through VPN and a separate network, courtesy of the technology team. This is the most difficult to prove and prevent. The network should be analysed immediately to check for any compromise. Also, back-ups of the server, firewall and routers should be analysed to check if any configuration changes were made.
There are four ways in which data could have leaked out, including the possibility of the fraudster physically handing over the details to the other company. However, the company policy does not allow taking prints of the same.
Copying to external physical storage may also be ruled out because the policies and tools at Makton restrict one from copying any classified data to their laptops or any personal device. However, the imaged hard disk could provide details of external hard drives and storage devices plugged into the PC and laptop. Also, the data could have been shared on the network and stored on a PC on which administrative rights are available, and then either transferred over the internet or copied to external storage. This needs to be probed.
E-mail is another common method used for ‘siphoning’ information. But then the Makton network does not allow users to log on to any personal e-mail accounts. However, a thorough forensic analysis of sent and deleted e-mails can help in uncovering the truth.
On the policy front, Makton may have restricted use of external e-mails in the company network but in practical terms it is very difficult to restrict such access as new e-mail sites crop up very frequently, and also there is a large number of sites which provide for data storage.
Analysis of the web cache of the key suspect’s machine can indicate any recent access to sites which provide these facilities. Sometimes, the analysis of the cache may indicate access to certain Internet sites which provide storage capability. This will entail review of the Internet’s ISA server logs and proxy logs. It is also important to forensically preserve a hard disk image of the machines used by key people against whom there is a suspicion.
What are the precautions in terms of policy changes and security tools that Makton needs to put in place to prevent recurrence of similar mishaps?
Makton should ensure that its IT policy incorporates a change management process with the involvement of senior management. Technology coupled with processes and awareness in people plays a major role in organisational security. However, most organisations lack appropriate tooling and disciplinary measures against policy violations.
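The proxy-log review mentioned above can be started with a simple triage script. The following is an added example, not part of this feature or of any contributor's answer: it parses constructed proxy log lines in a simplified W3C-style layout (date, time, user, client IP, method, URL, status, bytes sent by the client), flags large POST/PUT requests to a watchlist of webmail and file-storage domains, and totals the flagged bytes per account. The log format, domains, user names and threshold are all assumptions.

```python
"""Triage proxy logs for large uploads to webmail / file-storage sites."""
import re
from collections import defaultdict

# Constructed sample lines (not real Makton data). Fields: date time user
# client-ip method url status bytes-sent-by-client.
SAMPLE_LOG = """\
2010-03-02 09:14:05 makton\\user1 10.1.4.22 GET http://intranet.makton.local/specs 200 312
2010-03-02 09:16:41 makton\\user1 10.1.4.22 POST https://upload.filedrop.example/api/put 200 8421113
2010-03-02 09:20:12 makton\\user2 10.1.4.31 GET https://news.example/home 200 540
2010-03-02 11:02:33 makton\\user1 10.1.4.22 POST https://mail.webmail.example/send 200 2097152
2010-03-02 11:05:00 makton\\user2 10.1.4.31 POST https://crm.partner.example/login 302 870
"""

# Assumed watchlist; in practice this comes from the proxy's URL categories or
# a maintained list of personal webmail and online storage domains.
WATCHLIST = {"filedrop.example": "file storage", "webmail.example": "webmail"}
UPLOAD_THRESHOLD = 1_000_000  # client bytes in one request that warrant review

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/")[0].lower()
    return rec

def watchlist_category(host):
    """Match the host against the watchlist, including any subdomain."""
    for dom, cat in WATCHLIST.items():
        if host == dom or host.endswith("." + dom):
            return cat
    return None

def find_suspect_uploads(log_text):
    """Return (hits, bytes_per_user): hits are upload-style requests to
    watchlisted sites above the threshold; bytes_per_user sums them by account."""
    hits, per_user = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = watchlist_category(rec["host"])
        if cat and rec["method"] in ("POST", "PUT") and rec["bytes"] >= UPLOAD_THRESHOLD:
            rec["category"] = cat
            hits.append(rec)
            per_user[rec["user"]] += rec["bytes"]
    return hits, dict(per_user)
```

Hits are leads for the forensic review, not proof: the flagged machine's disk image and cache still need to be preserved and examined under a proper chain of custody.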
Seek external expertise
By Alok Gupta, MD, Pyramid Cyber
About me: Technopreneur for over two decades, associated with Samtech InfoNet, eKutir Tech and now Pyramid Cyber Security
What should the technology team of Makton India do to find out the source of leakage and collect the vital ‘evidence of theft’ in a format that it is admissible in a court of law?
On the face of it, this case looks like one of intellectual property theft blended with cyber crime. The Makton IT team seems to have done a good job with strict and tight policies to ensure that such mishaps do not happen. But often, gaps are left and can be exploited.
In this case, however, there seem to be two possible scenarios. One, some weakness in the network has been exploited but from the outside and using a machine that did not belong to Ravi. Either Ravi accessed the network from a public machine or from a machine at home. Two, someone on the inside apart from Ravi is also involved, and he could have opened the network temporarily for access from the outside.
A forensic analysis of not just Ravi’s machine but also of the network is crucial. This is because courts of law accept only that evidence where a proper chain of custody has been maintained along with the use of scientific process and tools.
Usually, internal IT teams are not equipped to handle such a strict chain of custody. So the IT team must immediately engage with a company or consultant that has proven expertise in cyber crime and cyber forensics to conduct a forensic acquisition and analysis of the source and suspect destination devices and applications, including e-mails.
But before that, the Makton CIO must ensure that Ravi’s laptop is not used for anything at all. It must be shut down and sealed in a box. As in any other crime, a cyber criminal also leaves many electronic traces which can only be detected by experts.
What are the precautions in terms of policy changes and security tools that Makton needs to put in place to prevent recurrence of similar mishaps?
Despite Makton’s efforts to implement robust security policies, some gaps in implementation seem to have left room for certain vulnerabilities that can be exploited. To prevent recurrence of such incidents, companies should get their security policy reviewed by a team of experts. This should always be followed by a comprehensive third party audit to detect gaps and vulnerabilities. Cost of prevention is far lower than that of detection and resolution.
Organisations like Makton, where intellectual property theft is always a threat, can deploy online forensic tools. These tools can be used to set appropriate alerts in case confidential or restricted data is tampered with, or leaked in future.
The other dimension of prevention is awareness since most users of IT in any organisation are functional professionals with very limited understanding and knowledge of cyber and digital ethics. So it is imperative to create a company-wide culture of ethical use of cyber assets.
Foolproof security is impossible
By Satish Pendse, CIO, HCC
About me: IT leader with multi-sectoral experience, ranging from Godrej, Jet Airways, Marico, Kuoni, to HCC
What should the technology team of Makton India do to find out the source of leakage and collect the vital ‘evidence of theft’ in a format that it is admissible in a court of law?
It will be worth auditing the claims made by the IT team regarding information security through a competent third party. Several possibilities exist in this case. The culprit might have used a digital camera or even his mobile’s camera to click screen photos. He may have taken printouts and spirited them away. He may have written down the key facts in his diary. Chinks in security always remain. Constant vigilance is called for.
What are the precautions in terms of policy changes and security tools that Makton needs to put in place to prevent recurrence of similar mishaps?
Some of these possibilities can be eliminated using the suggestions listed below though their organisation-wide application is impractical. Use them only in departments critical from the information security perspective.
- Ban use of digital camera / mobiles with camera.
- Physically partition the critical departments from others.
- Bar entry to these departments by others. People from these departments should go out if they want to meet others.
- Devise and implement thorough policy changes to ensure physical and digital security of the critical departments.
- Make use of Information Risk Management (IRM) software. It can control printing, copying, forwarding of files and can even make files invalid after a certain date.
However, do remember that one can still never claim to have foolproof security.