An Introduction to Computer Crime
Prevention and Response

Andrew Matuszak
Network Security Corp

As more companies connect their networks to the Internet, awareness of computer crime becomes critical. Generally speaking, computer crime involves a number of issues ranging from the theft of information from a computer system or network, to the use of a computer as a tool during the commission of a crime. While virus attacks are beyond the scope of this article, they represent a serious threat to network health, and must be coordinated with other security efforts discussed herein.

Taking reasonable measures to protect networks in the modern environment is more than prudent, it is critical. Given human avarice, widespread knowledge of computer technology and the law of averages, however, no matter how well one protects their networks, they may become the victim at some point. While urging the highest priority for prevention, this article will discuss methods that should be employed in response to the occurrence of computer crime affecting your organization.

While avoiding technology-based operations would lower risk, the rewards of incorporating new technology into a company's existing infrastructure are compelling, with widely available programs streamlining internal production and operations, allowing business partners to communicate more quickly, and permitting customers and potential clients to gather information more efficiently. Deployed correctly, Enterprise Resource Planning (ERP), Customer Resource Management (CRM), and, for that matter, automated word processing and billing programs can bring costs down and improve customer satisfaction.

In the rush to automate and, particularly, to be online, many businesses and professional firms neglect to carefully weigh the impact of the decision. All too often these companies expect larger and more expansive projects to be completed in short time frames by an understaffed, under-skilled, and over-worked network administration team. In such cases, security is viewed as a luxury rather than a necessity, a mistake many firms have lived to regret.

Whether the security breach involves network cracking and theft of information or digital funds, it can result in expensive losses in customer satisfaction as well as losses in revenue and liability for the company. What can be done once systems have been compromised?

Steps Taken After the Breach
The first step is to assess the situation. What is the severity level of the intrusion? Who will be involved in the investigation? Who is responsible for determining future actions? The more such questions have been addressed in advance by the adoption of a written security policy, the more quickly and accurately the effects of the breach can be ameliorated.

After the initial assessment is complete, decisive action to repair damage and prevent recurrence should follow. Circumstances may also require that the organization contact outside resources. In the past, following a serious breach, an organization had essentially one choice when investigating computer crime - the government. With the number of computer crimes growing each year, the resources of most governmental agencies have become overburdened, reflected in insufficient personnel to handle the load and inadequate technical expertise to thoroughly research the cases. Private companies specializing in the field of network security now offer computer crime and forensic evidence services. Such specialists must have the specific knowledge base to efficiently and quickly complete investigations, with a background in the recovery and analysis of computer forensic evidence, formal investigations, and the relevant laws. Once a security company has been engaged, the designated security representative from inside the company should work as a liaison between the company's management and the security team. Of course, in an ideal circumstance, an organization which has planned ahead can take advantage of an existing relationship with a security firm that already knows its systems.

Methods of Investigations
Initial assessment following a computer breach consists of a careful examination and inventory of all potentially affected systems. An important first step is determining whether a perpetrator still has control of any relevant computer. If they are still logged on, an important decision is whether to terminate the user's session; leaving the intruder on the system may provide a better opportunity for profiling and ultimately identifying and apprehending the attacker. If, on the other hand, the investigator decides to lock the user out and disconnect the system from the network, they can often limit the damage to what the malicious user has already accomplished. To complicate matters further, advanced hacker techniques such as 'logic bombs' can automatically erase 'tracks' when the connection is terminated; those tracks can include data up to and including all data on the computer. While this risk may not be high, it does exist, and illustrates the difficult choices faced by those working in a security breach circumstance.

A number of techniques are used to determine the type and breadth of a breach. As an example, when an attacker takes control of a machine, they may load a program that masks their identity and hides their running processes from legitimate system administrators. A popular method of detecting such an attack is to compare mathematical results (such as file checksums) with those from a similarly configured machine; a differing result indicates that a malicious process is in play. Such unauthorized files are often called Trojan Horses, because, like the original, they conceal unexpected and potentially harmful elements 'inside' something that appears legitimate.
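The comparison described above, as an added example that is not part of the original article: a known-clean, similarly configured machine supplies a baseline of SHA-256 file hashes, and the suspect machine's files are hashed and compared against it. The choice of SHA-256, the chunked hashing, the three reporting categories and the sample file trees are all this example's own assumptions; the trees are constructed in a temporary directory so the script runs offline.

```python
"""
Added example (not from the original article): a minimal file-integrity
comparison. A manifest of SHA-256 digests recorded from a known-clean,
similarly configured machine is compared against the same paths on the
machine under investigation. Files whose digest differs, files that have
vanished, and files that exist only on the suspect system are reported.
All paths and file contents below are constructed for demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root) to its SHA-256 digest.

    Symlinks are skipped: a changed link target shows up as a change in the
    file it points to, and hashing through links can loop or leave the tree.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare_manifests(baseline: dict, suspect: dict) -> dict:
    """Report files that changed, disappeared, or appeared relative to baseline."""
    return {
        "modified": sorted(k for k in baseline if k in suspect and baseline[k] != suspect[k]),
        "missing": sorted(k for k in baseline if k not in suspect),
        "added": sorted(k for k in suspect if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: a clean tree and a suspect tree with one replaced tool."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        for root in (clean, suspect):
            (root / "bin").mkdir(parents=True)
            # Identical on both machines, so they should not be reported.
            (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
            (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\nexec /usr/bin/netstat \"$@\"\n")
        # Same name on both machines, but the suspect copy has different contents.
        (clean / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /usr/bin/ps \"$@\"\n")
        (suspect / "bin" / "ps").write_bytes(b"#!/bin/sh\n# contents differ from the clean copy\n")
        # One file only on the suspect machine, one only on the clean machine.
        (suspect / "bin" / ".extra").write_bytes(b"constructed sample bytes")
        (clean / "bin" / "lsof").write_bytes(b"#!/bin/sh\nexec /usr/bin/lsof \"$@\"\n")
        return compare_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the baseline manifest is produced before any incident, from installation media or a freshly built reference host, and stored off the machine it describes; a manifest kept on the suspect system could itself have been altered.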

As a general rule, an investigator should not let the attacker know that they are being disconnected or tracked due to unauthorized access. During most sophisticated attacks the trail through which the connection travels will include different geographic locations and Internet providers in order to defeat detection. Needless to say, disconnection will generally alert the attacker that it is time to erase signs of their presence. If the company would like to know more about who has breached their security they may opt to have the security expert carefully watch what the intruder is doing. This type of investigation requires a large amount of skill to prevent alerting the attacker while still providing the company with security.

The Investigative Process / Overview
As with an investigation of any crime, a computer crime investigator must assess the amount of damage, identify systems which may have been compromised and analyze what crimes may have been committed. As with any investigation, various leads may appear, and care must be taken not to jump to premature conclusions.

Different investigative techniques will be used depending on whether an insider or an outsider committed the crime. Investigators will consider factors such as how the criminal gained access, whether the act was malicious or accidental, and whether the techniques used were unusual or highly technical. As the investigation progresses, the designated internal security manager will need to keep company management informed as to the proposed steps and progress of the investigation.

Experienced legal counsel should be consulted, both for advice on preserving potential claims and for lowering the company's exposure to claims for negligence and the like. As well, at such time as it may appear that a chargeable crime has been committed, relevant authorities should be contacted and closely involved, especially with respect to the preservation and custody of evidence.

In each such eventuality, the company needs to assess, and control, costs based on time spent investigating, lawyers' expenses, and lost productivity as systems are searched and people questioned. Whatever the result from a legal standpoint, a final report should be issued to the company outlining the steps that were taken and the evidence that was recovered. Management should review the report to learn the methods used to circumvent the security measures and the recommendations on how to fix the problem. You should discuss the level of detail expected in the report with any outside consulting firm, with the knowledge that detailed step-by-step procedures in arriving at conclusions may be considered proprietary. You will need to assess on a case-by-case basis whether any such information is critical to understanding the steps which must be taken in that regard.

Conclusion
The forensic science of computer investigations is one of many subsets of the network security field, which is a specialized type of LAN and WAN administration. Care must be taken to select a qualified firm that will quickly and efficiently investigate the crime and professionally assemble the series of reports. As time is of utmost importance in any investigation, especially one that deals with computers, all necessary steps should be outlined and reviewed before any breach of security occurs. By being proactive and diligent, an organization will enhance its chances of cutting future costs and limiting liability. No matter how well any security measures are implemented, a determined individual can and will penetrate them. How well prepared companies are for this will determine the amount of damage the perpetrator can commit.

Andrew David Matuszak is a security specialist for Network Security Corp. and is currently involved in researching methods of forensic evidence collection and analysis. His responsibilities include the planning, deployment, and implementation of security systems including firewalls, intrusion detection systems, and operating system lockdown.